
z00clicker.dll infection.. maybe others too.


  • This topic is locked
14 replies to this topic

#1 MysticDragon

MysticDragon

  • Members
  • 20 posts
  • Gender:Female

Posted 24 February 2010 - 01:23 AM

To start off I just want to say please help someone with more desperate problems before helping me. I understand that there are A LOT of people requesting help on here and my problem is minor and more annoying than destructive.

Now, to begin, I do a monthly scan with AVG Internet Security and regularly update it but I also download some programs from some "questionable" websites. About two weeks ago I DL'd a video file (*.avi) and upon opening after scanning it the file redirected me to a website that I'm pretty sure started all these issues, namely www.w3player.com. I closed the web browser as soon as I realized what it did (within about a minute or less) but I think it was too late. So, being the ever nosy person I downloaded SuperAntiSpyware and MBAM and ran both. MBAM found 7 infected files which it removed successfully. One of these files was "DNSChanger" or some variation, I have the log with the results if needed. I then noticed over the next few days that my google search results pages were still being redirected to various other search engines whose URLs I don't remember offhand. I checked the properties of my TCP/IP protocols through the network settings window and noticed that the DNS setting had been changed to 93.188.162.206 and 93.188.166.59. I changed that setting back to "automatically detect..." and thought the problem was solved, however, it still exists. I then searched this website for "google redirect" and found quite a few posts on the topic. That led me to run a couple of programs, one of which was GooredFix and the other was RootRepeal. The last one found the file referenced in the topic title and hence my post here. I cannot find z00clicker.dll when I do a search through the start menu and I don't know how to find it as none of the scanning programs I have run find any problems. As reference I have run MBAM numerous times, AdAware Free edition, SAS both in "normal" boot mode and "safe mode", I also ran ESET OnlineScan and it also came up with no infections.

Below I have included the logs requested in the "Preparation Guide". I can attach or copy/paste any of the other logs that I mentioned in my post as well if needed.

Thanks to whomever replies for any and all help offered! :D


DDS (Ver_09-12-01.01) - NTFSx86
Run by Cheryl at 0:03:31.70 on Wed 02/24/2010
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.446.63 [GMT -5:00]

AV: AVG Internet Security *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: AVG Firewall *enabled* {8decf618-9569-4340-b34a-d78d28969b66}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVG\AVG8\IdentityProtection\agent\Bin\AVGIDSAgent.exe
C:\WINDOWS\system32\acs.exe
C:\WINDOWS\System32\aniServ.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\PROGRA~1\AVG\AVG8\avgfws8.exe
C:\Program Files\AVG\AVG8\IdentityProtection\agent\Bin\AVGIDSWatcher.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\PROGRA~1\AVG\AVG8\avgam.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\Program Files\TuneUp Utilities 2010\TuneUpUtilitiesService32.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\AVG\AVG8\avgcsrvx.exe
C:\Program Files\TuneUp Utilities 2010\TuneUpUtilitiesApp32.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Toshiba\Windows Utilities\Hotkey.exe
C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\AVG\AVG8\IdentityProtection\agent\bin\AVGIDSUI.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\SetPoint\KEM.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Logitech\SetPoint\KHALMNPR.EXE
C:\Program Files\AVG\AVG8\IdentityProtection\agent\bin\AVGIDSMonitor.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Outlook Express\msimn.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Cheryl\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.dejazzd.com/my_jazzd/
uSearch Bar = hxxp://www.google.com/ie
uSearch Page = hxxp://www.google.com
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uWindow Title = By D&E Jazzd
mWindow Title = By D&E Jazzd
uInternet Settings,ProxyOverride = localhost
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
uURLSearchHooks: H - No File
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 5.0\reader\activex\AcroIEHelper.ocx
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
TB: {BA52B914-B692-46c4-B683-905236F6F655} - No File
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [LDM] c:\program files\logitech\desktop messenger\8876480\program\BackWeb-8876480.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [Toshiba Hotkey Utility] "c:\program files\toshiba\windows utilities\Hotkey.exe" /lang en
mRun: [PadTouch] c:\program files\toshiba\touch and launch\PadExe.exe
mRun: [SmoothView] c:\program files\toshiba\toshiba zooming utility\SmoothView.exe
mRun: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
mRun: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [AVGIDS] "c:\program files\avg\avg8\identityprotection\agent\bin\AVGIDSUI.exe"
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\kodake~1.lnk - c:\program files\kodak\kodak easyshare software\bin\EasyShare.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~2.lnk - c:\program files\logitech\desktop messenger\8876480\program\LDMConf.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\KEM.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ramasst.lnk - c:\windows\system32\RAMASST.exe
mPolicies-system: EnableLUA = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_02\bin\npjpi150_02.dll
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
Handler: intu-help-qb2 - {84D77A00-41B5-4b8b-8ADF-86486D72E749} - c:\program files\intuit\quickbooks 2009\HelpAsyncPluggableProtocol.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Handler: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - c:\windows\system32\mscoree.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\cheryl\applic~1\mozilla\firefox\profiles\3c5ge7w1.default\
FF - prefs.js: browser.startup.homepage - hxxp://my.earthlink.net/
FF - prefs.js: keyword.URL - hxxp://us.yhs.search.yahoo.com/avg/search?fr=yhs-avg&type=yahoo_avg_hs2-tb-web_us&p=
FF - prefs.js: network.proxy.type - 1
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - component: c:\program files\avg\avg8\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\avg\avg8\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\avg\avg8\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\avg\avg8\toolbar\firefox\avg@igeared\components\xpavgtbapi.dll
FF - plugin: c:\program files\java\jre1.5.0_02\bin\NPJava11.dll
FF - plugin: c:\program files\java\jre1.5.0_02\bin\NPJava12.dll
FF - plugin: c:\program files\java\jre1.5.0_02\bin\NPJava13.dll
FF - plugin: c:\program files\java\jre1.5.0_02\bin\NPJava14.dll
FF - plugin: c:\program files\java\jre1.5.0_02\bin\NPJava32.dll
FF - plugin: c:\program files\java\jre1.5.0_02\bin\NPJPI150_02.dll
FF - plugin: c:\program files\java\jre1.5.0_02\bin\NPOJI610.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: nglayout.initialpaint.delay - 600
FF - user.js: content.notify.interval - 600000
FF - user.js: content.max.tokenizing.time - 1800000
FF - user.js: content.switch.threshold - 600000
FF - user.js: browser.blink_allowed - false
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R0 AVGIDSErHr;AVGIDSErHr;c:\windows\system32\drivers\AVGIDSErHr.sys [2009-7-22 25608]
R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [2010-2-5 12552]
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-2-7 64288]
R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2010-2-5 335240]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2010-2-5 27784]
R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2010-2-5 108552]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-1-5 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-1-5 74480]
R3 Avgfwdx;Avgfwdx;c:\windows\system32\drivers\avgfwdx.sys [2010-2-5 29208]
R3 AVGIDSDriver;AVGIDSDriver;c:\program files\avg\avg8\identityprotection\agent\driver\platform_xp\AVGIDSDriver.sys [2009-7-22 121352]
R3 AVGIDSFilter;AVGIDSFilter;c:\program files\avg\avg8\identityprotection\agent\driver\platform_xp\AVGIDSFilter.sys [2009-7-22 30216]
R3 AVGIDSShim;AVGIDSShim;c:\program files\avg\avg8\identityprotection\agent\driver\platform_xp\AVGIDSShim.sys [2009-7-22 27232]
R3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [2005-3-31 211200]
R3 TuneUpUtilitiesDrv;TuneUpUtilitiesDrv;c:\program files\tuneup utilities 2010\TuneUpUtilitiesDriver32.sys [2009-10-14 10064]
R3 VBus;Virtual Bus;c:\windows\system32\drivers\NkVBus.sys [2005-6-17 17664]
S3 Avgfwfd;AVG network filter service;c:\windows\system32\drivers\avgfwdx.sys [2010-2-5 29208]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2010-1-5 7408]

=============== Created Last 30 ================

2010-02-24 04:54:13 0 ----a-w- c:\documents and settings\cheryl\defogger_reenable
2010-02-24 02:22:11 0 d-----w- c:\program files\ESET
2010-02-22 21:22:30 0 d-----w- c:\docume~1\cheryl\applic~1\Skinux
2010-02-22 21:07:42 0 d-----w- c:\program files\common files\Kodak
2010-02-22 21:01:23 62976 -c----w- c:\windows\system32\dllcache\cdrom.sys
2010-02-22 21:01:22 465920 -c----w- c:\windows\system32\dllcache\imapi2fs.dll
2010-02-22 21:01:22 465920 ------w- c:\windows\system32\imapi2fs.dll
2010-02-22 21:01:22 317952 -c----w- c:\windows\system32\dllcache\imapi2.dll
2010-02-22 21:01:22 317952 ------w- c:\windows\system32\imapi2.dll
2010-02-22 21:01:06 0 d-----w- C:\479bde93127607378803098de361ce0f
2010-02-22 21:00:58 0 d-----w- c:\program files\Kodak
2010-02-22 20:49:11 0 d-----w- c:\docume~1\alluse~1\applic~1\Kodak
2010-02-19 22:35:47 30024 ----a-w- c:\windows\system32\uxtuneup.dll
2010-02-19 22:24:38 30536 ----a-w- c:\windows\system32\TURegOpt.exe
2010-02-19 22:22:39 0 d-----w- c:\docume~1\cheryl\applic~1\TuneUp Software
2010-02-19 22:22:07 0 d-----w- c:\program files\TuneUp Utilities 2010
2010-02-19 22:19:47 0 d-----w- c:\docume~1\alluse~1\applic~1\TuneUp Software
2010-02-19 22:18:36 0 d-sh--w- c:\docume~1\alluse~1\applic~1\{D3742F82-1C1A-4DCC-ABBD-0E7C3C0185CC}
2010-02-19 19:42:54 0 d-----w- c:\docume~1\cheryl\applic~1\Malwarebytes
2010-02-19 19:42:43 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-19 19:42:41 0 d-----w- c:\program files\MALWAREBYTES ANTI-MALWARE
2010-02-19 19:42:41 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-02-19 19:42:40 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-19 19:42:40 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-12 21:24:55 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-02-12 21:23:23 0 d-----w- c:\program files\SUPERAntiSpyware
2010-02-12 21:23:23 0 d-----w- c:\docume~1\cheryl\applic~1\SUPERAntiSpyware.com
2010-02-12 21:21:01 0 d-----w- c:\program files\common files\Wise Installation Wizard
2010-02-07 07:36:12 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-02-07 05:15:03 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-02-07 05:09:21 0 dc-h--w- c:\docume~1\alluse~1\applic~1\{BC9FCCF7-E686-494B-8C9B-55C9A39A7CA9}
2010-02-07 05:07:39 0 d-----w- c:\program files\Lavasoft
2010-02-06 02:22:54 0 d-----w- c:\docume~1\cheryl\applic~1\AVG8
2010-02-06 00:35:42 0 d--h--w- C:\$AVG8.VAULT$
2010-02-05 23:22:02 0 d-----w- c:\docume~1\alluse~1\applic~1\Downloaded Installations
2010-02-05 23:20:32 12552 ----a-w- c:\windows\system32\drivers\avgrkx86.sys
2010-02-05 23:20:32 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2010-02-05 23:20:30 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-02-05 23:20:22 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-02-05 23:20:06 0 d-----w- c:\windows\system32\drivers\Avg
2010-02-05 23:19:58 0 d-----w- c:\docume~1\alluse~1\applic~1\AVG Security Toolbar
2010-02-05 23:17:24 50968 ----a-w- c:\windows\system32\avgfwdx.dll
2010-02-05 23:17:24 29208 ----a-w- c:\windows\system32\drivers\avgfwdx.sys
2010-02-05 23:17:24 0 d-----w- c:\program files\AVG
2010-02-05 23:17:23 0 d-----w- c:\docume~1\alluse~1\applic~1\avg8
2010-01-30 20:57:40 47 ----a-w- c:\windows\NeroDigital.ini
2010-01-28 07:41:11 819200 ----a-w- c:\windows\system32\xvidcore.dll
2010-01-28 07:41:11 77824 ----a-w- c:\windows\system32\xvid.ax
2010-01-28 07:41:11 180224 ----a-w- c:\windows\system32\xvidvfw.dll
2010-01-28 07:41:10 0 d-----w- c:\program files\Xvid
2010-01-28 07:26:05 0 d-----w- c:\program files\IrfanView
2010-01-28 06:58:43 0 d-----w- c:\program files\Windows Media Connect 2
2010-01-28 06:55:55 0 d-----w- c:\windows\system32\LogFiles

==================== Find3M ====================

2010-01-06 02:01:07 81920 ------r- c:\windows\bwUnin-6.1.4.68-8876480L.exe
2010-01-05 10:00:29 832512 ----a-w- c:\windows\system32\wininet.dll
2010-01-05 10:00:21 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-01-05 10:00:20 17408 ----a-w- c:\windows\system32\corpol.dll
2009-02-28 23:47:56 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009022820090301\index.dat

============= FINISH: 0:06:55.96 ===============

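The two checks the poster did by hand above (reading which DNS servers the TCP/IP settings actually point to, and scanning a DDS log for autostart and browser-helper entries that don't belong) are the kind of thing a helper would script so they are repeatable. The following is an added example written for this page; it is not code from the original post, from DDS or from ComboFix. It parses a constructed `ipconfig /all` excerpt that reproduces the two resolver addresses from the post and flags any resolver that is neither in an expected set nor on a private network, then classifies constructed DDS "Pseudo HJT Report" lines copied from the log above. Assumptions: the expected resolver 192.168.1.1 and the host address 192.168.1.104 are made up for the example, and the `uRun: [Example]` line is a constructed entry pointing at the Temp-folder DLL that ComboFix later listed under "Other Deletions" (DDS did not report such a Run entry on this machine).

```python
"""Added example (not from the post or from DDS/ComboFix): scripted versions of
two manual checks from the thread above.  All sample input is constructed
inline from the post's own log lines; nothing touches a live system."""
import ipaddress
import re

# Resolvers the owner expects to see.  Assumption for the example: a typical
# home-router address; real deployments would list their ISP or internal DNS.
EXPECTED_RESOLVERS = {"192.168.1.1"}

# Constructed 'ipconfig /all' excerpt reproducing the two static resolvers the
# poster found in her TCP/IP properties.
SAMPLE_IPCONFIG = """\
Ethernet adapter Wireless Network Connection:
        Dhcp Enabled. . . . . . . . . . . : Yes
        IP Address. . . . . . . . . . . . : 192.168.1.104
        Default Gateway . . . . . . . . . : 192.168.1.1
        DNS Servers . . . . . . . . . . . : 93.188.162.206
                                            93.188.166.59
"""

def dns_servers_from_ipconfig(text):
    """Collect every DNS server address in 'ipconfig /all' output.  The first
    address follows the 'DNS Servers' label; further resolvers appear on
    continuation lines that hold only an address."""
    servers, in_dns = [], False
    for line in text.splitlines():
        m = re.match(r"\s*DNS Servers[ .]*:\s*(\S+)?", line)
        if m:
            in_dns = True
            if m.group(1):
                servers.append(m.group(1))
            continue
        if in_dns:
            m = re.match(r"\s*(\d{1,3}(?:\.\d{1,3}){3})\s*$", line)
            if m:
                servers.append(m.group(1))
                continue
            in_dns = False
    return servers

def unexpected_resolvers(text, expected=EXPECTED_RESOLVERS):
    """Resolvers that are neither expected nor on a private network.  A static
    public resolver the owner never configured is the DNSChanger footprint the
    poster describes (search results redirected, scanners reporting clean)."""
    return [s for s in dns_servers_from_ipconfig(text)
            if s not in expected and not ipaddress.ip_address(s).is_private]

# Constructed DDS-style excerpt: lines copied from the post's "Pseudo HJT
# Report", plus one constructed uRun entry (the [Example] line) pointing at the
# Temp-folder DLL that ComboFix later listed under "Other Deletions".
SAMPLE_DDS = r"""
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
uURLSearchHooks: H - No File
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
TB: {BA52B914-B692-46c4-B683-905236F6F655} - No File
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
uRun: [Example] c:\docume~1\cheryl\locals~1\temp\IadHide4.dll
"""

ORPHAN = "orphaned entry: registry points at a file that no longer exists"
TEMP_LOCATION = "component loaded from a temp or recycler location"
BARE_NAME = "Run entry with a bare filename, resolved through the search path"

# Locations where legitimate autostart components practically never live.
TEMP_MARKERS = ("\\temp\\", "\\recycler\\", "\\local settings\\temp\\")
ENTRY_RE = re.compile(
    r"^(?P<kind>[um]?(?:Run|URLSearchHooks)|BHO|TB|EB|SSODL|SEH|Notify):\s*(?P<rest>.*)$")

def triage_dds(text):
    """Return (reason, line) pairs for DDS 'Pseudo HJT Report' entries that
    deserve a second look.  Everything else is silently accepted."""
    findings = []
    for line in text.strip().splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue
        kind, rest = m.group("kind"), m.group("rest")
        # BHO/TB/hook lines end in ' - <path>' or ' - No File'; Run lines are a
        # '[name] command line' and carry no such separator.
        target = rest.rsplit(" - ", 1)[-1]
        low = target.lower()
        if low.endswith("no file"):
            findings.append((ORPHAN, line))
        elif any(marker in low for marker in TEMP_MARKERS):
            findings.append((TEMP_LOCATION, line))
        elif kind.endswith("Run"):
            command = re.sub(r"^\[[^\]]*\]\s*", "", rest).split()
            exe = command[0].strip('"') if command else ""
            if "\\" not in exe and "%" not in exe:
                findings.append((BARE_NAME, line))
    return findings

if __name__ == "__main__":
    for server in unexpected_resolvers(SAMPLE_IPCONFIG):
        print("unexpected DNS resolver:", server)
    for reason, line in triage_dds(SAMPLE_DDS):
        print(f"{reason}\n    {line}")
```

The output is a worklist, not a verdict: orphaned "No File" entries are routinely left behind by uninstalled toolbars, and a bare-filename Run entry such as KHALMNPR.EXE is often a vendor's own (it resolves through the App Paths registry key or the PATH). What makes the DNS check decisive on this machine is the combination the poster reports: static public resolvers she never set, on an adapter that should be DHCP-assigned, surviving a scan that found nothing else.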
#2 MysticDragon

MysticDragon
  • Topic Starter

  • Members
  • 20 posts
  • Gender:Female

Posted 25 February 2010 - 09:44 PM

This is not a "bump".... I just have another question.

I noticed that in the ark.txt file there was a reference to atapi.sys having a "suspicious modification". Is this another rootkit or is this associated with my original problem?

#3 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,719 posts
  • Gender:Male
  • Location:The Netherlands

Posted 26 February 2010 - 12:09 PM

Hi MysticDragon,

Welcome to Virus/Trojan/Spyware/Malware Removal (VTSMR) forum. I am going to assist you with your problem.

Please refrain from making any changes to your system (scanning or running other tools, updating Windows, installing applications, removing files, etc.) from now on as it might interfere with our fixes. Please let me know in your next reply if you agree with this.

To answer your question about atapi.sys I think it is the rootkit and related to your original problem.
  1. Disable AVG Resident Shield:
    • Double click AVG system tray icon to open AVG.
    • In Overview section double click Resident Shield.
    • Uncheck Resident Shield Active.
    • Press Save Changes.

      Note: It is important to activate the resident shield immediately after ComboFix produced its log.
  2. Download ComboFix from one of these locations:

    Link 1
    Link 2
    Link 3

    * IMPORTANT !!! Save ComboFix.exe to your Desktop
    • Disable your AntiVirus and AntiSpyware applications. They may otherwise interfere with our tools. (Information on A/V control HERE)
    • Double click on ComboFix.exe & follow the prompts.
    • You will get a warning about the untrusted download sites for ComboFix, click Yes.
    • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

    Click on Yes, to continue scanning for malware.

    When finished, it shall produce a log for you. Please copy and paste the C:\ComboFix.txt in your next reply.

Edited by farbar, 27 February 2010 - 06:06 AM.


#4 MysticDragon

MysticDragon
  • Topic Starter

  • Members
  • 20 posts
  • Gender:Female

Posted 26 February 2010 - 09:19 PM

I appreciate your quick response to my post and your willingness to help all of us. I have enclosed the ComboFix log that you requested and I look forward to your next reply. As I said in my original post I have run a few other programs previously so I hope they don't interfere with whatever needs to be done to help me with my problem. I won't make any changes from now on unless you specifically request me to do so.

I do have to say as well that this laptop was given to me as a gift by someone who owned and used it before I got it. Therefore I don't have any discs needed if I have to format and re-install everything from scratch. I had to do that with my desktop computer as I got a backdoor virus and wasn't able to clean it completely.

Thanks once again for your help!



ComboFix 10-02-25.02 - Cheryl 02/25/2010 22:39:20.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.446.217 [GMT -5:00]
Running from: c:\documents and settings\Cheryl\Desktop\ComboFix.exe
AV: AVG Internet Security *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: AVG Firewall *disabled* {8decf618-9569-4340-b34a-d78d28969b66}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\Cheryl\LOCALS~1\Temp\IadHide4.dll
c:\documents and settings\Cheryl\Local Settings\Temp\IadHide4.dll
c:\recycler\S-1-5-21-4248637238-1128673168-1010321132-1003
c:\windows\srchasst\nls302en.lex
c:\windows\system32\Thumbs.db

.
((((((((((((((((((((((((( Files Created from 2010-01-26 to 2010-02-26 )))))))))))))))))))))))))))))))
.

2010-02-25 04:28 . 2010-02-25 04:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Yahoo!
2010-02-24 22:00 . 2009-06-30 14:37 28552 ----a-w- c:\windows\system32\drivers\pavboot.sys
2010-02-24 21:58 . 2010-02-24 21:58 -------- d-----w- c:\program files\Panda Security
2010-02-24 21:20 . 2010-02-24 21:20 161296 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2010-02-24 21:20 . 2010-02-24 21:20 -------- d-----w- c:\documents and settings\Cheryl\log
2010-02-22 21:28 . 2010-02-22 21:28 -------- d-----w- c:\documents and settings\Cheryl\Local Settings\Application Data\KodakGallery
2010-02-22 21:22 . 2010-02-22 21:22 -------- d-----w- c:\documents and settings\Cheryl\Application Data\Skinux
2010-02-22 21:07 . 2010-02-22 21:11 -------- d-----w- c:\program files\Common Files\Kodak
2010-02-22 21:01 . 2008-05-02 10:49 62976 -c----w- c:\windows\system32\dllcache\cdrom.sys
2010-02-22 21:01 . 2008-05-02 13:25 465920 -c----w- c:\windows\system32\dllcache\imapi2fs.dll
2010-02-22 21:01 . 2008-05-02 13:25 465920 ------w- c:\windows\system32\imapi2fs.dll
2010-02-22 21:01 . 2008-05-02 13:25 317952 -c----w- c:\windows\system32\dllcache\imapi2.dll
2010-02-22 21:01 . 2008-05-02 13:25 317952 ------w- c:\windows\system32\imapi2.dll
2010-02-22 21:01 . 2010-02-22 21:01 -------- d-----w- C:\479bde93127607378803098de361ce0f
2010-02-22 21:00 . 2010-02-22 21:03 -------- d-----w- c:\program files\Kodak
2010-02-22 20:49 . 2010-02-22 21:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Kodak
2010-02-19 22:35 . 2010-02-02 11:18 30024 ----a-w- c:\windows\system32\uxtuneup.dll
2010-02-19 22:24 . 2010-02-02 11:24 30536 ----a-w- c:\windows\system32\TURegOpt.exe
2010-02-19 22:22 . 2010-02-19 22:22 -------- d-----w- c:\documents and settings\Cheryl\Application Data\TuneUp Software
2010-02-19 22:22 . 2010-02-19 22:36 -------- d-----w- c:\program files\TuneUp Utilities 2010
2010-02-19 22:19 . 2010-02-19 22:22 -------- d-----w- c:\documents and settings\All Users\Application Data\TuneUp Software
2010-02-19 22:18 . 2010-02-19 22:18 -------- d-sh--w- c:\documents and settings\All Users\Application Data\{D3742F82-1C1A-4DCC-ABBD-0E7C3C0185CC}
2010-02-19 19:42 . 2010-02-19 19:42 -------- d-----w- c:\documents and settings\Cheryl\Application Data\Malwarebytes
2010-02-19 19:42 . 2010-01-07 21:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-19 19:42 . 2010-02-19 19:42 -------- d-----w- c:\program files\MALWAREBYTES ANTI-MALWARE
2010-02-19 19:42 . 2010-02-19 19:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-02-19 19:42 . 2010-02-19 19:42 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-19 19:42 . 2010-01-07 21:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-12 21:24 . 2010-02-12 21:24 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-02-12 21:23 . 2010-02-12 21:23 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-02-12 21:23 . 2010-02-12 21:23 -------- d-----w- c:\documents and settings\Cheryl\Application Data\SUPERAntiSpyware.com
2010-02-12 21:21 . 2010-02-12 21:21 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-02-07 07:36 . 2010-02-07 05:13 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-02-07 05:15 . 2009-12-02 13:19 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-02-07 05:14 . 2010-02-07 05:14 -------- dc----w- c:\windows\system32\DRVSTORE
2010-02-07 05:09 . 2010-02-07 05:09 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{BC9FCCF7-E686-494B-8C9B-55C9A39A7CA9}
2010-02-07 05:07 . 2010-02-07 05:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-02-07 05:07 . 2010-02-07 05:07 -------- d-----w- c:\program files\Lavasoft
2010-02-06 02:22 . 2010-02-06 02:22 -------- d-----w- c:\documents and settings\Cheryl\Application Data\AVG8
2010-02-06 01:01 . 2010-02-06 01:01 -------- d-----w- c:\documents and settings\Cheryl\Local Settings\Application Data\AVG Security Toolbar
2010-02-06 00:35 . 2010-02-20 02:09 -------- d-----w- C:\$AVG8.VAULT$
2010-02-05 23:22 . 2010-02-05 23:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Downloaded Installations
2010-02-05 23:20 . 2010-02-05 23:20 12552 ----a-w- c:\windows\system32\drivers\avgrkx86.sys
2010-02-05 23:20 . 2010-02-05 23:20 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2010-02-05 23:20 . 2010-02-05 23:20 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-02-05 23:20 . 2010-02-05 23:20 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-02-05 23:20 . 2010-02-05 23:20 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-02-05 23:20 . 2010-02-25 23:45 -------- d-----w- c:\windows\system32\drivers\Avg
2010-02-05 23:19 . 2010-02-20 03:51 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar
2010-02-05 23:17 . 2010-02-05 23:17 50968 ----a-w- c:\windows\system32\avgfwdx.dll
2010-02-05 23:17 . 2010-02-05 23:17 29208 ----a-w- c:\windows\system32\drivers\avgfwdx.sys
2010-02-05 23:17 . 2010-02-05 23:17 -------- d-----w- c:\program files\AVG
2010-02-05 23:17 . 2010-02-05 23:17 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2010-01-28 07:41 . 2009-06-07 21:24 180224 ----a-w- c:\windows\system32\xvidvfw.dll
2010-01-28 07:41 . 2009-06-07 21:16 819200 ----a-w- c:\windows\system32\xvidcore.dll
2010-01-28 07:41 . 2010-01-28 07:41 -------- d-----w- c:\program files\Xvid
2010-01-28 07:26 . 2010-02-06 00:07 -------- d-----w- c:\program files\IrfanView
2010-01-28 07:21 . 2010-01-28 07:21 -------- d-----w- c:\documents and settings\Cheryl\Local Settings\Application Data\WMTools Downloaded Files
2010-01-28 07:12 . 2010-01-28 07:12 -------- d-----w- c:\documents and settings\Cheryl\Application Data\InterVideo
2010-01-28 06:58 . 2010-01-28 06:58 -------- d-----w- c:\program files\Windows Media Connect 2
2010-01-28 06:55 . 2010-01-28 06:57 -------- d-----w- c:\windows\system32\drivers\UMDF
2010-01-28 06:55 . 2010-01-28 06:55 -------- d-----w- c:\windows\system32\LogFiles
2010-01-28 06:42 . 2010-01-28 06:42 -------- d-----w- c:\documents and settings\Cheryl\Application Data\Apple Computer
2010-01-28 06:35 . 2010-01-28 06:38 -------- d-----w- c:\program files\QuickTime
2010-01-28 06:35 . 2010-01-28 06:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2010-01-28 06:34 . 2010-01-28 06:34 -------- d-----w- c:\program files\Common Files\Apple
2010-01-28 06:33 . 2010-01-28 06:33 -------- d-----w- c:\documents and settings\Cheryl\Local Settings\Application Data\Apple
2010-01-28 06:33 . 2010-01-28 06:33 -------- d-----w- c:\program files\Apple Software Update
2010-01-28 06:33 . 2010-01-28 06:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2010-01-28 06:32 . 2010-01-28 06:32 -------- d-----w- c:\documents and settings\Cheryl\Local Settings\Application Data\Apple Computer

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-25 04:34 . 2009-03-01 00:10 -------- d-----w- c:\documents and settings\Cheryl\Application Data\Yahoo!
2010-02-25 04:27 . 2005-08-09 23:05 -------- d-----w- c:\program files\Yahoo!
2010-02-25 03:57 . 2005-12-25 00:49 -------- d-----w- c:\program files\Nikon
2010-02-22 20:59 . 2010-02-22 20:59 77824 ----a-w- c:\documents and settings\All Users\Application Data\Kodak\EasyShareSetup\ess\bindbins\bindbins.exe
2010-02-22 20:59 . 2010-02-22 20:59 225280 ----a-w- c:\documents and settings\All Users\Application Data\Kodak\EasyShareSetup\wtf\finish.exe
2010-02-22 20:52 . 2010-02-22 20:52 45056 ----a-w- c:\documents and settings\All Users\Application Data\Kodak\EasyShareSetup\sysfiles\kb945060\kb945060.exe
2010-02-22 20:51 . 2010-02-22 20:50 225280 ----a-w- c:\documents and settings\All Users\Application Data\Kodak\EasyShareSetup\wtf\start.exe
2010-02-22 20:50 . 2010-02-22 20:50 1187840 ----a-w- c:\documents and settings\All Users\Application Data\Kodak\EasyShareSetup\$SETUP_1e0001_46f807\EasyShrx.Dll
2010-02-22 20:49 . 2010-02-22 20:49 114688 ----a-w- c:\documents and settings\All Users\Application Data\Kodak\EasyShareSetup\$Registration\KodakCameraAPI_8.2.30.1.dll
2010-02-19 21:56 . 2009-02-22 00:40 -------- d-----w- c:\documents and settings\Cheryl\Application Data\Azureus
2010-02-18 01:04 . 2009-02-22 00:36 -------- d-----w- c:\program files\Vuze
2010-02-17 23:27 . 2009-02-16 21:24 36968 ----a-w- c:\documents and settings\Cheryl\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-02-13 02:43 . 2010-02-12 21:25 117760 ----a-w- c:\documents and settings\Cheryl\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-02-12 21:25 . 2010-02-12 21:25 52224 ----a-w- c:\documents and settings\Cheryl\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-02-11 03:02 . 2005-08-09 21:49 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-02-11 03:02 . 2005-12-25 00:46 -------- d-----w- c:\program files\Common Files\Nikon
2010-02-07 05:13 . 2010-02-07 05:13 862040 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\threatwork.exe
2010-02-07 05:13 . 2010-02-07 05:13 15880 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lsdelete.exe
2010-02-07 05:13 . 2010-02-07 05:13 206944 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavamessage.dll
2010-02-07 05:13 . 2010-02-07 05:13 390288 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavalicense.dll
2010-02-07 05:13 . 2010-02-07 05:13 537576 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\aawapi.dll
2010-02-07 05:13 . 2010-02-07 05:13 389784 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\UpdateManager.dll
2010-02-07 05:13 . 2010-02-07 05:13 163728 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\ShellExt.dll
2010-02-07 05:11 . 2010-02-07 05:11 6296864 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Resources.dll
2010-02-07 05:11 . 2010-02-07 05:11 327000 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\RPAPI.dll
2010-02-07 05:11 . 2010-02-07 05:11 87496 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\PrivacyClean.dll
2010-02-07 05:11 . 2010-02-07 05:11 933120 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\CEAPI.dll
2010-02-07 05:11 . 2010-02-07 05:11 3803208 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AutoLaunch.exe
2010-02-07 05:10 . 2010-02-07 05:10 816784 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareCommand.exe
2010-02-07 05:10 . 2010-02-07 05:10 823928 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-AwareAdmin.exe
2010-02-07 05:10 . 2010-02-07 05:10 1643272 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\Ad-Aware.exe
2010-02-07 05:10 . 2010-02-07 05:10 788880 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWTray.exe
2010-02-07 05:10 . 2010-02-07 05:10 1181328 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\AAWService.exe
2010-02-06 00:19 . 2009-02-25 01:01 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2010-02-06 00:18 . 2009-02-25 01:27 -------- d-----w- c:\program files\McAfee
2010-02-06 00:18 . 2009-02-25 01:26 -------- d-----w- c:\program files\Common Files\McAfee
2010-02-05 23:18 . 2010-02-06 00:25 730392 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgcfgex.exe
2010-02-05 23:18 . 2010-02-06 00:25 100120 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgdumpx.exe
2010-02-05 23:18 . 2010-02-06 00:25 515864 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgvvx.dll
2010-02-05 23:18 . 2010-02-06 00:25 1262368 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgwd.dll
2010-02-05 23:18 . 2010-02-06 00:25 681240 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgsrmx.dll
2010-02-05 23:18 . 2010-02-06 00:25 530712 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgsched.dll
2010-02-05 23:18 . 2010-02-06 00:25 341272 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgsrmax.exe
2010-02-05 23:18 . 2010-02-06 00:25 761624 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgscanx.exe
2010-02-05 23:18 . 2010-02-06 00:25 339736 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgscanx.dll
2010-02-05 23:18 . 2010-02-06 00:25 836888 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgcfgx.dll
2010-02-05 23:18 . 2010-02-06 00:25 310552 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avglngx.dll
2010-02-05 23:17 . 2010-02-06 00:25 1033496 ----a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\avgssff.dll
2010-02-04 20:39 . 2009-02-21 04:14 2413 ----a-w- c:\documents and settings\All Users\Application Data\Intuit\QuickBooks 2009\qbbackup.sys
2010-02-01 20:41 . 2010-02-22 20:49 2635152 ----a-w- c:\documents and settings\All Users\Application Data\Kodak\EasyShareSetup\$SETUP_1e0001_46f807\Setup.exe
2010-01-06 02:04 . 2010-01-06 02:04 -------- d-----w- c:\documents and settings\Cheryl\Application Data\Logitech
2010-01-06 02:01 . 2010-01-06 02:01 81920 ------r- c:\windows\bwUnin-6.1.4.68-8876480L.exe
2010-01-06 02:00 . 2010-01-06 01:57 -------- d-----w- c:\program files\Logitech
2010-01-06 01:57 . 2010-01-06 01:57 -------- d-----w- c:\program files\Common Files\Logitech
2010-01-05 10:00 . 2005-08-09 20:38 832512 ----a-w- c:\windows\system32\wininet.dll
2010-01-05 10:00 . 2005-08-09 20:37 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-01-05 10:00 . 2005-08-09 20:37 17408 ----a-w- c:\windows\system32\corpol.dll
2010-01-04 04:23 . 2010-01-04 04:23 -------- d-----w- c:\program files\MSXML 4.0
2009-12-31 16:50 . 2005-08-09 20:38 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-16 18:43 . 2005-08-09 21:15 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-14 07:08 . 2005-08-09 20:37 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-12-07 14:10 . 2010-02-07 05:09 2953352 -c--a-w- c:\documents and settings\All Users\Application Data\{BC9FCCF7-E686-494B-8C9B-55C9A39A7CA9}\Ad-AwareInstallation.exe
2009-12-04 18:22 . 2005-08-09 20:38 455424 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-11-25 18:02 1230080 ----a-w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2009-11-25 1230080]

[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LDM"="c:\program files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe" [2010-01-06 20480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2005-05-31 122941]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-06-29 344064]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-10-08 98394]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-10-08 688218]
"Toshiba Hotkey Utility"="c:\program files\Toshiba\Windows Utilities\Hotkey.exe" [2005-09-21 1093632]
"PadTouch"="c:\program files\TOSHIBA\Touch and Launch\PadExe.exe" [2004-09-07 1077301]
"SmoothView"="c:\program files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2005-04-26 122880]
"Pinger"="c:\toshiba\ivp\ism\pinger.exe" [2005-03-18 151552]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2004-10-21 29696]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2010-02-06 2043160]
"AVGIDS"="c:\program files\AVG\AVG8\IdentityProtection\agent\bin\AVGIDSUI.exe" [2009-07-22 1600008]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Logitech Desktop Messenger.lnk - c:\program files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe [2010-1-5 450560]
Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\KEM.exe [2010-1-5 581632]
RAMASST.lnk - c:\windows\system32\RAMASST.exe [2005-8-9 155648]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 19:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-02-05 23:20 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Notebook Maximizer"=c:\program files\Notebook Maximizer\maximizer_startup.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"=
"c:\\TOSHIBA\\Ivp\\ISM\\pinger.exe"= c:\\TOSHIBA\\IVP\\ISM\\pinger.exe
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Intuit\\QuickBooks 2009\\QBDBMgrN.exe"=
"c:\\Program Files\\Vuze\\Azureus.exe"=
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\backWeb-8876480.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgam.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgdiag.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgdiagex.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=

R3 Avgfwfd;AVG network filter service;c:\windows\system32\DRIVERS\avgfwdx.sys [2010-02-05 29208]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2010-01-05 7408]
R3 VBus;Virtual Bus;c:\windows\system32\DRIVERS\NkVBus.sys [2005-06-17 17664]
S0 AVGIDSErHr;AVGIDSErHr;c:\windows\System32\Drivers\AVGIDSErHr.sys [2009-07-22 25608]
S0 AvgRkx86;avgrkx86.sys;c:\windows\System32\Drivers\avgrkx86.sys [2010-02-05 12552]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [2009-12-02 64288]
S0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2009-06-30 28552]
S1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\System32\Drivers\avgldx86.sys [2010-02-05 335240]
S1 AvgTdiX;AVG8 Network Redirector;c:\windows\System32\Drivers\avgtdix.sys [2010-02-05 108552]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2010-01-05 9968]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.sys [2010-01-05 74480]
S2 ANISERVICE;Airgo Networks NIC Service;c:\windows\System32\aniServ.exe [2004-08-11 143360]
S2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [2010-02-05 908056]
S2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [2010-02-06 297752]
S2 avgfws8;AVG8 Firewall;c:\progra~1\AVG\AVG8\avgfws8.exe [2010-02-06 1370488]
S2 AVGIDSAgent;AVGIDSAgent;c:\program files\AVG\AVG8\IdentityProtection\agent\Bin\AVGIDSAgent.exe AVGIDSAgent [x]
S2 AVGIDSWatcher;AVGIDSWatcher;c:\program files\AVG\AVG8\IdentityProtection\agent\Bin\AVGIDSWatcher.exe [2009-07-22 571912]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2010-02-07 1181328]
S2 TuneUp.UtilitiesSvc;TuneUp Utilities Service;c:\program files\TuneUp Utilities 2010\TuneUpUtilitiesService32.exe [2010-02-02 1043784]
S3 Avgfwdx;Avgfwdx;c:\windows\system32\DRIVERS\avgfwdx.sys [2010-02-05 29208]
S3 AVGIDSDriver;AVGIDSDriver;c:\program files\AVG\AVG8\IdentityProtection\agent\driver\platform_XP\AVGIDSDriver.sys [2009-07-22 121352]
S3 AVGIDSFilter;AVGIDSFilter;c:\program files\AVG\AVG8\IdentityProtection\agent\driver\platform_XP\AVGIDSFilter.sys [2009-07-22 30216]
S3 AVGIDSShim;AVGIDSShim;c:\program files\AVG\AVG8\IdentityProtection\agent\driver\platform_XP\AVGIDSShim.sys [2009-07-22 27232]
S3 HSFHWATI;HSFHWATI;c:\windows\system32\DRIVERS\HSFHWATI.sys [2005-04-01 211200]
S3 TuneUpUtilitiesDrv;TuneUpUtilitiesDrv;c:\program files\TuneUp Utilities 2010\TuneUpUtilitiesDriver32.sys [2009-10-14 10064]


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp
.
Contents of the 'Scheduled Tasks' folder

2010-02-26 c:\windows\Tasks\Ad-Aware Update (Daily 1).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-12-02 05:10]

2010-02-26 c:\windows\Tasks\Ad-Aware Update (Daily 2).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-12-02 05:10]

2010-02-26 c:\windows\Tasks\Ad-Aware Update (Daily 3).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-12-02 05:10]

2010-02-26 c:\windows\Tasks\Ad-Aware Update (Daily 4).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-12-02 05:10]

2010-02-26 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-12-02 05:10]

2010-01-28 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2010-02-22 c:\windows\Tasks\Automatic maintenance.job
- c:\program files\TuneUp Utilities 2010\OneClickStarter.exe [2010-02-02 11:28]

2010-02-26 c:\windows\Tasks\Automatic troubleshooting.job
- c:\program files\TuneUp Utilities 2010\TuneUpSystemStatusCheck.exe [2010-02-02 11:28]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.dejazzd.com/my_jazzd/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mWindow Title = By D&E Jazzd
uInternet Settings,ProxyOverride = localhost
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Handler: intu-help-qb2 - {84D77A00-41B5-4b8b-8ADF-86486D72E749} - c:\program files\Intuit\QuickBooks 2009\HelpAsyncPluggableProtocol.dll
FF - ProfilePath - c:\documents and settings\Cheryl\Application Data\Mozilla\Firefox\Profiles\3c5ge7w1.default\
FF - prefs.js: browser.startup.homepage - hxxp://my.earthlink.net/
FF - prefs.js: keyword.URL - hxxp://us.yhs.search.yahoo.com/avg/search?fr=yhs-avg&type=yahoo_avg_hs2-tb-web_us&p=
FF - prefs.js: network.proxy.type - 1
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\xpavgtbapi.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPJPI150_02.dll
FF - plugin: c:\program files\Java\jre1.5.0_02\bin\NPOJI610.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: nglayout.initialpaint.delay - 600
FF - user.js: content.notify.interval - 600000
FF - user.js: content.max.tokenizing.time - 1800000
FF - user.js: content.switch.threshold - 600000
FF - user.js: browser.blink_allowed - false
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-25 22:52
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys >>UNKNOWN [0x84F2A8C8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf7714f28
\Driver\ACPI -> ACPI.sys @ 0xf7687cb8
\Driver\atapi -> atapi.sys @ 0xf7624b3a
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805a05a9
ParseProcedure -> ntoskrnl.exe @ 0x8056ea15
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805a05a9
ParseProcedure -> ntoskrnl.exe @ 0x8056ea15
NDIS: -> SendCompleteHandler -> 0x0
PacketIndicateHandler -> 0x0
SendHandler -> 0x0
user & kernel MBR OK

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(560)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(3440)
c:\windows\system32\WININET.dll
c:\program files\Logitech\SetPoint\lgscroll.dll
c:\windows\system32\IEFRAME.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\ArcSoft\Software Suite\PhotoImpression\share\pihook.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Logitech\SetPoint\KHALMNPR.EXE
c:\windows\system32\acs.exe
c:\program files\AVG\AVG8\IdentityProtection\agent\bin\AVGIDSMonitor.exe
c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe
c:\progra~1\AVG\AVG8\avgam.exe
c:\windows\system32\DVDRAMSV.exe
c:\progra~1\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\program files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
c:\toshiba\IVP\swupdate\swupdtmr.exe
c:\program files\AVG\AVG8\avgcsrvx.exe
c:\windows\system32\wbem\unsecapp.exe
c:\windows\system32\wscntfy.exe
c:\program files\TuneUp Utilities 2010\TuneUpUtilitiesApp32.exe
c:\program files\Lavasoft\Ad-Aware\AAWTray.exe
.
**************************************************************************
.
Completion time: 2010-02-25 23:07:54 - machine was rebooted
ComboFix-quarantined-files.txt 2010-02-26 04:07

Pre-Run: 18,120,478,720 bytes free
Post-Run: 18,308,988,928 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - 82CB71AA7663BDAE07AB88D1644D4E03


#5 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,719 posts
  • OFFLINE
  • Gender:Male
  • Location:The Netherlands
  • Local time:06:22 AM

Posted 27 February 2010 - 06:23 AM

Well done.
  1. We are going to run this special tool.
    • Please download TDSSKiller.zip and save it to your desktop.
    • Extract the zip file to your desktop.
    • Make sure TDSSKiller.exe is not in a folder.
      The exe file should be placed on the desktop, it looks like
    • Go to Start => Run copy and paste the following command in the Run box and click enter:

      "%userprofile%\desktop\TDSSKiller.exe" -l report.txt -v

    • When it has finished, press any key to continue and let it reboot if needed.
    • Please post the report.txt created on your desktop.

  2. Reboot the computer now once even if TDSSKiller needed a reboot.

  3. Please run Notepad (start > All Programs > Accessories > Notepad) and copy and paste the text in the code box (without the word CODE) into a new file:


    CODE
    @ECHO OFF
    rem Run Gmer's mbr.exe with the -t switch; it expects mbr.exe to sit in the same folder as this batch file and writes its output to mbr.log
    mbr.exe -t
    rem List the drivers in the "SCSI Miniport" load-order group (atapi is one of them) into Log.txt
    sc query type= driver group= "SCSI Miniport" > Log.txt
    rem Append the mbr.exe output to the same log and open it in Notepad
    type mbr.log >>log.txt
    Start Log.txt

    • Go to the File menu at the top of the Notepad and select Save as.
    • Select Save in: desktop
    • Fill in File name: look.bat
    • Save as type: All file types (*.*)
    • Click save.
    • Close the Notepad.
    • Locate look.bat on the desktop. It should look like this:
    • Double-click to run it.
    • A notepad opens, copy and paste the content (log.txt) to your reply.


#6 MysticDragon

MysticDragon
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  • Gender:Female
  • Local time:12:22 AM

Posted 27 February 2010 - 07:16 PM

Below is the contents of the "report.txt" file requested in the first part of your instructions:

18:19:58:015 3452 TDSS rootkit removing tool 2.2.7.1 Feb 27 2010 13:29:25
18:19:58:015 3452 ================================================================================
18:19:58:015 3452 SystemInfo:

18:19:58:015 3452 OS Version: 5.1.2600 ServicePack: 3.0
18:19:58:015 3452 Product type: Workstation
18:19:58:015 3452 ComputerName: TOSHIBA-USER
18:19:58:015 3452 UserName: Cheryl
18:19:58:015 3452 Windows directory: C:\WINDOWS
18:19:58:015 3452 Processor architecture: Intel x86
18:19:58:015 3452 Number of processors: 1
18:19:58:015 3452 Page size: 0x1000
18:19:58:015 3452 Boot type: Normal boot
18:19:58:015 3452 ================================================================================
18:19:58:109 3452 UnloadDriverW: NtUnloadDriver error 2
18:19:58:109 3452 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2
18:19:58:968 3452 Initialize success
18:19:58:968 3452
18:19:58:968 3452 Scanning Services ...
18:19:58:968 3452 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\system
18:19:59:375 3452 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
18:19:59:375 3452 wfopen_ex: Trying to KLMD file open
18:19:59:375 3452 wfopen_ex: File opened ok (Flags 2)
18:19:59:375 3452 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\software
18:20:00:031 3452 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
18:20:00:031 3452 wfopen_ex: Trying to KLMD file open
18:20:00:031 3452 wfopen_ex: File opened ok (Flags 2)
18:20:01:031 3452 GetAdvancedServicesInfo: Raw services enum returned 368 services
18:20:01:031 3452 fclose_ex: Trying to close file C:\WINDOWS\system32\config\system
18:20:01:031 3452 fclose_ex: Trying to close file C:\WINDOWS\system32\config\software
18:20:01:031 3452
18:20:01:031 3452 Scanning Kernel memory ...
18:20:01:031 3452 Devices to scan: 2
18:20:01:031 3452
18:20:01:031 3452 Driver Name: Disk
18:20:01:031 3452 IRP_MJ_CREATE : F7716BB0
18:20:01:031 3452 IRP_MJ_CREATE_NAMED_PIPE : 804FA87E
18:20:01:031 3452 IRP_MJ_CLOSE : F7716BB0
18:20:01:031 3452 IRP_MJ_READ : F7710D1F
18:20:01:031 3452 IRP_MJ_WRITE : F7710D1F
18:20:01:031 3452 IRP_MJ_QUERY_INFORMATION : 804FA87E
18:20:01:031 3452 IRP_MJ_SET_INFORMATION : 804FA87E
18:20:01:031 3452 IRP_MJ_QUERY_EA : 804FA87E
18:20:01:031 3452 IRP_MJ_SET_EA : 804FA87E
18:20:01:031 3452 IRP_MJ_FLUSH_BUFFERS : F77112E2
18:20:01:031 3452 IRP_MJ_QUERY_VOLUME_INFORMATION : 804FA87E
18:20:01:031 3452 IRP_MJ_SET_VOLUME_INFORMATION : 804FA87E
18:20:01:031 3452 IRP_MJ_DIRECTORY_CONTROL : 804FA87E
18:20:01:031 3452 IRP_MJ_FILE_SYSTEM_CONTROL : 804FA87E
18:20:01:031 3452 IRP_MJ_DEVICE_CONTROL : F77113BB
18:20:01:031 3452 IRP_MJ_INTERNAL_DEVICE_CONTROL : F7714F28
18:20:01:031 3452 IRP_MJ_SHUTDOWN : F77112E2
18:20:01:031 3452 IRP_MJ_LOCK_CONTROL : 804FA87E
18:20:01:031 3452 IRP_MJ_CLEANUP : 804FA87E
18:20:01:031 3452 IRP_MJ_CREATE_MAILSLOT : 804FA87E
18:20:01:031 3452 IRP_MJ_QUERY_SECURITY : 804FA87E
18:20:01:031 3452 IRP_MJ_SET_SECURITY : 804FA87E
18:20:01:031 3452 IRP_MJ_POWER : F7712C82
18:20:01:031 3452 IRP_MJ_SYSTEM_CONTROL : F771799E
18:20:01:031 3452 IRP_MJ_DEVICE_CHANGE : 804FA87E
18:20:01:031 3452 IRP_MJ_QUERY_QUOTA : 804FA87E
18:20:01:031 3452 IRP_MJ_SET_QUOTA : 804FA87E
18:20:01:062 3452 TDL3_StartIoLastChanceHookDetect: Unable to dump StartIo handler code
18:20:01:062 3452 sion
18:20:01:078 3452 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
18:20:01:078 3452
18:20:01:078 3452 Driver Name: atapi
18:20:01:078 3452 IRP_MJ_CREATE : F7624B3A
18:20:01:078 3452 IRP_MJ_CREATE_NAMED_PIPE : F7624B3A
18:20:01:078 3452 IRP_MJ_CLOSE : F7624B3A
18:20:01:078 3452 IRP_MJ_READ : F7624B3A
18:20:01:078 3452 IRP_MJ_WRITE : F7624B3A
18:20:01:078 3452 IRP_MJ_QUERY_INFORMATION : F7624B3A
18:20:01:078 3452 IRP_MJ_SET_INFORMATION : F7624B3A
18:20:01:078 3452 IRP_MJ_QUERY_EA : F7624B3A
18:20:01:078 3452 IRP_MJ_SET_EA : F7624B3A
18:20:01:078 3452 IRP_MJ_FLUSH_BUFFERS : F7624B3A
18:20:01:078 3452 IRP_MJ_QUERY_VOLUME_INFORMATION : F7624B3A
18:20:01:078 3452 IRP_MJ_SET_VOLUME_INFORMATION : F7624B3A
18:20:01:078 3452 IRP_MJ_DIRECTORY_CONTROL : F7624B3A
18:20:01:078 3452 IRP_MJ_FILE_SYSTEM_CONTROL : F7624B3A
18:20:01:078 3452 IRP_MJ_DEVICE_CONTROL : F7624B3A
18:20:01:078 3452 IRP_MJ_INTERNAL_DEVICE_CONTROL : F7624B3A
18:20:01:078 3452 IRP_MJ_SHUTDOWN : F7624B3A
18:20:01:078 3452 IRP_MJ_LOCK_CONTROL : F7624B3A
18:20:01:078 3452 IRP_MJ_CLEANUP : F7624B3A
18:20:01:078 3452 IRP_MJ_CREATE_MAILSLOT : F7624B3A
18:20:01:078 3452 IRP_MJ_QUERY_SECURITY : F7624B3A
18:20:01:078 3452 IRP_MJ_SET_SECURITY : F7624B3A
18:20:01:078 3452 IRP_MJ_POWER : F7624B3A
18:20:01:078 3452 IRP_MJ_SYSTEM_CONTROL : F7624B3A
18:20:01:078 3452 IRP_MJ_DEVICE_CHANGE : F7624B3A
18:20:01:078 3452 IRP_MJ_QUERY_QUOTA : F7624B3A
18:20:01:078 3452 IRP_MJ_SET_QUOTA : F7624B3A
18:20:01:109 3452 TDL3_IrpHookDetect: TDL3 Stub signature found, trying to get hook true addr
18:20:01:109 3452 TDL3_IrpHookDetect: New IrpHandler addr: 84F578C8
18:20:01:109 3452 ihd: 10, FFDF0308, 510, 134, 3, 120, 0
18:20:01:109 3452 Driver "atapi" Irp handler infected by TDSS rootkit ... 18:20:01:109 3452 cured
18:20:01:109 3452 siohd: 0
18:20:01:125 3452 C:\WINDOWS\system32\DRIVERS\atapi.sys - Verdict: Infected
18:20:01:125 3452 File C:\WINDOWS\system32\DRIVERS\atapi.sys infected by TDSS rootkit ... 18:20:01:125 3452 Processing driver file: C:\WINDOWS\system32\DRIVERS\atapi.sys
18:20:01:125 3452 ProcessDirEnumEx: FindFirstFile(C:\WINDOWS\system32\DriverStore\FileRepository\*) error 3
18:20:01:421 3452 vfvi6
18:20:01:625 3452 !dsvbh1
18:20:02:531 3452 dsvbh2
18:20:02:531 3452 fdfb2
18:20:02:531 3452 Backup copy found, using it..
18:20:02:734 3452 will be cured on next reboot
18:20:02:734 3452 Reboot required for cure complete..
18:20:02:796 3452 Cure on reboot scheduled successfully
18:20:02:796 3452
18:20:02:796 3452 Completed
18:20:02:796 3452
18:20:02:796 3452 Results:
18:20:02:796 3452 Memory objects infected / cured / cured on reboot: 1 / 1 / 0
18:20:02:796 3452 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
18:20:02:796 3452 File objects infected / cured / cured on reboot: 1 / 0 / 1
18:20:02:796 3452
18:20:02:796 3452 UnloadDriverW: NtUnloadDriver error 1
18:20:02:796 3452 KLMD_Unload: UnloadDriverW(klmd21) error 1
18:20:02:796 3452 KLMD(ARK) unloaded successfully


And here is the contents of the "log.txt" file you requested:

SERVICE_NAME: atapi
DISPLAY_NAME: Standard IDE/ESDI Hard Disk Controller
TYPE : 1 KERNEL_DRIVER
STATE : 4 RUNNING
(STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys
kernel: MBR read successfully
user & kernel MBR OK

Thanks again for your help with this! :D
ttfn
Mystic.
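
As an added example (not code from this thread, from TDSSKiller, or from Gmer's mbr.exe), the script below does the triage a responder would do by eye on the two reports above: it parses the per-driver IRP_MJ_* dispatch dump and the "Verdict:" lines that TDSSKiller prints, parses the "called modules:" line from mbr.exe, and lists what to look at first. The log lines in the script are constructed in the same format as the reports above, abridged to five dispatch entries per driver. Two things in it are my own heuristics rather than anything either tool documents: treating ">>UNKNOWN [addr]<<" as "code in the disk I/O path that belongs to no loaded module", and flagging a driver whose every IRP_MJ_* entry resolves to a single address. A legitimate driver can route all major functions through one routine, so that second check is a prompt for a closer look, not a verdict on its own; the tool's own "Verdict:" line is the authoritative signal.

```python
"""Triage helper for TDSSKiller and mbr.exe report text (added example, not the tools' own code)."""
import re
from collections import defaultdict

# Constructed sample in the TDSSKiller 2.2.7.1 report format (abridged, not the full report).
SAMPLE_TDSSKILLER = r"""
18:20:01:031 3452 Driver Name: Disk
18:20:01:031 3452 IRP_MJ_CREATE : F7716BB0
18:20:01:031 3452 IRP_MJ_CREATE_NAMED_PIPE : 804FA87E
18:20:01:031 3452 IRP_MJ_CLOSE : F7716BB0
18:20:01:031 3452 IRP_MJ_READ : F7710D1F
18:20:01:031 3452 IRP_MJ_WRITE : F7710D1F
18:20:01:078 3452 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
18:20:01:078 3452 Driver Name: atapi
18:20:01:078 3452 IRP_MJ_CREATE : F7624B3A
18:20:01:078 3452 IRP_MJ_CREATE_NAMED_PIPE : F7624B3A
18:20:01:078 3452 IRP_MJ_CLOSE : F7624B3A
18:20:01:078 3452 IRP_MJ_READ : F7624B3A
18:20:01:078 3452 IRP_MJ_WRITE : F7624B3A
18:20:01:109 3452 TDL3_IrpHookDetect: TDL3 Stub signature found, trying to get hook true addr
18:20:01:125 3452 C:\WINDOWS\system32\DRIVERS\atapi.sys - Verdict: Infected
"""

# Constructed mbr.exe lines: before the cure (unattributed code in the call chain) and after it.
SAMPLE_MBR_BEFORE = "called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys >>UNKNOWN [0x84F2A8C8]<<"
SAMPLE_MBR_AFTER = "called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys"

_PREFIX = re.compile(r"^\d{2}:\d{2}:\d{2}:\d{3}\s+\d+\s+(.*)$")   # "HH:MM:SS:mmm pid " prefix
_DRIVER = re.compile(r"^Driver Name:\s*(\S+)")
_IRP = re.compile(r"^(IRP_MJ_\w+)\s*:\s*([0-9A-Fa-f]+)")
_VERDICT = re.compile(r"^(\S+)\s+-\s+Verdict:\s*(\w+)")
_UNKNOWN = re.compile(r">>UNKNOWN \[(0x[0-9A-Fa-f]+)\]<<")


def parse_tdsskiller(text):
    """Return {driver: {"irp": {major: addr}, "path", "verdict", "stub_signature"}}."""
    drivers, current = {}, None
    for raw in text.splitlines():
        m = _PREFIX.match(raw.strip())
        line = m.group(1).strip() if m else raw.strip()
        m = _DRIVER.match(line)
        if m:
            current = m.group(1)
            drivers[current] = {"irp": {}, "path": None, "verdict": None, "stub_signature": False}
            continue
        if current is None:
            continue
        m = _IRP.match(line)
        if m:
            drivers[current]["irp"][m.group(1)] = m.group(2).upper()
            continue
        m = _VERDICT.match(line)
        if m:
            drivers[current]["path"], drivers[current]["verdict"] = m.group(1), m.group(2)
            continue
        if "Stub signature found" in line:          # TDSSKiller's own TDL3 stub match
            drivers[current]["stub_signature"] = True
    return drivers


def flag_drivers(drivers, min_entries=4):
    """Heuristic triage: {driver: [reasons]} for drivers that deserve a closer look."""
    flagged = defaultdict(list)
    for name, info in drivers.items():
        if info["verdict"] and info["verdict"].lower() != "clean":
            flagged[name].append(f"scanner verdict: {info['verdict']}")
        if info["stub_signature"]:
            flagged[name].append("scanner matched a TDL3 stub signature in the dispatch hook")
        addrs = set(info["irp"].values())
        # Heuristic (mine, not the tool's): every major function funnelled into one handler.
        if len(info["irp"]) >= min_entries and len(addrs) == 1:
            flagged[name].append(
                f"all {len(info['irp'])} IRP_MJ_* entries point to one handler 0x{addrs.pop()}")
    return dict(flagged)


def parse_mbr_called_modules(text):
    """Return (named modules, unattributed addresses) from an mbr.exe 'called modules:' line."""
    modules, unknown = [], []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("called modules:"):
            continue
        body = line[len("called modules:"):]
        unknown.extend(_UNKNOWN.findall(body))
        modules.extend(_UNKNOWN.sub(" ", body).split())
    return modules, unknown


def triage(tdss_text, mbr_text):
    """Combine both parsers into a list of one-line findings."""
    findings = [f"{name}: {reason}"
                for name, reasons in flag_drivers(parse_tdsskiller(tdss_text)).items()
                for reason in reasons]
    modules, unknown = parse_mbr_called_modules(mbr_text)
    for addr in unknown:   # my reading of >>UNKNOWN<<: code in the disk I/O path owned by no loaded module
        findings.append(f"mbr.exe: disk I/O call chain reaches {addr}, which belongs to no loaded module")
    if modules and not unknown:
        findings.append("mbr.exe: every module in the disk I/O call chain is named: " + " ".join(modules))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_TDSSKILLER, SAMPLE_MBR_BEFORE):
        print(finding)
```

Run against the two reports in this thread, the script would flag atapi three times (the Infected verdict, the stub signature, and the single-handler dispatch table) and point at the unattributed 0x84F2A8C8 in the pre-cure mbr.exe output; on the post-cure mbr.exe output, where atapi.sys is followed by pciide.sys, it reports a fully named call chain.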

#7 Farbar

Farbar

    Just Curious


  • Security Developer
  • 21,719 posts
  • OFFLINE
  • Gender:Male
  • Location:The Netherlands
  • Local time:06:22 AM

Posted 01 March 2010 - 06:25 AM

Apologies for the delay.

The rootkit is taken care of.
  1. Optional: Viewpoint Manager is considered foistware rather than malware, since it is installed without the user's approval but doesn't spy or do anything "bad". This has changed from what we knew in 2006; read this article:

    http://www.clickz.com/news/article.php/3561546

    I suggest you uninstall the following program via Add or Remove Programs if you are using it:

    Viewpoint Media Player.

    If you uninstalled it, also remove the folder in bold: C:\Program Files\Viewpoint

  2. Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
    • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
    • Look for "JDK 6 Update 18 (JDK or JRE)".
    • Click the Download JRE button to the right.
    • Select your Platform: "Windows".
    • Select your Language: "Multi-language".
    • Read the License Agreement, and then check the box that says: "Accept License Agreement".
    • Click Continue and the page will refresh.
    • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
    • Close any programs you may have running - especially your web browser.
    Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
    • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
    • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
    • Repeat as many times as necessary to remove each Java version.
    • Reboot your computer once all Java components are removed.
    • Then from your desktop double-click on jre-6u18-windows-i586.exe to install the newest version.

  3. This small application you may want to keep and use to keep the computer clean.
    Download CCleaner from here http://www.ccleaner.com/
    • Run the installer to install the application.
    • When it gives you the option to install Yahoo toolbar uncheck the box next to it.
    • Run CCleaner. (make sure under Windows tab all the boxes of Internet Explorer and Windows explorer are checked. Under System check Empty Recycle Bin and Temporary Files. Under Application tab all the boxes should be checked).
    • Click Run Cleaner.
    • Close CCleaner.

      Note: Please don't use the registry cleaner of CCleaner or any other registry cleaner unless you know what you are doing.

  4. AVG 8 is outdated. You need protection from an updated Antivirus.

    Visit http://free.avg.com/download?prd=afe to download AVG 9 setup file to your desktop. Don't install it yet.
    • Go to Add/Remove programs and uninstall AVG 8.
    • Reboot.
    • Double click the downloaded setup file to Install AVG 9 then update it.
    • On the left side click Computer scanner and select Scan whole computer.
    • When the scan has finished, under the Result Overview tab at the end of the scan result, click Export overview to file.
    • Select File Type: All files Name:scan.txt and save it on your desktop.
    • Under the Warnings tab, press Remove all unhealed infections. Then close the application.
    • Copy/paste the content of scan.txt located on your desktop to your reply.

  5. Also let me know how your computer is running.
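A way to check step 2 from a prompt instead of by eye, added here as an example and not part of Farbar's instructions: it lists every Add/Remove Programs entry whose name matches the JRE/J2SE naming the post describes and flags the ones older than the 6u18 build the post installs afterwards. The registry paths, the name patterns and the sample entry list are my assumptions; the registry read only works on Windows, while the matching and version comparison run anywhere.

```python
"""List installed Java runtimes and flag the ones older than a target build.

Added example, not from the BleepingComputer thread. On Windows it reads the
Uninstall registry keys behind Add/Remove Programs; the name matching and
version comparison are pure functions so they can be checked anywhere.
"""
import re
import sys

# jre-6u18-windows-i586.exe installs Java 6 Update 18; anything below is "old".
TARGET_VERSION = (6, 18)

# Assumed DisplayName patterns that Sun's JRE installers registered, e.g.
#   "Java(TM) 6 Update 18"
#   "Java(TM) SE Runtime Environment 6 Update 7"
#   "J2SE Runtime Environment 5.0 Update 22"
# JDK, Java DB and Java Auto Updater entries deliberately do not match.
_JRE_NAME = re.compile(
    r"^(?:Java\(TM\)(?: SE Runtime Environment| Runtime Environment)?"
    r"|J2SE Runtime Environment)"
    r"\s+(?P<major>\d+)(?:\.\d+)?(?:\s+Update\s+(?P<update>\d+))?"
)

# Constructed sample of Add/Remove Programs names (not the poster's real list).
SAMPLE_ENTRIES = [
    "Java(TM) 6 Update 18",
    "Java(TM) SE Runtime Environment 6 Update 7",
    "J2SE Runtime Environment 5.0 Update 22",
    "Java DB",
    "AVG 8.5",
    "CCleaner",
]

# Both paths matter: a 32-bit JRE on 64-bit Windows registers under Wow6432Node.
_UNINSTALL_KEYS = (
    r"SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall",
    r"SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall",
)


def parse_jre_name(display_name):
    """Return (major, update) for a JRE/J2SE entry name, or None otherwise."""
    m = _JRE_NAME.match(display_name)
    if m is None:
        return None
    return int(m.group("major")), int(m.group("update") or 0)


def classify(display_names, target=TARGET_VERSION):
    """Split JRE entries into (to_remove, keep) by comparing with target.

    Entries that are not a JRE/J2SE runtime are ignored; a runtime at or
    above the target is kept so the current one is not uninstalled by mistake.
    """
    to_remove, keep = [], []
    for name in display_names:
        version = parse_jre_name(name)
        if version is None:
            continue
        (to_remove if version < target else keep).append((name, version))
    return to_remove, keep


def installed_display_names():
    """Read the DisplayName of every Add/Remove Programs entry (Windows only)."""
    import winreg  # standard library, present only on Windows

    names = []
    for path in _UNINSTALL_KEYS:
        try:
            root = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path)
        except OSError:
            continue  # path absent (32-bit Windows has no Wow6432Node)
        with root:
            for index in range(winreg.QueryInfoKey(root)[0]):
                try:
                    with winreg.OpenKey(root, winreg.EnumKey(root, index)) as entry:
                        names.append(winreg.QueryValueEx(entry, "DisplayName")[0])
                except OSError:
                    pass  # an entry without DisplayName is not shown in the list
    return names


if __name__ == "__main__":
    # Off Windows, fall back to the constructed sample so the script still runs.
    entries = installed_display_names() if sys.platform == "win32" else SAMPLE_ENTRIES
    old, current = classify(entries)
    for name, (major, update) in old:
        print(f"REMOVE  {name}  (Java {major} Update {update})")
    for name, (major, update) in current:
        print(f"keep    {name}  (Java {major} Update {update})")
```

Run it before and after the uninstall round: the first run shows what Add/Remove Programs should offer, the second should list nothing under REMOVE once 6u18 is the only runtime left.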


#8 MysticDragon (Topic Starter)

Posted 01 March 2010 - 09:14 PM

Thanks for the reply.. I am replying to let you know that I am still paying attention but due to problems with my DSL I won't be able to download any large files until at least Wed. They gave me some crappy story about me needing a new modem and some other such nonsense... so I am currently on dial-up and have limited time (10 hours per month).

I will reply with what you requested (the full scan report from the new version of AVG) as soon as I get my new modem set up on here. They (my ISP) told me that he over-nighted the modem and it should be here tomorrow or Wed., so that's the date I'm expecting to get back online; however, it might be up to a week depending on when it's delivered.

Please don't close this topic just yet if I don't reply soon and I thank you for your patience with this.

ttfn
Mystic.

#9 Farbar (Security Developer, The Netherlands)

Posted 02 March 2010 - 03:06 AM

Hi Mystic,

Thanks for letting me know. No worries, we will keep it open.

#10 MysticDragon (Topic Starter)

Posted 04 March 2010 - 09:51 PM

Thanks for your patience... and for your help with my problems on here. You don't know how much I appreciate all that you, and every one of the volunteers on here, do for all of us!

I am typing this on my new laptop as I'm still scanning the other one that you were helping me with and I will post the AVG report just as soon as it completes. I will be giving the old laptop to my husband to use on the road for his job so I wanted to make sure that it was clean and free of infections before I gave it to him. The last thing that I have to do for him is get more memory as it only has 512MB RAM installed. I'm gonna max it out at the 2GB level... he should notice a HUGE difference in the speeding up of the accessing of programs and the initial startup of the computer.

Aside from all that BS that you really didn't need to know, the computer is running fine now... no more redirects, and with all the cleaning that I've been doing on it besides what you've suggested it's getting a little faster too. Still have more work to do though. I'm hoping that by next Monday he'll be able to take it with him to work and be able to use it to its full capacity without any unnecessary interruptions.... thanks to you mostly :D

In my next post are the results of the AVG 9 scan... I ended up getting the full version as I really like the program. If you have any other suggestions to help in making the laptop run faster I'd appreciate it!

ttfn
Mystic.



#11 Farbar (Security Developer, The Netherlands)

Posted 04 March 2010 - 10:03 PM

You are most welcome.

Upgrading the RAM is the best thing to make the laptop run faster.

#12 MysticDragon (Topic Starter)

Posted 04 March 2010 - 10:16 PM

Ok, it finally finished scanning, so here are the results... exactly like I was hoping and expecting.

"Scan ""Scan whole computer"" was finished."
"No infection was found during this scan"
"Folders selected for scanning:";"Scan whole computer"
"Scan started:";"Thursday, March 04, 2010, 9:16:08 PM"
"Scan finished:";"Thursday, March 04, 2010, 10:06:15 PM (50 minute(s) 7 second(s))"
"Total object scanned:";"177841"
"User who launched the scan:";"Cheryl"


Thanks again,
ttfn
Mystic.
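The export pasted above is a semicolon-separated, double-quoted record format in which embedded quotes are doubled (the first line shows it). The parser below is an added example, not part of the thread and not AVG's code: it reads such an export, confirms the scan covered the whole computer and found nothing, counts the objects, and cross-checks the duration AVG prints against the two timestamps. The field labels and date format are taken from the pasted lines; the sample text is constructed from them, and the optional hour field in the duration note is an assumption the posted report does not exercise.

```python
"""Parse the overview text that AVG 9 writes via "Export overview to file".

Added example, not part of the thread and not AVG's code. The layout is
inferred from the lines the poster pasted: one record per line, fields
separated by ';', every field double-quoted, embedded quotes doubled.
"""
import csv
import io
import re
from datetime import datetime

# Constructed sample in the shape of the poster's export (same field labels
# and date format; the values are copied from the posted report).
SAMPLE_EXPORT = '''"Scan ""Scan whole computer"" was finished."
"No infection was found during this scan"
"Folders selected for scanning:";"Scan whole computer"
"Scan started:";"Thursday, March 04, 2010, 9:16:08 PM"
"Scan finished:";"Thursday, March 04, 2010, 10:06:15 PM (50 minute(s) 7 second(s))"
"Total object scanned:";"177841"
"User who launched the scan:";"Cheryl"
'''

_TIME_FMT = "%A, %B %d, %Y, %I:%M:%S %p"
# Assumed shape of AVG's trailing duration note. The posted report only shows
# minutes and seconds; the optional hour field is a guess for longer scans.
_DURATION = re.compile(r"\((?:(\d+) hour\(s\) )?(\d+) minute\(s\) (\d+) second\(s\)\)")


def _split_finished(text):
    """Split 'timestamp (N minute(s) M second(s))' into (datetime, seconds|None)."""
    stamp, _, note = text.partition(" (")
    stated = None
    m = _DURATION.search("(" + note) if note else None
    if m:
        hours, minutes, seconds = (int(g or 0) for g in m.groups())
        stated = hours * 3600 + minutes * 60 + seconds
    return datetime.strptime(stamp, _TIME_FMT), stated


def parse_overview(text):
    """Return a dict summarising one export: scope, result, counts, timing."""
    rows = list(csv.reader(io.StringIO(text), delimiter=";", quotechar='"'))
    # Two-field rows are "label:";"value"; one-field rows are status messages.
    fields = {row[0].rstrip(":"): row[1] for row in rows if len(row) == 2}
    messages = [row[0] for row in rows if len(row) == 1]

    started = datetime.strptime(fields["Scan started"], _TIME_FMT)
    finished, stated_seconds = _split_finished(fields["Scan finished"])
    elapsed = int((finished - started).total_seconds())
    return {
        "messages": messages,
        "whole_computer": fields.get("Folders selected for scanning") == "Scan whole computer",
        "clean": any(m.startswith("No infection was found") for m in messages),
        "objects_scanned": int(fields["Total object scanned"]),
        "user": fields["User who launched the scan"],
        "started": started,
        "finished": finished,
        "duration_seconds": elapsed,
        # AVG's own duration note should agree with the two timestamps.
        "duration_consistent": stated_seconds is None or stated_seconds == elapsed,
    }


if __name__ == "__main__":
    summary = parse_overview(SAMPLE_EXPORT)
    verdict = "clean" if summary["clean"] else "INFECTIONS FOUND"
    print(f"{verdict}; whole computer: {summary['whole_computer']}; "
          f"{summary['objects_scanned']} objects in {summary['duration_seconds']} s "
          f"(report consistent: {summary['duration_consistent']})")
```

The "whole computer" and "clean" checks are the two things a helper reads off such a report first; the duration cross-check catches a pasted report whose lines were edited or mixed up between scans.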


#13 Farbar (Security Developer, The Netherlands)

Posted 04 March 2010 - 10:44 PM

It looks good.
  1. To re-enable your Emulation drivers, double click DeFogger to run the tool.
    • The application window will appear
    • Click the Re-enable button to re-enable your CD Emulation drivers
    • Click Yes to continue
    • A 'Finished!' message will appear
    • Click OK
    • DeFogger will now ask to reboot the machine - click OK
    IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_enable which will appear on your desktop.

    Your Emulation drivers are now re-enabled.

    Note: You have to be logged in to the same account when you disabled the drivers.

  2. It is important to uninstall ComboFix.

    Go to Start => Run => copy and paste the next command into the field, then hit Enter:

    ComboFix /Uninstall

    This will uninstall ComboFix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

    It makes a clean Restore Point and clears all the old restore points in order to prevent possible reinfection from an old one through system restore.

  3. You may remove any tool or log we used.

Happy Surfing Mystic.

#14 MysticDragon (Topic Starter)

Posted 05 March 2010 - 02:09 AM

OK... all done!!

Thanks again for all your help! Now I gotta clean off all the crap I don't need and we'll be golden!

ttfn
Mystic.

#15 Farbar (Security Developer, The Netherlands)

Posted 05 March 2010 - 10:10 AM

You are most welcome.

This thread will now be closed since the issue seems to be resolved.

If you need this topic reopened, please send me a PM and I will reopen it for you.

If you should have a new issue, please start a new topic.
