Google Redirect problem presists


  • This topic is locked
82 replies to this topic

#1 chansen (Members, 88 posts)

Posted 07 April 2010 - 09:32 PM

I am starting this new log here. I thought I had this 'redirect' removed from earlier posts and help, but it is still here. Also there is a 'voice' that appears with no windows open or running (new problem).

Ran TFC program. I updated and ran MBAM and SAS in 'safe mode'. Updated and ran my A/V(Avast Free). Ran 'DeFogger', then ran DDS and GMER scans.

Below are the reports of the above.

Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Database version: 3958

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

4/6/2010 11:02:10 AM
mbam-log-2010-04-06 (11-02-10).txt

Scan type: Full scan (C:\|)
Objects scanned: 172229
Time elapsed: 28 minute(s), 45 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 04/06/2010 at 10:24 AM

Application Version : 4.35.1002

Core Rules Database Version : 4772
Trace Rules Database Version: 2584

Scan type : Complete Scan
Total Scan Time : 00:29:23

Memory items scanned : 623
Memory threats detected : 0
Registry items scanned : 6128
Registry threats detected : 0
File items scanned : 18725
File threats detected : 0


DDS (Ver_10-03-17.01) - NTFSx86
Run by Annie at 21:04:49.15 on Wed 04/07/2010
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_16
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.671 [GMT -4:00]

AV: Malware Defense *On-access scanning enabled* (Outdated) {28e00e3b-806e-4533-925c-f4c3d79514b9}
AV: avast! Antivirus *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
svchost.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\SYSTEM32\USRmlnkA.exe
C:\Program Files\QuickTime\qttask .exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\SYSTEM32\USRshutA.exe
C:\WINDOWS\SYSTEM32\USRmlnkA.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\dlcdcoms.exe
C:\Documents and Settings\Annie\Desktop\dds.scr

============== Pseudo HJT Report ===============

uURLSearchHooks: H - No File
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.2.4204.1700\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
mRun: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
mRun: [avast5] c:\progra~1\alwils~1\avast5\avastUI.exe /nogui
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [DLCDCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\DLCDtime.dll,_RunDLLEntry@16
mRun: [Wxemuzifulo] rundll32.exe "c:\windows\ulolivihanofowac.dll",Startup
mRun: [USRpdA] c:\windows\system32\usrmlnka.exe runservices \device\3cpipe-USRpdA
mRun: [QuickTime Task] "c:\program files\quicktime\qttask .exe" -atboottime
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\logitech\desktop messenger\8876480\program\GAPlugProtocol-8876480.dll
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\annie\applic~1\mozilla\firefox\profiles\ktpi2jvs.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
FF - plugin: c:\documents and settings\annie\application data\move networks\plugins\npqmp071503000010.dll
FF - plugin: c:\documents and settings\annie\application data\move networks\plugins\npqmp071505000010.dll
FF - plugin: c:\documents and settings\annie\application data\move networks\plugins\npqmp071701000002.dll
FF - plugin: c:\documents and settings\annie\application data\move networks\plugins\npqmp071705000014.dll
FF - plugin: c:\program files\common files\motive\npMotive.dll
FF - plugin: c:\program files\google\google updater\2.4.1698.5652\npCIDetect13.dll
FF - plugin: c:\program files\veetle\player\npvlc.dll
FF - plugin: c:\program files\veetle\plugins\npVeetle.dll
FF - plugin: c:\program files\veetle\vlcbroadcast\npvbp.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-4-3 162640]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-2-17 66632]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-4-3 19024]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-4-3 40384]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-4-3 40384]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-4-3 40384]
R3 dlcd_device;dlcd_device;c:\windows\system32\dlcdcoms.exe -service --> c:\windows\system32\dlcdcoms.exe -service [?]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2010-2-17 12872]

=============== Created Last 30 ================

2010-04-08 01:01:42 0 ----a-w- c:\documents and settings\annie\defogger_reenable
2010-04-07 15:38:45 75266 ----a-w- c:\docume~1\alluse~1\applic~1\l8s2OvN2.exe
2010-04-07 15:38:45 112 ----a-w- c:\docume~1\alluse~1\applic~1\67r5Xj.dat
2010-04-07 04:25:03 0 d-----w- c:\program files\ATT-PRT22-WISE
2010-04-07 04:25:01 0 d-----w- c:\program files\ATT
2010-04-07 04:09:09 30330584 ----a-w- C:\BellSouthIW.reg
2010-04-07 03:51:22 0 d-----w- c:\program files\BroadJump
2010-04-07 03:50:40 87040 ----a-w- c:\windows\system32\WebFlowIDPersist.dll
2010-04-07 03:50:40 37376 ----a-w- c:\windows\system32\ReportReader.dll
2010-04-07 03:50:39 40448 ----a-w- c:\windows\system32\BJAXSecurityManager.dll
2010-04-07 03:50:39 1073152 ----a-w- c:\windows\system32\ActiveUtils.dll
2010-04-07 03:50:38 86016 ----a-w- c:\windows\system32\BJInstaller.dll
2010-04-07 03:50:38 73728 ----a-w- c:\windows\system32\BinaryAggregator1.dll
2010-04-07 03:50:38 327680 ----a-w- c:\windows\system32\snmpaxctrl.dll
2010-04-07 03:50:17 30361210 ----a-w- C:\BellSouthIW.re~
2010-04-06 03:24:54 81920 ----a-w- c:\windows\system32\Startup.cpl
2010-04-06 01:27:56 38387 ----a-w- c:\documents and settings\annie\DoctorWeb.zip
2010-04-05 05:30:00 0 d-----w- c:\documents and settings\annie\DoctorWeb
2010-04-04 02:13:30 0 d-----w- c:\docume~1\alluse~1\applic~1\Alwil Software
2010-04-03 22:36:35 0 d-----w- c:\program files\ESET
2010-04-03 22:10:47 0 d-----w- c:\program files\common files\Wise Installation Wizard
2010-04-03 19:54:28 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-04-03 08:32:29 7680 --sha-w- c:\windows\Thumbs.db
2010-04-03 05:12:16 162 ---ha-w- C:\~$gistryfiles.reg
2010-04-03 04:42:14 0 d--h--w- c:\windows\PIF
2010-04-03 04:19:22 101932186 ----a-w- C:\registryfiles.reg
2010-04-02 23:21:33 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-04-02 22:37:46 120 ----a-w- c:\windows\Bjapuqugaro.dat
2010-04-02 22:37:46 0 ----a-w- c:\windows\Qjeru.bin
2010-03-28 23:07:31 0 d-----w- c:\program files\Veetle
2010-03-11 04:42:30 3558912 -c----w- c:\windows\system32\dllcache\moviemk.exe

==================== Find3M ====================

2010-04-06 01:22:32 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-04-05 19:09:40 42368 ----a-w- c:\windows\system32\drivers\agp440.sys
2010-03-30 04:46:30 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-30 04:45:52 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-11 12:38:54 832512 ----a-w- c:\windows\system32\wininet.dll
2010-03-11 12:38:52 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-03-11 12:38:51 17408 ----a-w- c:\windows\system32\corpol.dll
2010-02-09 02:57:28 127034 ------r- c:\windows\bwUnin-8.1.1.50-8876480SL.exe
2001-11-23 04:08:20 712704 -c--a-w- c:\windows\inf\other\AUDIO3D.DLL

============= FINISH: 21:06:13.84 ===============


GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-04-07 22:12:42
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\Annie\LOCALS~1\Temp\fflyakoc.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwClose [0xA17B1C56]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateKey [0xA17B1B12]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteKey [0xA17B20C6]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteValueKey [0xA17B1FF0]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDuplicateObject [0xA17B16E8]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenKey [0xA17B1BEC]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenProcess [0xA17B1628]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenThread [0xA17B168C]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwQueryValueKey [0xA17B1D0C]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRenameKey [0xA17B2194]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRestoreKey [0xA17B1CCC]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwSetValueKey [0xA17B1E4C]

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateProcessEx [0xA17BE4FE]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateSection [0xA17BE322]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwLoadDriver [0xA17BE45C]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) NtCreateSection
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ObInsertObject
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ObMakeTemporaryObject

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs aswSP.SYS (avast! self protection module/ALWIL Software)

AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

Device -> \Driver\atapi \Device\Harddisk0\DR0 872F6AC8

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----


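The entries the helper singles out later in the thread (post #11) can be picked out of a DDS report mechanically: an autorun that has rundll32 load a DLL sitting loose in the Windows root, executables whose name carries a space before ".exe" (a sign the real program was renamed and something else sits in its place), and freshly created loose binaries in c:\windows or All Users\Application Data. The script below is an added example written for this thread, not part of DDS, ComboFix or any post; it runs those three heuristics over lines excerpted from the report above, mixed with benign lines from the same report that must not be flagged. The rule names and the `triage`, `is_loose_binary` and `command_path` functions are my own.

```python
import re
from typing import List, Tuple

# Constructed sample: lines excerpted from the DDS report in post #1 ("mRun" autoruns
# and "Created Last 30" entries) plus benign control lines from the same report.
SAMPLE_DDS = """\
mRun: [avast5] c:\\progra~1\\alwils~1\\avast5\\avastUI.exe /nogui
mRun: [DLCDCATS] rundll32 c:\\windows\\system32\\spool\\drivers\\w32x86\\3\\DLCDtime.dll,_RunDLLEntry@16
mRun: [Wxemuzifulo] rundll32.exe "c:\\windows\\ulolivihanofowac.dll",Startup
mRun: [QuickTime Task] "c:\\program files\\quicktime\\qttask .exe" -atboottime
2010-04-07 15:38:45 75266 ----a-w- c:\\docume~1\\alluse~1\\applic~1\\l8s2OvN2.exe
2010-04-03 08:32:29 7680 --sha-w- c:\\windows\\Thumbs.db
2010-04-03 19:54:28 552 ----a-w- c:\\windows\\system32\\d3d8caps.dat
2010-04-02 22:37:46 120 ----a-w- c:\\windows\\Bjapuqugaro.dat
2010-04-02 22:37:46 0 ----a-w- c:\\windows\\Qjeru.bin
2010-03-28 23:07:31 0 d-----w- c:\\program files\\Veetle
"""

# "Created Last 30" line: timestamp, size, 8-char attribute field, path.
CREATED_RE = re.compile(r"^\d{4}-\d\d-\d\d \d\d:\d\d:\d\d \d+ ([-a-z]{8}) (.+)$")
# Autorun line: uRun/mRun, value name in brackets, then the command line.
RUN_RE = re.compile(r"^[um]Run: \[[^\]]+\] (.+)$")
# Rule 1: one or more spaces directly before an executable extension, e.g. "qttask .exe".
SPACE_EXT_RE = re.compile(r"\S +\.(?:exe|scr|dll|com)\b", re.IGNORECASE)
# Rule 2: rundll32 pointed at a DLL that lives directly in c:\windows (not a subfolder).
RUNDLL_WINROOT_RE = re.compile(r'rundll32(?:\.exe)?\s+"?(c:\\windows\\[^\\"\s,]+\.dll)', re.IGNORECASE)
# Rule 3: new binary-like file dropped loose in a root where installers rarely put files.
LOOSE_ROOTS = ("c:\\windows\\", "c:\\docume~1\\alluse~1\\applic~1\\")
LOOSE_EXTS = (".exe", ".dll", ".dat", ".bin", ".sys")


def is_loose_binary(path: str) -> bool:
    """True if path is a file with a binary-like extension sitting directly in one of LOOSE_ROOTS."""
    p = path.lower()
    for root in LOOSE_ROOTS:
        if p.startswith(root):
            rest = p[len(root):]
            return "\\" not in rest and rest.endswith(LOOSE_EXTS)
    return False


def command_path(command: str) -> str:
    """Program path of an autorun command line: the quoted part, or else the first token."""
    if command.startswith('"'):
        return command[1:command.find('"', 1)]
    return command.split(" ", 1)[0]


def triage(report: str) -> List[Tuple[str, str]]:
    """Return (rule, path) findings for every report line that trips a heuristic."""
    findings: List[Tuple[str, str]] = []
    for line in report.splitlines():
        m = RUN_RE.match(line)
        if m:
            cmd = m.group(1)
            if SPACE_EXT_RE.search(cmd):
                findings.append(("space-before-extension", command_path(cmd)))
            r = RUNDLL_WINROOT_RE.search(cmd)
            if r:
                findings.append(("rundll32-dll-in-windows-root", r.group(1)))
            continue
        m = CREATED_RE.match(line)
        if m and not m.group(1).startswith("d"):  # skip directory entries
            path = m.group(2)
            if is_loose_binary(path):
                findings.append(("new-loose-binary", path))
            if SPACE_EXT_RE.search(path):
                findings.append(("space-before-extension", path))
    return findings


if __name__ == "__main__":
    for rule, path in triage(SAMPLE_DDS):
        print(f"{rule:30s} {path}")
```

These rules are deliberately narrow: they surface candidates for a human to check, as the helper does, and a clean result from them says nothing about drivers or the MBR, which is what the GMER line about atapi.sys points at.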

#2 fireman4it, Bleepin' Fireman (Malware Response Team, 13,512 posts, Greenup, Ill USA)

Posted 07 April 2010 - 10:05 PM

Hello chansen,
  • Welcome to Bleeping Computer.
  • My name is fireman4it and I will be helping you with your Malware problem.

    Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer including installing/uninstall programs, deleting files, modifying the registry, and running scanners or tools.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean".
  • Finally, please reply using the button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply, unless they do not fit into the post.

1.
Download and Run RKill
    Please download RKill by Grinler from one of the 4 links below and save it to your desktop.

    Link 1
    Link 2
    Link 3
    Link 4

  • Before we begin, you should disable any anti-malware software you have installed so it does not interfere with RKill running, as some anti-malware software detects RKill as malicious. Please refer to this page if you are not sure how.
  • Double-click on Rkill on your desktop to run it. (If you are using Windows Vista, please right-click on it and select Run As Administrator)
  • A black screen will appear and then disappear. Please do not worry, that is normal. This means that the tool has been successfully executed.
  • If nothing happens or if the tool does not run, please let me know in your next reply

2.
Install Recovery Console and Run ComboFix

This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

Download Combofix from any of the links below, and save it to your desktop.

Link 1
Link 2
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Close any open windows, including this one.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • If you did not have it installed, you will see the prompt below. Choose YES.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Note: The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.
  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running.
ComboFix will restart your computer if malware is found; allow it to do so.


Note: Please Do NOT mouse-click ComboFix's window while it's running because it may cause it to stall.

Things to include in your next reply:
Combofix.txt
How is your machine running now?

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


If I have helped you, consider making a donation to help me continue the fight against Malware!


#3 chansen, Topic Starter (Members, 88 posts)

Posted 07 April 2010 - 10:22 PM

How do you disable or turn off MBAM, SAS and Avast A/V Free programs?

#4 chansen, Topic Starter (Members, 88 posts)

Posted 07 April 2010 - 10:47 PM

Ignore the last post because I realized that I am running 'Free' programs that do not run all the time.


Here is my rkill scan.

This log file is located at C:\rkill.log.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.
Ran as Annie on 04/07/2010 at 23:44:56.


Processes terminated by Rkill or while it was running:


C:\Documents and Settings\Annie\Desktop\rkill.pif


Rkill completed on 04/07/2010 at 23:45:04.


#5 chansen, Topic Starter (Members, 88 posts)

Posted 07 April 2010 - 11:25 PM

Downloaded and ran ComboFix. It prompted me to disable my Avast A/V Free and I did.

It had me install the Recovery Console from Microsoft. I agreed to the Terms of Agreement and it started the scan.

It maybe scanned for 3-4 minutes and I got the dreaded 'Blue Screen'. It told me that there was a problem in 'mbr.sys' and needs to shut down to prevent damage to my computer and all drives.

I restarted my computer and as I did I saw, briefly, a black window with white text of the following: 'Recovery Console' and 'Windows XP Home'.

I did not find a ComboFix log file anywhere in C:.

#6 fireman4it, Bleepin' Fireman (Malware Response Team, 13,512 posts, Greenup, Ill USA)

Posted 08 April 2010 - 06:15 AM

Hello,

Go ahead and try and run Combofix again.



#7 chansen, Topic Starter (Members, 88 posts)

Posted 08 April 2010 - 10:26 AM

Downloaded ComboFix from 'Link 2' and ran it. The first time I downloaded it from 'Link1'. Followed the steps you sent me from above(printed them out).

ComboFix load screen came up and loaded its software and ran for about the same 3-4 minutes and the 'dreaded blue screen' appeared with the same warning: mbr.sys

During the night I ran my Avast A/V in 'Safe Mode' and it found 12 infected files. I moved the files to the Virus Chest as instructed and rebooted my computer. It started right up with no problems and no 'dreaded blue screen'. But when I went on the internet and logged onto bleepingcomputer.com, within 3 seconds another window appeared and was blank (redirect? or pop-up?)

This is getting very annoying. I do not want to cause any damage to my computer.

#8 fireman4it, Bleepin' Fireman (Malware Response Team, 13,512 posts, Greenup, Ill USA)

Posted 08 April 2010 - 07:19 PM

Hello,

QUOTE
This is getting very annoying. I do not want to cause any damage to my computer.

This is being caused by the infection your computer has. The blue screens from ComboFix are so it doesn't do something to kill your machine. We are just getting started tackling this infection. We still have many other tools and options to fight this infection. No need to kill your computer yet.

Hmm this is odd.
Let's delete the copy of ComboFix from your desktop. Then download a fresh copy and try to run it in safe mode.

Now reboot into Safe Mode.
This can be done by tapping the F8 key as soon as you start your computer.
You will be brought to a menu where you can choose to boot into safe mode.
Make sure you choose the option without networking support.
Please see here for additional details.


If Combofix still blue screens, then do the following. If Combofix works, no need for this step.

    1. Please download OTL from one of the following mirrors:
  • This is THE Mirror
    2. Save it to your desktop.
    3. Double click on the icon on your desktop.
    4. Under the Custom Scan box paste this in
    netsvcs
    %SYSTEMDRIVE%\*.exe
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    /md5stop
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT

    5. Push the Quick Scan button.
    6. Two reports will open, copy and paste them in a reply here:
  • OTL.txt <-- Will be opened
  • Extra.txt <-- Will be minimized




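The /md5start list in the OTL scan above asks for hashes of the drivers that boot-time rootkits commonly patch, and GMER has already flagged atapi.sys as a "suspicious modification". One thing a responder does with those hashes is compare the live driver against the protected copy Windows File Protection keeps in %SystemRoot%\system32\dllcache (the DDS report above shows that folder). The script below is an added example written for this thread, not part of OTL, GMER or any post; it builds a constructed, clearly fake drivers/dllcache tree in a temporary directory (atapi.sys altered in the live copy, agp440.sys identical, iaStor.sys absent) and reports which drivers disagree with their cached copy. The function names and the sample bytes are my own.

```python
import hashlib
import os
import tempfile
from typing import Dict, Iterable

# A subset of the driver names from the /md5start list in post #8.
DRIVERS_TO_CHECK = ["atapi.sys", "agp440.sys", "iaStor.sys"]


def md5_of(path: str) -> str:
    """Hex MD5 of a file, read in chunks so a large driver is not loaded whole."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def compare_with_cache(drivers_dir: str, cache_dir: str, names: Iterable[str]) -> Dict[str, str]:
    """Compare each named driver in drivers_dir with the protected copy in cache_dir
    (on XP: %SystemRoot%\\system32\\drivers versus %SystemRoot%\\system32\\dllcache)."""
    results: Dict[str, str] = {}
    for name in names:
        live = os.path.join(drivers_dir, name)
        cached = os.path.join(cache_dir, name)
        if not os.path.isfile(live):
            results[name] = "not-installed"   # driver not present on this machine
        elif not os.path.isfile(cached):
            results[name] = "no-cache-copy"   # nothing local to compare against
        elif md5_of(live) == md5_of(cached):
            results[name] = "match"
        else:
            results[name] = "MISMATCH"        # live driver differs from the protected copy
    return results


def build_constructed_tree(root: str):
    """Constructed sample tree, not a real system: atapi.sys altered in the live copy
    (as GMER reported above), agp440.sys identical in both, iaStor.sys not installed."""
    drivers = os.path.join(root, "drivers")
    cache = os.path.join(root, "dllcache")
    os.makedirs(drivers)
    os.makedirs(cache)
    atapi = b"MZ constructed atapi.sys image"
    agp440 = b"MZ constructed agp440.sys image"
    for folder, blob in ((cache, atapi), (drivers, atapi + b"\x90\x90 constructed patch")):
        with open(os.path.join(folder, "atapi.sys"), "wb") as f:
            f.write(blob)
    for folder in (cache, drivers):
        with open(os.path.join(folder, "agp440.sys"), "wb") as f:
            f.write(agp440)
    return drivers, cache


def demo() -> Dict[str, str]:
    """Build the constructed tree in a temp dir and run the comparison over it."""
    with tempfile.TemporaryDirectory() as root:
        drivers, cache = build_constructed_tree(root)
        return compare_with_cache(drivers, cache, DRIVERS_TO_CHECK)


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name:12s} {status}")
```

Two caveats a responder keeps in mind: a rootkit that has patched a driver can also intercept file reads so the live copy hashes clean from user mode, and the cached copy may have been replaced along with it. That is why the thread pairs hashes with GMER's kernel-level view and TDSSKiller rather than trusting either check alone; where a vendor publishes hashes for the driver version in question, compare against those as well.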
#9 chansen, Topic Starter (Members, 88 posts)

Posted 08 April 2010 - 09:10 PM

Downloaded and ran ComboFix in Safe Mode. It worked this time and did not produce the 'dreaded blue screen'. It went through the whole scan. Below is the 'zipped' file of the ComboFix log.


#10 chansen, Topic Starter (Members, 88 posts)

Posted 08 April 2010 - 09:23 PM

The redirects are still here.

#11 fireman4it, Bleepin' Fireman (Malware Response Team, 13,512 posts, Greenup, Ill USA)

Posted 08 April 2010 - 09:41 PM

Hello Chansen,

Please Copy and Paste your logs in to your reply unless told to attach them.


1.
We need to run a CFScript.

1. Close any open browsers.

2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the codebox below into it:

CODE
killall::

File::
c:\windows\system32\nsfwj2.dll
c:\windows\ulolivihanofowac.dll
c:\windows\Bjapuqugaro.dat
c:\windows\Qjeru.bin

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A794B62F-01A7-4F56-B1C7-4A568C1BECFF}]
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=-
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"FirewallOverride"=-
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"=-
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F4F5B58A-D3A6-4F85-B3EF-5642E8937E6F}]
[-HKEY_CLASSES_ROOT\CLSID\{F4F5B58A-D3A6-4F85-B3EF-5642E8937E6F}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Wxemuzifulo"=-

Renv::
c:\program files\Adobe\Reader 9.0\Reader\Reader_sl .exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart .exe
c:\program files\BroadJump\Client Foundation\CFD .exe
c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM .exe
c:\program files\Dell Photo AIO Printer 944\dlcdmon .exe
c:\program files\Dell Photo AIO Printer 944\memcard .exe
c:\program files\Java\jre6\bin\jusched .exe
c:\program files\QuickTime\qttask  .exe


Save this as CFScript.txt, in the same location as ComboFix.exe




Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

2.
Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2
  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    CODE
    :file
    atapi.sys

  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

3.
  • Download the file TDSSKiller.zip and extract it into a folder on the infected computer.
  • Double-click the file TDSSKiller.exe.
  • Wait for the scan and disinfection process to be over. You do not have to reboot the PC after the disinfection is over.
  • If nothing has been detected, the utility will conduct a search for hidden services. If such a service is detected, the utility will report its name with a prompt to remove it. Type delete to remove a service.
  • If malicious services or files have been detected, the utility will prompt to reboot the PC in order to complete the disinfection procedure. After reboot, the driver will delete malicious registry keys and files as well as remove itself from the services list.

Things to include in your next reply:
Combofix.txt
Systemlook.txt
TDSSKiller log
How is your machine running now?



#12 chansen, Topic Starter (Members, 88 posts)

Posted 08 April 2010 - 11:09 PM

Had one pop-up window happen as I was going into Safe Mode to run the ComboFix tool. But nothing so far.

Here are the logs...


ComboFix 10-04-08.01 - Annie 04/08/2010 23:36:02.2.1 - x86 MINIMAL
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.811 [GMT -4:00]
Running from: c:\documents and settings\Annie\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Annie\Desktop\CFScript.txt
AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

FILE ::
"c:\windows\Bjapuqugaro.dat"
"c:\windows\Qjeru.bin"
"c:\windows\system32\nsfwj2.dll"
"c:\windows\ulolivihanofowac.dll"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Bjapuqugaro.dat
c:\windows\Qjeru.bin
c:\windows\system32\nsfwj2.dll

.
((((((((((((((((((((((((( Files Created from 2010-03-09 to 2010-04-09 )))))))))))))))))))))))))))))))
.

2010-04-09 02:07 . 2010-04-09 02:07 5682 ----a-w- C:\ComboFix.zip
2010-04-08 16:58 . 2010-04-08 16:58 -------- d-----w- c:\program files\Common Files\Java
2010-04-08 16:58 . 2010-04-08 16:58 503808 ----a-w- c:\documents and settings\Annie\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-3ce77787-n\msvcp71.dll
2010-04-08 16:58 . 2010-04-08 16:58 499712 ----a-w- c:\documents and settings\Annie\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-3ce77787-n\jmc.dll
2010-04-08 16:58 . 2010-04-08 16:58 348160 ----a-w- c:\documents and settings\Annie\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-3ce77787-n\msvcr71.dll
2010-04-08 16:58 . 2010-04-08 16:58 61440 ----a-w- c:\documents and settings\Annie\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-78676c4a-n\decora-sse.dll
2010-04-08 16:58 . 2010-04-08 16:58 12800 ----a-w- c:\documents and settings\Annie\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-78676c4a-n\decora-d3d.dll
2010-04-08 04:12 . 2010-04-09 01:56 -------- d-----w- C:\System
2010-04-08 00:20 . 2010-04-08 00:20 -------- d-----w- c:\documents and settings\Administrator.ANNIE-FAE93B31D\Application Data\Malwarebytes
2010-04-07 15:38 . 2010-04-07 22:29 75266 ----a-w- c:\documents and settings\All Users\Application Data\l8s2OvN2.exe
2010-04-07 04:25 . 2010-04-07 04:25 -------- d-----w- c:\program files\ATT-PRT22-WISE
2010-04-07 04:25 . 2010-04-07 04:25 -------- d-----w- c:\program files\ATT
2010-04-07 04:09 . 2010-04-07 04:09 30330584 ----a-w- C:\BellSouthIW.reg
2010-04-07 03:51 . 2010-04-07 03:51 -------- d-----w- c:\program files\BroadJump
2010-04-07 03:50 . 2003-07-11 18:13 37376 ----a-w- c:\windows\system32\ReportReader.dll
2010-04-07 03:50 . 2003-07-11 18:12 87040 ----a-w- c:\windows\system32\WebFlowIDPersist.dll
2010-04-07 03:50 . 2003-07-15 16:37 1073152 ----a-w- c:\windows\system32\ActiveUtils.dll
2010-04-07 03:50 . 2003-07-11 18:19 40448 ----a-w- c:\windows\system32\BJAXSecurityManager.dll
2010-04-07 03:50 . 2003-07-15 16:38 73728 ----a-w- c:\windows\system32\BinaryAggregator1.dll
2010-04-07 03:50 . 2003-07-11 18:14 327680 ----a-w- c:\windows\system32\snmpaxctrl.dll
2010-04-07 03:50 . 2003-07-11 18:11 86016 ----a-w- c:\windows\system32\BJInstaller.dll
2010-04-05 05:30 . 2010-04-05 05:30 -------- d-----w- c:\documents and settings\Annie\DoctorWeb
2010-04-04 17:39 . 2010-04-04 17:39 -------- d-----w- c:\documents and settings\Administrator.ANNIE-FAE93B31D\DoctorWeb
2010-04-04 05:50 . 2010-04-04 05:50 52224 ----a-w- c:\documents and settings\Administrator.ANNIE-FAE93B31D\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-04-04 05:50 . 2010-04-04 05:50 117760 ----a-w- c:\documents and settings\Administrator.ANNIE-FAE93B31D\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-04-04 05:50 . 2010-04-04 05:50 -------- d-----w- c:\documents and settings\Administrator.ANNIE-FAE93B31D\Application Data\SUPERAntiSpyware.com
2010-04-04 02:13 . 2010-03-09 10:08 19024 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-04-04 02:13 . 2010-03-09 10:12 162640 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-04-04 02:13 . 2010-03-09 10:09 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-04-04 02:13 . 2010-03-09 10:12 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-04-04 02:13 . 2010-03-09 10:08 100432 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-04-04 02:13 . 2010-03-09 10:08 94800 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-04-04 02:13 . 2010-03-09 10:08 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-04-04 02:13 . 2010-03-09 10:24 38848 ----a-w- c:\windows\system32\avastSS.scr
2010-04-04 02:13 . 2010-03-09 10:24 153184 ----a-w- c:\windows\system32\aswBoot.exe
2010-04-04 02:13 . 2010-04-04 02:13 -------- d-----w- c:\program files\Alwil Software
2010-04-04 02:13 . 2010-04-04 02:13 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2010-04-03 22:36 . 2010-04-03 22:36 -------- d-----w- c:\program files\ESET
2010-04-03 22:11 . 2010-04-03 22:11 52224 ----a-w- c:\documents and settings\Annie\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-04-03 22:11 . 2010-04-08 00:16 117760 ----a-w- c:\documents and settings\Annie\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-04-03 22:10 . 2010-04-03 22:10 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-04-03 19:54 . 2010-04-03 19:54 552 ----a-w- c:\windows\system32\d3d8caps.dat
2010-04-03 05:12 . 2010-04-03 05:12 162 ---ha-w- C:\~$gistryfiles.reg
2010-04-03 04:42 . 2010-04-03 04:42 -------- d--h--w- c:\windows\PIF
2010-04-02 23:21 . 2010-04-04 04:20 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-04-02 23:21 . 2010-04-03 19:54 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-03-28 23:07 . 2010-03-28 23:07 -------- d-----w- c:\program files\Veetle
2010-03-17 00:27 . 2010-03-17 00:27 -------- d-----w- c:\program files\Microsoft Silverlight
2010-03-11 04:42 . 2009-10-23 15:28 3558912 -c----w- c:\windows\system32\dllcache\moviemk.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-09 03:48 . 2009-09-05 00:49 -------- d-----w- c:\program files\Dl_cats
2010-04-09 03:35 . 2009-09-06 18:25 -------- d-----w- c:\program files\QuickTime
2010-04-09 03:35 . 2009-09-05 00:47 -------- d-----w- c:\program files\Dell Photo AIO Printer 944
2010-04-08 16:57 . 2009-09-06 17:19 -------- d-----w- c:\program files\Java
2010-04-08 15:33 . 2004-08-04 12:00 96512 ------w- c:\windows\system32\drivers\atapi.sys
2010-04-07 22:29 . 2010-04-07 15:38 112 ----a-w- c:\documents and settings\All Users\Application Data\67r5Xj.dat
2010-04-07 04:25 . 2009-09-13 03:47 -------- d-----w- c:\program files\Common Files\Motive
2010-04-07 04:25 . 2009-09-13 03:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Motive
2010-04-07 04:21 . 2009-09-06 17:20 -------- d-----w- c:\documents and settings\Annie\Application Data\LimeWire
2010-04-05 19:09 . 2009-09-01 23:23 42368 ------w- c:\windows\system32\drivers\agp440.sys
2010-04-04 16:59 . 2009-12-21 04:37 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-04 16:59 . 2010-02-19 04:26 5918776 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2010-04-03 22:11 . 2009-09-05 04:21 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-04-03 22:11 . 2009-09-05 04:21 -------- d-----w- c:\documents and settings\Annie\Application Data\SUPERAntiSpyware.com
2010-04-03 08:36 . 2009-10-07 01:11 -------- d-----w- c:\program files\Windows Media Connect 2
2010-04-03 08:36 . 2009-10-01 00:49 -------- d-----w- c:\program files\PhotoScape
2010-03-30 04:46 . 2009-12-21 04:37 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-30 04:45 . 2009-12-21 04:37 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-17 08:07 . 2009-09-02 00:49 -------- d-----w- c:\program files\AVG
2010-03-11 12:38 . 2004-08-04 12:00 832512 ------w- c:\windows\system32\wininet.dll
2010-03-11 12:38 . 2009-09-06 17:41 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-03-11 12:38 . 2004-08-04 12:00 17408 ----a-w- c:\windows\system32\corpol.dll
2010-03-11 08:05 . 2009-09-02 18:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-03-09 08:28 . 2009-09-06 17:19 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-03-05 13:16 . 2010-03-05 13:16 -------- d-----w- c:\documents and settings\Annie\Application Data\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
2010-03-04 03:25 . 2009-11-06 04:02 -------- d-----w- c:\documents and settings\Annie\Application Data\U3
2010-02-09 02:58 . 2010-02-09 02:58 -------- d-----w- c:\documents and settings\Annie\Application Data\Logitech
2010-02-09 02:58 . 2009-09-07 02:13 -------- d-----w- c:\program files\Yahoo!
2010-02-09 02:57 . 2010-02-09 02:57 127034 ------r- c:\windows\bwUnin-8.1.1.50-8876480SL.exe
2010-02-09 02:57 . 2010-02-09 02:55 -------- d-----w- c:\program files\Logitech
2010-02-09 02:57 . 2009-09-02 01:44 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-02-09 02:55 . 2010-02-09 02:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Logitech
2010-02-09 02:55 . 2010-02-09 02:55 10134 ----a-r- c:\documents and settings\Annie\Application Data\Microsoft\Installer\{C89C8D86-4423-4A58-AA40-DD259ACE07C1}\ARPPRODUCTICON.exe
2010-02-09 02:55 . 2010-02-09 02:55 -------- d-----w- c:\program files\Common Files\Logitech
.

((((((((((((((((((((((((((((( SnapShot@2010-04-09_01.57.24 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-04-09 03:47 . 2010-04-09 03:47 16384 c:\windows\temp\Perflib_Perfdata_384.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"USRpdA"="c:\windows\SYSTEM32\USRmlnkA.exe RunServices \Device\3cpipe-USRpdA" [X]
"QuickTime Task"="c:\program files\QuickTime\qttask .exe -atboottime" [X]
"SoundMan"="SOUNDMAN.EXE" [2007-04-16 577536]
"DLCDCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\DLCDtime.dll" [2005-09-14 73728]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 19:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk
backup=c:\windows\pss\Logitech Desktop Messenger.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech SetPoint.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech SetPoint.lnk
backup=c:\windows\pss\Logitech SetPoint.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GrooveMonitor]
2008-10-25 15:44 31072 ----a-w- c:\program files\Microsoft Office\Office12\GrooveMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
2004-05-12 19:18 241664 ----a-w- c:\program files\HP\hpcoretech\hpcmpmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2004-02-12 17:38 49152 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)]
2009-05-27 01:06 4351216 ----a-w- c:\program files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ------w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-09-06 18:25 77824 ----a-w- c:\program files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2009-09-09 02:53 39408 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=
"c:\\Program Files\\Camfrog\\Camfrog Video Chat\\Camfrog Video Chat.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [4/3/2010 10:13 PM 162640]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 11:25 AM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2/17/2010 11:15 AM 66632]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [4/3/2010 10:13 PM 19024]
R3 dlcd_device;dlcd_device;c:\windows\system32\dlcdcoms.exe -service --> c:\windows\system32\dlcdcoms.exe -service [?]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2/17/2010 11:15 AM 12872]
.
Contents of the 'Scheduled Tasks' folder

2010-04-09 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-09-09 02:53]
.
.
------- Supplementary Scan -------
.
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
FF - ProfilePath - c:\documents and settings\Annie\Application Data\Mozilla\Firefox\Profiles\ktpi2jvs.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
FF - plugin: c:\documents and settings\Annie\Application Data\Move Networks\plugins\npqmp071701000002.dll
FF - plugin: c:\documents and settings\Annie\Application Data\Move Networks\plugins\npqmp071705000014.dll
FF - plugin: c:\program files\Common Files\Motive\npMotive.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1698.5652\npCIDetect13.dll
FF - plugin: c:\program files\Veetle\Player\npvlc.dll
FF - plugin: c:\program files\Veetle\plugins\npVeetle.dll
FF - plugin: c:\program files\Veetle\VLCBroadcast\npvbp.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-Cmaudio - cmicnfg.cpl



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-08 23:48
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x876CCAC8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf7872f28
\Driver\ACPI -> ACPI.sys @ 0xf77e5cb8
\Driver\atapi -> atapi.sys @ 0xf779d852
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0598
ParseProcedure -> ntoskrnl.exe @ 0x8056ea15
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0598
ParseProcedure -> ntoskrnl.exe @ 0x8056ea15
NDIS: DAVICOM 9102-Based PCI Fast Ethernet Adapter -> SendCompleteHandler -> NDIS.sys @ 0xf767fbd4
PacketIndicateHandler -> NDIS.sys @ 0xf768ba21
SendHandler -> NDIS.sys @ 0xf767fd44
user & kernel MBR OK

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(516)
c:\windows\system32\WININET.dll
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'lsass.exe'(576)
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(3772)
c:\windows\system32\WININET.dll
c:\windows\system32\hnetcfg.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Alwil Software\Avast5\AvastSvc.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Yahoo!\SoftwareUpdate\YahooAUService.exe
c:\windows\SOUNDMAN.EXE
c:\windows\SYSTEM32\USRmlnkA.exe
c:\windows\SYSTEM32\USRshutA.exe
c:\windows\SYSTEM32\USRmlnkA.exe
c:\windows\system32\dlcdcoms.exe
.
**************************************************************************
.
Completion time: 2010-04-08 23:54:49 - machine was rebooted
ComboFix-quarantined-files.txt 2010-04-09 03:54
ComboFix2.txt 2010-04-09 02:02

Pre-Run: 86,138,318,848 bytes free
Post-Run: 86,089,723,904 bytes free

- - End Of File - - 3325797A055D600B530C9C99A8E74A4F


SystemLook v1.0 by jpshortstuff (11.01.10)
Log created at 23:58 on 08/04/2010 by Annie (Administrator - Elevation successful)

No Context: file

No Context: atapi.sys

-=End Of File=-


23:59:47:703 0924 TDSS rootkit removing tool 2.2.8.1 Mar 22 2010 10:43:04
23:59:47:703 0924 ================================================================================
23:59:47:703 0924 SystemInfo:

23:59:47:703 0924 OS Version: 5.1.2600 ServicePack: 3.0
23:59:47:703 0924 Product type: Workstation
23:59:47:703 0924 ComputerName: ANNIE-FAE93B31D
23:59:47:703 0924 UserName: Annie
23:59:47:703 0924 Windows directory: C:\WINDOWS
23:59:47:703 0924 Processor architecture: Intel x86
23:59:47:703 0924 Number of processors: 1
23:59:47:703 0924 Page size: 0x1000
23:59:47:718 0924 Boot type: Normal boot
23:59:47:718 0924 ================================================================================
23:59:47:718 0924 UnloadDriverW: NtUnloadDriver error 2
23:59:47:718 0924 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2
23:59:47:734 0924 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\system
23:59:47:734 0924 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
23:59:47:734 0924 wfopen_ex: Trying to KLMD file open
23:59:47:734 0924 wfopen_ex: File opened ok (Flags 2)
23:59:47:734 0924 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\software
23:59:47:734 0924 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
23:59:47:734 0924 wfopen_ex: Trying to KLMD file open
23:59:47:734 0924 wfopen_ex: File opened ok (Flags 2)
23:59:47:734 0924 Initialize success
23:59:47:734 0924
23:59:47:734 0924 Scanning Services ...
23:59:48:078 0924 Raw services enum returned 339 services
23:59:48:093 0924
23:59:48:093 0924 Scanning Kernel memory ...
23:59:48:093 0924 Devices to scan: 4
23:59:48:093 0924
23:59:48:093 0924 Driver Name: Disk
23:59:48:093 0924 IRP_MJ_CREATE : F7874BB0
23:59:48:093 0924 IRP_MJ_CREATE_NAMED_PIPE : 804FA88E
23:59:48:093 0924 IRP_MJ_CLOSE : F7874BB0
23:59:48:093 0924 IRP_MJ_READ : F786ED1F
23:59:48:093 0924 IRP_MJ_WRITE : F786ED1F
23:59:48:093 0924 IRP_MJ_QUERY_INFORMATION : 804FA88E
23:59:48:093 0924 IRP_MJ_SET_INFORMATION : 804FA88E
23:59:48:093 0924 IRP_MJ_QUERY_EA : 804FA88E
23:59:48:093 0924 IRP_MJ_SET_EA : 804FA88E
23:59:48:093 0924 IRP_MJ_FLUSH_BUFFERS : F786F2E2
23:59:48:093 0924 IRP_MJ_QUERY_VOLUME_INFORMATION : 804FA88E
23:59:48:093 0924 IRP_MJ_SET_VOLUME_INFORMATION : 804FA88E
23:59:48:093 0924 IRP_MJ_DIRECTORY_CONTROL : 804FA88E
23:59:48:093 0924 IRP_MJ_FILE_SYSTEM_CONTROL : 804FA88E
23:59:48:093 0924 IRP_MJ_DEVICE_CONTROL : F786F3BB
23:59:48:093 0924 IRP_MJ_INTERNAL_DEVICE_CONTROL : F7872F28
23:59:48:093 0924 IRP_MJ_SHUTDOWN : F786F2E2
23:59:48:093 0924 IRP_MJ_LOCK_CONTROL : 804FA88E
23:59:48:093 0924 IRP_MJ_CLEANUP : 804FA88E
23:59:48:093 0924 IRP_MJ_CREATE_MAILSLOT : 804FA88E
23:59:48:093 0924 IRP_MJ_QUERY_SECURITY : 804FA88E
23:59:48:093 0924 IRP_MJ_SET_SECURITY : 804FA88E
23:59:48:093 0924 IRP_MJ_POWER : F7870C82
23:59:48:093 0924 IRP_MJ_SYSTEM_CONTROL : F787599E
23:59:48:093 0924 IRP_MJ_DEVICE_CHANGE : 804FA88E
23:59:48:093 0924 IRP_MJ_QUERY_QUOTA : 804FA88E
23:59:48:093 0924 IRP_MJ_SET_QUOTA : 804FA88E
23:59:48:140 0924 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
23:59:48:140 0924
23:59:48:140 0924 Driver Name: usbstor
23:59:48:140 0924 IRP_MJ_CREATE : 9E8E4218
23:59:48:140 0924 IRP_MJ_CREATE_NAMED_PIPE : 804FA88E
23:59:48:140 0924 IRP_MJ_CLOSE : 9E8E4218
23:59:48:140 0924 IRP_MJ_READ : 9E8E423C
23:59:48:140 0924 IRP_MJ_WRITE : 9E8E423C
23:59:48:140 0924 IRP_MJ_QUERY_INFORMATION : 804FA88E
23:59:48:140 0924 IRP_MJ_SET_INFORMATION : 804FA88E
23:59:48:140 0924 IRP_MJ_QUERY_EA : 804FA88E
23:59:48:140 0924 IRP_MJ_SET_EA : 804FA88E
23:59:48:140 0924 IRP_MJ_FLUSH_BUFFERS : 804FA88E
23:59:48:140 0924 IRP_MJ_QUERY_VOLUME_INFORMATION : 804FA88E
23:59:48:140 0924 IRP_MJ_SET_VOLUME_INFORMATION : 804FA88E
23:59:48:140 0924 IRP_MJ_DIRECTORY_CONTROL : 804FA88E
23:59:48:140 0924 IRP_MJ_FILE_SYSTEM_CONTROL : 804FA88E
23:59:48:140 0924 IRP_MJ_DEVICE_CONTROL : 9E8E4180
23:59:48:140 0924 IRP_MJ_INTERNAL_DEVICE_CONTROL : 9E8DF9E6
23:59:48:140 0924 IRP_MJ_SHUTDOWN : 804FA88E
23:59:48:140 0924 IRP_MJ_LOCK_CONTROL : 804FA88E
23:59:48:140 0924 IRP_MJ_CLEANUP : 804FA88E
23:59:48:140 0924 IRP_MJ_CREATE_MAILSLOT : 804FA88E
23:59:48:140 0924 IRP_MJ_QUERY_SECURITY : 804FA88E
23:59:48:140 0924 IRP_MJ_SET_SECURITY : 804FA88E
23:59:48:140 0924 IRP_MJ_POWER : 9E8E35F0
23:59:48:140 0924 IRP_MJ_SYSTEM_CONTROL : 9E8E1A6E
23:59:48:140 0924 IRP_MJ_DEVICE_CHANGE : 804FA88E
23:59:48:140 0924 IRP_MJ_QUERY_QUOTA : 804FA88E
23:59:48:140 0924 IRP_MJ_SET_QUOTA : 804FA88E
23:59:48:140 0924 C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS - Verdict: 1
23:59:48:140 0924
23:59:48:140 0924 Driver Name: Disk
23:59:48:140 0924 IRP_MJ_CREATE : F7874BB0
23:59:48:140 0924 IRP_MJ_CREATE_NAMED_PIPE : 804FA88E
23:59:48:140 0924 IRP_MJ_CLOSE : F7874BB0
23:59:48:140 0924 IRP_MJ_READ : F786ED1F
23:59:48:140 0924 IRP_MJ_WRITE : F786ED1F
23:59:48:140 0924 IRP_MJ_QUERY_INFORMATION : 804FA88E
23:59:48:140 0924 IRP_MJ_SET_INFORMATION : 804FA88E
23:59:48:140 0924 IRP_MJ_QUERY_EA : 804FA88E
23:59:48:140 0924 IRP_MJ_SET_EA : 804FA88E
23:59:48:140 0924 IRP_MJ_FLUSH_BUFFERS : F786F2E2
23:59:48:140 0924 IRP_MJ_QUERY_VOLUME_INFORMATION : 804FA88E
23:59:48:140 0924 IRP_MJ_SET_VOLUME_INFORMATION : 804FA88E
23:59:48:140 0924 IRP_MJ_DIRECTORY_CONTROL : 804FA88E
23:59:48:140 0924 IRP_MJ_FILE_SYSTEM_CONTROL : 804FA88E
23:59:48:140 0924 IRP_MJ_DEVICE_CONTROL : F786F3BB
23:59:48:140 0924 IRP_MJ_INTERNAL_DEVICE_CONTROL : F7872F28
23:59:48:140 0924 IRP_MJ_SHUTDOWN : F786F2E2
23:59:48:140 0924 IRP_MJ_LOCK_CONTROL : 804FA88E
23:59:48:140 0924 IRP_MJ_CLEANUP : 804FA88E
23:59:48:140 0924 IRP_MJ_CREATE_MAILSLOT : 804FA88E
23:59:48:140 0924 IRP_MJ_QUERY_SECURITY : 804FA88E
23:59:48:140 0924 IRP_MJ_SET_SECURITY : 804FA88E
23:59:48:140 0924 IRP_MJ_POWER : F7870C82
23:59:48:140 0924 IRP_MJ_SYSTEM_CONTROL : F787599E
23:59:48:140 0924 IRP_MJ_DEVICE_CHANGE : 804FA88E
23:59:48:140 0924 IRP_MJ_QUERY_QUOTA : 804FA88E
23:59:48:140 0924 IRP_MJ_SET_QUOTA : 804FA88E
23:59:48:140 0924 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
23:59:48:140 0924
23:59:48:140 0924 Driver Name: atapi
23:59:48:140 0924 IRP_MJ_CREATE : 876CCAC8
23:59:48:140 0924 IRP_MJ_CREATE_NAMED_PIPE : 876CCAC8
23:59:48:140 0924 IRP_MJ_CLOSE : 876CCAC8
23:59:48:140 0924 IRP_MJ_READ : 876CCAC8
23:59:48:140 0924 IRP_MJ_WRITE : 876CCAC8
23:59:48:140 0924 IRP_MJ_QUERY_INFORMATION : 876CCAC8
23:59:48:140 0924 IRP_MJ_SET_INFORMATION : 876CCAC8
23:59:48:140 0924 IRP_MJ_QUERY_EA : 876CCAC8
23:59:48:140 0924 IRP_MJ_SET_EA : 876CCAC8
23:59:48:140 0924 IRP_MJ_FLUSH_BUFFERS : 876CCAC8
23:59:48:140 0924 IRP_MJ_QUERY_VOLUME_INFORMATION : 876CCAC8
23:59:48:140 0924 IRP_MJ_SET_VOLUME_INFORMATION : 876CCAC8
23:59:48:140 0924 IRP_MJ_DIRECTORY_CONTROL : 876CCAC8
23:59:48:140 0924 IRP_MJ_FILE_SYSTEM_CONTROL : 876CCAC8
23:59:48:140 0924 IRP_MJ_DEVICE_CONTROL : 876CCAC8
23:59:48:140 0924 IRP_MJ_INTERNAL_DEVICE_CONTROL : 876CCAC8
23:59:48:140 0924 IRP_MJ_SHUTDOWN : 876CCAC8
23:59:48:140 0924 IRP_MJ_LOCK_CONTROL : 876CCAC8
23:59:48:140 0924 IRP_MJ_CLEANUP : 876CCAC8
23:59:48:140 0924 IRP_MJ_CREATE_MAILSLOT : 876CCAC8
23:59:48:140 0924 IRP_MJ_QUERY_SECURITY : 876CCAC8
23:59:48:140 0924 IRP_MJ_SET_SECURITY : 876CCAC8
23:59:48:140 0924 IRP_MJ_POWER : 876CCAC8
23:59:48:140 0924 IRP_MJ_SYSTEM_CONTROL : 876CCAC8
23:59:48:140 0924 IRP_MJ_DEVICE_CHANGE : 876CCAC8
23:59:48:140 0924 IRP_MJ_QUERY_QUOTA : 876CCAC8
23:59:48:140 0924 IRP_MJ_SET_QUOTA : 876CCAC8
23:59:48:140 0924 Driver "atapi" infected by TDSS rootkit!
23:59:48:156 0924 C:\WINDOWS\system32\drivers\atapi.sys - Verdict: 1
23:59:48:156 0924 File "C:\WINDOWS\system32\drivers\atapi.sys" infected by TDSS rootkit ...
23:59:48:156 0924 Processing driver file: C:\WINDOWS\system32\drivers\atapi.sys
23:59:48:156 0924 ProcessDirEnumEx: FindFirstFile(C:\WINDOWS\system32\DriverStore\FileRepository\*) error 3
23:59:48:281 0924 vfvi6
23:59:48:359 0924 !dsvbh1
23:59:48:703 0924 dsvbh2
23:59:48:703 0924 fdfb2
23:59:48:703 0924 Backup copy found, using it..
23:59:48:718 0924 will be cured on next reboot
23:59:48:718 0924 Reboot required for cure complete..
23:59:48:718 0924 Cure on reboot scheduled successfully
23:59:48:718 0924
23:59:48:718 0924 Completed
23:59:48:718 0924
23:59:48:718 0924 Results:
23:59:48:718 0924 Memory objects infected / cured / cured on reboot: 1 / 0 / 0
23:59:48:718 0924 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
23:59:48:718 0924 File objects infected / cured / cured on reboot: 1 / 0 / 1
23:59:48:718 0924
23:59:48:718 0924 fclose_ex: Trying to close file C:\WINDOWS\system32\config\system
23:59:48:718 0924 fclose_ex: Trying to close file C:\WINDOWS\system32\config\software
23:59:48:718 0924 UnloadDriverW: NtUnloadDriver error 1
23:59:48:718 0924 KLMD(ARK) unloaded successfully
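Read together, the two logs in this post carry the detection signal: every IRP_MJ_* entry of the atapi driver resolves to the same address, 876CCAC8, and that is exactly the address the Gmer MBR detector lists as >>UNKNOWN<<, a module it could not attribute. The parser below is an illustration added here, not part of the thread or of either tool; it reads lines in that format and flags a driver whose dispatch table shows the pattern. The sample lines are a condensed excerpt constructed from the log above, and the minimum of four recorded majors is an assumed threshold.

```python
"""Flag hooked IRP dispatch tables in TDSSKiller-style output (illustrative parser)."""
import re
from collections import defaultdict

# Constructed sample: a condensed excerpt in the TDSSKiller 2.2.8.1 log format,
# copying the pattern seen in the thread. disk.sys handlers are spread across the
# driver image (unimplemented majors share the kernel's default stub 804FA88E),
# while every atapi handler collapses to a single address, 876CCAC8.
SAMPLE_TDSS_LOG = r"""23:59:48:093 0924 Driver Name: Disk
23:59:48:093 0924 IRP_MJ_CREATE : F7874BB0
23:59:48:093 0924 IRP_MJ_CREATE_NAMED_PIPE : 804FA88E
23:59:48:093 0924 IRP_MJ_CLOSE : F7874BB0
23:59:48:093 0924 IRP_MJ_READ : F786ED1F
23:59:48:093 0924 IRP_MJ_WRITE : F786ED1F
23:59:48:093 0924 IRP_MJ_DEVICE_CONTROL : F786F3BB
23:59:48:140 0924 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
23:59:48:140 0924 Driver Name: atapi
23:59:48:140 0924 IRP_MJ_CREATE : 876CCAC8
23:59:48:140 0924 IRP_MJ_CREATE_NAMED_PIPE : 876CCAC8
23:59:48:140 0924 IRP_MJ_CLOSE : 876CCAC8
23:59:48:140 0924 IRP_MJ_READ : 876CCAC8
23:59:48:140 0924 IRP_MJ_WRITE : 876CCAC8
23:59:48:140 0924 IRP_MJ_DEVICE_CONTROL : 876CCAC8
23:59:48:156 0924 C:\WINDOWS\system32\drivers\atapi.sys - Verdict: 1
"""

# The Gmer MBR detector's "called modules" line from the same post: the address
# it could not attribute to any loaded module is the one atapi's handlers use.
SAMPLE_MBR_LINE = ("called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll "
                   ">>UNKNOWN [0x876CCAC8]<<")

DRIVER_RE = re.compile(r"Driver Name:\s*(\S+)")
IRP_RE = re.compile(r"(IRP_MJ_[A-Z_]+)\s*:\s*([0-9A-Fa-f]{8})\b")
UNKNOWN_RE = re.compile(r">>UNKNOWN \[0x([0-9A-Fa-f]+)\]<<")
MIN_MAJORS = 4  # fewer recorded majors is too little evidence (assumed threshold)


def parse_dispatch_tables(log):
    """Map driver name -> {IRP_MJ_x: handler address} from TDSSKiller log lines.

    TDSSKiller lists a driver once per device stack it reaches (the thread's log
    shows Disk twice); repeats of the same name are merged here.
    """
    tables = defaultdict(dict)
    current = None
    for line in log.splitlines():
        m = DRIVER_RE.search(line)
        if m:
            current = m.group(1)
            continue
        m = IRP_RE.search(line)
        if m and current is not None:
            tables[current][m.group(1)] = int(m.group(2), 16)
    return dict(tables)


def unknown_module_addresses(mbr_log):
    """Addresses the Gmer MBR detector printed as >>UNKNOWN [0x...]<<."""
    return {int(a, 16) for a in UNKNOWN_RE.findall(mbr_log)}


def assess_driver(table, unknown_addrs=frozenset()):
    """Return human-readable findings for one dispatch table ([] means clean).

    A legitimate driver implements some majors itself and leaves the rest on the
    kernel's shared default stub, so its table holds several distinct addresses.
    A table whose every entry is one address is a single trampoline in front of
    the driver; if that address is also the module nothing could account for,
    both scanners in the post are describing the same hook.
    """
    findings = []
    addrs = set(table.values())
    if len(table) >= MIN_MAJORS and len(addrs) == 1:
        (only,) = addrs
        findings.append(f"all {len(table)} IRP_MJ handlers resolve to {only:08X}")
        if only in unknown_addrs:
            findings.append(f"{only:08X} is the >>UNKNOWN<< module from the MBR check")
    elif addrs & unknown_addrs:
        hits = ", ".join(f"{a:08X}" for a in sorted(addrs & unknown_addrs))
        findings.append(f"handler(s) located in an unknown module: {hits}")
    return findings


def scan(tdss_log, mbr_log=""):
    """Correlate both logs and return {driver: [findings]}."""
    unknown = unknown_module_addresses(mbr_log)
    return {name: assess_driver(tbl, unknown)
            for name, tbl in parse_dispatch_tables(tdss_log).items()}


if __name__ == "__main__":
    for driver, findings in scan(SAMPLE_TDSS_LOG, SAMPLE_MBR_LINE).items():
        print(f"{driver}: {'; '.join(findings) or 'no dispatch-table anomaly'}")
```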


#13 chansen

chansen
  • Topic Starter

  • Members
  • 88 posts
  • OFFLINE
  • Local time:08:46 PM

Posted 09 April 2010 - 01:25 PM

Here is the 4/9/10 SAS Quick Scan Log for SAS. It found something, but when I ran MBAM it did not find anything.

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 04/09/2010 at 02:02 PM

Application Version : 4.35.1002

Core Rules Database Version : 4788
Trace Rules Database Version: 2600

Scan type : Quick Scan
Total Scan Time : 00:09:52

Memory items scanned : 455
Memory threats detected : 0
Registry items scanned : 409
Registry threats detected : 0
File items scanned : 5853
File threats detected : 1

Trojan.RootKit/Gen
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\L8S2OVN2.EXE


#14 chansen

chansen
  • Topic Starter

  • Members
  • 88 posts
  • OFFLINE
  • Local time:08:46 PM

Posted 09 April 2010 - 07:50 PM

I am still having those annoying 'Redirects' and 'Pop-Up Windows'.

#15 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,512 posts
  • OFFLINE
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:06:46 PM

Posted 09 April 2010 - 11:54 PM

Hello,

Are those redirects in Internet Explorer or Firefox or both?


    1. Please download OTL from one of the following mirrors:
  • This is THE Mirror
    2. Save it to your desktop.
    3. Double click on the icon on your desktop.
    4. Under the Custom Scan box paste this in
    netsvcs
    %SYSTEMDRIVE%\*.exe
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    /md5stop
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT

    5. Push the Quick Scan button.
    6. Two reports will open; copy and paste them in a reply here:
  • OTL.txt <-- Will be opened
  • Extra.txt <-- Will be minimized





