Search results redirected


This topic is locked
19 replies to this topic

#1 cotraveler

  • Members
  • 16 posts

Posted 09 April 2010 - 11:04 PM

After searching with Google, sometimes when I click the resulting links, I am redirected through another site.

Also, not sure if it's related, but Google Chrome has stopped working, and I wasn't able to use the Microsoft Update site today.

I've run:
- Malwarebytes
- Combofix (I know, I know)
- Gooredfix
- Spybot S&D
- AVG
- Clamwin
- Bitdefender (online)
- Housecall (Trendmicro online)
- Panda Active scan (online)

None of the scans were run at the same time, and AVG's active shield was disabled when using any other tool.

I tried to create a gmer log, but was unable to save the results. After a very long scan, the computer froze and would not let me save the log file(s). There were several entries on the screen from the scan though, including references to PCTools which I'm unfamiliar with.

Any help would be greatly appreciated.

Here is the dds log:


DDS (Ver_10-03-17.01) - NTFSx86 NETWORK
Run by Todd at 9:14:25.37 on Sun 04/11/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_19
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1729 [GMT -4:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\AVG\AVG9\avgchsvx.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\Explorer.EXE
D:\downloads\bleepingfiles\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [NVIDIA nTune] "c:\program files\nvidia corporation\ntune\nTuneCmd.exe" clear
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [TrueImageMonitor.exe] c:\program files\acronis\trueimagehome\TrueImageMonitor.exe
mRun: [AcronisTimounterMonitor] c:\program files\acronis\trueimagehome\TimounterMonitor.exe
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
StartupFolder: c:\docume~1\todd\startm~1\programs\startup\avgfre~1.lnk - c:\program files\avg\avg9\avgtray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\monito~1.lnk - c:\program files\apache software foundation\apache2.2\bin\ApacheMonitor.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
Trusted Zone: microsoft.com\update
Trusted Zone: microsoft.com\windowsupdate
DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - hxxp://download.bitdefender.com/resources/scanner/sources/en/scan8/oscan8.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1196478317500
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1196478728937
DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} - hxxp://www.nvidia.com/content/DriverDownload/nforce/NvidiaSmartScan.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
LSA: Authentication Packages = msv1_0 relog_ap

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\todd\applic~1\mozilla\firefox\profiles\0fr5x8wq.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - component: c:\program files\avg\avg9\firefox\components\avgssff.dll
FF - plugin: c:\documents and settings\todd\application data\mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\todd\local settings\application data\google\update\1.2.183.7\npGoogleOneClick8.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-9-19 130936]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2010-4-10 242696]
S0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys --> c:\windows\system32\drivers\pavboot.sys [?]
S1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2010-4-10 216200]
S1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2010-4-10 29512]
S1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2009-10-12 12872]
S1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-10-12 66632]
S2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-4-10 308064]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-10-12 12872]
S4 Apache2.2;Apache2.2;c:\program files\apache software foundation\apache2.2\bin\httpd.exe [2008-1-18 24635]

=============== Created Last 30 ================

2010-04-11 01:02:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-11 01:02:12 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-11 00:42:40 98816 ----a-w- c:\windows\sed.exe
2010-04-11 00:42:40 77312 ----a-w- c:\windows\MBR.exe
2010-04-11 00:42:40 261632 ----a-w- c:\windows\PEV.exe
2010-04-11 00:42:40 161792 ----a-w- c:\windows\SWREG.exe
2010-04-11 00:42:25 0 d-----w- C:\cotravelerCF
2010-04-11 00:39:58 0 d-----w- C:\freecoffee17331f
2010-04-11 00:11:30 0 d-----w- C:\freecoffee9916f
2010-04-10 22:45:07 0 d-----w- c:\program files\ESET
2010-04-10 18:02:19 701440 ----a-w- c:\windows\system32\cohelper.dll
2010-04-10 18:02:19 6789 ----a-w- c:\windows\system32\nvnrm.nvu
2010-04-10 18:02:19 5876 ----a-w- c:\windows\system32\drivers\nvphy.bin
2010-04-10 18:02:18 485920 ----a-w- c:\windows\system32\nvunrm.exe
2010-04-10 16:47:06 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-04-10 16:47:05 242696 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-04-10 16:47:01 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-04-10 16:46:55 0 d-----w- c:\windows\system32\drivers\Avg
2010-04-10 16:27:40 0 d-----w- c:\windows\system32\wbem\Repository
2010-04-10 16:27:02 0 d-----w- C:\freecoffee24757f
2010-04-10 16:26:48 0 d-----w- c:\docume~1\todd\applic~1\AVG9
2010-04-07 12:22:17 0 d-----w- C:\$AVG
2010-04-06 20:10:08 0 d-----w- c:\program files\Panda Security
2010-04-06 15:00:38 0 d-----w- c:\program files\AVG
2010-04-06 15:00:26 0 d-----w- c:\docume~1\alluse~1\applic~1\avg9
2010-04-01 16:07:49 55089 ----a-w- c:\documents and settings\todd\.recently-used.xbel
2010-03-31 10:10:44 611840 -c----w- c:\windows\system32\dllcache\mstime.dll
2010-03-31 10:10:44 25600 -c----w- c:\windows\system32\dllcache\jsproxy.dll
2010-03-31 10:10:44 184320 -c----w- c:\windows\system32\dllcache\iepeers.dll
2010-03-31 10:10:43 916480 -c----w- c:\windows\system32\dllcache\wininet.dll
2010-03-31 10:10:43 387584 -c----w- c:\windows\system32\dllcache\iedkcs32.dll
2010-03-31 10:10:43 206848 -c----w- c:\windows\system32\dllcache\occache.dll
2010-03-31 10:10:43 173056 -c----w- c:\windows\system32\dllcache\ie4uinit.exe
2010-03-31 10:10:42 5944832 -c----w- c:\windows\system32\dllcache\mshtml.dll
2010-03-31 10:10:42 1469440 -c----w- c:\windows\system32\dllcache\inetcpl.cpl
2010-03-31 10:10:42 1209344 -c----w- c:\windows\system32\dllcache\urlmon.dll
2010-03-25 14:01:11 3251 ----a-w- c:\windows\system32\wbem\Outlook_01cacc23a02ad044.mof
2010-03-13 14:31:29 0 d-----w- c:\docume~1\alluse~1\applic~1\NVIDIA Corporation
2010-03-13 14:30:45 9047 ----a-w- c:\windows\system32\nvinfo.pb
2010-03-13 14:30:45 61440 ----a-w- c:\windows\system32\OpenCL.dll
2010-03-13 14:30:45 4104192 ----a-w- c:\windows\system32\nvcuda.dll
2010-03-13 14:30:45 4077672 ----a-w- c:\windows\system32\nvcuvenc.dll
2010-03-13 14:30:45 2259560 ----a-w- c:\windows\system32\nvcuvid.dll
2010-03-13 14:30:43 2283526 ----a-w- c:\windows\system32\nvdata.bin
2010-03-13 14:30:43 11632640 ----a-w- c:\windows\system32\nvcompiler.dll
2010-03-13 14:25:28 0 d-----w- c:\program files\SystemRequirementsLab

==================== Find3M ====================

2010-04-11 13:14:26 8832 ----a-w- c:\windows\system32\drivers\rasacd.sys
2010-03-09 08:28:20 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-02-25 06:24:37 916480 ------w- c:\windows\system32\wininet.dll
2010-01-12 04:03:33 6359168 ----a-w- c:\windows\system32\nv4_disp.dll
2010-01-12 04:03:33 592488 ----a-w- c:\windows\system32\nvudisp.exe
2010-01-12 04:03:33 182888 ----a-w- c:\windows\system32\nvcodins.dll
2010-01-12 04:03:33 182888 ----a-w- c:\windows\system32\nvcod.dll
2010-01-12 04:03:33 14458880 ----a-w- c:\windows\system32\nvoglnt.dll
2010-01-12 04:03:33 1081344 ----a-w- c:\windows\system32\nvapi.dll
2010-01-12 03:17:44 278120 ----a-w- c:\windows\system32\nvmccs.dll
2010-01-12 03:17:44 154216 ----a-w- c:\windows\system32\nvsvc32.exe
2010-01-12 03:17:44 145000 ----a-w- c:\windows\system32\nvcolor.exe
2010-01-12 03:17:44 13666408 ----a-w- c:\windows\system32\nvcpl.dll
2010-01-12 03:17:44 110696 ----a-w- c:\windows\system32\nvmctray.dll
2010-01-12 03:17:40 81920 ----a-w- c:\windows\system32\nvwddi.dll
2009-12-26 01:51:59 245760 --sha-w- c:\windows\system32\config\systemprofile\ietldcache\index.dat
2009-12-26 01:51:59 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009122520091226\index.dat
2009-12-26 01:52:29 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\temporary internet files\content.ie5\index.dat

============= FINISH: 9:15:55.95 ===============


Here is what I did manage to get out of GMER today:

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-04-10 10:15:33
Windows 5.1.2600 Service Pack 3
Running: 4ertzdel.exe; Driver: C:\DOCUME~1\Todd\LOCALS~1\Temp\kwriqpod.sys


---- System - GMER 1.0.15 ----

SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateKey [0xB7EB4514]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateProcess [0xB7EA3282]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateProcessEx [0xB7EA3474]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwDeleteKey [0xB7EB4D00]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwDeleteValueKey [0xB7EB4FB8]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwOpenKey [0xB7EB33FA]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwRenameKey [0xB7EB5422]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwSetValueKey [0xB7EB47D8]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwTerminateProcess [0xB7EA2F32]

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwCallbackReturn + 2C8C 80504528 8 Bytes JMP EA3474B7
.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB71EC380, 0x550AF5, 0xE8000020]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\System32\svchost.exe[1656] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0099000A
.text C:\WINDOWS\System32\svchost.exe[1656] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 009A000A
.text C:\WINDOWS\System32\svchost.exe[1656] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0098000C
.text C:\WINDOWS\System32\svchost.exe[1656] USER32.dll!GetCursorPos 7E42974E 5 Bytes JMP 0186000A
.text C:\WINDOWS\System32\svchost.exe[1656] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 0185000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[3580] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0139000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[3580] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 013A000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[3580] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0138000C
.text C:\WINDOWS\Explorer.EXE[3712] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00B6000A
.text C:\WINDOWS\Explorer.EXE[3712] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00C0000A
.text C:\WINDOWS\Explorer.EXE[3712] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00B5000C

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 tdrpman.sys (Acronis Try&Decide and Restore Points Volume Filter Driver/Acronis)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 snapman.sys (Acronis Snapshot API/Acronis)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 tdrpman.sys (Acronis Try&Decide and Restore Points Volume Filter Driver/Acronis)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 snapman.sys (Acronis Snapshot API/Acronis)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume3 tdrpman.sys (Acronis Try&Decide and Restore Points Volume Filter Driver/Acronis)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume3 snapman.sys (Acronis Snapshot API/Acronis)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume4 tdrpman.sys (Acronis Try&Decide and Restore Points Volume Filter Driver/Acronis)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume4 snapman.sys (Acronis Snapshot API/Acronis)
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Devic

Merged posts. ~ OB

Edited by Orange Blossom, 11 April 2010 - 05:05 PM.


#2 extremeboy

  • Malware Response Team
  • 12,975 posts
  • Gender:Male

Posted 12 April 2010 - 09:05 PM

Hi,

My name is Extremeboy (or EB for short), and I will be helping you with your log. I apologize for the delay.

If you still require assistance, we would like to see the current condition of your system, so please post a new set of DDS logs as well as a GMER log and a description of any remaining problems or symptoms you may still have.

If for any reason you did not post a DDS log or GMER log, please refer to this page, steps #6, #7 and #8, for further instructions on downloading and running DDS & GMER. If you have any problems when running the tools or are unable to produce a report for any reason, just let me know in your next reply.


For your next reply I would like to see:
-The DDS logs
---DDS.txt and Attach logs
-GMER log
-Description of any remaining problems you may still have.


With Regards,
Extremeboy
Note: Please do not PM me asking for help; instead, please post it in the correct forum requesting help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.


#3 cotraveler

  • Topic Starter
  • Members
  • 16 posts

Posted 13 April 2010 - 11:55 AM

Hi ExtremeBoy,

Thank you for your attention.

Below is the information you asked for. GMER does halt my system in normal mode, but I was able to complete a scan in safe mode. Even in safe mode, I have to reboot to restore my computer to normal functionality after a GMER scan.

-Todd

Current Problems
(that I've noticed so far anyway)
  • Google search results - are redirected through seemingly random sites when clicked on
  • Google Chrome - does not work; eternal "Loading" of any page
  • Microsoft Update - site is inaccessible
  • "Connection Reset" - Error messages if I try to post to these forums from the infected computer only. This was the reason why incomplete logs were posted above. The browser would upload some of it, and then post an error message. I did post a better version of them from a different computer, but in a new topic, so they got deleted.
  • System File Protection - Today, I got a message on boot, that some system files were replaced with unrecognized ones and prompted me to insert my Windows CD. I did, and I didn't see any further messages about it.
New Logs

DDS.txt

DDS (Ver_10-03-17.01) - NTFSx86
Run by Todd at 10:02:43.59 on Tue 04/13/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_19
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1300 [GMT -4:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\Program Files\AVG\AVG9\avgcsrvx.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Apache Software Foundation\Apache2.2\bin\ApacheMonitor.exe
C:\Program Files\AVG\AVG9\avgtray.exe
D:\downloads\bleepingfiles\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [NVIDIA nTune] "c:\program files\nvidia corporation\ntune\nTuneCmd.exe" clear
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [TrueImageMonitor.exe] c:\program files\acronis\trueimagehome\TrueImageMonitor.exe
mRun: [AcronisTimounterMonitor] c:\program files\acronis\trueimagehome\TimounterMonitor.exe
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
StartupFolder: c:\docume~1\todd\startm~1\programs\startup\avgfre~1.lnk - c:\program files\avg\avg9\avgtray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\monito~1.lnk - c:\program files\apache software foundation\apache2.2\bin\ApacheMonitor.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
Trusted Zone: microsoft.com\update
Trusted Zone: microsoft.com\windowsupdate
DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - hxxp://download.bitdefender.com/resources/scanner/sources/en/scan8/oscan8.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1196478317500
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1196478728937
DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} - hxxp://www.nvidia.com/content/DriverDownload/nforce/NvidiaSmartScan.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
LSA: Authentication Packages = msv1_0 relog_ap

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\todd\applic~1\mozilla\firefox\profiles\0fr5x8wq.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - component: c:\program files\avg\avg9\firefox\components\avgssff.dll
FF - plugin: c:\documents and settings\todd\application data\mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\todd\local settings\application data\google\update\1.2.183.7\npGoogleOneClick8.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-9-19 130936]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2010-4-10 216200]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2010-4-10 29512]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2010-4-10 242696]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2009-10-12 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-10-12 66632]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-4-10 308064]
S0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys --> c:\windows\system32\drivers\pavboot.sys [?]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-10-12 12872]
S4 Apache2.2;Apache2.2;c:\program files\apache software foundation\apache2.2\bin\httpd.exe [2008-1-18 24635]

=============== Created Last 30 ================

2010-04-13 14:01:14 8832 ----a-w- c:\windows\system32\drivers\OLD7.tmp
2010-04-13 14:01:13 8832 ----a-w- c:\windows\system32\drivers\OLD5.tmp
2010-04-12 15:48:01 98816 ----a-w- c:\windows\sed.exe
2010-04-12 15:48:01 77312 ----a-w- c:\windows\MBR.exe
2010-04-12 15:48:01 261632 ----a-w- c:\windows\PEV.exe
2010-04-12 15:48:01 161792 ----a-w- c:\windows\SWREG.exe
2010-04-12 15:45:21 0 d-----w- C:\cotravelerCF14057c
2010-04-11 13:23:21 0 ----a-w- c:\documents and settings\todd\defogger_reenable
2010-04-11 01:02:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-11 01:02:12 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-11 00:42:25 0 d-----w- C:\cotravelerCF
2010-04-11 00:39:58 0 d-----w- C:\freecoffee17331f
2010-04-11 00:11:30 0 d-----w- C:\freecoffee9916f
2010-04-10 22:45:07 0 d-----w- c:\program files\ESET
2010-04-10 18:02:19 701440 ----a-w- c:\windows\system32\cohelper.dll
2010-04-10 18:02:19 6789 ----a-w- c:\windows\system32\nvnrm.nvu
2010-04-10 18:02:19 5876 ----a-w- c:\windows\system32\drivers\nvphy.bin
2010-04-10 18:02:18 485920 ----a-w- c:\windows\system32\nvunrm.exe
2010-04-10 16:47:06 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-04-10 16:47:05 242696 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-04-10 16:47:01 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-04-10 16:46:55 0 d-----w- c:\windows\system32\drivers\Avg
2010-04-10 16:27:40 0 d-----w- c:\windows\system32\wbem\Repository
2010-04-10 16:27:02 0 d-----w- C:\freecoffee24757f
2010-04-10 16:26:48 0 d-----w- c:\docume~1\todd\applic~1\AVG9
2010-04-07 12:22:17 0 d-----w- C:\$AVG
2010-04-06 20:10:08 0 d-----w- c:\program files\Panda Security
2010-04-06 15:00:38 0 d-----w- c:\program files\AVG
2010-04-06 15:00:26 0 d-----w- c:\docume~1\alluse~1\applic~1\avg9
2010-04-01 16:07:49 55089 ----a-w- c:\documents and settings\todd\.recently-used.xbel
2010-03-31 10:10:44 611840 -c----w- c:\windows\system32\dllcache\mstime.dll
2010-03-31 10:10:44 25600 -c----w- c:\windows\system32\dllcache\jsproxy.dll
2010-03-31 10:10:44 184320 -c----w- c:\windows\system32\dllcache\iepeers.dll
2010-03-31 10:10:43 916480 -c----w- c:\windows\system32\dllcache\wininet.dll
2010-03-31 10:10:43 387584 -c----w- c:\windows\system32\dllcache\iedkcs32.dll
2010-03-31 10:10:43 206848 -c----w- c:\windows\system32\dllcache\occache.dll
2010-03-31 10:10:43 173056 -c----w- c:\windows\system32\dllcache\ie4uinit.exe
2010-03-31 10:10:42 5944832 -c----w- c:\windows\system32\dllcache\mshtml.dll
2010-03-31 10:10:42 1469440 -c----w- c:\windows\system32\dllcache\inetcpl.cpl
2010-03-31 10:10:42 1209344 -c----w- c:\windows\system32\dllcache\urlmon.dll
2010-03-25 14:01:11 3251 ----a-w- c:\windows\system32\wbem\Outlook_01cacc23a02ad044.mof

==================== Find3M ====================

2010-04-13 14:02:58 8832 ----a-w- c:\windows\system32\drivers\rasacd.sys
2010-03-09 08:28:20 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-02-25 06:24:37 916480 ------w- c:\windows\system32\wininet.dll
2009-12-26 01:51:59 245760 --sha-w- c:\windows\system32\config\systemprofile\ietldcache\index.dat
2009-12-26 01:51:59 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009122520091226\index.dat
2009-12-26 01:52:29 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\temporary internet files\content.ie5\index.dat

============= FINISH: 10:04:19.71 ===============


GMER Log

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-04-13 12:36:58
Windows 5.1.2600 Service Pack 3
Running: 4ertzdel.exe; Driver: C:\DOCUME~1\Todd\LOCALS~1\Temp\kwriqpod.sys


---- System - GMER 1.0.15 ----

SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateKey [0xF788C514]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateProcess [0xF787B282]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateProcessEx [0xF787B474]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwDeleteKey [0xF788CD00]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwDeleteValueKey [0xF788CFB8]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwOpenKey [0xF788B3FA]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwRenameKey [0xF788D422]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwSetValueKey [0xF788C7D8]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwTerminateProcess [0xF787AF32]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\Explorer.EXE[1004] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00B6000A
.text C:\WINDOWS\Explorer.EXE[1004] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00C0000A
.text C:\WINDOWS\Explorer.EXE[1004] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00B5000C
.text C:\WINDOWS\System32\svchost.exe[1376] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0099000A
.text C:\WINDOWS\System32\svchost.exe[1376] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 009A000A
.text C:\WINDOWS\System32\svchost.exe[1376] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0098000C

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 tdrpman.sys (Acronis Try&Decide and Restore Points Volume Filter Driver/Acronis)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 tdrpman.sys (Acronis Try&Decide and Restore Points Volume Filter Driver/Acronis)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume3 tdrpman.sys (Acronis Try&Decide and Restore Points Volume Filter Driver/Acronis)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume4 tdrpman.sys (Acronis Try&Decide and Restore Points Volume Filter Driver/Acronis)
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device \FileSystem\Fastfat \Fat B74C2D20

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----


Attach.txt

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-03-17.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume4
Install Date: 11/30/2007 9:58:33 PM
System Uptime: 4/12/2010 12:35:05 PM (22 hours ago)

Motherboard: EVGA | | 122-CK-NF68
Processor: Intel® Core™2 CPU 6600 @ 2.40GHz | Socket 775 | 2400/266mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 75 GiB total, 10.687 GiB free.
D: is FIXED (NTFS) - 466 GiB total, 392.906 GiB free.
E: is FIXED (NTFS) - 112 GiB total, 3.516 GiB free.
F: is CDROM (CDFS)
G: is Removable
H: is Removable
I: is Removable
J: is Removable

==== Disabled Device Manager Items =============

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: NVIDIA nForce Networking Controller
Device ID: {1A3E09BE-1E45-494B-9174-D7385B45BBF5}\NVNET_DEV0373\4&19933FE2&1&000
Manufacturer: NVIDIA
Name: NVIDIA nForce 10/100/1000 Mbps Ethernet #2
PNP Device ID: {1A3E09BE-1E45-494B-9174-D7385B45BBF5}\NVNET_DEV0373\4&19933FE2&1&000
Service: NVENETFD

==== System Restore Points ===================

RP99: 4/12/2010 11:47:59 AM - System Checkpoint

==== Installed Programs ======================

2007 Microsoft Office Suite Service Pack 2 (SP2)
7-Zip 4.57
Acronis True Image WD Edition
Adobe Flash Player 10 Plugin
Adobe Shockwave Player 11.5
Amazon MP3 Downloader 1.0.5
Apache HTTP Server 2.2.8
Apple Application Support
Apple Mobile Device Support
Apple Software Update
AVG Free 9.0
AVI-GIF 2.1
Call of Duty® 2
Call of Duty® 2 Patch 1.3
Call of Duty® 4 - Modern Warfare™
Call of Duty® 4 - Modern Warfare™ 1.2 Patch
Call of Duty® 4 - Modern Warfare™ 1.4 Patch
Call of Duty® 4 - Modern Warfare™ 1.5 Multiplayer Patch
Call of Duty® 4 - Modern Warfare™ 1.5 Patch
CCleaner
cdrtfe 1.3
Critical Update for Windows Media Player 11 (KB959772)
Data Lifeguard Diagnostic for Windows
Eraser 5.85
ESET Online Scanner v3
Exact Audio Copy 0.99pb3
FileZilla Client 3.2.8.1
FLAC 1.2.1b (remove only)
FreeUndelete
GdsPlus 1.0
GIMP 2.4.2
GoldWave v5.19
Google Chrome
Google SketchUp 6
Google Talk (remove only)
Google Talk Plugin
High Definition Audio Driver Package - KB888111
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
iTunes
Java Auto Updater
Java™ 6 Update 19
LightScribe 1.4.136.1
Malwarebytes' Anti-Malware
MediaShout 3
MediaShout 3.5 Update
MediaShout3 Update 626
MediaShout3 Update 678
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB953297)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Ultimate 2007
Microsoft Office Word MUI (English) 2007
Microsoft Office Word Viewer 2003
Microsoft Software Update for Web Folders (English) 12
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Monkey's Audio
Mozilla Firefox (3.6.3)
Mozilla Thunderbird (2.0.0.9)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 6 Service Pack 2 (KB973686)
No-IP.com DUC (remove only)
NVIDIA Drivers
NVIDIA nTune
NVIDIA nView Desktop Manager
NVIDIA PhysX
OGA Notifier 2.0.0048.0
OpenOffice.org 3.1
Panda ActiveScan 2.0
PHP 5.2.5
QuickTime
Realtek High Definition Audio Driver
Roxio Creator 9 XE
Roxio Drag-to-Disc
Roxio Update Manager
Security Update for 2007 Microsoft Office System (KB969559)
Security Update for 2007 Microsoft Office System (KB978380)
Security Update for Microsoft Office Excel 2007 (KB978382)
Security Update for Microsoft Office Outlook 2007 (KB972363)
Security Update for Microsoft Office PowerPoint 2007 (KB957789)
Security Update for Microsoft Office Publisher 2007 (KB969693)
Security Update for Microsoft Office system 2007 (972581)
Security Update for Microsoft Office system 2007 (KB974234)
Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 7 (KB972260)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB972260)
Security Update for Windows Internet Explorer 8 (KB974455)
Security Update for Windows Internet Explorer 8 (KB976325)
Security Update for Windows Internet Explorer 8 (KB978207)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 8 (KB917734)
Security Update for Windows Media Player 9 (KB911565)
Security Update for Windows XP (KB913433)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978706)
Sony DVD Architect Studio 4.5
Sony Vegas Movie Studio Platinum 8.0
Spybot - Search & Destroy
SUPERAntiSpyware Free Edition
System Requirements Lab
TeamSpeak 2 RC2
Trillian
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Microsoft Office InfoPath 2007 (KB976416)
Update for Microsoft Office Word 2007 (KB974631)
Update for Outlook 2007 Junk Email Filter (kb979895)
Update for Windows Internet Explorer 8 (KB972636)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows Internet Explorer 8 (KB976749)
Update for Windows Internet Explorer 8 (KB980182)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Ventrilo Client
Ventrilo Server
Vuze
WebFldrs XP
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Imaging Component
Windows Internet Explorer 7
Windows Internet Explorer 8
Windows Media Format 11 runtime
Windows Media Player 11
Windows Resource Kit Tools - SubInAcl.exe
Windows XP Service Pack 3
World of Warcraft
Wow Web Stats Client v3.0
WowAceUpdater

==== Event Viewer Messages From Past Week ========

4/6/2010 2:30:21 PM, error: Service Control Manager [7000] - The SASDIFSV service failed to start due to the following error: Cannot create a file when that file already exists.
4/6/2010 11:55:53 AM, error: Service Control Manager [7031] - The AVG Free WatchDog service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 0 milliseconds: Restart the service.
4/6/2010 11:16:54 AM, error: Service Control Manager [7034] - The Print Spooler service terminated unexpectedly. It has done this 1 time(s).
4/6/2010 11:14:22 AM, error: Service Control Manager [7034] - The NoIPDUCService service terminated unexpectedly. It has done this 1 time(s).
4/6/2010 10:42:29 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
4/6/2010 10:40:55 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Fips intelppm SASDIFSV SASKUTIL
4/12/2010 12:34:19 PM, warning: Windows File Protection [64008] - The protected system file c:\windows\system32\drivers\rasacd.sys could not be verified as valid because Windows File Protection is terminating. Use the SFC utility to verify the integrity of the file at a later time.
4/10/2010 9:56:30 AM, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service iPod Service with arguments "" in order to run the server: {063D34A4-BF84-4B8D-B699-E8CA06504DDE}
4/10/2010 2:53:15 PM, information: Windows File Protection [64002] - File replacement was attempted on the protected system file rasacd.sys. This file was restored to the original version to maintain system stability. The file version of the system file is 5.1.2600.0.
4/10/2010 2:37:53 PM, error: nvgts_2 [4] -
4/10/2010 2:34:16 PM, information: Windows File Protection [64018] - Windows File Protection file scan was cancelled by user interaction, user name is Todd.
4/10/2010 2:34:13 PM, information: Windows File Protection [64020] - Windows File Protection scan found that the system file c:\windows\system32\inetcomm.dll has a bad signature. This file was restored to the original version to maintain system stability. The file version of the system file is 6.0.2900.5579.
4/10/2010 2:34:13 PM, information: Windows File Protection [64004] - The protected system file c:\windows\system32\inetcomm.dll could not be restored to its original, valid version. The file version of the bad file is 6.0.2900.5579 The specific error code is 0x000006b5 [The interface is unknown. ].
4/10/2010 2:34:05 PM, information: Windows File Protection [64020] - Windows File Protection scan found that the system file c:\windows\system32\httpapi.dll has a bad signature. This file was restored to the original version to maintain system stability. The file version of the system file is 5.1.2600.5891.
4/10/2010 2:34:05 PM, information: Windows File Protection [64004] - The protected system file c:\windows\system32\httpapi.dll could not be restored to its original, valid version. The file version of the bad file is 5.1.2600.5891 The specific error code is 0x000006b5 [The interface is unknown. ].
4/10/2010 2:34:04 PM, information: Windows File Protection [64020] - Windows File Protection scan found that the system file c:\windows\system32\drivers\http.sys has a bad signature. This file was restored to the original version to maintain system stability. The file version of the system file is 5.1.2600.5891.
4/10/2010 2:34:04 PM, information: Windows File Protection [64004] - The protected system file c:\windows\system32\drivers\http.sys could not be restored to its original, valid version. The file version of the bad file is 5.1.2600.5891 The specific error code is 0x000006b5 [The interface is unknown. ].
4/10/2010 2:34:00 PM, information: Windows File Protection [64020] - Windows File Protection scan found that the system file c:\windows\system32\gdi32.dll has a bad signature. This file was restored to the original version to maintain system stability. The file version of the system file is 5.1.2600.5698.
4/10/2010 2:34:00 PM, information: Windows File Protection [64004] - The protected system file c:\windows\system32\gdi32.dll could not be restored to its original, valid version. The file version of the bad file is 5.1.2600.5698 The specific error code is 0x000006b5 [The interface is unknown. ].
4/10/2010 2:33:59 PM, information: Windows File Protection [64004] - The protected system file c:\windows\system32\fontsub.dll could not be restored to its original, valid version. The file version of the bad file is 5.1.2600.5888 The specific error code is 0x000006b5 [The interface is unknown. ].
4/10/2010 2:33:58 PM, information: Windows File Protection [64020] - Windows File Protection scan found that the system file c:\windows\system32\fontsub.dll has a bad signature. This file was restored to the original version to maintain system stability. The file version of the system file is 5.1.2600.5888.
4/10/2010 2:33:58 PM, information: Windows File Protection [64004] - The protected system file c:\windows\system32\extmgr.dll could not be restored to its original, valid version. The file version of the bad file is 7.0.6000.16876 The specific error code is 0x000006b5 [The interface is unknown. ].
4/10/2010 2:33:57 PM, information: Windows File Protection [64020] - Windows File Protection scan found that the system file c:\windows\system32\extmgr.dll has a bad signature. This file was restored to the original version to maintain system stability. The file version of the system file is 7.0.6000.16876.
4/10/2010 2:33:57 PM, information: Windows File Protection [64020] - Windows File Protection scan found that the system file c:\windows\system32\es.dll has a bad signature. This file was restored to the original version to maintain system stability. The file version of the system file is 2001.12.4414.706.
4/10/2010 2:33:57 PM, information: Windows File Protection [64004] - The protected system file c:\windows\system32\es.dll could not be restored to its original, valid version. The file version of the bad file is 2001.12.4414.706 The specific error code is 0x000006b5 [The interface is unknown. ].
4/10/2010 2:33:55 PM, information: Windows File Protection [64004] - The protected system file c:\windows\system32\drmv2clt.dll could not be restored to its original, valid version. The file version of the bad file is 11.0.5721.5145 The specific error code is 0x000006b5 [The interface is unknown. ].
4/10/2010 2:33:54 PM, information: Windows File Protection [64020] - Windows File Protection scan found that the system file c:\windows\system32\drmv2clt.dll has a bad signature. This file was restored to the original version to maintain system stability. The file version of the system file is 11.0.5721.5145.
4/10/2010 2:33:53 PM, information: Windows File Protection [64020] - Windows File Protection scan found that the system file c:\windows\system32\dnsapi.dll has a bad signature. This file was restored to the original version to maintain system stability. The file version of the system file is 5.1.2600.5625.
4/10/2010 2:33:53 PM, information: Windows File Protection [64004] - The protected system file c:\windows\system32\dnsapi.dll could not be restored to its original, valid version. The file version of the bad file is 5.1.2600.5625 The specific error code is 0x000006b5 [The interface is unknown. ].
4/10/2010 2:33:52 PM, information: Windows File Protection [64004] - The protected system file c:\program files\common files\microsoft shared\triedit\dhtmled.ocx could not be restored to its original, valid version. The file version of the bad file is 6.1.0.9247 The specific error code is 0x000006b5 [The interface is unknown. ].
4/10/2010 2:33:51 PM, information: Windows File Protection [64020] - Windows File Protection scan found that the system file c:\program files\common files\microsoft shared\triedit\dhtmled.ocx has a bad signature. This file was restored to the original version to maintain system stability. The file version of the system file is 6.1.0.9247.
4/10/2010 2:33:49 PM, information: Windows File Protection [64020] - Windows File Protection scan found that the system file c:\windows\system32\csrsrv.dll has a bad signature. This file was restored to the original version to maintain system stability. The file version of the system file is 5.1.2600.5915.
4/10/2010 2:33:49 PM, information: Windows File Protection [64004] - The protected system file c:\windows\system32\csrsrv.dll could not be restored to its original, valid version. The file version of the bad file is 5.1.2600.5915 The specific error code is 0x000006b5 [The interface is unknown. ].
4/10/2010 2:33:45 PM, information: Windows File Protection [64020] - Windows File Protection scan found that the system file c:\windows\system32\cewmdm.dll has a bad signature. This file was restored to the original version to maintain system stability. The file version of the system file is 11.0.5721.5145.
4/10/2010 2:33:45 PM, information: Windows File Protection [64004] - The protected system file rasacd.sys could not be restored to its original, valid version. The file version of the bad file is unknown The specific error code is 0x000006b5 [The interface is unknown. ].
4/10/2010 2:33:45 PM, information: Windows File Protection [64004] - The protected system file c:\windows\system32\cewmdm.dll could not be restored to its original, valid version. The file version of the bad file is 11.0.5721.5145 The specific error code is 0x000006b5 [The interface is unknown. ].
4/10/2010 2:33:43 PM, information: Windows File Protection [64020] - Windows File Protection scan found that the system file c:\windows\system32\drivers\bthport.sys has a bad signature. This file was restored to the original version to maintain system stability. The file version of the system file is 5.1.2600.5620.
4/10/2010 2:33:43 PM, information: Windows File Protection [64004] - The protected system file c:\windows\system32\drivers\bthport.sys could not be restored to its original, valid version. The file version of the bad file is 5.1.2600.5620 The specific error code is 0x000006b5 [The interface is unknown. ].
4/10/2010 2:33:42 PM, information: Windows File Protection [64020] - Windows File Protection scan found that the system file c:\windows\system32\blackbox.dll has a bad signature. This file was restored to the original version to maintain system stability. The file version of the system file is 11.0.5721.5145.
4/10/2010 2:33:42 PM, information: Windows File Protection [64004] - The protected system file c:\windows\system32\blackbox.dll could not be restored to its original, valid version. The file version of the bad file is 11.0.5721.5145 The specific error code is 0x000006b5 [The interface is unknown. ].
4/10/2010 2:33:41 PM, information: Windows File Protection [64004] - The protected system file c:\windows\system32\avifil32.dll could not be restored to its original, valid version. The file version of the bad file is 5.1.2600.5908 The specific error code is 0x000006b5 [The interface is unknown. ].
4/10/2010 2:33:40 PM, information: Windows File Protection [64020] - Windows File Protection scan found that the system file c:\windows\system32\avifil32.dll has a bad signature. This file was restored to the original version to maintain system stability. The file version of the system file is 5.1.2600.5908.
4/10/2010 2:33:39 PM, information: Windows File Protection [64020] - Windows File Protection scan found that the system file c:\windows\system32\atl.dll has a bad signature. This file was restored to the original version to maintain system stability. The file version of the system file is 3.5.2284.2.
4/10/2010 2:33:39 PM, information: Windows File Protection [64004] - The protected system file c:\windows\system32\atl.dll could not be restored to its original, valid version. The file version of the bad file is 3.5.2284.2 The specific error code is 0x000006b5 [The interface is unknown. ].
4/10/2010 2:33:38 PM, information: Windows File Protection [64020] - Windows File Protection scan found that the system file c:\windows\system32\asferror.dll has a bad signature. This file was restored to the original version to maintain system stability. The file version of the system file is 11.0.5721.5145.
4/10/2010 2:33:38 PM, information: Windows File Protection [64004] - The protected system file c:\windows\system32\asferror.dll could not be restored to its original, valid version. The file version of the bad file is 11.0.5721.5145 The specific error code is 0x000006b5 [The interface is unknown. ].
4/10/2010 2:33:37 PM, information: Windows File Protection [64020] - Windows File Protection scan found that the system file c:\windows\system32\drivers\afd.sys has a bad signature. This file was restored to the original version to maintain system stability. The file version of the system file is 5.1.2600.5657.
4/10/2010 2:33:37 PM, information: Windows File Protection [64004] - The protected system file c:\windows\system32\drivers\afd.sys could not be restored to its original, valid version. The file version of the bad file is 5.1.2600.5657 The specific error code is 0x000006b5 [The interface is unknown. ].
4/10/2010 2:33:26 PM, information: Windows File Protection [64020] - Windows File Protection scan found that the system file c:\windows\inf\unregmp2.exe has a bad signature. This file was restored to the original version to maintain system stability. The file version of the system file is 11.0.5721.5235.
4/10/2010 2:33:26 PM, information: Windows File Protection [64004] - The protected system file c:\windows\system32\strmdll.dll could not be restored to its original, valid version. The file version of the bad file is 4.1.0.3938 The specific error code is 0x000006b5 [The interface is unknown. ].
4/10/2010 2:33:26 PM, information: Windows File Protection [64004] - The protected system file c:\windows\inf\unregmp2.exe could not be restored to its original, valid version. The file version of the bad file is 11.0.5721.5235 The specific error code is 0x000006b5 [The interface is unknown. ].
4/10/2010 2:33:25 PM, information: Windows File Protection [64020] - Windows File Protection scan found that the system file c:\windows\system32\strmdll.dll has a bad signature. This file was restored to the original version to maintain system stability. The file version of the system file is 4.1.0.3938.
4/10/2010 2:33:16 PM, information: Windows File Protection [64020] - Windows File Protection scan found that the system file c:\program files\common files\system\msadc\msadce.dll has a bad signature. This file was restored to the original version to maintain system stability. The file version of the system file is 2.81.3002.0.
4/10/2010 2:33:16 PM, information: Windows File Protection [64004] - The protected system file rasacd.sys could not be restored to its original, valid version. The file version of the bad file is 5.1.2600.0 The specific error code is 0x000006b5 [The interface is unknown. ].
4/10/2010 2:33:16 PM, information: Windows File Protection [64004] - The protected system file c:\program files\common files\system\msadc\msadce.dll could not be restored to its original, valid version. The file version of the bad file is 2.81.3002.0 The specific error code is 0x000006b5 [The interface is unknown. ].
4/10/2010 2:33:15 PM, information: Windows File Protection [64020] - Windows File Protection scan found that the system file c:\windows\system32\logagent.exe has a bad signature. This file was restored to the original version to maintain system stability. The file version of the system file is 11.0.5721.5251.
4/10/2010 2:33:15 PM, information: Windows File Protection [64004] - The protected system file c:\windows\system32\logagent.exe could not be restored to its original, valid version. The file version of the bad file is 11.0.5721.5251 The specific error code is 0x000006b5 [The interface is unknown. ].
4/10/2010 2:33:15 PM, information: Windows File Protection [64004] - The protected system file c:\windows\system32\laprxy.dll could not be restored to its original, valid version. The file version of the bad file is 11.0.5721.5145 The specific error code is 0x000006b5 [The interface is unknown. ].
4/10/2010 2:33:14 PM, information: Windows File Protection [64020] - Windows File Protection scan found that the system file c:\windows\system32\laprxy.dll has a bad signature. This file was restored to the original version to maintain system stability. The file version of the system file is 11.0.5721.5145.
4/10/2010 2:07:15 PM, information: Windows File Protection [64005] - The protected system file rasacd.sys was not restored to its original, valid version because the Windows File Protection restoration process was cancelled by user interaction, user name is Todd. The file version of the bad file is unknown.
4/10/2010 12:23:18 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AvgLdx86
4/10/2010 12:23:11 PM, error: Service Control Manager [7024] - The AVG Free WatchDog service terminated with service-specific error 3758161981 (0xE001003D).
4/10/2010 12:11:50 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}
4/10/2010 11:01:08 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AvgLdx86 AvgMfx86 Fips intelppm pavboot SASDIFSV SASKUTIL
4/10/2010 11:00:21 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
4/10/2010 10:24:32 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: pavboot
4/10/2010 10:24:09 AM, error: NETLOGON [3095] - This computer is configured as a member of a workgroup, not as a member of a domain. The Netlogon service does not need to run in this configuration.
4/10/2010 10:23:57 AM, error: Ftdisk [49] - Configuring the Page file for crash dump failed. Make sure there is a page file on the boot partition and that is large enough to contain all physical memory.
4/10/2010 10:23:57 AM, error: Ftdisk [45] - The system could not sucessfully load the crash dump driver.
4/10/2010 1:14:37 PM, information: Windows File Protection [64017] - Windows File Protection file scan completed successfully.
4/10/2010 1:13:13 PM, information: Windows File Protection [64020] - Windows File Protection scan found that the system file c:\windows\system32\setup\msmqocm.dll has a bad signature. This file was restored to the original version to maintain system stability. The file version of the system file is 5.1.0.1111.
4/10/2010 1:13:13 PM, information: Windows File Protection [64020] - Windows File Protection scan found that the system file c:\windows\system32\setup\msmqocm.dll has a bad signature. This file was restored to the original version to maintain system stability. The file version of the system file is 5.1.0.1110.
4/10/2010 1:13:07 PM, information: Windows File Protection [64020] - Windows File Protection scan found that the system file c:\windows\system32\mqutil.dll has a bad signature. This file was restored to the original version to maintain system stability. The file version of the system file is 5.1.0.1111.
4/10/2010 1:13:07 PM, information: Windows File Protection [64020] - Windows File Protection scan found that the system file c:\windows\system32\mqutil.dll has a bad signature. This file was restored to the original version to maintain system stability. The file version of the system file is 5.1.0.1110.
4/10/2010 1:13:07 PM, information: Windows File Protection [64020] - Windows File Protection scan found that the system file c:\windows\system32\mqupgrd.dll has a bad signature. This file was restored to the original version to maintain system stability. The file version of the system file is 5.1.0.1110.
4/10/2010 1:13:06 PM, information: Windows File Protection [64020] - Windows File Protection scan found that the system file c:\windows\system32\mqupgrd.dll has a bad signature. This file was restored to the original version to maintain system stability. The file version of the system file is 5.1.0.1111.
4/10/2010 1:13:06 PM, information: Windows File Protection [64020] - Windows File Protection scan found that the system file c:\windows\system32\mqtrig.dll has a bad signature. This file was restored to the original version to maintain system stability. The file version of the system file is 5.1.0.1111.
4/10/2010 1:13:06 PM, information: Windows File Protection [64020] - Windows File Protection scan found that the system file c:\windows\system32\mqtrig.dll has a bad signature. This file was restored to the original version to maintain system stability. The file version of the system file is 5.1.0.1110.
4/10/2010 1:13:06 PM, information: Windows File Protection [64020] - Windows File Protection scan found that the system file c:\windows\system32\mqtgsvc.exe has a bad signature. This file was restored to the original version to maintain system stability. The file version of the system file is 5.1.0.1111.
4/10/2010 1:13:06 PM, information: Windows File Protection [64020] - Windows File Protection scan found that the system file c:\windows\system32\mqtgsvc.exe has a bad signature. This file was restored to the original version to maintain system stability. The file version of the system file is 5.1.0.1110.
4/10/2010 1:13:05 PM, information: Windows File Protection [64020] - Windows File Protection scan found that the system file c:\windows\system32\mqsvc.exe has a bad signature. This file was restored to the original version to maintain system stability. The file version of the system file is 5.1.0.1111.
4/10/2010 1:13:05 PM, information: Windows File Protection [64020] - Windows File Protection scan found that the system file c:\windows\system32\mqsvc.exe has a bad signature. This file was restored to the original version to maintain system stability. The file version of the system file is 5.1.0.1110.
4/10/2010 1:13:05 PM, information: Windows File Protection [64020] - Windows File Protection scan found that the system file c:\windows\system32\mqsnap.dll has a bad signature. This file was restored to the original version to maintain system stability. The file version of the system file is 5.1.0.1111.
4/10/2010 1:13:05 PM, information: Windows File Protection [64020] - Windows File Protection scan found that the system file c:\windows\system32\mqsnap.dll has a bad signature. This file was restored to the original version to maintain system stability. The file version of the system file is 5.1.0.1110.
4/10/2010 1:13:05 PM, information: Windows File Protection [64020] - Windows File Protection scan found that the system file c:\windows\system32\mqsec.dll has a bad signature. This file was restored to the original version to maintain system stability. The file version of the system file is 5.1.0.1110.
4/10/2010 1:13:04 PM, information: Windows File Protection [64020] - Windows File Protection scan found that the system file c:\windows\system32\mqsec.dll has a bad signature. This file was restored to the original version to maintain system stability. The file version of the system file is 5.1.0.1111.
4/10/2010 1:13:04 PM, information: Windows File Protection [64020] - Windows File Protection scan found that the system file c:\windows\system32\mqrtdep.dll has a bad signature. This file was restored to the original version to maintain system stability. The file version of the system file is 5.1.0.1111.
4/10/2010 1:13:04 PM, information: Windows File Protection [64020] - Windows File Protection scan found that the system file c:\windows\system32\mqrtdep.dll has a bad signature. This file was restored to the original version to maintain system stability. The file version of the system file is 5.1.0.1110.
4/10/2010 1:13:04 PM, information: Windows File Protection [64020] - Windows File Protection scan found that the system file c:\windows\system32\mqrt.dll has a bad signature. This file was restored to the original version to maintain system stability. The file version of the system file is 5.1.0.1111.
4/10/2010 1:13:04 PM, information: Windows File Protection [64020] - Windows File Protection scan found that the system file c:\windows\system32\mqrt.dll has a bad signature. This file was restored to the original version to maintain system stability. The file version of the system file is 5.1.0.1110.
4/10/2010 1:13:04 PM, information: Windows File Protection [64020] - Windows File Protection scan found that the system file c:\windows\system32\mqqm.dll has a bad signature. This file was restored to the original version to maintain system stability. The file version of the system file is 5.1.0.1110.
4/10/2010 1:13:03 PM, information: Windows File Protection [64020] - Windows File Protection scan found that the system file c:\windows\system32\mqqm.dll has a bad signature. This file was restored to the original version to maintain system stability. The file version of the system file is 5.1.0.1111.
4/10/2010 1:13:03 PM, information: Windows File Protection [64020] - Windows File Protection scan found that the system file c:\windows\system32\mqoa.dll has a bad signature. This file was restored to the original version to maintain system stability. The file version of the system file is 5.1.0.1111.
4/10/2010 1:13:03 PM, information: Windows File Protection [64020] - Windows File Protection scan found that the system file c:\windows\system32\mqoa.dll has a bad signature. This file was restored to the original version to maintain system stability. The file version of the system file is 5.1.0.1110.
4/10/2010 1:13:03 PM, information: Windows File Protection [64020] - Windows File Protection scan found that the system file c:\windows\system32\mqise.dll has a bad signature. This file was restored to the original version to maintain system stability. The file version of the system file is 5.1.0.1110.
4/10/2010 1:13:02 PM, information: Windows File Protection [64020] - Windows File Protection scan found that the system file c:\windows\system32\mqise.dll has a bad signature. This file was restored to the original version to maintain system stability. The file version of the system file is 5.1.0.1111.
4/10/2010 1:13:02 PM, information: Windows File Protection [64020] - Windows File Protection scan found that the system file c:\windows\system32\mqdscli.dll has a bad signature. This file was restored to the original version to maintain system stability. The file version of the system file is 5.1.0.1111.
4/10/2010 1:13:02 PM, information: Windows File Protection [64020] - Windows File Protection scan found that the system file c:\windows\system32\mqdscli.dll has a bad signature. This file was restored to the original version to maintain system stability. The file version of the system file is 5.1.0.1110.
4/10/2010 1:13:02 PM, information: Windows File Protection [64020] - Windows File Protection scan found that the system file c:\windows\system32\mqbkup.exe has a bad signature. This file was restored to the original version to maintain system stability. The file version of the system file is 5.1.0.1111.
4/10/2010 1:13:02 PM, information: Windows File Protection [64020] - Windows File Protection scan found that the system file c:\windows\system32\mqbkup.exe has a bad signature. This file was restored to the original version to maintain system stability. The file version of the system file is 5.1.0.1110.
4/10/2010 1:13:02 PM, information: Windows File Protection [64020] - Windows File Protection scan found that the system file c:\windows\system32\mqad.dll has a bad signature. This file was restored to the original version to maintain system stability. The file version of the system file is 5.1.0.1110.
4/10/2010 1:13:01 PM, information: Windows File Protection [64020] - Windows File Protection scan found that the system file c:\windows\system32\mqad.dll has a bad signature. This file was restored to the original version to maintain system stability. The file version of the system file is 5.1.0.1111.
4/10/2010 1:13:01 PM, information: Windows File Protection [64020] - Windows File Protection scan found that the system file c:\windows\system32\drivers\mqac.sys has a bad signature. This file was restored to the original version to maintain system stability. The file version of the system file is 5.1.0.1111.
4/10/2010 1:13:01 PM, information: Windows File Protection [64020] - Windows File Protection scan found that the system file c:\windows\system32\drivers\mqac.sys has a bad signature. This file was restored to the original version to maintain system stability. The file version of the system file is 5.1.0.1110.
4/10/2010 1:10:55 PM, information: Windows File Protection [64016] - Windows File Protection file scan was started.

==== End Of File ===========================

Edited by extremeboy, 13 April 2010 - 03:55 PM.
Removed [ code ] tags


#4 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • Gender:Male
  • Local time:08:57 PM

Posted 13 April 2010 - 03:58 PM

Hi cotraveler,

Many thanks for your detailed explanation.

Your computer is seriously infected here. We'll need to deal with this, but before we continue I would like you to do one thing, and I also want to ask you a question.

Backup Registry with ERUNT

This tool will create a complete backup of your registry. A backup is created to ensure we have one in case anything goes wrong, so we can deal with it. Do not delete these backups until we are finished.
  • Please download erunt-setup.exe to your desktop.
  • Double click erunt-setup.exe. Follow the prompts and allow ERUNT to be installed with the settings at default. If you do not want a Desktop icon, feel free to uncheck that. When asked if you want to create an ERUNT entry in the startup folder, answer Yes. You can delete the installation file after use.
  • Erunt will open when the installation is finished. Check all items to be backed up in the default location and click OK.
You can find a complete guide to using the program here:
http://www.larshederer.homepage.t-online.de/erunt/erunt.txt

Question:

Do you still have your Windows XP CD with you? We may need it later on, but also, with all the Windows File Protection warnings, it may indicate you have a patching virus on your system. We'll see.

Let's start with Combofix. Any warning/problems, let me know before continuing.

Download and Run ComboFix

Note to readers of this post other than the starter of this thread:
ComboFix is a VERY POWERFUL tool which should NOT BE USED without guidance of an expert.

Download Combofix from any of the links below, and save it to your desktop.
Link 1
Link 2

Please refer to this page for full instructions on how to run ComboFix.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Double click ComboFix.exe to start the program. Agree to the prompts.
  • When ComboFix is finished, a log report (C:\ComboFix.txt) will open. Post back with it.
Leave your computer alone while ComboFix is running.

ComboFix will restart your computer if malware is found; allow it to do so.


Note: Please do NOT mouse-click ComboFix's window while it's running because it may cause it to stall.



Note: Please do not PM me asking for help; instead, please post a request for help in the correct forum. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.
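The remark above that the run of Windows File Protection warnings may point to a file-patching infection is the kind of signal worth pulling out of a DDS event-log dump mechanically rather than by eye. The following Python script is an added example for this thread, not a tool the helpers here use: it parses the event-log lines in the format DDS prints (the sample lines are copied from the log posted earlier in this thread), correlates WFP event IDs 64020, 64004 and 64005 per file, and lists the files that were flagged with a bad signature and still could not be restored, which is the set to compare against known-good copies from the install CD. Nothing is assumed beyond the line format visible in the posted log.

```python
"""Triage helper for Windows File Protection (WFP) events in a DDS event-log dump.

Event IDs as they appear in the thread's log:
  64020 - scan found a protected file with a bad signature and restored it
  64004 - restoring the protected file failed (error code in the message)
  64005 - restoration was cancelled by the user
"""
import re
from collections import Counter

# Sample input: lines copied from the DDS event log posted in this thread.
SAMPLE_LOG = r"""
4/10/2010 2:33:42 PM, information: Windows File Protection [64004] - The protected system file c:\windows\system32\blackbox.dll could not be restored to its original, valid version. The file version of the bad file is 11.0.5721.5145 The specific error code is 0x000006b5 [The interface is unknown. ].
4/10/2010 2:33:41 PM, information: Windows File Protection [64004] - The protected system file c:\windows\system32\avifil32.dll could not be restored to its original, valid version. The file version of the bad file is 5.1.2600.5908 The specific error code is 0x000006b5 [The interface is unknown. ].
4/10/2010 2:33:40 PM, information: Windows File Protection [64020] - Windows File Protection scan found that the system file c:\windows\system32\avifil32.dll has a bad signature. This file was restored to the original version to maintain system stability. The file version of the system file is 5.1.2600.5908.
4/10/2010 2:33:37 PM, information: Windows File Protection [64020] - Windows File Protection scan found that the system file c:\windows\system32\drivers\afd.sys has a bad signature. This file was restored to the original version to maintain system stability. The file version of the system file is 5.1.2600.5657.
4/10/2010 2:33:37 PM, information: Windows File Protection [64004] - The protected system file c:\windows\system32\drivers\afd.sys could not be restored to its original, valid version. The file version of the bad file is 5.1.2600.5657 The specific error code is 0x000006b5 [The interface is unknown. ].
4/10/2010 2:33:16 PM, information: Windows File Protection [64020] - Windows File Protection scan found that the system file c:\program files\common files\system\msadc\msadce.dll has a bad signature. This file was restored to the original version to maintain system stability. The file version of the system file is 2.81.3002.0.
4/10/2010 2:33:16 PM, information: Windows File Protection [64004] - The protected system file c:\program files\common files\system\msadc\msadce.dll could not be restored to its original, valid version. The file version of the bad file is 2.81.3002.0 The specific error code is 0x000006b5 [The interface is unknown. ].
4/10/2010 2:07:15 PM, information: Windows File Protection [64005] - The protected system file rasacd.sys was not restored to its original, valid version because the Windows File Protection restoration process was cancelled by user interaction, user name is Todd. The file version of the bad file is unknown.
4/10/2010 12:23:18 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AvgLdx86
4/10/2010 1:13:01 PM, information: Windows File Protection [64020] - Windows File Protection scan found that the system file c:\windows\system32\drivers\mqac.sys has a bad signature. This file was restored to the original version to maintain system stability. The file version of the system file is 5.1.0.1111.
"""

# "4/10/2010 2:33:42 PM, information: Windows File Protection [64004] - <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M), "
    r"(?P<level>\w+): (?P<source>.+?) \[(?P<eid>\d+)\] - (?P<msg>.*)$"
)
# Paths may contain spaces (c:\program files\...), so match lazily up to the fixed phrase.
BAD_SIG_RE = re.compile(r"system file (?P<path>.+?) has a bad signature\.")
NOT_RESTORED_RE = re.compile(
    r"protected system file (?P<path>.+?) could not be restored.*?"
    r"error code is (?P<code>0x[0-9A-Fa-f]+)"
)
CANCELLED_RE = re.compile(r"protected system file (?P<path>.+?) was not restored")


def parse_events(text):
    """Split a DDS event-log dump into dicts; lines that do not fit the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ev = m.groupdict()
            ev["eid"] = int(ev["eid"])
            events.append(ev)
    return events


def summarize_wfp(events):
    """Correlate WFP events per file path (lower-cased, as DDS already prints them)."""
    bad_signature, restore_failed, cancelled = set(), {}, []
    for ev in events:
        if ev["source"] != "Windows File Protection":
            continue
        msg = ev["msg"]
        if ev["eid"] == 64020:
            m = BAD_SIG_RE.search(msg)
            if m:
                bad_signature.add(m["path"].lower())
        elif ev["eid"] == 64004:
            m = NOT_RESTORED_RE.search(msg)
            if m:
                restore_failed[m["path"].lower()] = m["code"].lower()
        elif ev["eid"] == 64005:
            m = CANCELLED_RE.search(msg)
            if m:
                cancelled.append(m["path"].lower())
    return {
        "bad_signature": sorted(bad_signature),
        "restore_failed": restore_failed,
        "cancelled": cancelled,
        # Flagged as tampered and still not repaired: the files to check first.
        "unrecovered": sorted(bad_signature & set(restore_failed)),
        "event_counts": Counter((ev["source"], ev["eid"]) for ev in events),
    }


def report(text):
    """Human-readable triage summary for one event-log dump."""
    s = summarize_wfp(parse_events(text))
    lines = [
        f"WFP files with bad signature: {len(s['bad_signature'])}",
        f"WFP restores that failed:     {len(s['restore_failed'])}",
        f"Restores cancelled by user:   {', '.join(s['cancelled']) or 'none'}",
        "Flagged and NOT repaired (compare against known-good media):",
    ]
    lines += [f"  {p}  (error {s['restore_failed'][p]})" for p in s["unrecovered"]]
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

A file that appears only under 64004 (blackbox.dll in the sample) is a failed restore whose matching 64020 line happened to fall outside the excerpt, and a file that appears only under 64020 (mqac.sys) was repaired successfully; only the intersection is reported as unrecovered, so the report stays honest about what the excerpt actually proves.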

#5 cotraveler

cotraveler
  • Topic Starter

  • Members
  • 16 posts
  • Local time:08:57 PM

Posted 13 April 2010 - 07:45 PM

Hi extremeboy,

You're very welcome for the detailed description. Thank you very much for the help.
  • I backed up my registry with ERUNT.
  • Yes, I have the XP CD.
  • I disabled my only active anti-virus, AVG, and ran Combofix. The resulting log is as follows:

combofix.txt
ComboFix 10-04-13.02 - Todd 04/13/2010 17:14:29.11.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1476 [GMT -4:00]
Running from: c:\documents and settings\Todd\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((( Files Created from 2010-03-13 to 2010-04-13 )))))))))))))))))))))))))))))))
.

2010-04-13 21:09 . 2010-04-13 21:09 -------- d-----w- C:\goodjavaCF
2010-04-13 21:08 . 2010-04-13 21:08 -------- d-----w- c:\windows\LastGood
2010-04-13 21:07 . 2010-04-13 21:07 -------- d-----w- c:\program files\ERUNT
2010-04-12 15:45 . 2010-04-12 15:45 -------- d-----w- C:\cotravelerCF14057c
2010-04-11 01:02 . 2010-03-30 04:46 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-11 01:02 . 2010-03-30 04:45 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-11 00:42 . 2010-04-11 00:56 -------- d-----w- C:\cotravelerCF
2010-04-11 00:39 . 2010-04-11 00:40 -------- d-----w- C:\freecoffee17331f
2010-04-11 00:11 . 2010-04-11 00:30 -------- d-----w- C:\freecoffee9916f
2010-04-10 22:45 . 2010-04-10 22:45 -------- d-----w- c:\program files\ESET
2010-04-10 18:02 . 2009-07-01 15:54 701440 ----a-w- c:\windows\system32\cohelper.dll
2010-04-10 18:02 . 2009-06-01 05:11 5876 ----a-w- c:\windows\system32\drivers\nvphy.bin
2010-04-10 18:02 . 2009-07-01 04:42 485920 ----a-w- c:\windows\system32\nvunrm.exe
2010-04-10 16:47 . 2010-04-10 16:47 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-04-10 16:47 . 2010-04-10 16:47 242696 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-04-10 16:47 . 2010-04-10 16:47 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-04-10 16:47 . 2010-04-10 16:47 29512 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-04-10 16:46 . 2010-04-13 12:10 -------- d-----w- c:\windows\system32\drivers\Avg
2010-04-10 16:27 . 2010-04-10 16:27 -------- d-----w- c:\windows\system32\wbem\Repository
2010-04-10 16:27 . 2010-04-10 16:27 -------- d-----w- C:\freecoffee24757f
2010-04-10 16:26 . 2010-04-10 16:26 -------- d-----w- c:\documents and settings\Todd\Application Data\AVG9
2010-04-10 13:56 . 2010-04-10 13:57 90440 ----a-w- c:\documents and settings\Todd\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-04-08 10:04 . 2010-04-08 10:05 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-04-07 12:22 . 2010-04-07 12:22 -------- d-----w- C:\$AVG
2010-04-06 20:10 . 2010-04-06 20:10 -------- d-----w- c:\program files\Panda Security
2010-04-06 15:00 . 2010-04-06 15:00 -------- d-----w- c:\program files\AVG
2010-04-06 15:00 . 2010-04-10 16:44 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2010-04-06 12:06 . 2010-04-06 12:06 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2010-03-31 10:10 . 2010-02-25 06:24 611840 -c----w- c:\windows\system32\dllcache\mstime.dll
2010-03-31 10:10 . 2010-02-25 06:24 25600 -c----w- c:\windows\system32\dllcache\jsproxy.dll
2010-03-31 10:10 . 2010-02-25 06:24 184320 -c----w- c:\windows\system32\dllcache\iepeers.dll
2010-03-31 10:10 . 2010-02-25 06:24 916480 -c----w- c:\windows\system32\dllcache\wininet.dll
2010-03-31 10:10 . 2010-02-25 06:24 206848 -c----w- c:\windows\system32\dllcache\occache.dll
2010-03-31 10:10 . 2010-02-25 06:24 387584 -c----w- c:\windows\system32\dllcache\iedkcs32.dll
2010-03-31 10:10 . 2010-02-24 09:54 173056 -c----w- c:\windows\system32\dllcache\ie4uinit.exe
2010-03-31 10:10 . 2010-02-25 06:24 1209344 -c----w- c:\windows\system32\dllcache\urlmon.dll
2010-03-31 10:10 . 2010-02-25 06:24 5944832 -c----w- c:\windows\system32\dllcache\mshtml.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-13 21:25 . 2003-07-16 16:36 8832 ----a-w- c:\windows\system32\drivers\rasacd.sys
2010-04-12 14:34 . 2007-12-01 05:23 -------- d-----w- c:\program files\Common Files\Adobe
2010-04-11 20:22 . 2009-02-06 16:59 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2010-04-11 01:11 . 2008-04-21 22:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-04-11 01:02 . 2010-01-24 15:32 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-10 16:27 . 2007-12-01 05:10 -------- d-----w- c:\program files\Java
2010-04-10 16:26 . 2010-01-26 17:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-04-10 16:26 . 2007-12-01 03:55 -------- d-----w- c:\program files\Mozilla Firefox (old)
2010-04-06 18:30 . 2009-11-01 20:15 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-04-06 18:27 . 2009-11-01 20:15 117760 ----a-w- c:\documents and settings\Todd\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-04-06 18:25 . 2009-09-20 04:21 -------- d-----w- c:\program files\CCleaner
2010-04-05 16:43 . 2007-12-01 05:10 -------- d-----w- c:\program files\Common Files\Java
2010-04-01 16:07 . 2007-12-11 03:34 -------- d-----w- c:\documents and settings\Todd\Application Data\gtk-2.0
2010-03-26 16:02 . 2008-04-21 23:07 -------- d-----w- c:\program files\World of Warcraft
2010-03-17 17:56 . 2007-12-04 00:33 -------- d-----w- c:\documents and settings\Todd\Application Data\FileZilla
2010-03-13 14:32 . 2007-12-01 05:40 -------- d-----w- c:\program files\NVIDIA Corporation
2010-03-13 14:31 . 2010-03-13 14:31 -------- d-----w- c:\program files\AGEIA Technologies
2010-03-13 14:31 . 2009-02-19 18:44 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-03-13 14:31 . 2010-03-13 14:31 -------- d-----w- c:\documents and settings\All Users\Application Data\NVIDIA Corporation
2010-03-13 14:25 . 2010-03-13 14:25 -------- d-----w- c:\program files\SystemRequirementsLab
2010-03-13 14:25 . 2010-03-13 14:25 -------- d-----w- c:\documents and settings\Todd\Application Data\SystemRequirementsLab
2010-03-13 14:25 . 2010-03-13 14:25 290816 ----a-w- c:\documents and settings\Todd\Application Data\SystemRequirementsLab\SRLProxy_nvd_4.dll
2010-03-13 14:25 . 2010-03-13 14:25 290816 ----a-w- c:\documents and settings\Todd\Application Data\SystemRequirementsLab\SRLProxy_nvd_3.dll
2010-03-13 14:25 . 2010-03-13 14:25 290816 ----a-w- c:\documents and settings\Todd\Application Data\SystemRequirementsLab\SRLProxy_nvd_2.dll
2010-03-13 14:25 . 2010-03-13 14:25 290816 ----a-w- c:\documents and settings\Todd\Application Data\SystemRequirementsLab\SRLProxy_nvd_1.dll
2010-03-09 18:03 . 2010-03-09 18:00 -------- d-----w- c:\program files\Rawr v2.3.11
2010-03-09 08:28 . 2008-12-30 04:39 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-02-27 16:23 . 2010-02-27 16:23 -------- d-----w- c:\documents and settings\All Users\Application Data\Office Genuine Advantage
2010-02-25 06:24 . 2006-06-23 16:33 916480 ------w- c:\windows\system32\wininet.dll
2010-02-23 18:15 . 2010-02-23 14:48 -------- d-----w- c:\program files\Rawr v2.3.10
2010-01-18 00:04 . 2010-01-18 00:04 52224 ----a-w- c:\documents and settings\Todd\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVIDIA nTune"="c:\program files\NVIDIA Corporation\nTune\nTuneCmd.exe" [2007-09-05 81920]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-21 305440]
"TrueImageMonitor.exe"="c:\program files\Acronis\TrueImageHome\TrueImageMonitor.exe" [2009-06-10 1326080]
"AcronisTimounterMonitor"="c:\program files\Acronis\TrueImageHome\TimounterMonitor.exe" [2009-06-10 904840]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-01-12 13666408]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2010-01-12 110696]

c:\documents and settings\Justine\Start Menu\Programs\Startup\
OpenOffice.org 3.1.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2009-8-18 384000]

c:\documents and settings\Todd\Start Menu\Programs\Startup\
AVG Free Tray Icon.lnk - c:\program files\AVG\AVG9\avgtray.exe [2010-4-10 2064224]
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Monitor Apache Servers.lnk - c:\program files\Apache Software Foundation\Apache2.2\bin\ApacheMonitor.exe [2008-1-18 41041]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-04-10 16:47 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^Todd^Start Menu^Programs^Startup^OpenOffice.org 2.3.lnk]
path=c:\documents and settings\Todd\Start Menu\Programs\Startup\OpenOffice.org 2.3.lnk
backup=c:\windows\pss\OpenOffice.org 2.3.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
2005-05-04 01:43 69632 ----a-r- c:\windows\Alcmtr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DMXLauncher]
2007-02-12 08:24 109304 ----a-w- c:\program files\Roxio\Media Experience\DMXLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
2007-01-01 21:22 3739648 ----a-w- c:\program files\Google\Google Talk\googletalk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-11-11 04:08 417792 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
2007-02-12 14:05 1121016 ----a-w- c:\program files\Roxio\Drag-to-Disc\DrgToDsc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
2006-09-12 23:58 16264192 ----a-r- c:\windows\RTHDCPL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel]
2006-05-17 01:04 2879488 ----a-r- c:\windows\SkyTel.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"stllssvr"=3 (0x3)
"RoxMediaDB9"=3 (0x3)
"RoxLiveShare9"=2 (0x2)
"Roxio Upnp Server 9"=2 (0x2)
"Roxio UPnP Renderer 9"=3 (0x3)
"NoIPDUCService"=2 (0x2)
"Apache2.2"=3 (0x3)
"AcrSch2Svc"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"c:\\Program Files\\Trillian\\trillian.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Documents and Settings\\Todd\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
"c:\\Documents and Settings\\Todd\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [9/19/2009 11:33 PM 130936]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [4/10/2010 12:47 PM 216200]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [4/10/2010 12:47 PM 242696]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [10/12/2009 10:24 PM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [10/12/2009 10:24 PM 66632]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [4/10/2010 12:46 PM 308064]
S0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys --> c:\windows\system32\drivers\pavboot.sys [?]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [10/12/2009 10:24 PM 12872]
S4 Apache2.2;Apache2.2;c:\program files\Apache Software Foundation\Apache2.2\bin\httpd.exe [1/18/2008 12:37 AM 24635]
.
Contents of the 'Scheduled Tasks' folder

2010-04-12 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-682003330-602162358-839522115-1003Core.job
- c:\documents and settings\Todd\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-08-01 20:27]

2010-04-13 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-682003330-602162358-839522115-1003UA.job
- c:\documents and settings\Todd\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-08-01 20:27]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: microsoft.com\update
Trusted Zone: microsoft.com\windowsupdate
FF - ProfilePath - c:\documents and settings\Todd\Application Data\Mozilla\Firefox\Profiles\0fr5x8wq.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
FF - plugin: c:\documents and settings\Todd\Application Data\Mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\Todd\Local Settings\Application Data\Google\Update\1.2.183.7\npGoogleOneClick8.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-13 17:24
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll SCSIPORT.SYS >>UNKNOWN [0x89BA58B4]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xb810cf28
\Driver\ACPI -> ACPI.sys @ 0xb7f7fcb8
\Driver\atapi -> atapi.sys @ 0xb7f11852
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
NDIS: NVIDIA nForce 10/100/1000 Mbps Ethernet -> SendCompleteHandler -> NDIS.sys @ 0xb7d73bb0
PacketIndicateHandler -> NDIS.sys @ 0xb7d80a21
SendHandler -> NDIS.sys @ 0xb7d5e87b
user & kernel MBR OK

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1064)
c:\windows\system32\WININET.dll

- - - - - - - > 'lsass.exe'(1128)
c:\windows\system32\WININET.dll
c:\windows\system32\relog_ap.dll

- - - - - - - > 'explorer.exe'(3844)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\windows\system32\hnetcfg.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-04-13 17:29:01
ComboFix-quarantined-files.txt 2010-04-13 21:28
ComboFix2.txt 2010-04-12 16:03

Pre-Run: 11,409,682,432 bytes free
Post-Run: 11,371,876,352 bytes free

Current=1 Default=1 Failed=0 LastKnownGood=8 Sets=1,2,4,5,6,7,8
- - End Of File - - 4033EE303336C45E87BE3D7A8C86EFA3

Edited by cotraveler, 13 April 2010 - 08:40 PM.


#6 extremeboy

  • Malware Response Team
  • 12,975 posts

Posted 14 April 2010 - 08:03 PM

Hello.

Thanks for that information. It seems the main infection is still active; we need to disable and remove that first.

I would like you to run GMER again with the following instructions please...

Download and Run GMER

We will use GMER to scan for rootkits.
  • Please download GMER from one of the following locations, and save it to your desktop:
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop. Unzip/extract the file to its own folder. (Click here for information on how to do this if not sure. Win 2000 users click here.)

  • Close any and all open programs, as this process may crash your computer.
  • Double click or on your desktop.
  • When you have done this, close all running programs.
    There is a small chance this application may crash your computer so save any work you have open.
  • Double-click on Gmer.exe to start the program. Right-click and select Run As Administrator... if you are using Vista
  • Allow the gmer.sys driver to load if asked.

    If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system... Click NO.
  • In the right panel, you will see several boxes that have been checked. Please UNCHECK the following:
    • Registry
    • Show all (Don't miss this one! Must be unchecked)
  • Click on and wait for the scan to finish.
  • If you see a rootkit warning window, click OK.
  • Push and save the logfile to your desktop.
  • Copy and Paste the contents of that file in your next post.

If GMER doesn't work in Normal Mode try running it in Safe Mode

Then, let's run TDSSKiller...
  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.
  • Go to Start > Run (Or you can hold down your Windows key and press R) and copy and paste the following into the text field. (make sure you include the quote marks) Then press OK. (If Vista, click on the Vista Orb and copy and paste the following into the Search field. (make sure you include the quotation marks) Then press Ctrl+Shift+Enter.)


    "%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v

  • If it says "Hidden service detected" DO NOT type anything in. Just press Enter on your keyboard to not do anything to the file.
  • It may ask you to reboot the computer to complete the process. Allow it to do so.
  • When it is done, a log file should be created on your C: drive called "TDSSKiller.txt" please copy and paste the contents of that file here.
Note: Do Not run any program while GMER is running
*Note*: Rootkit scans often produce false positives. Do NOT take any actions on "<--- ROOTKIT" entries
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.
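The note above about false positives is the practical difficulty with rootkit scanner output: an SSDT hook or a filter driver is exactly what a legitimate security product installs too, so the first question for each entry is "which module did this, and do we know it?". The Python below is an added triage helper, not part of this thread and not GMER's own code. It parses the three entry shapes GMER 1.0.15 prints (SSDT hooks, user-mode inline JMP hooks and AttachedDevice filters, modelled on the log posted later in this thread), attributes each to the vendor string GMER shows, and puts everything it cannot attribute to an operator-maintained allowlist into a review pile. The `TRUSTED_VENDORS` set and the `example_unattributed.sys` entry in the sample log are assumptions constructed for the example.

```python
"""Triage helper for GMER-style rootkit log lines (constructed example)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Entry shapes modelled on GMER 1.0.15 output: an SSDT hook (a kernel service
# table entry redirected into a driver), a user-mode inline hook (the first
# bytes of an exported function overwritten with a JMP), and a filter driver
# attached to a device. The "(description/vendor)" part is the hooking
# module's file version info; GMER omits it when the file carries none.
SSDT_RE = re.compile(
    r"^SSDT\s+(?P<module>\S+)"
    r"(?:\s+\((?P<desc>[^/]+)/(?P<vendor>[^)]+)\))?"
    r"\s+(?P<target>Zw\w+)\s+\[(?P<addr>0x[0-9A-Fa-f]+)\]$"
)
INLINE_RE = re.compile(
    r"^\.text\s+(?P<process>.+?)\[(?P<pid>\d+)\]\s+(?P<target>[\w.]+!\w+)\s+"
    r"(?P<addr>[0-9A-Fa-f]+)\s+(?P<nbytes>\d+)\s+Bytes\s+JMP\s+(?P<dest>[0-9A-Fa-f]+)$"
)
ATTACHED_RE = re.compile(
    r"^AttachedDevice\s+(?P<driver>\S+)\s+(?P<device>\S+)\s+(?P<module>\S+)"
    r"(?:\s+\((?P<desc>[^/]+)/(?P<vendor>[^)]+)\))?$"
)

# Assumed allowlist of vendors the operator has verified are installed on the
# machine. This is only a triage aid: the vendor string is file version info,
# which any file can carry, so it is not a substitute for a signature check.
TRUSTED_VENDORS = {
    "PC Tools",
    "AVG Technologies CZ, s.r.o.",
    "Acronis",
    "Microsoft Corporation",
}


@dataclass
class Hook:
    kind: str               # "ssdt", "inline" or "attached"
    subject: str            # hooking module, or "process[pid]" for inline hooks
    target: str             # hooked system service, export or device
    vendor: Optional[str]   # vendor GMER printed, None when it printed none


def parse_gmer_line(line: str) -> Optional[Hook]:
    """Return a Hook for a recognised entry, None for headers/blank lines."""
    line = line.strip()
    m = SSDT_RE.match(line)
    if m:
        vendor = m["vendor"].strip() if m["vendor"] else None
        return Hook("ssdt", m["module"], m["target"], vendor)
    m = INLINE_RE.match(line)
    if m:
        # Inline hooks carry no attribution at all: GMER only reports the JMP
        # destination, not which module wrote it, so they always need a look.
        return Hook("inline", f"{m['process']}[{m['pid']}]", m["target"], None)
    m = ATTACHED_RE.match(line)
    if m:
        vendor = m["vendor"].strip() if m["vendor"] else None
        return Hook("attached", m["module"], m["device"], vendor)
    return None


def triage(lines: List[str], trusted: set) -> Tuple[List[Hook], List[Hook]]:
    """Split hooks into ones attributed to a trusted vendor and ones to review."""
    attributed, review = [], []
    for hook in filter(None, map(parse_gmer_line, lines)):
        (attributed if hook.vendor in trusted else review).append(hook)
    return attributed, review


def summarize(hooks: List[Hook]) -> Dict[str, List[str]]:
    """Group hooks by hooking subject so each module/process is one line."""
    grouped: Dict[str, List[str]] = {}
    for hook in hooks:
        grouped.setdefault(hook.subject, []).append(hook.target)
    return grouped


# Constructed sample in the shape of the GMER log posted later in this thread;
# example_unattributed.sys is a made-up name for a module without version info.
SAMPLE_LOG = r"""
---- System - GMER 1.0.15 ----

SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateKey [0xF788C514]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwTerminateProcess [0xF787AF32]
SSDT \??\C:\WINDOWS\system32\drivers\example_unattributed.sys ZwOpenProcess [0xF7900000]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\Explorer.EXE[628] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00B6000A
.text C:\WINDOWS\System32\svchost.exe[1364] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 009A000A

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
"""

if __name__ == "__main__":
    ok, todo = triage(SAMPLE_LOG.splitlines(), TRUSTED_VENDORS)
    print(f"{len(ok)} hooks attributed to trusted vendors, {len(todo)} to review")
    for subject, targets in summarize(todo).items():
        print(f"  REVIEW {subject}: {', '.join(targets)}")
```

On the sample, the two PCTCore.sys SSDT entries and the avgtdix.sys filter are attributed to vendors on the allowlist, while the module without version info and both inline hooks land in the review pile. The review pile is a worklist, not a verdict: the next step for each item is checking the file's digital signature and hash, which GMER's vendor string alone cannot establish.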

#7 cotraveler

  • Topic Starter
  • Members
  • 16 posts

Posted 18 April 2010 - 06:09 PM

extremeboy,

Thank you for the continued help. I tried running GMER in normal mode again before leaving for vacation. It made it through the scan but froze when I tried to choose a folder to save the log in. I will run another scan tonight and post tomorrow at the latest. Thank you for not closing the topic while I was away.

Todd

#8 extremeboy

  • Malware Response Team
  • 12,975 posts

Posted 18 April 2010 - 07:00 PM

No problem.

Let me know once you get it. If it still doesn't work, let me know and we'll try something else.

#9 cotraveler

  • Topic Starter
  • Members
  • 16 posts

Posted 19 April 2010 - 12:45 PM

extremeboy,

Here are the new logs. Thank you again!

-Todd

GMER
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-04-19 12:54:35
Windows 5.1.2600 Service Pack 3
Running: o535x349.exe; Driver: C:\DOCUME~1\Todd\LOCALS~1\Temp\kwriqpod.sys


---- System - GMER 1.0.15 ----

SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateKey [0xF788C514]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateProcess [0xF787B282]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateProcessEx [0xF787B474]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwDeleteKey [0xF788CD00]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwDeleteValueKey [0xF788CFB8]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwOpenKey [0xF788B3FA]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwRenameKey [0xF788D422]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwSetValueKey [0xF788C7D8]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwTerminateProcess [0xF787AF32]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\Explorer.EXE[628] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00B6000A
.text C:\WINDOWS\Explorer.EXE[628] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00C0000A
.text C:\WINDOWS\Explorer.EXE[628] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00B5000C
.text C:\WINDOWS\System32\svchost.exe[1364] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0099000A
.text C:\WINDOWS\System32\svchost.exe[1364] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 009A000A
.text C:\WINDOWS\System32\svchost.exe[1364] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0098000C

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 tdrpman.sys (Acronis Try&Decide and Restore Points Volume Filter Driver/Acronis)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 tdrpman.sys (Acronis Try&Decide and Restore Points Volume Filter Driver/Acronis)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume3 tdrpman.sys (Acronis Try&Decide and Restore Points Volume Filter Driver/Acronis)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume4 tdrpman.sys (Acronis Try&Decide and Restore Points Volume Filter Driver/Acronis)
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device \FileSystem\Fastfat \Fat B74C2D20

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----



TDSSKiller
13:38:14:131 2612 TDSS rootkit removing tool 2.2.8.1 Mar 22 2010 10:43:04
13:38:14:131 2612 ================================================================================
13:38:14:131 2612 SystemInfo:

13:38:14:131 2612 OS Version: 5.1.2600 ServicePack: 3.0
13:38:14:131 2612 Product type: Workstation
13:38:14:131 2612 ComputerName: CHAMBERLAIN
13:38:14:131 2612 UserName: Todd
13:38:14:131 2612 Windows directory: C:\WINDOWS
13:38:14:131 2612 Processor architecture: Intel x86
13:38:14:131 2612 Number of processors: 2
13:38:14:131 2612 Page size: 0x1000
13:38:14:131 2612 Boot type: Normal boot
13:38:14:131 2612 ================================================================================
13:38:14:131 2612 UnloadDriverW: NtUnloadDriver error 2
13:38:14:131 2612 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2
13:38:14:162 2612 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\system
13:38:14:162 2612 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
13:38:14:162 2612 wfopen_ex: Trying to KLMD file open
13:38:14:162 2612 wfopen_ex: File opened ok (Flags 2)
13:38:14:162 2612 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\software
13:38:14:162 2612 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
13:38:14:162 2612 wfopen_ex: Trying to KLMD file open
13:38:14:162 2612 wfopen_ex: File opened ok (Flags 2)
13:38:14:162 2612 Initialize success
13:38:14:162 2612
13:38:14:162 2612 Scanning Services ...
13:38:14:771 2612 Raw services enum returned 369 services
13:38:14:771 2612
13:38:14:771 2612 Scanning Kernel memory ...
13:38:14:787 2612 Devices to scan: 15
13:38:14:787 2612
13:38:14:787 2612 Driver Name: Disk
13:38:14:787 2612 IRP_MJ_CREATE : B810EBB0
13:38:14:787 2612 IRP_MJ_CREATE_NAMED_PIPE : 804F4562
13:38:14:787 2612 IRP_MJ_CLOSE : B810EBB0
13:38:14:787 2612 IRP_MJ_READ : B8108D1F
13:38:14:787 2612 IRP_MJ_WRITE : B8108D1F
13:38:14:787 2612 IRP_MJ_QUERY_INFORMATION : 804F4562
13:38:14:787 2612 IRP_MJ_SET_INFORMATION : 804F4562
13:38:14:787 2612 IRP_MJ_QUERY_EA : 804F4562
13:38:14:787 2612 IRP_MJ_SET_EA : 804F4562
13:38:14:787 2612 IRP_MJ_FLUSH_BUFFERS : B81092E2
13:38:14:787 2612 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562
13:38:14:787 2612 IRP_MJ_SET_VOLUME_INFORMATION : 804F4562
13:38:14:787 2612 IRP_MJ_DIRECTORY_CONTROL : 804F4562
13:38:14:787 2612 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562
13:38:14:787 2612 IRP_MJ_DEVICE_CONTROL : B81093BB
13:38:14:787 2612 IRP_MJ_INTERNAL_DEVICE_CONTROL : B810CF28
13:38:14:787 2612 IRP_MJ_SHUTDOWN : B81092E2
13:38:14:787 2612 IRP_MJ_LOCK_CONTROL : 804F4562
13:38:14:787 2612 IRP_MJ_CLEANUP : 804F4562
13:38:14:787 2612 IRP_MJ_CREATE_MAILSLOT : 804F4562
13:38:14:787 2612 IRP_MJ_QUERY_SECURITY : 804F4562
13:38:14:787 2612 IRP_MJ_SET_SECURITY : 804F4562
13:38:14:787 2612 IRP_MJ_POWER : B810AC82
13:38:14:787 2612 IRP_MJ_SYSTEM_CONTROL : B810F99E
13:38:14:787 2612 IRP_MJ_DEVICE_CHANGE : 804F4562
13:38:14:787 2612 IRP_MJ_QUERY_QUOTA : 804F4562
13:38:14:787 2612 IRP_MJ_SET_QUOTA : 804F4562
13:38:14:803 2612 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
13:38:14:803 2612
13:38:14:803 2612 Driver Name: Disk
13:38:14:803 2612 IRP_MJ_CREATE : B810EBB0
13:38:14:803 2612 IRP_MJ_CREATE_NAMED_PIPE : 804F4562
13:38:14:803 2612 IRP_MJ_CLOSE : B810EBB0
13:38:14:803 2612 IRP_MJ_READ : B8108D1F
13:38:14:803 2612 IRP_MJ_WRITE : B8108D1F
13:38:14:803 2612 IRP_MJ_QUERY_INFORMATION : 804F4562
13:38:14:803 2612 IRP_MJ_SET_INFORMATION : 804F4562
13:38:14:803 2612 IRP_MJ_QUERY_EA : 804F4562
13:38:14:803 2612 IRP_MJ_SET_EA : 804F4562
13:38:14:803 2612 IRP_MJ_FLUSH_BUFFERS : B81092E2
13:38:14:803 2612 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562
13:38:14:803 2612 IRP_MJ_SET_VOLUME_INFORMATION : 804F4562
13:38:14:803 2612 IRP_MJ_DIRECTORY_CONTROL : 804F4562
13:38:14:803 2612 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562
13:38:14:803 2612 IRP_MJ_DEVICE_CONTROL : B81093BB
13:38:14:803 2612 IRP_MJ_INTERNAL_DEVICE_CONTROL : B810CF28
13:38:14:803 2612 IRP_MJ_SHUTDOWN : B81092E2
13:38:14:803 2612 IRP_MJ_LOCK_CONTROL : 804F4562
13:38:14:803 2612 IRP_MJ_CLEANUP : 804F4562
13:38:14:803 2612 IRP_MJ_CREATE_MAILSLOT : 804F4562
13:38:14:803 2612 IRP_MJ_QUERY_SECURITY : 804F4562
13:38:14:803 2612 IRP_MJ_SET_SECURITY : 804F4562
13:38:14:803 2612 IRP_MJ_POWER : B810AC82
13:38:14:803 2612 IRP_MJ_SYSTEM_CONTROL : B810F99E
13:38:14:803 2612 IRP_MJ_DEVICE_CHANGE : 804F4562
13:38:14:803 2612 IRP_MJ_QUERY_QUOTA : 804F4562
13:38:14:803 2612 IRP_MJ_SET_QUOTA : 804F4562
13:38:14:803 2612 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
13:38:14:803 2612
13:38:14:803 2612 Driver Name: Disk
13:38:14:803 2612 IRP_MJ_CREATE : B810EBB0
13:38:14:803 2612 IRP_MJ_CREATE_NAMED_PIPE : 804F4562
13:38:14:803 2612 IRP_MJ_CLOSE : B810EBB0
13:38:14:803 2612 IRP_MJ_READ : B8108D1F
13:38:14:803 2612 IRP_MJ_WRITE : B8108D1F
13:38:14:803 2612 IRP_MJ_QUERY_INFORMATION : 804F4562
13:38:14:803 2612 IRP_MJ_SET_INFORMATION : 804F4562
13:38:14:803 2612 IRP_MJ_QUERY_EA : 804F4562
13:38:14:803 2612 IRP_MJ_SET_EA : 804F4562
13:38:14:803 2612 IRP_MJ_FLUSH_BUFFERS : B81092E2
13:38:14:803 2612 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562
13:38:14:803 2612 IRP_MJ_SET_VOLUME_INFORMATION : 804F4562
13:38:14:803 2612 IRP_MJ_DIRECTORY_CONTROL : 804F4562
13:38:14:803 2612 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562
13:38:14:803 2612 IRP_MJ_DEVICE_CONTROL : B81093BB
13:38:14:803 2612 IRP_MJ_INTERNAL_DEVICE_CONTROL : B810CF28
13:38:14:803 2612 IRP_MJ_SHUTDOWN : B81092E2
13:38:14:803 2612 IRP_MJ_LOCK_CONTROL : 804F4562
13:38:14:803 2612 IRP_MJ_CLEANUP : 804F4562
13:38:14:803 2612 IRP_MJ_CREATE_MAILSLOT : 804F4562
13:38:14:803 2612 IRP_MJ_QUERY_SECURITY : 804F4562
13:38:14:803 2612 IRP_MJ_SET_SECURITY : 804F4562
13:38:14:803 2612 IRP_MJ_POWER : B810AC82
13:38:14:818 2612 IRP_MJ_SYSTEM_CONTROL : B810F99E
13:38:14:818 2612 IRP_MJ_DEVICE_CHANGE : 804F4562
13:38:14:818 2612 IRP_MJ_QUERY_QUOTA : 804F4562
13:38:14:818 2612 IRP_MJ_SET_QUOTA : 804F4562
13:38:14:818 2612 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
13:38:14:818 2612
13:38:14:818 2612 Driver Name: Disk
13:38:14:818 2612 IRP_MJ_CREATE : B810EBB0
13:38:14:818 2612 IRP_MJ_CREATE_NAMED_PIPE : 804F4562
13:38:14:818 2612 IRP_MJ_CLOSE : B810EBB0
13:38:14:818 2612 IRP_MJ_READ : B8108D1F
13:38:14:818 2612 IRP_MJ_WRITE : B8108D1F
13:38:14:818 2612 IRP_MJ_QUERY_INFORMATION : 804F4562
13:38:14:818 2612 IRP_MJ_SET_INFORMATION : 804F4562
13:38:14:818 2612 IRP_MJ_QUERY_EA : 804F4562
13:38:14:818 2612 IRP_MJ_SET_EA : 804F4562
13:38:14:818 2612 IRP_MJ_FLUSH_BUFFERS : B81092E2
13:38:14:818 2612 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562
13:38:14:818 2612 IRP_MJ_SET_VOLUME_INFORMATION : 804F4562
13:38:14:818 2612 IRP_MJ_DIRECTORY_CONTROL : 804F4562
13:38:14:818 2612 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562
13:38:14:818 2612 IRP_MJ_DEVICE_CONTROL : B81093BB
13:38:14:818 2612 IRP_MJ_INTERNAL_DEVICE_CONTROL : B810CF28
13:38:14:818 2612 IRP_MJ_SHUTDOWN : B81092E2
13:38:14:818 2612 IRP_MJ_LOCK_CONTROL : 804F4562
13:38:14:818 2612 IRP_MJ_CLEANUP : 804F4562
13:38:14:818 2612 IRP_MJ_CREATE_MAILSLOT : 804F4562
13:38:14:818 2612 IRP_MJ_QUERY_SECURITY : 804F4562
13:38:14:818 2612 IRP_MJ_SET_SECURITY : 804F4562
13:38:14:818 2612 IRP_MJ_POWER : B810AC82
13:38:14:818 2612 IRP_MJ_SYSTEM_CONTROL : B810F99E
13:38:14:818 2612 IRP_MJ_DEVICE_CHANGE : 804F4562
13:38:14:818 2612 IRP_MJ_QUERY_QUOTA : 804F4562
13:38:14:818 2612 IRP_MJ_SET_QUOTA : 804F4562
13:38:14:818 2612 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
13:38:14:818 2612
13:38:14:818 2612 Driver Name: usbstor
13:38:14:818 2612 IRP_MJ_CREATE : B8475218
13:38:14:818 2612 IRP_MJ_CREATE_NAMED_PIPE : 804F4562
13:38:14:818 2612 IRP_MJ_CLOSE : B8475218
13:38:14:818 2612 IRP_MJ_READ : B847523C
13:38:14:818 2612 IRP_MJ_WRITE : B847523C
13:38:14:818 2612 IRP_MJ_QUERY_INFORMATION : 804F4562
13:38:14:818 2612 IRP_MJ_SET_INFORMATION : 804F4562
13:38:14:818 2612 IRP_MJ_QUERY_EA : 804F4562
13:38:14:818 2612 IRP_MJ_SET_EA : 804F4562
13:38:14:818 2612 IRP_MJ_FLUSH_BUFFERS : 804F4562
13:38:14:818 2612 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562
13:38:14:818 2612 IRP_MJ_SET_VOLUME_INFORMATION : 804F4562
13:38:14:818 2612 IRP_MJ_DIRECTORY_CONTROL : 804F4562
13:38:14:818 2612 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562
13:38:14:818 2612 IRP_MJ_DEVICE_CONTROL : B8475180
13:38:14:818 2612 IRP_MJ_INTERNAL_DEVICE_CONTROL : B84709E6
13:38:14:818 2612 IRP_MJ_SHUTDOWN : 804F4562
13:38:14:818 2612 IRP_MJ_LOCK_CONTROL : 804F4562
13:38:14:818 2612 IRP_MJ_CLEANUP : 804F4562
13:38:14:818 2612 IRP_MJ_CREATE_MAILSLOT : 804F4562
13:38:14:818 2612 IRP_MJ_QUERY_SECURITY : 804F4562
13:38:14:818 2612 IRP_MJ_SET_SECURITY : 804F4562
13:38:14:818 2612 IRP_MJ_POWER : B84745F0
13:38:14:818 2612 IRP_MJ_SYSTEM_CONTROL : B8472A6E
13:38:14:818 2612 IRP_MJ_DEVICE_CHANGE : 804F4562
13:38:14:818 2612 IRP_MJ_QUERY_QUOTA : 804F4562
13:38:14:818 2612 IRP_MJ_SET_QUOTA : 804F4562
13:38:14:850 2612 C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS - Verdict: 1
13:38:14:850 2612
13:38:14:850 2612 Driver Name: usbstor
13:38:14:850 2612 IRP_MJ_CREATE : B8475218
13:38:14:850 2612 IRP_MJ_CREATE_NAMED_PIPE : 804F4562
13:38:14:850 2612 IRP_MJ_CLOSE : B8475218
13:38:14:850 2612 IRP_MJ_READ : B847523C
13:38:14:850 2612 IRP_MJ_WRITE : B847523C
13:38:14:850 2612 IRP_MJ_QUERY_INFORMATION : 804F4562
13:38:14:850 2612 IRP_MJ_SET_INFORMATION : 804F4562
13:38:14:850 2612 IRP_MJ_QUERY_EA : 804F4562
13:38:14:850 2612 IRP_MJ_SET_EA : 804F4562
13:38:14:850 2612 IRP_MJ_FLUSH_BUFFERS : 804F4562
13:38:14:850 2612 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562
13:38:14:850 2612 IRP_MJ_SET_VOLUME_INFORMATION : 804F4562
13:38:14:850 2612 IRP_MJ_DIRECTORY_CONTROL : 804F4562
13:38:14:850 2612 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562
13:38:14:850 2612 IRP_MJ_DEVICE_CONTROL : B8475180
13:38:14:850 2612 IRP_MJ_INTERNAL_DEVICE_CONTROL : B84709E6
13:38:14:850 2612 IRP_MJ_SHUTDOWN : 804F4562
13:38:14:850 2612 IRP_MJ_LOCK_CONTROL : 804F4562
13:38:14:850 2612 IRP_MJ_CLEANUP : 804F4562
13:38:14:850 2612 IRP_MJ_CREATE_MAILSLOT : 804F4562
13:38:14:850 2612 IRP_MJ_QUERY_SECURITY : 804F4562
13:38:14:850 2612 IRP_MJ_SET_SECURITY : 804F4562
13:38:14:850 2612 IRP_MJ_POWER : B84745F0
13:38:14:850 2612 IRP_MJ_SYSTEM_CONTROL : B8472A6E
13:38:14:850 2612 IRP_MJ_DEVICE_CHANGE : 804F4562
13:38:14:850 2612 IRP_MJ_QUERY_QUOTA : 804F4562
13:38:14:850 2612 IRP_MJ_SET_QUOTA : 804F4562
13:38:14:881 2612 C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS - Verdict: 1
13:38:14:881 2612
13:38:14:881 2612 Driver Name: usbstor
13:38:14:881 2612 IRP_MJ_CREATE : B8475218
13:38:14:881 2612 IRP_MJ_CREATE_NAMED_PIPE : 804F4562
13:38:14:881 2612 IRP_MJ_CLOSE : B8475218
13:38:14:881 2612 IRP_MJ_READ : B847523C
13:38:14:881 2612 IRP_MJ_WRITE : B847523C
13:38:14:881 2612 IRP_MJ_QUERY_INFORMATION : 804F4562
13:38:14:881 2612 IRP_MJ_SET_INFORMATION : 804F4562
13:38:14:881 2612 IRP_MJ_QUERY_EA : 804F4562
13:38:14:881 2612 IRP_MJ_SET_EA : 804F4562
13:38:14:881 2612 IRP_MJ_FLUSH_BUFFERS : 804F4562
13:38:14:881 2612 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562
13:38:14:881 2612 IRP_MJ_SET_VOLUME_INFORMATION : 804F4562
13:38:14:881 2612 IRP_MJ_DIRECTORY_CONTROL : 804F4562
13:38:14:881 2612 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562
13:38:14:881 2612 IRP_MJ_DEVICE_CONTROL : B8475180
13:38:14:881 2612 IRP_MJ_INTERNAL_DEVICE_CONTROL : B84709E6
13:38:14:881 2612 IRP_MJ_SHUTDOWN : 804F4562
13:38:14:881 2612 IRP_MJ_LOCK_CONTROL : 804F4562
13:38:14:881 2612 IRP_MJ_CLEANUP : 804F4562
13:38:14:881 2612 IRP_MJ_CREATE_MAILSLOT : 804F4562
13:38:14:881 2612 IRP_MJ_QUERY_SECURITY : 804F4562
13:38:14:881 2612 IRP_MJ_SET_SECURITY : 804F4562
13:38:14:881 2612 IRP_MJ_POWER : B84745F0
13:38:14:881 2612 IRP_MJ_SYSTEM_CONTROL : B8472A6E
13:38:14:881 2612 IRP_MJ_DEVICE_CHANGE : 804F4562
13:38:14:881 2612 IRP_MJ_QUERY_QUOTA : 804F4562
13:38:14:881 2612 IRP_MJ_SET_QUOTA : 804F4562
13:38:14:881 2612 C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS - Verdict: 1
13:38:14:881 2612
13:38:14:881 2612 Driver Name: usbstor
13:38:14:881 2612 IRP_MJ_CREATE : B8475218
13:38:14:881 2612 IRP_MJ_CREATE_NAMED_PIPE : 804F4562
13:38:14:881 2612 IRP_MJ_CLOSE : B8475218
13:38:14:881 2612 IRP_MJ_READ : B847523C
13:38:14:881 2612 IRP_MJ_WRITE : B847523C
13:38:14:881 2612 IRP_MJ_QUERY_INFORMATION : 804F4562
13:38:14:881 2612 IRP_MJ_SET_INFORMATION : 804F4562
13:38:14:881 2612 IRP_MJ_QUERY_EA : 804F4562
13:38:14:881 2612 IRP_MJ_SET_EA : 804F4562
13:38:14:881 2612 IRP_MJ_FLUSH_BUFFERS : 804F4562
13:38:14:881 2612 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562
13:38:14:881 2612 IRP_MJ_SET_VOLUME_INFORMATION : 804F4562
13:38:14:881 2612 IRP_MJ_DIRECTORY_CONTROL : 804F4562
13:38:14:881 2612 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562
13:38:14:881 2612 IRP_MJ_DEVICE_CONTROL : B8475180
13:38:14:881 2612 IRP_MJ_INTERNAL_DEVICE_CONTROL : B84709E6
13:38:14:881 2612 IRP_MJ_SHUTDOWN : 804F4562
13:38:14:881 2612 IRP_MJ_LOCK_CONTROL : 804F4562
13:38:14:881 2612 IRP_MJ_CLEANUP : 804F4562
13:38:14:881 2612 IRP_MJ_CREATE_MAILSLOT : 804F4562
13:38:14:881 2612 IRP_MJ_QUERY_SECURITY : 804F4562
13:38:14:881 2612 IRP_MJ_SET_SECURITY : 804F4562
13:38:14:881 2612 IRP_MJ_POWER : B84745F0
13:38:14:881 2612 IRP_MJ_SYSTEM_CONTROL : B8472A6E
13:38:14:881 2612 IRP_MJ_DEVICE_CHANGE : 804F4562
13:38:14:881 2612 IRP_MJ_QUERY_QUOTA : 804F4562
13:38:14:881 2612 IRP_MJ_SET_QUOTA : 804F4562
13:38:14:881 2612 C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS - Verdict: 1
13:38:14:881 2612
13:38:14:881 2612 Driver Name: Disk
13:38:14:881 2612 IRP_MJ_CREATE : B810EBB0
13:38:14:881 2612 IRP_MJ_CREATE_NAMED_PIPE : 804F4562
13:38:14:881 2612 IRP_MJ_CLOSE : B810EBB0
13:38:14:881 2612 IRP_MJ_READ : B8108D1F
13:38:14:881 2612 IRP_MJ_WRITE : B8108D1F
13:38:14:881 2612 IRP_MJ_QUERY_INFORMATION : 804F4562
13:38:14:881 2612 IRP_MJ_SET_INFORMATION : 804F4562
13:38:14:881 2612 IRP_MJ_QUERY_EA : 804F4562
13:38:14:881 2612 IRP_MJ_SET_EA : 804F4562
13:38:14:881 2612 IRP_MJ_FLUSH_BUFFERS : B81092E2
13:38:14:881 2612 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562
13:38:14:881 2612 IRP_MJ_SET_VOLUME_INFORMATION : 804F4562
13:38:14:881 2612 IRP_MJ_DIRECTORY_CONTROL : 804F4562
13:38:14:881 2612 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562
13:38:14:881 2612 IRP_MJ_DEVICE_CONTROL : B81093BB
13:38:14:881 2612 IRP_MJ_INTERNAL_DEVICE_CONTROL : B810CF28
13:38:14:881 2612 IRP_MJ_SHUTDOWN : B81092E2
13:38:14:881 2612 IRP_MJ_LOCK_CONTROL : 804F4562
13:38:14:881 2612 IRP_MJ_CLEANUP : 804F4562
13:38:14:881 2612 IRP_MJ_CREATE_MAILSLOT : 804F4562
13:38:14:881 2612 IRP_MJ_QUERY_SECURITY : 804F4562
13:38:14:881 2612 IRP_MJ_SET_SECURITY : 804F4562
13:38:14:881 2612 IRP_MJ_POWER : B810AC82
13:38:14:881 2612 IRP_MJ_SYSTEM_CONTROL : B810F99E
13:38:14:881 2612 IRP_MJ_DEVICE_CHANGE : 804F4562
13:38:14:881 2612 IRP_MJ_QUERY_QUOTA : 804F4562
13:38:14:881 2612 IRP_MJ_SET_QUOTA : 804F4562
13:38:14:896 2612 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
13:38:14:896 2612
13:38:14:896 2612 Driver Name: Disk
13:38:14:896 2612 IRP_MJ_CREATE : B810EBB0
13:38:14:896 2612 IRP_MJ_CREATE_NAMED_PIPE : 804F4562
13:38:14:896 2612 IRP_MJ_CLOSE : B810EBB0
13:38:14:896 2612 IRP_MJ_READ : B8108D1F
13:38:14:896 2612 IRP_MJ_WRITE : B8108D1F
13:38:14:896 2612 IRP_MJ_QUERY_INFORMATION : 804F4562
13:38:14:896 2612 IRP_MJ_SET_INFORMATION : 804F4562
13:38:14:896 2612 IRP_MJ_QUERY_EA : 804F4562
13:38:14:896 2612 IRP_MJ_SET_EA : 804F4562
13:38:14:896 2612 IRP_MJ_FLUSH_BUFFERS : B81092E2
13:38:14:896 2612 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562
13:38:14:896 2612 IRP_MJ_SET_VOLUME_INFORMATION : 804F4562
13:38:14:896 2612 IRP_MJ_DIRECTORY_CONTROL : 804F4562
13:38:14:896 2612 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562
13:38:14:896 2612 IRP_MJ_DEVICE_CONTROL : B81093BB
13:38:14:896 2612 IRP_MJ_INTERNAL_DEVICE_CONTROL : B810CF28
13:38:14:896 2612 IRP_MJ_SHUTDOWN : B81092E2
13:38:14:896 2612 IRP_MJ_LOCK_CONTROL : 804F4562
13:38:14:896 2612 IRP_MJ_CLEANUP : 804F4562
13:38:14:896 2612 IRP_MJ_CREATE_MAILSLOT : 804F4562
13:38:14:896 2612 IRP_MJ_QUERY_SECURITY : 804F4562
13:38:14:896 2612 IRP_MJ_SET_SECURITY : 804F4562
13:38:14:896 2612 IRP_MJ_POWER : B810AC82
13:38:14:896 2612 IRP_MJ_SYSTEM_CONTROL : B810F99E
13:38:14:896 2612 IRP_MJ_DEVICE_CHANGE : 804F4562
13:38:14:896 2612 IRP_MJ_QUERY_QUOTA : 804F4562
13:38:14:896 2612 IRP_MJ_SET_QUOTA : 804F4562
13:38:14:896 2612 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
13:38:14:896 2612
13:38:14:896 2612 Driver Name: Disk
13:38:14:896 2612 IRP_MJ_CREATE : B810EBB0
13:38:14:896 2612 IRP_MJ_CREATE_NAMED_PIPE : 804F4562
13:38:14:896 2612 IRP_MJ_CLOSE : B810EBB0
13:38:14:896 2612 IRP_MJ_READ : B8108D1F
13:38:14:896 2612 IRP_MJ_WRITE : B8108D1F
13:38:14:896 2612 IRP_MJ_QUERY_INFORMATION : 804F4562
13:38:14:896 2612 IRP_MJ_SET_INFORMATION : 804F4562
13:38:14:896 2612 IRP_MJ_QUERY_EA : 804F4562
13:38:14:896 2612 IRP_MJ_SET_EA : 804F4562
13:38:14:896 2612 IRP_MJ_FLUSH_BUFFERS : B81092E2
13:38:14:896 2612 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562
13:38:14:896 2612 IRP_MJ_SET_VOLUME_INFORMATION : 804F4562
13:38:14:896 2612 IRP_MJ_DIRECTORY_CONTROL : 804F4562
13:38:14:896 2612 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562
13:38:14:896 2612 IRP_MJ_DEVICE_CONTROL : B81093BB
13:38:14:896 2612 IRP_MJ_INTERNAL_DEVICE_CONTROL : B810CF28
13:38:14:896 2612 IRP_MJ_SHUTDOWN : B81092E2
13:38:14:896 2612 IRP_MJ_LOCK_CONTROL : 804F4562
13:38:14:896 2612 IRP_MJ_CLEANUP : 804F4562
13:38:14:896 2612 IRP_MJ_CREATE_MAILSLOT : 804F4562
13:38:14:896 2612 IRP_MJ_QUERY_SECURITY : 804F4562
13:38:14:896 2612 IRP_MJ_SET_SECURITY : 804F4562
13:38:14:896 2612 IRP_MJ_POWER : B810AC82
13:38:14:896 2612 IRP_MJ_SYSTEM_CONTROL : B810F99E
13:38:14:896 2612 IRP_MJ_DEVICE_CHANGE : 804F4562
13:38:14:896 2612 IRP_MJ_QUERY_QUOTA : 804F4562
13:38:14:896 2612 IRP_MJ_SET_QUOTA : 804F4562
13:38:14:896 2612 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
13:38:14:896 2612
13:38:14:896 2612 Driver Name: Disk
13:38:14:896 2612 IRP_MJ_CREATE : B810EBB0
13:38:14:896 2612 IRP_MJ_CREATE_NAMED_PIPE : 804F4562
13:38:14:896 2612 IRP_MJ_CLOSE : B810EBB0
13:38:14:896 2612 IRP_MJ_READ : B8108D1F
13:38:14:896 2612 IRP_MJ_WRITE : B8108D1F
13:38:14:896 2612 IRP_MJ_QUERY_INFORMATION : 804F4562
13:38:14:896 2612 IRP_MJ_SET_INFORMATION : 804F4562
13:38:14:896 2612 IRP_MJ_QUERY_EA : 804F4562
13:38:14:896 2612 IRP_MJ_SET_EA : 804F4562
13:38:14:896 2612 IRP_MJ_FLUSH_BUFFERS : B81092E2
13:38:14:896 2612 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562
13:38:14:896 2612 IRP_MJ_SET_VOLUME_INFORMATION : 804F4562
13:38:14:896 2612 IRP_MJ_DIRECTORY_CONTROL : 804F4562
13:38:14:896 2612 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562
13:38:14:896 2612 IRP_MJ_DEVICE_CONTROL : B81093BB
13:38:14:896 2612 IRP_MJ_INTERNAL_DEVICE_CONTROL : B810CF28
13:38:14:896 2612 IRP_MJ_SHUTDOWN : B81092E2
13:38:14:896 2612 IRP_MJ_LOCK_CONTROL : 804F4562
13:38:14:896 2612 IRP_MJ_CLEANUP : 804F4562
13:38:14:896 2612 IRP_MJ_CREATE_MAILSLOT : 804F4562
13:38:14:896 2612 IRP_MJ_QUERY_SECURITY : 804F4562
13:38:14:896 2612 IRP_MJ_SET_SECURITY : 804F4562
13:38:14:896 2612 IRP_MJ_POWER : B810AC82
13:38:14:896 2612 IRP_MJ_SYSTEM_CONTROL : B810F99E
13:38:14:896 2612 IRP_MJ_DEVICE_CHANGE : 804F4562
13:38:14:896 2612 IRP_MJ_QUERY_QUOTA : 804F4562
13:38:14:896 2612 IRP_MJ_SET_QUOTA : 804F4562
13:38:14:912 2612 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
13:38:14:912 2612
13:38:14:912 2612 Driver Name: nvgts
13:38:14:912 2612 IRP_MJ_CREATE : 89BA2AC8
13:38:14:912 2612 IRP_MJ_CREATE_NAMED_PIPE : 89BA2AC8
13:38:14:912 2612 IRP_MJ_CLOSE : 89BA2AC8
13:38:14:912 2612 IRP_MJ_READ : 89BA2AC8
13:38:14:912 2612 IRP_MJ_WRITE : 89BA2AC8
13:38:14:912 2612 IRP_MJ_QUERY_INFORMATION : 89BA2AC8
13:38:14:912 2612 IRP_MJ_SET_INFORMATION : 89BA2AC8
13:38:14:912 2612 IRP_MJ_QUERY_EA : 89BA2AC8
13:38:14:912 2612 IRP_MJ_SET_EA : 89BA2AC8
13:38:14:912 2612 IRP_MJ_FLUSH_BUFFERS : 89BA2AC8
13:38:14:912 2612 IRP_MJ_QUERY_VOLUME_INFORMATION : 89BA2AC8
13:38:14:912 2612 IRP_MJ_SET_VOLUME_INFORMATION : 89BA2AC8
13:38:14:912 2612 IRP_MJ_DIRECTORY_CONTROL : 89BA2AC8
13:38:14:912 2612 IRP_MJ_FILE_SYSTEM_CONTROL : 89BA2AC8
13:38:14:912 2612 IRP_MJ_DEVICE_CONTROL : 89BA2AC8
13:38:14:912 2612 IRP_MJ_INTERNAL_DEVICE_CONTROL : 89BA2AC8
13:38:14:912 2612 IRP_MJ_SHUTDOWN : 89BA2AC8
13:38:14:912 2612 IRP_MJ_LOCK_CONTROL : 89BA2AC8
13:38:14:912 2612 IRP_MJ_CLEANUP : 89BA2AC8
13:38:14:912 2612 IRP_MJ_CREATE_MAILSLOT : 89BA2AC8
13:38:14:912 2612 IRP_MJ_QUERY_SECURITY : 89BA2AC8
13:38:14:912 2612 IRP_MJ_SET_SECURITY : 89BA2AC8
13:38:14:912 2612 IRP_MJ_POWER : 89BA2AC8
13:38:14:912 2612 IRP_MJ_SYSTEM_CONTROL : 89BA2AC8
13:38:14:912 2612 IRP_MJ_DEVICE_CHANGE : 89BA2AC8
13:38:14:912 2612 IRP_MJ_QUERY_QUOTA : 89BA2AC8
13:38:14:912 2612 IRP_MJ_SET_QUOTA : 89BA2AC8
13:38:14:912 2612 Driver "nvgts" infected by TDSS rootkit!
13:38:14:912 2612 C:\WINDOWS\system32\DRIVERS\nvgts.sys - Verdict: 1
13:38:14:912 2612 File "C:\WINDOWS\system32\DRIVERS\nvgts.sys" infected by TDSS rootkit ... 13:38:14:912 2612 Processing driver file: C:\WINDOWS\system32\DRIVERS\nvgts.sys
13:38:14:912 2612 ProcessDirEnumEx: FindFirstFile(C:\WINDOWS\system32\DriverStore\FileRepository\*) error 3
13:38:14:943 2612 ProcessDirEnumEx: FindFirstFile(C:\WINDOWS\OemDir\*) error 3
13:38:14:959 2612 !fdfb7
13:38:14:959 2612 !vfvi8
13:38:14:959 2612 !vdf6
13:38:14:959 2612 Backup copy not found, trying to cure infected file..
13:38:14:959 2612 C:\WINDOWS\system32\DRIVERS\nvgts.sys - Verdict: Cure failed (0)
13:38:14:959 2612 cure failed
13:38:14:959 2612
13:38:14:959 2612 Driver Name: nvgts
13:38:14:959 2612 IRP_MJ_CREATE : B7EAE44C
13:38:14:959 2612 IRP_MJ_CREATE_NAMED_PIPE : 804F4562
13:38:14:959 2612 IRP_MJ_CLOSE : B7EAE44C
13:38:14:959 2612 IRP_MJ_READ : 804F4562
13:38:14:959 2612 IRP_MJ_WRITE : 804F4562
13:38:14:959 2612 IRP_MJ_QUERY_INFORMATION : 804F4562
13:38:14:959 2612 IRP_MJ_SET_INFORMATION : 804F4562
13:38:14:959 2612 IRP_MJ_QUERY_EA : 804F4562
13:38:14:959 2612 IRP_MJ_SET_EA : 804F4562
13:38:14:959 2612 IRP_MJ_FLUSH_BUFFERS : 804F4562
13:38:14:959 2612 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562
13:38:14:959 2612 IRP_MJ_SET_VOLUME_INFORMATION : 804F4562
13:38:14:959 2612 IRP_MJ_DIRECTORY_CONTROL : 804F4562
13:38:14:959 2612 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562
13:38:14:959 2612 IRP_MJ_DEVICE_CONTROL : B7EAE44C
13:38:14:959 2612 IRP_MJ_INTERNAL_DEVICE_CONTROL : B7EAE44C
13:38:14:959 2612 IRP_MJ_SHUTDOWN : 804F4562
13:38:14:959 2612 IRP_MJ_LOCK_CONTROL : 804F4562
13:38:14:959 2612 IRP_MJ_CLEANUP : 804F4562
13:38:14:959 2612 IRP_MJ_CREATE_MAILSLOT : 804F4562
13:38:14:959 2612 IRP_MJ_QUERY_SECURITY : 804F4562
13:38:14:959 2612 IRP_MJ_SET_SECURITY : 804F4562
13:38:14:959 2612 IRP_MJ_POWER : B7EAE44C
13:38:14:959 2612 IRP_MJ_SYSTEM_CONTROL : B7EAE44C
13:38:14:959 2612 IRP_MJ_DEVICE_CHANGE : 804F4562
13:38:14:959 2612 IRP_MJ_QUERY_QUOTA : 804F4562
13:38:14:959 2612 IRP_MJ_SET_QUOTA : 804F4562
13:38:14:975 2612 C:\WINDOWS\system32\DRIVERS\nvgts.sys - Verdict: 1
13:38:14:975 2612
13:38:14:975 2612 Driver Name: nvgts
13:38:14:975 2612 IRP_MJ_CREATE : B7EAE44C
13:38:14:975 2612 IRP_MJ_CREATE_NAMED_PIPE : 804F4562
13:38:14:975 2612 IRP_MJ_CLOSE : B7EAE44C
13:38:14:975 2612 IRP_MJ_READ : 804F4562
13:38:14:975 2612 IRP_MJ_WRITE : 804F4562
13:38:14:975 2612 IRP_MJ_QUERY_INFORMATION : 804F4562
13:38:14:975 2612 IRP_MJ_SET_INFORMATION : 804F4562
13:38:14:975 2612 IRP_MJ_QUERY_EA : 804F4562
13:38:14:975 2612 IRP_MJ_SET_EA : 804F4562
13:38:14:975 2612 IRP_MJ_FLUSH_BUFFERS : 804F4562
13:38:14:975 2612 IRP_MJ_QUERY_VOLUME_INFORMATION : 804F4562
13:38:14:975 2612 IRP_MJ_SET_VOLUME_INFORMATION : 804F4562
13:38:14:975 2612 IRP_MJ_DIRECTORY_CONTROL : 804F4562
13:38:14:975 2612 IRP_MJ_FILE_SYSTEM_CONTROL : 804F4562
13:38:14:975 2612 IRP_MJ_DEVICE_CONTROL : B7EAE44C
13:38:14:975 2612 IRP_MJ_INTERNAL_DEVICE_CONTROL : B7EAE44C
13:38:14:975 2612 IRP_MJ_SHUTDOWN : 804F4562
13:38:14:975 2612 IRP_MJ_LOCK_CONTROL : 804F4562
13:38:14:975 2612 IRP_MJ_CLEANUP : 804F4562
13:38:14:975 2612 IRP_MJ_CREATE_MAILSLOT : 804F4562
13:38:14:975 2612 IRP_MJ_QUERY_SECURITY : 804F4562
13:38:14:975 2612 IRP_MJ_SET_SECURITY : 804F4562
13:38:14:975 2612 IRP_MJ_POWER : B7EAE44C
13:38:14:975 2612 IRP_MJ_SYSTEM_CONTROL : B7EAE44C
13:38:14:975 2612 IRP_MJ_DEVICE_CHANGE : 804F4562
13:38:14:975 2612 IRP_MJ_QUERY_QUOTA : 804F4562
13:38:14:975 2612 IRP_MJ_SET_QUOTA : 804F4562
13:38:14:975 2612 C:\WINDOWS\system32\DRIVERS\nvgts.sys - Verdict: 1
13:38:14:975 2612
13:38:14:975 2612 Completed
13:38:14:975 2612
13:38:14:975 2612 Results:
13:38:14:975 2612 Memory objects infected / cured / cured on reboot: 1 / 0 / 0
13:38:14:975 2612 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
13:38:14:975 2612 File objects infected / cured / cured on reboot: 1 / 0 / 0
13:38:14:975 2612
13:38:14:975 2612 fclose_ex: Trying to close file C:\WINDOWS\system32\config\system
13:38:14:975 2612 fclose_ex: Trying to close file C:\WINDOWS\system32\config\software
13:38:14:990 2612 KLMD(ARK) unloaded successfully
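The infected nvgts block in the log above stands out even before the scanner's own verdict line: every one of its IRP_MJ entries, including majors a storage driver never implements (CREATE_NAMED_PIPE, QUERY_QUOTA), resolves to one and the same address, 89BA2AC8, whereas the clean Disk block shows several distinct handlers plus the shared placeholder 804F4562 that most drivers use for unimplemented majors. As an added example (not part of this thread and not TDSSKiller's code), here is a small Python parser that reads driver blocks in this log format and applies that triage heuristic: flag any driver whose whole dispatch table points at a single address that is not the placeholder shared across other drivers. SAMPLE_LOG is a constructed, trimmed excerpt built from the thread's own addresses, and the function names are mine.

```python
import re
from collections import Counter

# Constructed excerpt in the TDSSKiller log format quoted in the thread. The
# addresses are the ones shown there; each dispatch table is trimmed to a few
# majors so the sample stays short (the real log lists all 28 per driver).
SAMPLE_LOG = r"""
13:38:14:896 2612 Driver Name: Disk
13:38:14:896 2612 IRP_MJ_CREATE : B810EBB0
13:38:14:896 2612 IRP_MJ_CREATE_NAMED_PIPE : 804F4562
13:38:14:896 2612 IRP_MJ_CLOSE : B810EBB0
13:38:14:896 2612 IRP_MJ_READ : B8108D1F
13:38:14:896 2612 IRP_MJ_QUERY_QUOTA : 804F4562
13:38:14:896 2612 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
13:38:14:896 2612
13:38:14:912 2612 Driver Name: nvgts
13:38:14:912 2612 IRP_MJ_CREATE : 89BA2AC8
13:38:14:912 2612 IRP_MJ_CREATE_NAMED_PIPE : 89BA2AC8
13:38:14:912 2612 IRP_MJ_READ : 89BA2AC8
13:38:14:912 2612 IRP_MJ_QUERY_QUOTA : 89BA2AC8
13:38:14:912 2612 Driver "nvgts" infected by TDSS rootkit!
13:38:14:912 2612 C:\WINDOWS\system32\DRIVERS\nvgts.sys - Verdict: 1
13:38:14:959 2612 Driver Name: nvgts
13:38:14:959 2612 IRP_MJ_CREATE : B7EAE44C
13:38:14:959 2612 IRP_MJ_CREATE_NAMED_PIPE : 804F4562
13:38:14:959 2612 IRP_MJ_READ : 804F4562
13:38:14:959 2612 IRP_MJ_QUERY_QUOTA : 804F4562
13:38:14:975 2612 C:\WINDOWS\system32\DRIVERS\nvgts.sys - Verdict: 1
"""

# "HH:MM:SS:mmm PID payload" -- payload is whatever follows the pid column.
LINE_RE = re.compile(r"^\d{2}:\d{2}:\d{2}:\d{3}\s+\d+\s*(.*)$")
# "IRP_MJ_CREATE : B810EBB0" -- one dispatch-table entry.
ENTRY_RE = re.compile(r"^(IRP_MJ_[A-Z_]+)\s*:\s*([0-9A-Fa-f]{8})$")
# The scanner's own verdict line, used only to compare against the heuristic.
INFECTED_RE = re.compile(r'Driver "([^"]+)" infected')


def parse_driver_blocks(text):
    """Return [(driver_name, {irp_major: handler_address}), ...] in log order.
    A driver can appear more than once (nvgts does above), so blocks are a list,
    not a dict keyed by name."""
    blocks = []
    current = None
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        payload = m.group(1).strip()
        if payload.startswith("Driver Name:"):
            current = (payload.split(":", 1)[1].strip(), {})
            blocks.append(current)
            continue
        em = ENTRY_RE.match(payload)
        if em and current is not None:
            current[1][em.group(1)] = int(em.group(2), 16)
    return blocks


def default_handler(blocks):
    """Infer the placeholder handler for unimplemented majors: the address that
    shows up in the largest number of distinct driver tables (804F4562 in the
    thread's log). Inferred rather than hard-coded so the check survives a
    different kernel build."""
    per_driver = Counter()
    for _, table in blocks:
        for addr in sorted(set(table.values())):
            per_driver[addr] += 1
    return per_driver.most_common(1)[0][0] if per_driver else None


def suspicious_drivers(blocks):
    """Heuristic (my assumption, not the scanner's rule): a table in which every
    major, including ones the driver cannot meaningfully implement, points at one
    address that is not the shared placeholder has been redirected wholesale."""
    default = default_handler(blocks)
    flagged = []
    for name, table in blocks:
        addrs = set(table.values())
        if len(addrs) == 1 and default not in addrs:
            flagged.append((name, f"{next(iter(addrs)):08X}"))
    return flagged


def scanner_flagged(text):
    """Driver names the scanner itself reported as infected."""
    return INFECTED_RE.findall(text)


if __name__ == "__main__":
    parsed = parse_driver_blocks(SAMPLE_LOG)
    print("heuristic :", suspicious_drivers(parsed))
    print("scanner   :", scanner_flagged(SAMPLE_LOG))
```

The heuristic is a triage aid, not a verdict: a minimal legitimate driver may also route every major to a single dispatch routine, and a hook that redirects only some majors would pass unflagged, so read its output next to the scanner's own "infected" lines rather than instead of them.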


#10 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:08:57 PM

Posted 20 April 2010 - 06:47 PM

Hello.

Okay, TDSSKiller didn't remove it. However, I see the driver that requires attention.

Run ComboFix with CFScript

We will run ComboFix again. This time, the instructions are slightly different.
  • Close any open browsers.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are unsure how.
  • Open notepad (Start>Run>"notepad") and copy/paste the text in the quotebox below into it:
    TDL::
    C:\WINDOWS\system32\DRIVERS\nvgts.sys
    Save this as CFScript.txt, in the same location as ComboFix.exe. (This should be your desktop.)

    Referring to the picture above, drag CFScript into ComboFix.exe.
When finished, it shall produce a log for you at "C:\ComboFix.txt". Post back with that log.

Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Let me know how it goes and post the log once done.
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#11 cotraveler

cotraveler
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:08:57 PM

Posted 21 April 2010 - 08:01 AM

Hi extremeboy,

Thanks! At least some of the symptoms appear to have been healed by that last scan, so I am attempting to post this from the infected computer.

When I first dragged the script into CF, it said some files could not be created and instructed me to reboot. After I did so, CF seemed to run normally, found rootkit activity, and rebooted at least once more. The resulting log is pasted below.

Symptom Updates:
  • Google Search Results - I haven't tested this one
  • Google Chrome - opened normally and successfully loaded a page
  • Microsoft Update - I visited the site, but didn't run any updates (just checking to see if it could load)
  • "Connection Reset" - If the entire log posts below, then this has resolved
  • System File Protection - I have not seen this happen again so far since the scan

-Todd

ComboFix.txt
ComboFix 10-04-19.08 - Todd 04/20/2010 23:58:56.12.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1587 [GMT -4:00]
Running from: c:\documents and settings\Todd\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Todd\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

Infected copy of c:\windows\system32\DRIVERS\nvgts.sys was found and disinfected
Restored copy from - Kitty had a snack tongue.gif
Infected copy of c:\windows\system32\DRIVERS\nvgts.sys was found and disinfected
Restored copy from - Kitty ate it tongue.gif
Infected copy of c:\windows\system32\drivers\rasacd.sys was found and disinfected
Restored copy from - Kitty had a snack tongue.gif
.
((((((((((((((((((((((((( Files Created from 2010-03-21 to 2010-04-21 )))))))))))))))))))))))))))))))
.

2010-04-20 17:36 . 2010-04-21 02:04 0 ----a-w- c:\documents and settings\Todd\Local Settings\Application Data\prvlcl.dat
2010-04-20 17:15 . 2010-04-20 17:18 -------- d-----w- C:\I386
2010-04-13 21:09 . 2010-04-13 21:09 -------- d-----w- C:\goodjavaCF
2010-04-13 21:07 . 2010-04-13 21:07 -------- d-----w- c:\program files\ERUNT
2010-04-12 15:45 . 2010-04-12 15:45 -------- d-----w- C:\cotravelerCF14057c
2010-04-11 01:02 . 2010-03-30 04:46 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-11 01:02 . 2010-03-30 04:45 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-11 00:42 . 2010-04-11 00:56 -------- d-----w- C:\cotravelerCF
2010-04-11 00:39 . 2010-04-11 00:40 -------- d-----w- C:\freecoffee17331f
2010-04-11 00:11 . 2010-04-11 00:30 -------- d-----w- C:\freecoffee9916f
2010-04-10 22:45 . 2010-04-10 22:45 -------- d-----w- c:\program files\ESET
2010-04-10 18:02 . 2009-07-01 15:54 701440 ----a-w- c:\windows\system32\cohelper.dll
2010-04-10 18:02 . 2009-06-01 05:11 5876 ----a-w- c:\windows\system32\drivers\nvphy.bin
2010-04-10 18:02 . 2009-07-01 04:42 485920 ----a-w- c:\windows\system32\nvunrm.exe
2010-04-10 16:47 . 2010-04-10 16:47 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-04-10 16:47 . 2010-04-10 16:47 242696 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-04-10 16:47 . 2010-04-10 16:47 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-04-10 16:47 . 2010-04-10 16:47 29512 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2010-04-10 16:46 . 2010-04-20 12:58 -------- d-----w- c:\windows\system32\drivers\Avg
2010-04-10 16:27 . 2010-04-10 16:27 -------- d-----w- c:\windows\system32\wbem\Repository
2010-04-10 16:27 . 2010-04-10 16:27 -------- d-----w- C:\freecoffee24757f
2010-04-10 16:26 . 2010-04-10 16:26 -------- d-----w- c:\documents and settings\Todd\Application Data\AVG9
2010-04-10 13:56 . 2010-04-10 13:57 90440 ----a-w- c:\documents and settings\Todd\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-04-08 10:04 . 2010-04-08 10:05 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-04-07 12:22 . 2010-04-07 12:22 -------- d-----w- C:\$AVG
2010-04-06 20:10 . 2010-04-06 20:10 -------- d-----w- c:\program files\Panda Security
2010-04-06 15:00 . 2010-04-06 15:00 -------- d-----w- c:\program files\AVG
2010-04-06 15:00 . 2010-04-10 16:44 -------- d-----w- c:\documents and settings\All Users\Application Data\avg9
2010-04-06 12:06 . 2010-04-06 12:06 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2010-03-31 10:10 . 2010-02-25 06:24 611840 -c----w- c:\windows\system32\dllcache\mstime.dll
2010-03-31 10:10 . 2010-02-25 06:24 25600 -c----w- c:\windows\system32\dllcache\jsproxy.dll
2010-03-31 10:10 . 2010-02-25 06:24 184320 -c----w- c:\windows\system32\dllcache\iepeers.dll
2010-03-31 10:10 . 2010-02-25 06:24 916480 -c----w- c:\windows\system32\dllcache\wininet.dll
2010-03-31 10:10 . 2010-02-25 06:24 206848 -c----w- c:\windows\system32\dllcache\occache.dll
2010-03-31 10:10 . 2010-02-25 06:24 387584 -c----w- c:\windows\system32\dllcache\iedkcs32.dll
2010-03-31 10:10 . 2010-02-24 09:54 173056 -c----w- c:\windows\system32\dllcache\ie4uinit.exe
2010-03-31 10:10 . 2010-02-25 06:24 1209344 -c----w- c:\windows\system32\dllcache\urlmon.dll
2010-03-31 10:10 . 2010-02-25 06:24 5944832 -c----w- c:\windows\system32\dllcache\mshtml.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-21 03:43 . 2003-07-16 16:36 8832 ----a-w- c:\windows\system32\drivers\rasacd.sys
2010-04-19 17:38 . 2010-01-26 17:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-04-19 14:56 . 2009-02-06 16:59 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2010-04-12 14:34 . 2007-12-01 05:23 -------- d-----w- c:\program files\Common Files\Adobe
2010-04-11 01:11 . 2008-04-21 22:42 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-04-11 01:02 . 2010-01-24 15:32 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-10 16:27 . 2007-12-01 05:10 -------- d-----w- c:\program files\Java
2010-04-10 16:26 . 2007-12-01 03:55 -------- d-----w- c:\program files\Mozilla Firefox (old)
2010-04-06 18:30 . 2009-11-01 20:15 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-04-06 18:27 . 2009-11-01 20:15 117760 ----a-w- c:\documents and settings\Todd\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-04-06 18:25 . 2009-09-20 04:21 -------- d-----w- c:\program files\CCleaner
2010-04-05 16:43 . 2007-12-01 05:10 -------- d-----w- c:\program files\Common Files\Java
2010-04-01 16:07 . 2007-12-11 03:34 -------- d-----w- c:\documents and settings\Todd\Application Data\gtk-2.0
2010-03-26 16:02 . 2008-04-21 23:07 -------- d-----w- c:\program files\World of Warcraft
2010-03-17 17:56 . 2007-12-04 00:33 -------- d-----w- c:\documents and settings\Todd\Application Data\FileZilla
2010-03-13 14:32 . 2007-12-01 05:40 -------- d-----w- c:\program files\NVIDIA Corporation
2010-03-13 14:31 . 2010-03-13 14:31 -------- d-----w- c:\program files\AGEIA Technologies
2010-03-13 14:31 . 2009-02-19 18:44 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-03-13 14:31 . 2010-03-13 14:31 -------- d-----w- c:\documents and settings\All Users\Application Data\NVIDIA Corporation
2010-03-13 14:25 . 2010-03-13 14:25 -------- d-----w- c:\program files\SystemRequirementsLab
2010-03-13 14:25 . 2010-03-13 14:25 -------- d-----w- c:\documents and settings\Todd\Application Data\SystemRequirementsLab
2010-03-13 14:25 . 2010-03-13 14:25 290816 ----a-w- c:\documents and settings\Todd\Application Data\SystemRequirementsLab\SRLProxy_nvd_4.dll
2010-03-13 14:25 . 2010-03-13 14:25 290816 ----a-w- c:\documents and settings\Todd\Application Data\SystemRequirementsLab\SRLProxy_nvd_3.dll
2010-03-13 14:25 . 2010-03-13 14:25 290816 ----a-w- c:\documents and settings\Todd\Application Data\SystemRequirementsLab\SRLProxy_nvd_2.dll
2010-03-13 14:25 . 2010-03-13 14:25 290816 ----a-w- c:\documents and settings\Todd\Application Data\SystemRequirementsLab\SRLProxy_nvd_1.dll
2010-03-10 06:15 . 2003-07-16 16:43 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-03-09 18:03 . 2010-03-09 18:00 -------- d-----w- c:\program files\Rawr v2.3.11
2010-03-09 08:28 . 2008-12-30 04:39 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-02-27 16:23 . 2010-02-27 16:23 -------- d-----w- c:\documents and settings\All Users\Application Data\Office Genuine Advantage
2010-02-25 06:24 . 2006-06-23 16:33 916480 ------w- c:\windows\system32\wininet.dll
2010-02-24 13:11 . 2009-12-25 23:17 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-23 18:15 . 2010-02-23 14:48 -------- d-----w- c:\program files\Rawr v2.3.10
2010-02-16 14:08 . 2009-12-25 23:17 2146304 ------w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25 . 2009-12-25 23:17 2024448 ------w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 04:33 . 2009-11-20 16:02 100864 ----a-w- c:\windows\system32\6to4svc.dll
2010-02-11 12:02 . 2009-12-25 23:17 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVIDIA nTune"="c:\program files\NVIDIA Corporation\nTune\nTuneCmd.exe" [2007-09-05 81920]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-09-21 305440]
"TrueImageMonitor.exe"="c:\program files\Acronis\TrueImageHome\TrueImageMonitor.exe" [2009-06-10 1326080]
"AcronisTimounterMonitor"="c:\program files\Acronis\TrueImageHome\TimounterMonitor.exe" [2009-06-10 904840]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2010-01-12 13666408]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2010-01-12 110696]

c:\documents and settings\Justine\Start Menu\Programs\Startup\
OpenOffice.org 3.1.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2009-8-18 384000]

c:\documents and settings\Todd\Start Menu\Programs\Startup\
AVG Free Tray Icon.lnk - c:\program files\AVG\AVG9\avgtray.exe [2010-4-10 2064224]
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Monitor Apache Servers.lnk - c:\program files\Apache Software Foundation\Apache2.2\bin\ApacheMonitor.exe [2008-1-18 41041]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-04-10 16:47 12464 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^Todd^Start Menu^Programs^Startup^OpenOffice.org 2.3.lnk]
path=c:\documents and settings\Todd\Start Menu\Programs\Startup\OpenOffice.org 2.3.lnk
backup=c:\windows\pss\OpenOffice.org 2.3.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
2005-05-04 01:43 69632 ----a-r- c:\windows\Alcmtr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DMXLauncher]
2007-02-12 08:24 109304 ----a-w- c:\program files\Roxio\Media Experience\DMXLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
2007-01-01 21:22 3739648 ----a-w- c:\program files\Google\Google Talk\googletalk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-11-11 04:08 417792 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
2007-02-12 14:05 1121016 ----a-w- c:\program files\Roxio\Drag-to-Disc\DrgToDsc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
2006-09-12 23:58 16264192 ----a-r- c:\windows\RTHDCPL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel]
2006-05-17 01:04 2879488 ----a-r- c:\windows\SkyTel.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"stllssvr"=3 (0x3)
"RoxMediaDB9"=3 (0x3)
"RoxLiveShare9"=2 (0x2)
"Roxio Upnp Server 9"=2 (0x2)
"Roxio UPnP Renderer 9"=3 (0x3)
"NoIPDUCService"=2 (0x2)
"Apache2.2"=3 (0x3)
"AcrSch2Svc"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"c:\\Program Files\\Trillian\\trillian.exe"=
"c:\\Program Files\\Ventrilo\\Ventrilo.exe"=
"c:\\Documents and Settings\\Todd\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
"c:\\Documents and Settings\\Todd\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [9/19/2009 11:33 PM 130936]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [4/10/2010 12:47 PM 216200]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [4/10/2010 12:47 PM 242696]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [10/12/2009 10:24 PM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [10/12/2009 10:24 PM 66632]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [4/10/2010 12:46 PM 308064]
S0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys --> c:\windows\system32\drivers\pavboot.sys [?]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [10/12/2009 10:24 PM 12872]
S4 Apache2.2;Apache2.2;c:\program files\Apache Software Foundation\Apache2.2\bin\httpd.exe [1/18/2008 12:37 AM 24635]
.
Contents of the 'Scheduled Tasks' folder

2010-04-20 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-682003330-602162358-839522115-1003Core.job
- c:\documents and settings\Todd\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-08-01 20:27]

2010-04-21 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-682003330-602162358-839522115-1003UA.job
- c:\documents and settings\Todd\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-08-01 20:27]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
Trusted Zone: microsoft.com\update
Trusted Zone: microsoft.com\windowsupdate
FF - ProfilePath - c:\documents and settings\Todd\Application Data\Mozilla\Firefox\Profiles\0fr5x8wq.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
FF - plugin: c:\documents and settings\Todd\Application Data\Mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\Todd\Local Settings\Application Data\Google\Update\1.2.183.7\npGoogleOneClick8.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-21 00:07
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(1120)
c:\windows\system32\relog_ap.dll

- - - - - - - > 'explorer.exe'(3772)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Roxio\Drag-to-Disc\Shellex.dll
c:\windows\system32\DLAAPI_W.DLL
c:\program files\Roxio\Drag-to-Disc\ShellRes.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvsvc32.exe
c:\program files\AVG\AVG9\avgchsvx.exe
c:\program files\AVG\AVG9\avgrsx.exe
c:\program files\AVG\AVG9\avgcsrvx.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\NVIDIA Corporation\nTune\nTuneService.exe
c:\program files\AVG\AVG9\avgnsx.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\RUNDLL32.EXE
.
**************************************************************************
.
Completion time: 2010-04-21 00:14:03 - machine was rebooted
ComboFix-quarantined-files.txt 2010-04-21 04:14
ComboFix2.txt 2010-04-13 21:29
ComboFix3.txt 2010-04-12 16:03

Pre-Run: 10,337,718,272 bytes free
Post-Run: 10,241,658,880 bytes free

Current=1 Default=1 Failed=0 LastKnownGood=8 Sets=1,2,4,5,6,7,8
- - End Of File - - BE38787C018385E2B3EEE7C62FEB8A5E




#12 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  • Gender:Male
  • Local time:08:57 PM

Posted 21 April 2010 - 02:52 PM

Great! That's good.

It seems those drivers have been dealt with, let's continue with an online scan.

Run Scan with Kaspersky

Please do a scan with Kaspersky Online Scanner. Please note: Kaspersky requires the Java Runtime Environment (JRE) to be installed before scanning for malware, as ActiveX is no longer being used.

If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

  • Open the Kaspersky WebScanner page.
  • Click on the button on the main page.
  • The program will launch and fill in the Information section on the left.
  • Read the "Requirements and Limitations" then press the button.
  • The program will begin downloading the latest program and definition files. It may take a while so please be patient and let it finish.
  • Once the files have been downloaded, click on the ...button.
    In the scan settings make sure the following are selected:
    • Detect malicious programs of the following categories:
      Viruses, Worms, Trojan Horses, Rootkits
      Spyware, Adware, Dialers and other potentially dangerous programs
    • Scan compound files (doesn't apply to the File scan area):
      Archives
      Mail databases
      By default the above items should already be checked.
    • Click the button, if you made any changes.
  • Now under the Scan section on the left:

    Select My Computer
  • The program will now start and scan your system. This will run for a while, be patient and let it finish.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
You can refer to this animation by sundavis if needed.

Take a new DDS run afterward and post back with both the DDS and Attach logs in your next reply. Also, let me know how your computer is running and if you have any more problems, issues or symptoms left.

Thanks.

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#13 cotraveler

cotraveler
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  • Local time:08:57 PM

Posted 22 April 2010 - 06:41 AM

Hi extremeboy,

Here are the results from the scans.

-Todd

Kaspersky
KASPERSKY ONLINE SCANNER 7.0: scan report
Thursday, April 22, 2010
Operating system: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Wednesday, April 21, 2010 20:27:33
Records in database: 3962586
Scan settings
scan using the following database extended
Scan archives yes
Scan e-mail databases yes
Scan area My Computer
C:\
D:\
E:\
F:\
G:\
H:\
I:\
J:\
Scan statistics
Objects scanned 129188
Threats found 1
Infected objects found 2
Suspicious objects found 0
Scan duration 02:38:41

File name Threat Threats count
C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\rasacd.sys.vir Infected: Rootkit.Win32.TDSS.ap 1
C:\System Volume Information\_restore{6DA41F9E-FCB2-4FD6-9DCC-1C92B22783DE}\RP103\A0024857.sys Infected: Rootkit.Win32.TDSS.ap 1
Selected area has been scanned.


DDS

DDS (Ver_10-03-17.01) - NTFSx86
Run by Todd at 7:35:40.12 on Thu 04/22/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_19
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1262 [GMT -4:00]

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
svchost.exe
svchost.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Apache Software Foundation\Apache2.2\bin\ApacheMonitor.exe
C:\Program Files\AVG\AVG9\avgtray.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Java\jre6\bin\java.exe
D:\downloads\bleepingfiles\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [NVIDIA nTune] "c:\program files\nvidia corporation\ntune\nTuneCmd.exe" clear
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [TrueImageMonitor.exe] c:\program files\acronis\trueimagehome\TrueImageMonitor.exe
mRun: [AcronisTimounterMonitor] c:\program files\acronis\trueimagehome\TimounterMonitor.exe
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
StartupFolder: c:\docume~1\todd\startm~1\programs\startup\avgfre~1.lnk - c:\program files\avg\avg9\avgtray.exe
StartupFolder: c:\docume~1\todd\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\monito~1.lnk - c:\program files\apache software foundation\apache2.2\bin\ApacheMonitor.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
Trusted Zone: microsoft.com\update
Trusted Zone: microsoft.com\windowsupdate
DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - hxxp://download.bitdefender.com/resources/scanner/sources/en/scan8/oscan8.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1196478317500
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1196478728937
DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} - hxxp://www.nvidia.com/content/DriverDownload/nforce/NvidiaSmartScan.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
LSA: Authentication Packages = msv1_0 relog_ap

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\todd\applic~1\mozilla\firefox\profiles\0fr5x8wq.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - component: c:\program files\avg\avg9\firefox\components\avgssff.dll
FF - plugin: c:\documents and settings\todd\application data\mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\todd\local settings\application data\google\update\1.2.183.7\npGoogleOneClick8.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-9-19 130936]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2010-4-10 216200]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2010-4-10 29512]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2010-4-10 242696]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2009-10-12 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-10-12 66632]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-4-10 308064]
S0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys --> c:\windows\system32\drivers\pavboot.sys [?]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-10-12 12872]
S4 Apache2.2;Apache2.2;c:\program files\apache software foundation\apache2.2\bin\httpd.exe [2008-1-18 24635]

=============== Created Last 30 ================

2010-04-21 03:40:40 0 d-----w- C:\ComboFix
2010-04-20 17:15:05 0 d-----w- C:\I386
2010-04-13 21:11:27 77312 ----a-w- c:\windows\MBR.exe
2010-04-13 21:11:26 98816 ----a-w- c:\windows\sed.exe
2010-04-13 21:11:26 261632 ----a-w- c:\windows\PEV.exe
2010-04-13 21:11:26 161792 ----a-w- c:\windows\SWREG.exe
2010-04-13 21:09:29 0 d-----w- C:\goodjavaCF
2010-04-12 15:45:21 0 d-----w- C:\cotravelerCF14057c
2010-04-11 13:23:21 0 ----a-w- c:\documents and settings\todd\defogger_reenable
2010-04-11 01:02:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-11 01:02:12 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-11 00:42:25 0 d-----w- C:\cotravelerCF
2010-04-11 00:39:58 0 d-----w- C:\freecoffee17331f
2010-04-11 00:11:30 0 d-----w- C:\freecoffee9916f
2010-04-10 22:45:07 0 d-----w- c:\program files\ESET
2010-04-10 18:02:19 701440 ----a-w- c:\windows\system32\cohelper.dll
2010-04-10 18:02:19 6789 ----a-w- c:\windows\system32\nvnrm.nvu
2010-04-10 18:02:19 5876 ----a-w- c:\windows\system32\drivers\nvphy.bin
2010-04-10 18:02:18 485920 ----a-w- c:\windows\system32\nvunrm.exe
2010-04-10 16:47:06 12464 ----a-w- c:\windows\system32\avgrsstx.dll
2010-04-10 16:47:05 242696 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-04-10 16:47:01 216200 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-04-10 16:46:55 0 d-----w- c:\windows\system32\drivers\Avg
2010-04-10 16:27:40 0 d-----w- c:\windows\system32\wbem\Repository
2010-04-10 16:27:02 0 d-----w- C:\freecoffee24757f
2010-04-10 16:26:48 0 d-----w- c:\docume~1\todd\applic~1\AVG9
2010-04-07 12:22:17 0 d-----w- C:\$AVG
2010-04-06 20:10:08 0 d-----w- c:\program files\Panda Security
2010-04-06 15:00:38 0 d-----w- c:\program files\AVG
2010-04-06 15:00:26 0 d-----w- c:\docume~1\alluse~1\applic~1\avg9
2010-04-01 16:07:49 55089 ----a-w- c:\documents and settings\todd\.recently-used.xbel
2010-03-31 10:10:44 611840 -c----w- c:\windows\system32\dllcache\mstime.dll
2010-03-31 10:10:44 25600 -c----w- c:\windows\system32\dllcache\jsproxy.dll
2010-03-31 10:10:44 184320 -c----w- c:\windows\system32\dllcache\iepeers.dll
2010-03-31 10:10:43 916480 -c----w- c:\windows\system32\dllcache\wininet.dll
2010-03-31 10:10:43 387584 -c----w- c:\windows\system32\dllcache\iedkcs32.dll
2010-03-31 10:10:43 206848 -c----w- c:\windows\system32\dllcache\occache.dll
2010-03-31 10:10:43 173056 -c----w- c:\windows\system32\dllcache\ie4uinit.exe
2010-03-31 10:10:42 5944832 -c----w- c:\windows\system32\dllcache\mshtml.dll
2010-03-31 10:10:42 1469440 -c----w- c:\windows\system32\dllcache\inetcpl.cpl
2010-03-31 10:10:42 1209344 -c----w- c:\windows\system32\dllcache\urlmon.dll
2010-03-25 14:01:11 3251 ----a-w- c:\windows\system32\wbem\Outlook_01cacc23a02ad044.mof

==================== Find3M ====================

2010-04-21 03:43:28 8832 ----a-w- c:\windows\system32\drivers\rasacd.sys
2010-03-10 06:15:52 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-03-09 08:28:20 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-02-25 06:24:37 916480 ------w- c:\windows\system32\wininet.dll
2010-02-24 13:11:07 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-16 14:08:49 2146304 ------w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25:04 2024448 ------w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 04:33:11 100864 ----a-w- c:\windows\system32\6to4svc.dll
2009-12-26 01:51:59 245760 --sha-w- c:\windows\system32\config\systemprofile\ietldcache\index.dat
2009-12-26 01:51:59 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009122520091226\index.dat
2009-12-26 01:52:29 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\temporary internet files\content.ie5\index.dat

============= FINISH: 7:36:27.62 ===============


Attach
(attached)


#14 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  • Gender:Male
  • Local time:08:57 PM

Posted 22 April 2010 - 08:31 PM

Hello,

That's looking good. How's your computer running?

Kaspersky just detected 2 items, where one is just a ComboFix quarantine item and the other is a System Restore point. Those will be removed and dealt with once we uninstall ComboFix.

Update your Java.

Update Java to Version 6 Update 20

Your version of Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) Version 6 and save it to your desktop.
  • Look for "JDK 6 Update 20 (JDK or JRE)".
  • Click the "Download JRE" button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Under Required Files, check the box for Windows Offline Installation, click the link below it and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button and follow the onscreen instructions for the Java uninstaller.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u20-windows-i586.exe to install the newest version.
  • If using Windows Vista and the installer refuses to launch due to insufficient user permissions, then Run As Administrator.
  • When the Java Setup - Welcome window opens, click the Install > button.
  • If offered to install a Toolbar, just uncheck the box before continuing unless you want it.
-- Starting with Java 6u10, the uninstaller incorporated in each new release uses Enhanced Auto update to automatically remove the previous version when updating to a later update release. It will not remove older versions, so they will need to be removed manually.
-- Java is updated frequently. If you want to be automatically notified of future updates, just turn on the Java Automatic Update feature and you will not have to remember to update when Java releases a new version.

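The reasoning in the reply above, that hits under ComboFix's Qoobox quarantine folder and under a System Volume Information restore point are inert copies rather than live infections, is worth automating when a scan report has more than a couple of lines. The Python script below is an added example written for this page; it is not a BleepingComputer, ComboFix or Kaspersky tool. It parses report lines in the format posted above, classifies each detection by where the file sits, and returns only the paths that still need cleanup. The sample report is constructed here: its first two lines mirror the two detections posted above, and the third line is a hypothetical live hit with a made-up threat name, added only so the classifier has a "live" case to exercise.

```python
"""Triage a Kaspersky Online Scanner 7.0 report: separate live detections from
hits that sit in a quarantine folder or a System Restore snapshot.

Added example for this thread, not a BleepingComputer, ComboFix or Kaspersky tool.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample report. Lines 2 and 3 mirror the detections posted in the
# thread; line 4 is a HYPOTHETICAL live hit (made-up path and threat name) so
# that the classifier has a "live" case to exercise.
SAMPLE_REPORT = r"""
File name Threat Threats count
C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\rasacd.sys.vir Infected: Rootkit.Win32.TDSS.ap 1
C:\System Volume Information\_restore{6DA41F9E-FCB2-4FD6-9DCC-1C92B22783DE}\RP103\A0024857.sys Infected: Rootkit.Win32.TDSS.ap 1
C:\WINDOWS\system32\drivers\hypothetical.sys Infected: Example.Threat.Placeholder 1
Selected area has been scanned.
"""

# One detection line: "<path> Infected|Suspicious: <threat name> <count>".
# The path is matched non-greedily because it may contain spaces
# ("System Volume Information").
DETECTION_RE = re.compile(
    r"^(?P<path>.+?)\s+(?P<status>Infected|Suspicious):\s+(?P<threat>\S+)\s+(?P<count>\d+)\s*$"
)

# Where a restore-point copy lives: <drive>:\System Volume Information\_restore{GUID}\...
RESTORE_POINT_RE = re.compile(r"^[a-z]:\\system volume information\\_restore\{")


@dataclass(frozen=True)
class Detection:
    path: str
    status: str
    threat: str
    count: int


def parse_report(text: str) -> List[Detection]:
    """Return every detection line in the report, in order; other lines are skipped."""
    found: List[Detection] = []
    for line in text.splitlines():
        m = DETECTION_RE.match(line.strip())
        if m:
            found.append(Detection(m["path"], m["status"], m["threat"], int(m["count"])))
    return found


def classify(path: str) -> str:
    """Bucket a detected file by where it sits on disk.

    quarantine    - ComboFix keeps removed files under <drive>:\\Qoobox\\Quarantine
                    and renames them with a .vir extension so Windows will not load them.
    restore_point - a System Restore snapshot copy; inert, but it comes back if
                    the user rolls the system back to that point.
    live          - anything else: a file Windows could still load.
    """
    p = path.lower().replace("/", "\\")
    if "\\qoobox\\quarantine\\" in p or p.endswith(".vir"):
        return "quarantine"
    if RESTORE_POINT_RE.match(p):
        return "restore_point"
    return "live"


def triage(text: str) -> Dict[str, List[Detection]]:
    """Group all detections in the report by classify()."""
    buckets: Dict[str, List[Detection]] = {"live": [], "quarantine": [], "restore_point": []}
    for d in parse_report(text):
        buckets[classify(d.path)].append(d)
    return buckets


def needs_action(text: str) -> List[str]:
    """Paths that still need cleanup: live hits only."""
    return [d.path for d in triage(text)["live"]]


if __name__ == "__main__":
    for bucket, hits in triage(SAMPLE_REPORT).items():
        print(f"{bucket}: {len(hits)}")
        for d in hits:
            print(f"  {d.status} {d.threat} ({d.count}) {d.path}")
    print("needs action:", needs_action(SAMPLE_REPORT))
```

The two buckets that are not "live" are handled the way the reply describes: uninstalling ComboFix deletes the Qoobox quarantine, and restore points are flushed so the infected snapshot copy cannot be brought back by a later rollback. The `.vir` check is a ComboFix convention; a report from a different tool's quarantine would need its own path rule added to `classify()`.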

#15 cotraveler

cotraveler
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  • Local time:08:57 PM

Posted 22 April 2010 - 10:02 PM

Hi,

I have not experienced any of the original symptoms. Everything seems great so far. Thank you so much!

I uninstalled and re-installed Java per your instructions.

-Todd



