
Virus causing Google redirects, NT Authority/System shutdown, disables McAfee


  • This topic is locked
6 replies to this topic

#1 ClemsonTiger519

ClemsonTiger519

  • Members
  • 4 posts
  • OFFLINE
  • Local time:08:28 AM

Posted 06 February 2010 - 04:53 PM

Hello, this is my first time visiting your site.

I seem to have a problem, either malware or a virus. Its symptoms include redirects of my Google/Bing search results, System Shutdowns that indicate NT AUTHORITY/SYSTEM has caused an error in DCOM Process Server and disabling of my McAfee. I also cannot seem to boot into safe mode. My computer stalls after loading mup.sys and I get a blue screen error that reads 0000007E. It really seems to be debilitating my computer. Any help would be greatly appreciated. Thank you, thank you, thank you!

Here are my logs:


DDS (Ver_09-12-01.01) - NTFSx86
Run at 11:24:04.67 on Sat 02/06/2010
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_18
AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============


============== Pseudo HJT Report ===============

uInternet Connection Wizard,ShellNext = hxxp://www.dell.com/openmanage
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: bho2gr Class: {31ff080d-12a3-439a-a2ef-4ba95a3148e8} - c:\program files\getright\xx2gr.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [PeerBlock] c:\program files\peerblock\peerblock.exe
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\ahead\lib\NMBgMonitor.exe"
mRun: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] c:\program files\google\gmail notifier\gnotify.exe
mRun: [WinampAgent] c:\program files\winamp\winampa.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [nwiz] nwiz.exe /installquiet
mRun: [NVHotkey] rundll32.exe nvHotkey.dll,Start
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
mRun: [MediaFace Integration] c:\program files\fellowes\mediaface 4.0\SetHook.exe
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [Dell QuickSet] c:\program files\dell\quickset\quickset.exe
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [Adobe Acrobat Speed Launcher] "c:\program files\adobe\acrobat 9.0\acrobat\Acrobat_sl.exe"
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 9.0\acrobat\Acrotray.exe"
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSConfig.exe /auto
mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\bitmet~1.lnk - c:\program files\codebox\bitmeter\BitMeter2.exe
IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert link target to existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html
IE: Download with GetRight Pro - c:\program files\getright\GRdownload.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Open with GetRight Pro Browser - c:\program files\getright\GRbrowse.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\shaunc~1\applic~1\mozilla\firefox\profiles\lfaz3ahz.default\
FF - prefs.js: browser.search.selectedEngine - Wikipedia (en)
FF - prefs.js: browser.startup.homepage - hxxp://my.yahoo.com/
FF - plugin: c:\documents and settings\user\application data\move networks\plugins\npqmp071701000002.dll
FF - plugin: c:\documents and settings\user\application data\mozilla\firefox\profiles\lfaz3ahz.default\extensions\{e2883e8f-472f-4fb0-9522-ac9bf37916a7}\plugins\np_gp.dll
FF - plugin: c:\program files\final codecs\mozillaplugins\nppl3260.dll
FF - plugin: c:\program files\final codecs\mozillaplugins\nprjplug.dll
FF - plugin: c:\program files\final codecs\mozillaplugins\nprpjplug.dll
FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\k-lite codec pack\real\browser\plugins\nprpjplug.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - truec:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============


=============== Created Last 30 ================

2010-02-06 04:45:36 0 d-----w- c:\docume~1\shaun~1\applic~1\Malwarebytes
2010-02-06 04:45:27 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-06 04:45:24 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-02-06 04:45:22 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-06 04:45:22 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-05 22:22:07 4198 ----a-w- c:\windows\system32\tmp.reg
2010-02-05 04:11:09 0 d-----w- c:\windows\system32\wbem\Repository
2010-02-04 02:07:52 0 dc----w- c:\docume~1\alluse~1\applic~1\{BC9FCCF7-E686-494B-8C9B-55C9A39A7CA9}
2010-02-04 02:07:18 0 d-----w- c:\program files\Lavasoft
2010-01-27 02:59:30 0 d-----w- c:\docume~1\shaun~1\applic~1\LEGO Company
2010-01-27 02:59:14 0 d-----w- c:\program files\LEGO Company
2010-01-24 21:16:44 0 d-----w- c:\program files\Xvid
2010-01-17 18:48:25 0 d-----w- c:\program files\common files\Real
2010-01-17 18:45:51 0 d-----w- c:\program files\common files\Sonic Shared
2010-01-17 18:41:47 0 d-----w- c:\program files\Final Codecs
2010-01-13 11:47:25 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll

==================== Find3M ====================

2010-02-05 23:35:55 36529 ----a-w- c:\windows\system32\nvModes.dat
2010-02-05 22:09:25 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2009-12-22 05:21:05 667136 ----a-w- c:\windows\system32\wininet.dll
2009-12-22 05:20:58 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-12-17 23:14:00 411368 ----a-w- c:\windows\system32\deploytk.dll

============= FINISH: 11:29:20.07 ===============





#2 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  • Local time:10:28 PM

Posted 07 February 2010 - 07:10 AM

Please download TDSSKiller.zip and unzip it to your Desktop

Run TDSSKiller and wait until it finishes (it should take just a few seconds, or under a minute).. Then find the log on your %systemdrive% (the drive that contains Windows)

The log shall be named something like this one..

(TDSSKiller.version_date_time_log) for example.. (TDSSKiller.2.1.1_22.12.2009_19.33.44_log)





Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix.. Please visit HERE if you don't know how.. Please re-enable them back after performing all steps given..

Please download ComboFix by sUBs from HERE or HERE and save it to your Desktop.

During the download, rename Combofix to Combo-Fix as follows:






It is important you rename Combofix during the download, but not after.

**NOTE: If you are using Firefox, make sure that your download settings are as follows:
  • Tools->Options->Main tab
  • Set to "Always ask me where to Save the files".


After that, double-click and run Combo-Fix. Let it finish its job and post the log here.

If ComboFix asks you to install the Recovery Console, please do so.. It will be in your best interest..

Note: DON'T do anything with your computer while ComboFix is running.. Let ComboFix finish its job..


Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive
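The reply above tells the poster where to find the TDSSKiller log and what its file name looks like, and the log the topic starter pasted further down in this thread is what a helper then has to read through to decide whether the tool found and cured a TDL3/TDSS hook. As an added example that is not part of the thread and not Kaspersky's code, the Python below locates log files by the naming convention quoted in the reply (the optional `.txt` suffix is an assumption) and condenses a log in that format into a triage summary: which driver dispatch tables collapsed onto a single address, which handlers the tool reported as hooked, per-file verdicts, the closing Results counters, and whether a reboot is still pending. The sample log is constructed from the kinds of entries seen in the thread, including the case where two entries are fused onto one physical line.

```python
import re
from dataclasses import dataclass, field

# File-name convention quoted in the reply: TDSSKiller.<version>_<dd.mm.yyyy>_<hh.mm.ss>_log
# (the optional ".txt" suffix is an assumption, not something the thread shows).
LOG_NAME_RE = re.compile(
    r"^TDSSKiller\.(?P<version>\d+(?:\.\d+)*)_(?P<date>\d{2}\.\d{2}\.\d{4})_"
    r"(?P<time>\d{2}\.\d{2}\.\d{2})_log(?:\.txt)?$"
)

# Every entry starts with "hh:mm:ss:mmm <pid> ". Some entries arrive fused onto one physical line
# ("... infected by TDSS rootkit ... 07:28:12:421 1088 KLMD_WriteMem: ..."), so the text is split
# at every embedded entry header, not only at newlines.
ENTRY_HEADER_RE = re.compile(r"(?=\b\d{2}:\d{2}:\d{2}:\d{3} \d+ )")
ENTRY_RE = re.compile(r"^(?P<ts>\d{2}:\d{2}:\d{2}:\d{3}) (?P<pid>\d+) ?(?P<msg>.*)$")

DRIVER_NAME_RE = re.compile(r"DRIVER_OBJECT name: \S+, Driver Name: (?P<driver>\S+)")
ONE_ADDR_RE = re.compile(r"All IRP handlers pointed to one addr: (?P<addr>[0-9A-Fa-f]+)")
HOOK_RE = re.compile(r'Driver "(?P<driver>[^"]+)" (?P<kind>\w+) handler infected by TDSS rootkit')
VERDICT_RE = re.compile(r"TDL3_FileDetect: (?P<path>.+?) - Verdict: (?P<verdict>\w+)")
RESULTS_RE = re.compile(
    r"(?P<kind>Memory|Registry|File) objects infected / cured / cured on reboot: "
    r"(?P<infected>\d+) / (?P<cured>\d+) / (?P<on_reboot>\d+)"
)


def find_tdsskiller_logs(names):
    """Return (name, version, date, time) for each file name that follows the log naming convention."""
    found = []
    for name in names:
        m = LOG_NAME_RE.match(name)
        if m:
            found.append((name, m.group("version"), m.group("date"), m.group("time")))
    return found


def iter_entries(text):
    """Yield (timestamp, pid, message) for every entry, including entries fused onto one line."""
    for line in text.splitlines():
        for chunk in ENTRY_HEADER_RE.split(line):
            m = ENTRY_RE.match(chunk.strip())
            if m:
                yield m.group("ts"), m.group("pid"), m.group("msg").strip()


@dataclass
class TdssSummary:
    hooked_handlers: dict = field(default_factory=dict)       # driver -> handler kinds reported hooked
    collapsed_irp_tables: list = field(default_factory=list)  # (driver, addr) where all IRP handlers shared one address
    verdicts: dict = field(default_factory=dict)              # driver file path -> verdict
    results: dict = field(default_factory=dict)               # object class -> (infected, cured, cured on reboot)
    reboot_required: bool = False

    @property
    def infected(self):
        return bool(self.hooked_handlers) or "Infected" in self.verdicts.values() or any(
            r[0] > 0 for r in self.results.values()
        )


def summarize_tdsskiller_log(text):
    """Condense a TDSSKiller log into the facts a helper checks before deciding on the next step."""
    summary = TdssSummary()
    current_driver = None
    for _ts, _pid, msg in iter_entries(text):
        if m := DRIVER_NAME_RE.search(msg):
            current_driver = m.group("driver")
        elif m := ONE_ADDR_RE.search(msg):
            # A dispatch table where every IRP major function points at one address is the heuristic
            # that triggers the tool's hook check; the actual verdict comes in the entries after it.
            summary.collapsed_irp_tables.append((current_driver, m.group("addr").upper()))
        elif m := HOOK_RE.search(msg):
            summary.hooked_handlers.setdefault(m.group("driver"), []).append(m.group("kind"))
        elif m := VERDICT_RE.search(msg):
            summary.verdicts[m.group("path")] = m.group("verdict")
        elif m := RESULTS_RE.search(msg):
            summary.results[m.group("kind")] = tuple(int(m.group(g)) for g in ("infected", "cured", "on_reboot"))
        elif "Reboot required" in msg or "cured on next reboot" in msg:
            summary.reboot_required = True
    return summary


# Constructed sample modelled on the entries in this thread; not a real file from the poster's machine.
SAMPLE_LOG = r"""07:28:12:375 1088 Scanning Kernel memory ...
07:28:12:375 1088 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
07:28:12:375 1088 DetectCureTDL3: IrpHandler (0) addr: BA90EBB0
07:28:12:375 1088 DetectCureTDL3: IrpHandler (1) addr: 804F4562
07:28:12:406 1088 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
07:28:12:421 1088 DetectCureTDL3: DRIVER_OBJECT name: \Driver\atapi, Driver Name: atapi
07:28:12:421 1088 DetectCureTDL3: All IRP handlers pointed to one addr: 8A5EF856
07:28:12:421 1088 Driver "atapi" Irp handler infected by TDSS rootkit ... 07:28:12:421 1088 KLMD_WriteMem: Trying to WriteMemory 0x8A5EF8CF[0xD]
07:28:12:421 1088 cured
07:28:12:421 1088 Driver "atapi" StartIo handler infected by TDSS rootkit ... 07:28:12:421 1088 TDL3_StartIoHookCure: Number of patches 1
07:28:12:421 1088 cured
07:28:12:468 1088 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\atapi.sys - Verdict: Infected
07:28:15:109 1088 will be cured on next reboot
07:28:15:125 1088 Results:
07:28:15:125 1088 Memory objects infected / cured / cured on reboot: 2 / 2 / 0
07:28:15:125 1088 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
07:28:15:125 1088 File objects infected / cured / cured on reboot: 1 / 0 / 1
"""

if __name__ == "__main__":
    s = summarize_tdsskiller_log(SAMPLE_LOG)
    print("infected:", s.infected, "| hooked:", s.hooked_handlers, "| reboot pending:", s.reboot_required)
    for path, verdict in s.verdicts.items():
        print(f"{verdict:9} {path}")
```

The point of splitting on embedded entry headers rather than on newlines is the fused "infected ... cured" entries: a line-per-entry parser would miss the `KLMD_WriteMem` entry and could mis-assign the following `cured` line. Note that a `File objects ... cured on reboot` count of 1 together with `reboot_required` means the on-disk driver has not been replaced yet; the summary is only trustworthy after the reboot and a second run.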


#3 ClemsonTiger519

ClemsonTiger519
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  • Local time:08:28 AM

Posted 07 February 2010 - 09:08 AM

OK, I ran both TDSSKiller and ComboFix (renamed Combo-Fix). Here are the two logs:

TDSSKiller:

07:28:11:828 1088 TDSS rootkit removing tool 2.2.2 Jan 13 2010 08:42:25
07:28:11:828 1088 ================================================================================
07:28:11:828 1088 SystemInfo:

07:28:11:828 1088 OS Version: 5.1.2600 ServicePack: 3.0
07:28:11:828 1088 Product type: Workstation
07:28:11:828 1088 ComputerName: SMALL
07:28:11:828 1088 UserName: User
07:28:11:828 1088 Windows directory: C:\WINDOWS
07:28:11:828 1088 Processor architecture: Intel x86
07:28:11:828 1088 Number of processors: 2
07:28:11:828 1088 Page size: 0x1000
07:28:11:828 1088 Boot type: Normal boot
07:28:11:828 1088 ================================================================================
07:28:11:843 1088 UnloadDriverW: NtUnloadDriver error 2
07:28:11:843 1088 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2
07:28:11:843 1088 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\drivers\klmd.sys) returned status 00000000
07:28:11:859 1088 UtilityInit: KLMD drop and load success
07:28:11:859 1088 KLMD_OpenDevice: Trying to open KLMD Device(KLMD201000)
07:28:11:859 1088 UtilityInit: KLMD open success
07:28:11:859 1088 UtilityInit: Initialize success
07:28:11:859 1088
07:28:11:859 1088 Scanning Services ...
07:28:11:859 1088 CreateRegParser: Registry parser init started
07:28:11:859 1088 DisableWow64Redirection: GetProcAddress(Wow64DisableWow64FsRedirection) error 127
07:28:11:859 1088 CreateRegParser: DisableWow64Redirection error
07:28:11:859 1088 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\system
07:28:11:859 1088 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\config\system) returned status C0000043
07:28:11:859 1088 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
07:28:11:859 1088 wfopen_ex: Trying to KLMD file open
07:28:11:859 1088 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\config\system
07:28:11:859 1088 wfopen_ex: File opened ok (Flags 2)
07:28:11:859 1088 CreateRegParser: HIVE_ADAPTER(C:\WINDOWS\system32\config\system) init success: 264900
07:28:11:859 1088 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\software
07:28:11:875 1088 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\config\software) returned status C0000043
07:28:11:875 1088 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
07:28:11:875 1088 wfopen_ex: Trying to KLMD file open
07:28:11:875 1088 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\config\software
07:28:11:875 1088 wfopen_ex: File opened ok (Flags 2)
07:28:11:875 1088 CreateRegParser: HIVE_ADAPTER(C:\WINDOWS\system32\config\software) init success: 2649A8
07:28:11:875 1088 EnableWow64Redirection: GetProcAddress(Wow64RevertWow64FsRedirection) error 127
07:28:11:875 1088 CreateRegParser: EnableWow64Redirection error
07:28:11:875 1088 CreateRegParser: RegParser init completed
07:28:12:375 1088 GetAdvancedServicesInfo: Raw services enum returned 338 services
07:28:12:375 1088 fclose_ex: Trying to close file C:\WINDOWS\system32\config\system
07:28:12:375 1088 fclose_ex: Trying to close file C:\WINDOWS\system32\config\software
07:28:12:375 1088
07:28:12:375 1088 Scanning Kernel memory ...
07:28:12:375 1088 KLMD_GetSystemObjectAddressByNameW: Trying to get system object address by name \Driver\Disk
07:28:12:375 1088 DetectCureTDL3: \Driver\Disk PDRIVER_OBJECT: 8A6B1910
07:28:12:375 1088 DetectCureTDL3: KLMD_GetDeviceObjectList returned 4 DevObjects
07:28:12:375 1088
07:28:12:375 1088 DetectCureTDL3: DEVICE_OBJECT: 8A6A8030
07:28:12:375 1088 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8A6A8030
07:28:12:375 1088 KLMD_ReadMem: Trying to ReadMemory 0x8A6A8030[0x38]
07:28:12:375 1088 DetectCureTDL3: DRIVER_OBJECT: 8A6B1910
07:28:12:375 1088 KLMD_ReadMem: Trying to ReadMemory 0x8A6B1910[0xA8]
07:28:12:375 1088 KLMD_ReadMem: Trying to ReadMemory 0xE1705620[0x18]
07:28:12:375 1088 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
07:28:12:375 1088 DetectCureTDL3: IrpHandler (0) addr: BA90EBB0
07:28:12:375 1088 DetectCureTDL3: IrpHandler (1) addr: 804F4562
07:28:12:375 1088 DetectCureTDL3: IrpHandler (2) addr: BA90EBB0
07:28:12:375 1088 DetectCureTDL3: IrpHandler (3) addr: BA908D1F
07:28:12:375 1088 DetectCureTDL3: IrpHandler (4) addr: BA908D1F
07:28:12:375 1088 DetectCureTDL3: IrpHandler (5) addr: 804F4562
07:28:12:375 1088 DetectCureTDL3: IrpHandler (6) addr: 804F4562
07:28:12:375 1088 DetectCureTDL3: IrpHandler (7) addr: 804F4562
07:28:12:375 1088 DetectCureTDL3: IrpHandler (8) addr: 804F4562
07:28:12:375 1088 DetectCureTDL3: IrpHandler (9) addr: BA9092E2
07:28:12:375 1088 DetectCureTDL3: IrpHandler (10) addr: 804F4562
07:28:12:375 1088 DetectCureTDL3: IrpHandler (11) addr: 804F4562
07:28:12:375 1088 DetectCureTDL3: IrpHandler (12) addr: 804F4562
07:28:12:375 1088 DetectCureTDL3: IrpHandler (13) addr: 804F4562
07:28:12:375 1088 DetectCureTDL3: IrpHandler (14) addr: BA9093BB
07:28:12:375 1088 DetectCureTDL3: IrpHandler (15) addr: BA90CF28
07:28:12:375 1088 DetectCureTDL3: IrpHandler (16) addr: BA9092E2
07:28:12:375 1088 DetectCureTDL3: IrpHandler (17) addr: 804F4562
07:28:12:375 1088 DetectCureTDL3: IrpHandler (18) addr: 804F4562
07:28:12:375 1088 DetectCureTDL3: IrpHandler (19) addr: 804F4562
07:28:12:375 1088 DetectCureTDL3: IrpHandler (20) addr: 804F4562
07:28:12:375 1088 DetectCureTDL3: IrpHandler (21) addr: 804F4562
07:28:12:375 1088 DetectCureTDL3: IrpHandler (22) addr: BA90AC82
07:28:12:390 1088 DetectCureTDL3: IrpHandler (23) addr: BA90F99E
07:28:12:390 1088 DetectCureTDL3: IrpHandler (24) addr: 804F4562
07:28:12:390 1088 DetectCureTDL3: IrpHandler (25) addr: 804F4562
07:28:12:390 1088 DetectCureTDL3: IrpHandler (26) addr: 804F4562
07:28:12:390 1088 TDL3_FileDetect: Processing driver: Disk
07:28:12:390 1088 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys
07:28:12:390 1088 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys
07:28:12:406 1088 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
07:28:12:406 1088
07:28:12:406 1088 DetectCureTDL3: DEVICE_OBJECT: 8A6ABC68
07:28:12:406 1088 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8A6ABC68
07:28:12:406 1088 KLMD_ReadMem: Trying to ReadMemory 0x8A6ABC68[0x38]
07:28:12:406 1088 DetectCureTDL3: DRIVER_OBJECT: 8A6B1910
07:28:12:406 1088 KLMD_ReadMem: Trying to ReadMemory 0x8A6B1910[0xA8]
07:28:12:406 1088 KLMD_ReadMem: Trying to ReadMemory 0xE1705620[0x18]
07:28:12:406 1088 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
07:28:12:406 1088 DetectCureTDL3: IrpHandler (0) addr: BA90EBB0
07:28:12:406 1088 DetectCureTDL3: IrpHandler (1) addr: 804F4562
07:28:12:406 1088 DetectCureTDL3: IrpHandler (2) addr: BA90EBB0
07:28:12:406 1088 DetectCureTDL3: IrpHandler (3) addr: BA908D1F
07:28:12:406 1088 DetectCureTDL3: IrpHandler (4) addr: BA908D1F
07:28:12:406 1088 DetectCureTDL3: IrpHandler (5) addr: 804F4562
07:28:12:406 1088 DetectCureTDL3: IrpHandler (6) addr: 804F4562
07:28:12:406 1088 DetectCureTDL3: IrpHandler (7) addr: 804F4562
07:28:12:406 1088 DetectCureTDL3: IrpHandler (8) addr: 804F4562
07:28:12:406 1088 DetectCureTDL3: IrpHandler (9) addr: BA9092E2
07:28:12:406 1088 DetectCureTDL3: IrpHandler (10) addr: 804F4562
07:28:12:406 1088 DetectCureTDL3: IrpHandler (11) addr: 804F4562
07:28:12:406 1088 DetectCureTDL3: IrpHandler (12) addr: 804F4562
07:28:12:406 1088 DetectCureTDL3: IrpHandler (13) addr: 804F4562
07:28:12:406 1088 DetectCureTDL3: IrpHandler (14) addr: BA9093BB
07:28:12:406 1088 DetectCureTDL3: IrpHandler (15) addr: BA90CF28
07:28:12:406 1088 DetectCureTDL3: IrpHandler (16) addr: BA9092E2
07:28:12:406 1088 DetectCureTDL3: IrpHandler (17) addr: 804F4562
07:28:12:406 1088 DetectCureTDL3: IrpHandler (18) addr: 804F4562
07:28:12:406 1088 DetectCureTDL3: IrpHandler (19) addr: 804F4562
07:28:12:406 1088 DetectCureTDL3: IrpHandler (20) addr: 804F4562
07:28:12:406 1088 DetectCureTDL3: IrpHandler (21) addr: 804F4562
07:28:12:406 1088 DetectCureTDL3: IrpHandler (22) addr: BA90AC82
07:28:12:406 1088 DetectCureTDL3: IrpHandler (23) addr: BA90F99E
07:28:12:406 1088 DetectCureTDL3: IrpHandler (24) addr: 804F4562
07:28:12:406 1088 DetectCureTDL3: IrpHandler (25) addr: 804F4562
07:28:12:406 1088 DetectCureTDL3: IrpHandler (26) addr: 804F4562
07:28:12:406 1088 TDL3_FileDetect: Processing driver: Disk
07:28:12:406 1088 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys
07:28:12:406 1088 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys
07:28:12:406 1088 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
07:28:12:406 1088
07:28:12:406 1088 DetectCureTDL3: DEVICE_OBJECT: 8A5E49F0
07:28:12:406 1088 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8A5E49F0
07:28:12:406 1088 KLMD_ReadMem: Trying to ReadMemory 0x8A5E49F0[0x38]
07:28:12:406 1088 DetectCureTDL3: DRIVER_OBJECT: 8A6B1910
07:28:12:406 1088 KLMD_ReadMem: Trying to ReadMemory 0x8A6B1910[0xA8]
07:28:12:406 1088 KLMD_ReadMem: Trying to ReadMemory 0xE1705620[0x18]
07:28:12:406 1088 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
07:28:12:406 1088 DetectCureTDL3: IrpHandler (0) addr: BA90EBB0
07:28:12:406 1088 DetectCureTDL3: IrpHandler (1) addr: 804F4562
07:28:12:406 1088 DetectCureTDL3: IrpHandler (2) addr: BA90EBB0
07:28:12:406 1088 DetectCureTDL3: IrpHandler (3) addr: BA908D1F
07:28:12:406 1088 DetectCureTDL3: IrpHandler (4) addr: BA908D1F
07:28:12:406 1088 DetectCureTDL3: IrpHandler (5) addr: 804F4562
07:28:12:406 1088 DetectCureTDL3: IrpHandler (6) addr: 804F4562
07:28:12:406 1088 DetectCureTDL3: IrpHandler (7) addr: 804F4562
07:28:12:406 1088 DetectCureTDL3: IrpHandler (8) addr: 804F4562
07:28:12:406 1088 DetectCureTDL3: IrpHandler (9) addr: BA9092E2
07:28:12:406 1088 DetectCureTDL3: IrpHandler (10) addr: 804F4562
07:28:12:406 1088 DetectCureTDL3: IrpHandler (11) addr: 804F4562
07:28:12:406 1088 DetectCureTDL3: IrpHandler (12) addr: 804F4562
07:28:12:406 1088 DetectCureTDL3: IrpHandler (13) addr: 804F4562
07:28:12:406 1088 DetectCureTDL3: IrpHandler (14) addr: BA9093BB
07:28:12:406 1088 DetectCureTDL3: IrpHandler (15) addr: BA90CF28
07:28:12:406 1088 DetectCureTDL3: IrpHandler (16) addr: BA9092E2
07:28:12:406 1088 DetectCureTDL3: IrpHandler (17) addr: 804F4562
07:28:12:406 1088 DetectCureTDL3: IrpHandler (18) addr: 804F4562
07:28:12:406 1088 DetectCureTDL3: IrpHandler (19) addr: 804F4562
07:28:12:406 1088 DetectCureTDL3: IrpHandler (20) addr: 804F4562
07:28:12:406 1088 DetectCureTDL3: IrpHandler (21) addr: 804F4562
07:28:12:406 1088 DetectCureTDL3: IrpHandler (22) addr: BA90AC82
07:28:12:406 1088 DetectCureTDL3: IrpHandler (23) addr: BA90F99E
07:28:12:406 1088 DetectCureTDL3: IrpHandler (24) addr: 804F4562
07:28:12:406 1088 DetectCureTDL3: IrpHandler (25) addr: 804F4562
07:28:12:406 1088 DetectCureTDL3: IrpHandler (26) addr: 804F4562
07:28:12:406 1088 TDL3_FileDetect: Processing driver: Disk
07:28:12:406 1088 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys
07:28:12:406 1088 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys
07:28:12:406 1088 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
07:28:12:406 1088
07:28:12:406 1088 DetectCureTDL3: DEVICE_OBJECT: 8A5E5AB8
07:28:12:406 1088 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8A5E5AB8
07:28:12:406 1088 DetectCureTDL3: DEVICE_OBJECT: 8A5EB510
07:28:12:406 1088 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8A5EB510
07:28:12:406 1088 DetectCureTDL3: DEVICE_OBJECT: 8A6B2940
07:28:12:406 1088 KLMD_GetLowerDeviceObject: Trying to get lower device object for 8A6B2940
07:28:12:406 1088 KLMD_ReadMem: Trying to ReadMemory 0x8A6B2940[0x38]
07:28:12:406 1088 DetectCureTDL3: DRIVER_OBJECT: 8A5B8B68
07:28:12:421 1088 KLMD_ReadMem: Trying to ReadMemory 0x8A5B8B68[0xA8]
07:28:12:421 1088 KLMD_ReadMem: Trying to ReadMemory 0x8A68B030[0x38]
07:28:12:421 1088 KLMD_ReadMem: Trying to ReadMemory 0x8A68C428[0xA8]
07:28:12:421 1088 KLMD_ReadMem: Trying to ReadMemory 0xE16DDDA0[0x1A]
07:28:12:421 1088 DetectCureTDL3: DRIVER_OBJECT name: \Driver\atapi, Driver Name: atapi
07:28:12:421 1088 DetectCureTDL3: IrpHandler (0) addr: 8A5EF856
07:28:12:421 1088 DetectCureTDL3: IrpHandler (1) addr: 8A5EF856
07:28:12:421 1088 DetectCureTDL3: IrpHandler (2) addr: 8A5EF856
07:28:12:421 1088 DetectCureTDL3: IrpHandler (3) addr: 8A5EF856
07:28:12:421 1088 DetectCureTDL3: IrpHandler (4) addr: 8A5EF856
07:28:12:421 1088 DetectCureTDL3: IrpHandler (5) addr: 8A5EF856
07:28:12:421 1088 DetectCureTDL3: IrpHandler (6) addr: 8A5EF856
07:28:12:421 1088 DetectCureTDL3: IrpHandler (7) addr: 8A5EF856
07:28:12:421 1088 DetectCureTDL3: IrpHandler (8) addr: 8A5EF856
07:28:12:421 1088 DetectCureTDL3: IrpHandler (9) addr: 8A5EF856
07:28:12:421 1088 DetectCureTDL3: IrpHandler (10) addr: 8A5EF856
07:28:12:421 1088 DetectCureTDL3: IrpHandler (11) addr: 8A5EF856
07:28:12:421 1088 DetectCureTDL3: IrpHandler (12) addr: 8A5EF856
07:28:12:421 1088 DetectCureTDL3: IrpHandler (13) addr: 8A5EF856
07:28:12:421 1088 DetectCureTDL3: IrpHandler (14) addr: 8A5EF856
07:28:12:421 1088 DetectCureTDL3: IrpHandler (15) addr: 8A5EF856
07:28:12:421 1088 DetectCureTDL3: IrpHandler (16) addr: 8A5EF856
07:28:12:421 1088 DetectCureTDL3: IrpHandler (17) addr: 8A5EF856
07:28:12:421 1088 DetectCureTDL3: IrpHandler (18) addr: 8A5EF856
07:28:12:421 1088 DetectCureTDL3: IrpHandler (19) addr: 8A5EF856
07:28:12:421 1088 DetectCureTDL3: IrpHandler (20) addr: 8A5EF856
07:28:12:421 1088 DetectCureTDL3: IrpHandler (21) addr: 8A5EF856
07:28:12:421 1088 DetectCureTDL3: IrpHandler (22) addr: 8A5EF856
07:28:12:421 1088 DetectCureTDL3: IrpHandler (23) addr: 8A5EF856
07:28:12:421 1088 DetectCureTDL3: IrpHandler (24) addr: 8A5EF856
07:28:12:421 1088 DetectCureTDL3: IrpHandler (25) addr: 8A5EF856
07:28:12:421 1088 DetectCureTDL3: IrpHandler (26) addr: 8A5EF856
07:28:12:421 1088 DetectCureTDL3: All IRP handlers pointed to one addr: 8A5EF856
07:28:12:421 1088 KLMD_ReadMem: Trying to ReadMemory 0x8A5EF856[0x400]
07:28:12:421 1088 TDL3_IrpHookDetect: CheckParameters: 4, FFDF0308, 333, 121, 3, 109
07:28:12:421 1088 Driver "atapi" Irp handler infected by TDSS rootkit ... 07:28:12:421 1088 KLMD_WriteMem: Trying to WriteMemory 0x8A5EF8CF[0xD]
07:28:12:421 1088 cured
07:28:12:421 1088 KLMD_ReadMem: Trying to ReadMemory 0x8A5EF701[0x400]
07:28:12:421 1088 TDL3_StartIoHookDetect: CheckParameters: 9, FFDF0308, 1
07:28:12:421 1088 Driver "atapi" StartIo handler infected by TDSS rootkit ... 07:28:12:421 1088 TDL3_StartIoHookCure: Number of patches 1
07:28:12:421 1088 KLMD_WriteMem: Trying to WriteMemory 0x8A5EF80A[0x6]
07:28:12:421 1088 cured
07:28:12:421 1088 TDL3_FileDetect: Processing driver: atapi
07:28:12:421 1088 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\atapi.sys
07:28:12:421 1088 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\atapi.sys
07:28:12:468 1088 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\atapi.sys - Verdict: Infected
07:28:12:468 1088 File C:\WINDOWS\system32\DRIVERS\atapi.sys infected by TDSS rootkit ... 07:28:12:468 1088 TDL3_FileCure: Processing driver file: C:\WINDOWS\system32\DRIVERS\atapi.sys
07:28:12:468 1088 ProcessDirEnumEx: FindFirstFile(C:\WINDOWS\system32\DriverStore\FileRepository\*) error 3
07:28:12:500 1088 CABFileCallback: Processing cab-file: C:\WINDOWS\Driver Cache\i386\driver.cab
07:28:12:593 1088 CABFileCallback: Processing cab-file: C:\WINDOWS\Driver Cache\i386\sp2.cab
07:28:12:625 1088 CABFileCallback: Processing cab-file: C:\WINDOWS\Driver Cache\i386\sp3.cab
07:28:12:656 1088 CabinetCallback: Backup candidate found: atapi.sys:96512, extracting..
07:28:12:703 1088 CabinetCallback: File extracted successfully: C:\DOCUME~1\SHAUNC~1\LOCALS~1\Temp\bck19.tmp
07:28:12:703 1088 ValidateDriverFile: Stage 1 passed
07:28:12:718 1088 ValidateDriverFile: Stage 2 passed
07:28:13:031 1088 DigitalSignVerifyByHandle: Embedded DS result: 800B0100
07:28:14:953 1088 DigitalSignVerifyByHandle: Cat DS result: 00000000
07:28:14:953 1088 ValidateDriverFile: Stage 3 passed
07:28:14:953 1088 CabinetCallback: File validated successfully, restore information prepared
07:28:14:953 1088 FindDriverFileBackup: Backup copy found in cab-file
07:28:14:953 1088 TDL3_FileCure: Backup copy found, using it..
07:28:15:031 1088 TDL3_FileCure: Dumping cured buffer to file C:\WINDOWS\system32\drivers\tsk1A.tmp
07:28:15:109 1088 TDL3_FileCure: New / Old Image paths: (system32\drivers\tsk1A.tmp, system32\drivers\atapi.sys)
07:28:15:109 1088 TDL3_FileCure: KLMD jobs schedule success
07:28:15:109 1088 will be cured on next reboot
07:28:15:109 1088 UtilityBootReinit: Reboot required for cure complete..
07:28:15:125 1088 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\drivers\klmdb.sys) returned status 00000000
07:28:15:125 1088 UtilityBootReinit: KLMD drop success
07:28:15:125 1088 KLMD_ApplyPendList: Pending buffer(20F4_5510, 608) dropped successfully
07:28:15:125 1088 UtilityBootReinit: Cure on reboot scheduled successfully
07:28:15:125 1088
07:28:15:125 1088 Completed
07:28:15:125 1088
07:28:15:125 1088 Results:
07:28:15:125 1088 Memory objects infected / cured / cured on reboot: 2 / 2 / 0
07:28:15:125 1088 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
07:28:15:125 1088 File objects infected / cured / cured on reboot: 1 / 0 / 1
07:28:15:125 1088
07:28:15:125 1088 UnloadDriverW: NtUnloadDriver error 1
07:28:15:125 1088 KLMD_Unload: UnloadDriverW(klmd21) error 1
07:28:15:125 1088 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\drivers\klmd.sys) returned status 00000000
07:28:15:125 1088 UtilityDeinit: KLMD(ARK) unloaded successfully


and Combo-Fix:

ComboFix 10-02-06.03 - User 02/07/2010 7:38.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1517 [GMT -6:00]
Running from: c:\documents and settings\user\Desktop\Combo-Fix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\kb913800.exe
c:\windows\system32\404Fix.exe
c:\windows\system32\Agent.OMZ.Fix.exe
c:\windows\system32\drivers\1028_DELL_XPS_MXC062 .MRK
c:\windows\system32\drivers\DELL_XPS_MXC062 .MRK
c:\windows\system32\dumphive.exe
c:\windows\system32\IEDFix.C.exe
c:\windows\system32\IEDFix.exe
c:\windows\system32\o4Patch.exe
c:\windows\system32\Process.exe
c:\windows\system32\SrchSTS.exe
c:\windows\system32\stacsv.exe
c:\windows\system32\tmp.reg
c:\windows\system32\VACFix.exe
c:\windows\system32\VCCLSID.exe
c:\windows\system32\WS2Fix.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_STacSV
-------\Service_STacSV


((((((((((((((((((((((((( Files Created from 2010-01-07 to 2010-02-07 )))))))))))))))))))))))))))))))
.

2010-02-06 04:45 . 2010-02-06 04:45 -------- d-----w- c:\documents and settings\user\Application Data\Malwarebytes
2010-02-06 04:45 . 2010-01-07 22:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-06 04:45 . 2010-02-06 04:45 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-02-06 04:45 . 2010-02-06 04:45 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-06 04:45 . 2010-01-07 22:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-05 04:11 . 2010-02-05 04:11 -------- d-----w- c:\windows\system32\wbem\Repository
2010-02-04 02:07 . 2010-02-05 22:08 -------- dc----w- c:\documents and settings\All Users\Application Data\{BC9FCCF7-E686-494B-8C9B-55C9A39A7CA9}
2010-02-04 02:07 . 2010-02-04 02:07 -------- d-----w- c:\program files\Lavasoft
2010-02-04 02:07 . 2010-02-04 02:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-01-27 12:30 . 2010-01-27 12:30 61440 ----a-w- c:\documents and settings\user\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-14998e2d-n\decora-sse.dll
2010-01-27 12:30 . 2010-01-27 12:30 503808 ----a-w- c:\documents and settings\user\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-56fcc26f-n\msvcp71.dll
2010-01-27 12:30 . 2010-01-27 12:30 499712 ----a-w- c:\documents and settings\user\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-56fcc26f-n\jmc.dll
2010-01-27 12:30 . 2010-01-27 12:30 348160 ----a-w- c:\documents and settings\user\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-56fcc26f-n\msvcr71.dll
2010-01-27 12:29 . 2010-01-27 12:29 12800 ----a-w- c:\documents and settings\user\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-14998e2d-n\decora-d3d.dll
2010-01-27 02:59 . 2010-01-27 02:59 -------- d-----w- c:\documents and settings\user\Application Data\LEGO Company
2010-01-27 02:59 . 2010-01-27 02:59 -------- d-----w- c:\program files\LEGO Company
2010-01-24 21:16 . 2010-01-24 21:16 -------- d-----w- c:\program files\Xvid
2010-01-24 16:18 . 2010-01-24 16:18 -------- d-----w- c:\documents and settings\user\Application Data\DivX
2010-01-22 23:57 . 2008-06-26 17:43 74240 ----a-w- c:\documents and settings\user\Application Data\Mozilla\Firefox\Profiles\lfaz3ahz.default\extensions\{e23e1101-6cde-4b94-b415-508a7cde8628}\components\test.dll
2010-01-17 18:48 . 2010-01-17 18:48 -------- d-----w- c:\program files\Common Files\Real
2010-01-17 18:47 . 2010-01-17 18:47 -------- d-----w- c:\windows\system32\drivers\umdf
2010-01-17 18:45 . 2010-01-17 18:45 -------- d-----w- c:\program files\Common Files\Sonic Shared
2010-01-17 18:41 . 2010-01-17 18:48 -------- d-----w- c:\program files\Final Codecs
2010-01-13 11:47 . 2009-11-21 15:51 471552 -c----w- c:\windows\system32\dllcache\aclayers.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-07 13:30 . 2004-08-10 11:00 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-02-06 20:27 . 2009-10-11 19:16 36529 ----a-w- c:\windows\system32\nvModes.dat
2010-02-05 22:09 . 2009-10-12 01:38 -------- d-----w- c:\documents and settings\user\Application Data\uTorrent
2010-02-05 22:08 . 2009-10-12 01:24 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-02-05 22:08 . 2009-10-12 01:24 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-02-05 22:08 . 2009-10-12 01:22 -------- d-----w- c:\program files\SpywareBlaster
2010-02-04 02:16 . 2010-01-06 02:03 -------- d-----w- c:\program files\PeerBlock
2010-01-31 21:24 . 2009-10-11 18:12 79000 ----a-w- c:\documents and settings\user\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-01-27 12:30 . 2009-10-11 19:21 -------- d-----w- c:\program files\Common Files\Java
2010-01-27 12:29 . 2009-10-11 19:21 -------- d-----w- c:\program files\Java
2010-01-25 00:36 . 2009-11-15 02:32 -------- d-----w- c:\documents and settings\All Users\Application Data\DVD Shrink
2010-01-24 23:46 . 2009-11-08 00:37 -------- d-----w- c:\documents and settings\user\Application Data\AVI ReComp
2010-01-24 21:15 . 2009-11-08 00:36 -------- d-----w- c:\program files\AVI ReComp
2010-01-17 18:36 . 2010-01-06 02:34 -------- d-----w- c:\program files\K-Lite Codec Pack
2010-01-14 09:08 . 2009-10-14 19:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-01-06 02:35 . 2010-01-06 02:28 -------- d-----w- c:\program files\CCleaner
2010-01-06 02:09 . 2009-10-12 01:17 -------- d-----w- c:\program files\PeerGuardian2
2009-12-27 21:40 . 2009-11-12 02:45 -------- d-----w- c:\documents and settings\user\Application Data\dvdcss
2009-12-27 21:24 . 2009-12-27 20:37 -------- d-----w- c:\program files\CDRWIN 6
2009-12-27 20:37 . 2009-12-27 20:37 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2009-12-25 19:01 . 2009-12-25 19:01 152576 ----a-w- c:\documents and settings\user\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2009-12-25 19:00 . 2009-12-25 19:00 79488 ----a-w- c:\documents and settings\user\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2009-12-22 05:21 . 2006-03-04 03:33 667136 ----a-w- c:\windows\system32\wininet.dll
2009-12-22 05:20 . 2004-08-10 11:00 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-12-21 00:22 . 2009-12-20 23:38 256 ----a-w- c:\windows\system32\pool.bin
2009-12-20 23:38 . 2009-12-20 23:38 -------- d-----w- c:\documents and settings\user\Application Data\Research In Motion
2009-12-20 23:38 . 2009-12-20 23:38 53248 ----a-r- c:\documents and settings\user\Application Data\Microsoft\Installer\{5A447CFB-B64E-4D3C-9744-2EA44EFB8F97}\ARPPRODUCTICON.exe
2009-12-20 23:38 . 2009-12-20 23:38 -------- d-----w- c:\program files\Common Files\Research In Motion
2009-12-19 23:41 . 2009-12-19 23:41 -------- d-----w- c:\program files\MWSnap
2009-12-17 23:14 . 2009-12-25 19:09 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-12-11 09:18 . 2009-10-12 02:47 -------- d-----w- c:\program files\McAfee
2009-11-21 15:51 . 2004-08-10 11:00 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"PeerBlock"="c:\program files\PeerBlock\peerblock.exe" [2009-09-28 1524824]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-09-13 139264]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"="c:\program files\Google\Gmail Notifier\gnotify.exe" [2005-07-15 479232]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2006-03-10 35328]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 761947]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-01-11 246504]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 282624]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-09-05 417792]
"nwiz"="nwiz.exe" [2006-03-22 1519616]
"NVHotkey"="nvHotkey.dll" [2006-03-22 73728]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-03-22 7557120]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
"MediaFace Integration"="c:\program files\Fellowes\MediaFACE 4.0\SetHook.exe" [2003-08-18 53248]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-21 305440]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2006-06-29 1032192]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2006-11-01 1392640]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]
"Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2008-06-12 37232]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2008-06-12 640376]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bitmeter2.lnk - c:\program files\Codebox\BitMeter\BitMeter2.exe [2007-4-9 1392640]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UserFaultCheck]
c:\windows\system32\dumprep 0 -u [X]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

R3 pbfilter;pbfilter;c:\program files\PeerBlock\pbfilter.sys [1/5/2010 8:03 PM 14424]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - PBFILTER

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2010-01-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-10-12 17:22]

2010-02-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-10-12 17:22]
.
.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = hxxp://www.dell.com/openmanage
uInternet Settings,ProxyOverride = *.local
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert link target to existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: Download with GetRight Pro - c:\program files\GetRight\GRdownload.htm
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: Open with GetRight Pro Browser - c:\program files\GetRight\GRbrowse.htm
FF - ProfilePath - c:\documents and settings\user\Application Data\Mozilla\Firefox\Profiles\lfaz3ahz.default\
FF - prefs.js: browser.search.selectedEngine - Wikipedia (en)
FF - prefs.js: browser.startup.homepage - hxxp://my.yahoo.com/
FF - plugin: c:\documents and settings\Shaun Callahan\Application Data\Move Networks\plugins\npqmp071701000002.dll
FF - plugin: c:\documents and settings\Shaun Callahan\Application Data\Mozilla\Firefox\Profiles\lfaz3ahz.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
FF - plugin: c:\program files\Final Codecs\MozillaPlugins\nppl3260.dll
FF - plugin: c:\program files\Final Codecs\MozillaPlugins\nprjplug.dll
FF - plugin: c:\program files\Final Codecs\MozillaPlugins\nprpjplug.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.
- - - - ORPHANS REMOVED - - - -

AddRemove-HijackThis - D:\HijackThis.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-07 07:46
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2960)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\WLTRYSVC.EXE
c:\windows\System32\bcmwltry.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\progra~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\progra~1\McAfee\VIRUSS~1\mcshield.exe
c:\program files\McAfee\MPF\MPFSrv.exe
c:\program files\Dell\QuickSet\NICCONFIGSVC.exe
c:\windows\system32\nvsvc32.exe
c:\windows\ehome\mcrdsvc.exe
c:\progra~1\mcafee.com\agent\mcagent.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\wscntfy.exe
c:\windows\stsystra.exe
c:\windows\system32\rundll32.exe
c:\windows\eHome\ehmsas.exe
c:\program files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2010-02-07 07:52:20 - machine was rebooted
ComboFix-quarantined-files.txt 2010-02-07 13:52

Pre-Run: 58,265,776,128 bytes free
Post-Run: 58,161,315,840 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

- - End Of File - - 4AD856F8C2BFEEF7780F76783F9806D0


Thank you!

#4 fenzodahl512

  • Members
  • 6,738 posts

Posted 08 February 2010 - 06:41 AM

Please run a free online scan with the ESET Online Scanner
Note: You will need to use Internet Explorer for this scan.
  1. Tick the box next to YES, I accept the Terms of Use.
  2. Click Start
  3. When asked, allow the ActiveX control to install
  4. Click Start
  5. Make sure that the options Remove found threats and Scan unwanted applications are both checked
  6. Click Scan
    Wait for the scan to finish
  7. Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  8. Copy and paste that log as a reply to this topic

How's the computer now?


Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#5 ClemsonTiger519

  • Topic Starter
  • Members
  • 4 posts

Posted 08 February 2010 - 07:41 PM

Here is the ESET log. It said it did not find any threats.

In answer to your question in your previous post, the computer is running MUCH smoother. No problems since you helped me! Thank you!!

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=6.00.2900.5512 (xpsp.080413-2105)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=1b2ac539b2358445bd2ed6d72b8a8543
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-02-09 12:33:23
# local_time=2010-02-08 06:33:23 (-0600, Central Standard Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=5121 16776869 100 96 4245247 17672590 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=63937
# found=0
# cleaned=0
# scan_time=8138

#6 fenzodahl512

  • Members
  • 6,738 posts

Posted 09 February 2010 - 07:07 AM

Looks good to me.. Let's do some cleanup...


Please download OTC and save it to Desktop.
  • Make sure you have internet connection..
  • Double-click OTC
  • Click the CleanUp! button.
  • Select Yes when the "Begin cleanup Process?" prompt appears.
  • If you are prompted to Reboot during the cleanup, select Yes



Please read these excellent articles written by my friends:
Preventing Malware and Safe Computing by Rorschach112
What makes your machine slow? by Artellos


Also, please read these excellent articles by miekiemoes :
Help! My computer is slow!
How to prevent Malware


Read this great info about safe internet surfing..

http://www.pcpitstop.com/spycheck/safesurfing.asp
http://bluefive.pair.com/practice_safe_surfing.htm




Please reply to this thread once more and tell us about the computer behaviour before we can close this thread



Have a safe and happy computing day!


Regards
fenzodahl512



#7 ClemsonTiger519

  • Topic Starter
  • Members
  • 4 posts

Posted 12 February 2010 - 05:07 PM

Thank you. I cleaned up and everything looks good. I will check out those articles. Thank you so much once again!



