Google Search redirects to bad site


35 replies to this topic

#1 mecl

Posted 10 April 2010 - 09:15 PM

Hello,

Truly hope you can help me. I seem to have some kind of malware on my WinXP SP3 home computer. It started misbehaving about 2 days ago - strange processes in task manager, sites would pop up when in either IE8 or Firefox (I use both - mostly Firefox). I had Spybot Search & Destroy, Spyblaster & Avg Anti-Virus running but they did not seem to protect against whatever I got. For a while I could not seem to even run any programs but someone got me an exe-fix that I ran & then the programs ran again.

All appears good now except -
1) Both IE8 and Firefox will intermittently bring up a strange website when I click on a Google Search result link or sometimes the site just comes up by itself
2) My DVD/CD drive behaves strangely - it no longer has the 'erase' command when you right-click on the drive in Explorer and all files in any CDs I put into the drive show up as read-only even though they are on a RW CD and I cannot seem to remove the read-only attribute.

I installed Sophos Anti-virus and Anti-Rootkit but both scans did not detect any issues. Also ran several other anti-virus software like SUPERAntivirus.

Problems still exist though...

Following the guide, attached are the ATTACH.txt and the ark.txt (from gmer scan) and below is the DDS.txt contents.

Thank-you very much in advance for any assistance!

DDS (Ver_10-03-17.01) - NTFSx86
Run by michael at 21:01:35.80 on 2010-04-09
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_19
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1364 [GMT -7:00]

AV: Sophos Anti-Virus *On-access scanning enabled* (Updated) {3F13C776-3CBE-4DE9-8BF6-09E5183CA2BD}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
C:\Program Files\Sophos\AutoUpdate\ALMon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\michael\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}&ie={inputEncoding}&oe={outputEncoding}&startIndex={startIndex?}&startPage={startPage}
uStart Page = hxxp://en.canoe.ca/home.html
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {08E74C67-99A6-45C7-94DA-A397A8FD8082} - No File
BHO: Sophos Web Content Scanner: {39ea7695-b3f2-4c44-a4bc-297ada8fd235} - c:\program files\sophos\sophos anti-virus\SophosBHO.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: {0BF43445-2F28-4351-9252-17FE6E806AA0} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRunOnce: [RunNarrator] Narrator.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\autoup~1.lnk - c:\program files\sophos\autoupdate\ALMon.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\jp2iexp.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
Trusted Zone: ubc.ca\walnut.vdesk.ad
DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} - hxxp://support.dell.com/systemprofiler/SysPro.CAB
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/7/3/e7345c16-80aa-4488-ae10-9ac6be844f99/OGAControl.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {362C56AA-6E4F-40C7-A0B5-85501DBDAD77} - hxxp://i.dell.com/images/global/js/scanner/SysProExe.cab
DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc3.cab
DPF: {55963676-2F5E-4BAF-AC28-CF26AA587566} - hxxps://myvpn.ubc.ca/CACHE/stc/1/binaries/vpnweb.cab
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxps://scan.safety.live.com/resource/download/scanner/en-us/wlscbase7617.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1228953734616
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1228953684043
DPF: {7C896371-4B7F-4B34-95B1-24851F5DED24} - hxxps://www.microsoft.com/resources/virtuallabs/ActiveX/VMRCActiveXClient.cab
DPF: {7FA319FB-FFB9-4089-87EB-63179244E6E6} - hxxps://rsvpn.ubc.ca/nortel_cacheable/NetDirect.cab
DPF: {82774781-8F4E-11D1-AB1C-0000F8773BF0} - hxxp://transfers.one.microsoft.com/FTM/TransferSource/grTransferCtrl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF}
DPF: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_19-windows-i586.cab
DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7}
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {DE22A7AB-A739-4C58-AD52-21F9CD6306B7} - hxxp://download.microsoft.com/download/7/E/6/7E6A8567-DFE4-4624-87C3-163549BE2704/clearadj.cab
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Handler: x-owacid - {0215258f-f0a8-49de-bf1b-0ff02eda8807} - c:\program files\microsoft\outlook web access smime client\mimectl.dll
AppInit_DLLs: c:\progra~1\sophos\sophos~1\SOPHOS~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\michael\applic~1\mozilla\firefox\profiles\idc08d7u.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.weatheroffice.gc.ca/city/pages/bc-74_metric_e.html#detailsf
FF - plugin: c:\documents and settings\michael\local settings\application data\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 SAVOnAccessControl;SAVOnAccessControl;c:\windows\system32\drivers\savonaccesscontrol.sys [2010-4-9 110848]
R1 SAVOnAccessFilter;SAVOnAccessFilter;c:\windows\system32\drivers\savonaccessfilter.sys [2010-4-9 38528]
R2 HPPECP00;hppecp00;c:\windows\system32\drivers\hppecp00.sys [2006-1-17 42048]
R2 SAVAdminService;Sophos Anti-Virus status reporter;c:\program files\sophos\sophos anti-virus\SAVAdminService.exe [2010-4-9 80936]
R2 SAVService;Sophos Anti-Virus;c:\program files\sophos\sophos anti-virus\SavService.exe [2010-4-9 98304]
R2 Sophos AutoUpdate Service;Sophos AutoUpdate Service;c:\program files\sophos\autoupdate\ALsvc.exe [2009-9-11 172032]
R3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\68.tmp --> c:\windows\system32\68.tmp [?]
R3 OZSCR;O2Micro SmartCardBus Smartcard Reader;c:\windows\system32\drivers\ozscr.sys [2006-1-12 92550]
RUnknown SASKUTIL;SASKUTIL; [x]
S3 Ctxusbr;Citrix USB Redirection Driver;c:\windows\system32\drivers\ctxusbr.sys --> c:\windows\system32\drivers\ctxusbr.sys [?]
S3 NetDirect;TAP-Win32 NetDirect Adapter;c:\windows\system32\drivers\NetDirect.sys [2006-10-30 24576]
S3 vpnagent;Cisco AnyConnect VPN Agent;c:\program files\cisco\cisco anyconnect vpn client\vpnagent.exe [2009-6-17 434864]
S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys --> c:\windows\system32\vsdatant.sys [?]
S3 WSUSBDMAN;VMware VDM Virtual Client USB Manager;c:\windows\system32\drivers\wsusbdman.sys --> c:\windows\system32\drivers\WSUSBDMAN.sys [?]
S4 SophosBootDriver;SophosBootDriver;c:\windows\system32\drivers\SophosBootDriver.sys [2010-4-9 14976]
UnknownUnknown SASDIFSV;SASDIFSV; [x]

=============== Created Last 30 ================

2010-04-10 02:15:11 130104 ----a-w- c:\windows\system32\sdccoinstaller.dll
2010-04-10 02:14:23 0 d-----w- c:\program files\common files\Cisco Systems
2010-04-10 02:14:14 23552 ----a-w- c:\windows\system32\sophosboottasks.exe
2010-04-10 02:14:02 0 d-----w- c:\docume~1\alluse~1\applic~1\Sophos
2010-04-10 02:12:15 14976 ----a-w- c:\windows\system32\drivers\SophosBootDriver.sys
2010-04-10 02:11:47 38528 ----a-w- c:\windows\system32\drivers\savonaccessfilter.sys
2010-04-10 02:11:14 110848 ----a-w- c:\windows\system32\drivers\savonaccesscontrol.sys
2010-04-10 02:10:04 0 d-----w- c:\program files\Sophos
2010-04-10 02:09:40 0 d-----w- c:\temp\Sophos
2010-04-09 19:36:12 0 ----a-w- c:\documents and settings\michael\defogger_reenable
2010-04-09 15:24:50 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-04-09 15:24:38 0 d-----w- c:\docume~1\michael\applic~1\SUPERAntiSpyware.com
2010-04-09 04:49:23 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-04-09 04:16:07 0 d-----w- c:\program files\Microsoft Windows Vista Upgrade Advisor
2010-04-09 03:17:15 0 d-sha-r- C:\cmdcons
2010-04-09 02:25:53 3968 -c--a-w- c:\windows\system32\dllcache\brfiltup.sys
2010-04-09 02:25:53 12160 -c--a-w- c:\windows\system32\dllcache\brfiltlo.sys
2010-04-09 02:25:52 2944 -c--a-w- c:\windows\system32\dllcache\brfilt.sys
2010-04-09 02:25:52 12800 -c--a-w- c:\windows\system32\dllcache\brevif.dll
2010-04-09 02:25:51 9728 -c--a-w- c:\windows\system32\dllcache\brcoinst.dll
2010-04-09 02:25:51 19456 -c--a-w- c:\windows\system32\dllcache\brbidiif.dll
2010-04-09 02:25:36 102400 -c--a-w- c:\windows\system32\dllcache\binlsvc.dll
2010-04-09 02:23:57 24576 -c--a-w- c:\windows\system32\dllcache\agcgauge.ax
2010-04-09 01:57:22 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-04-09 01:57:22 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-04-08 22:21:13 0 dc-h--w- c:\windows\ie8
2010-04-05 17:03:53 0 d-----w- c:\windows\Performance
2010-04-03 07:05:50 0 d-----w- c:\temp\ProcessExplorer
2010-03-27 12:54:39 0 d-----w- c:\docume~1\alluse~1\applic~1\{755AC846-7372-4AC8-8550-C52491DAA8BD}

==================== Find3M ====================

2010-04-09 17:38:15 96512 ------w- c:\windows\system32\drivers\atapi.sys
2010-02-25 06:24:37 916480 ------w- c:\windows\system32\wininet.dll
2008-05-10 14:45:28 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008051020080511\index.dat

============= FINISH: 21:02:47.42 ===============


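A triage pass over the SERVICES / DRIVERS and Find3M sections of the DDS log above, as an added example that is not part of the thread and not part of DDS itself. DDS only lists what it finds; the three rules applied here are an analyst's reading of its notation: a trailing "[?]" is read as "the file the registry points to was not found on disk" and "[x]" as "service state could not be read", a service whose backing file is not a .sys or .exe (for example a .tmp) is listed for review, and any file under system32\drivers modified within a window before the log date is listed as recently changed. The sample lines are copied from the log in this post; the function names, the 7-day window and the reading of the markers are this example's own assumptions. Every hit is a lead rather than a verdict: an on-demand anti-rootkit scanner can legitimately load its driver from a .tmp file, and a fresh timestamp on atapi.sys could come from an update, which is why a hit like that is followed up with a kernel-level check such as the TDSSKiller run requested in the next reply.

```python
"""
Triage of the SERVICES / DRIVERS and Find3M sections of a DDS log (added
example; not part of the thread or of DDS).  Three analyst rules:

  1. the entry ends in "[?]" (read here as: DDS could not find the file the
     registry points to) or "[x]" (service state could not be read);
  2. the backing file is not a .sys or .exe, for instance a .tmp file;
  3. a file in the drivers directory was modified within a window before the
     log date.

Every hit is a lead to check, not a verdict.
"""
import re
from datetime import date, timedelta

# 'R1 name;display name;path [marker]' as printed by DDS.
SERVICE_RE = re.compile(r"^(?P<state>[RSU]\S*)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.*)$")
BRACKET_RE = re.compile(r"\[([^\]]*)\]\s*$")
# 'YYYY-MM-DD HH:MM:SS size attrs path' as printed in the Find3M section.
FIND3M_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) \d{2}:\d{2}:\d{2}\s+(?P<size>\d+)\s+(?P<attrs>\S+)\s+(?P<path>.+)$")
DRIVERS_DIR_RE = re.compile(r"^c:\\windows\\system32\\drivers\\", re.I)


def parse_service_line(line):
    """Split one service/driver line into state, name, resolved path and marker."""
    m = SERVICE_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest").strip()
    marker, path = "", rest
    bm = BRACKET_RE.search(rest)
    if bm:
        marker = bm.group(1).strip()
        path = rest[:bm.start()].strip()
    if "-->" in path:                      # "registry image path --> resolved path"
        path = path.split("-->")[-1].strip()
    return {"state": m.group("state"), "name": m.group("name").strip(),
            "path": path, "marker": marker}


def assess_service(svc):
    """Rules 1 and 2 for one parsed service entry."""
    findings = []
    if svc["marker"] == "?":
        findings.append("backing file not found on disk")
    elif svc["marker"] == "x":
        findings.append("service state could not be read")
    if svc["path"] and not svc["path"].lower().endswith((".sys", ".exe")):
        findings.append("loads from a non-standard file: " + svc["path"])
    return findings


def recently_modified_drivers(find3m_text, log_date, window_days=7):
    """Rule 3: files in the drivers directory with a Find3M timestamp inside the window."""
    hits = []
    for line in find3m_text.splitlines():
        m = FIND3M_RE.match(line.strip())
        if not m or not DRIVERS_DIR_RE.match(m.group("path")):
            continue
        mtime = date.fromisoformat(m.group("date"))
        if log_date - timedelta(days=window_days) <= mtime <= log_date:
            hits.append((m.group("path"), mtime.isoformat()))
    return hits


def triage(services_text, find3m_text, log_date):
    """Return ({service name: [findings]}, [(driver path, modified date)])."""
    flagged = {}
    for line in services_text.splitlines():
        svc = parse_service_line(line)
        if svc:
            findings = assess_service(svc)
            if findings:
                flagged[svc["name"]] = findings
    return flagged, recently_modified_drivers(find3m_text, log_date)


# Lines copied from the DDS log posted above (a subset of SERVICES / DRIVERS and
# the whole Find3M section).  The log itself was run on 2010-04-09.
SERVICES = r"""
R1 SAVOnAccessControl;SAVOnAccessControl;c:\windows\system32\drivers\savonaccesscontrol.sys [2010-4-9 110848]
R2 HPPECP00;hppecp00;c:\windows\system32\drivers\hppecp00.sys [2006-1-17 42048]
R2 SAVService;Sophos Anti-Virus;c:\program files\sophos\sophos anti-virus\SavService.exe [2010-4-9 98304]
R3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\68.tmp --> c:\windows\system32\68.tmp [?]
RUnknown SASKUTIL;SASKUTIL; [x]
S3 Ctxusbr;Citrix USB Redirection Driver;c:\windows\system32\drivers\ctxusbr.sys --> c:\windows\system32\drivers\ctxusbr.sys [?]
S3 vpnagent;Cisco AnyConnect VPN Agent;c:\program files\cisco\cisco anyconnect vpn client\vpnagent.exe [2009-6-17 434864]
UnknownUnknown SASDIFSV;SASDIFSV; [x]
"""
FIND3M = r"""
2010-04-09 17:38:15 96512 ------w- c:\windows\system32\drivers\atapi.sys
2010-02-25 06:24:37 916480 ------w- c:\windows\system32\wininet.dll
2008-05-10 14:45:28 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008051020080511\index.dat
"""
LOG_DATE = date(2010, 4, 9)

if __name__ == "__main__":
    flagged, recent = triage(SERVICES, FIND3M, LOG_DATE)
    for name, findings in flagged.items():
        print(f"{name}: {'; '.join(findings)}")
    for path, when in recent:
        print(f"recently modified driver: {path} ({when})")
```

Run as-is it lists MEMSWEEP2 (file not found, loads from a .tmp), SASKUTIL and SASDIFSV (state unreadable), Ctxusbr and the other "[?]" entries, and atapi.sys as modified on the log date; the Sophos and Cisco entries produce nothing. The atapi.sys line is the one that matters in hindsight, but on its own it only says "look here", which is the right level of confidence for a log parser.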

#2 JSntgRvr, Malware Response Team

Posted 10 April 2010 - 10:13 PM

Hi, mecl

Welcome.

Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.
  • Go to Start > Run (Or you can hold down your Windows key and press R) and copy and paste the following into the text field. (make sure you include the quote marks) Then press OK. (If Vista, click on the Vista Orb and copy and paste the following into the Search field. (make sure you include the quotation marks) Then press Ctrl+Shift+Enter.)


    "%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v

  • If it says "Hidden service detected" DO NOT type anything in. Just press Enter on your keyboard to not do anything to the file.
  • It may ask you to reboot the computer to complete the process. Allow it to do so.
  • When it is done, a log file should be created on your C: drive called "TDSSKiller.txt" please copy and paste the contents of that file here.

No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!


#3 mecl (Topic Starter)

Posted 11 April 2010 - 10:00 AM

Hello JSntgRvr,

Thanks for the quick response!

Below is the TDSSKiller txt content. By the way, not sure it matters, my Sophos Anti-virus protection is off at this time - let me know when I can/should turn it back on.

Thanks very much!

07:44:25:576 2856 TDSS rootkit removing tool 2.2.8.1 Mar 22 2010 10:43:04
07:44:25:576 2856 ================================================================================
07:44:25:576 2856 SystemInfo:

07:44:25:576 2856 OS Version: 5.1.2600 ServicePack: 3.0
07:44:25:576 2856 Product type: Workstation
07:44:25:576 2856 ComputerName: MLD600-XPP
07:44:25:576 2856 UserName: michael
07:44:25:576 2856 Windows directory: C:\WINDOWS
07:44:25:576 2856 Processor architecture: Intel x86
07:44:25:576 2856 Number of processors: 1
07:44:25:576 2856 Page size: 0x1000
07:44:25:576 2856 Boot type: Normal boot
07:44:25:576 2856 ================================================================================
07:44:25:997 2856 UnloadDriverW: NtUnloadDriver error 2
07:44:25:997 2856 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2
07:44:27:098 2856 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\system
07:44:27:098 2856 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
07:44:27:098 2856 wfopen_ex: Trying to KLMD file open
07:44:27:098 2856 wfopen_ex: File opened ok (Flags 2)
07:44:27:098 2856 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\software
07:44:27:098 2856 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
07:44:27:098 2856 wfopen_ex: Trying to KLMD file open
07:44:27:098 2856 wfopen_ex: File opened ok (Flags 2)
07:44:27:098 2856 Initialize success
07:44:27:098 2856
07:44:27:098 2856 Scanning Services ...
07:44:33:297 2856 Raw services enum returned 388 services
07:44:33:427 2856
07:44:33:427 2856 Scanning Kernel memory ...
07:44:33:427 2856 Devices to scan: 2
07:44:33:427 2856
07:44:33:427 2856 Driver Name: Disk
07:44:33:427 2856 IRP_MJ_CREATE : F763DBB0
07:44:33:427 2856 IRP_MJ_CREATE_NAMED_PIPE : 804FA88E
07:44:33:427 2856 IRP_MJ_CLOSE : F763DBB0
07:44:33:427 2856 IRP_MJ_READ : F7637D1F
07:44:33:427 2856 IRP_MJ_WRITE : F7637D1F
07:44:33:427 2856 IRP_MJ_QUERY_INFORMATION : 804FA88E
07:44:33:467 2856 IRP_MJ_SET_INFORMATION : 804FA88E
07:44:33:467 2856 IRP_MJ_QUERY_EA : 804FA88E
07:44:33:467 2856 IRP_MJ_SET_EA : 804FA88E
07:44:33:467 2856 IRP_MJ_FLUSH_BUFFERS : F76382E2
07:44:33:467 2856 IRP_MJ_QUERY_VOLUME_INFORMATION : 804FA88E
07:44:33:467 2856 IRP_MJ_SET_VOLUME_INFORMATION : 804FA88E
07:44:33:467 2856 IRP_MJ_DIRECTORY_CONTROL : 804FA88E
07:44:33:467 2856 IRP_MJ_FILE_SYSTEM_CONTROL : 804FA88E
07:44:33:467 2856 IRP_MJ_DEVICE_CONTROL : F76383BB
07:44:33:467 2856 IRP_MJ_INTERNAL_DEVICE_CONTROL : F763BF28
07:44:33:467 2856 IRP_MJ_SHUTDOWN : F76382E2
07:44:33:467 2856 IRP_MJ_LOCK_CONTROL : 804FA88E
07:44:33:467 2856 IRP_MJ_CLEANUP : 804FA88E
07:44:33:467 2856 IRP_MJ_CREATE_MAILSLOT : 804FA88E
07:44:33:467 2856 IRP_MJ_QUERY_SECURITY : 804FA88E
07:44:33:467 2856 IRP_MJ_SET_SECURITY : 804FA88E
07:44:33:467 2856 IRP_MJ_POWER : F7639C82
07:44:33:467 2856 IRP_MJ_SYSTEM_CONTROL : F763E99E
07:44:33:467 2856 IRP_MJ_DEVICE_CHANGE : 804FA88E
07:44:33:467 2856 IRP_MJ_QUERY_QUOTA : 804FA88E
07:44:33:467 2856 IRP_MJ_SET_QUOTA : 804FA88E
07:44:33:628 2856 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
07:44:33:628 2856
07:44:33:628 2856 Driver Name: atapi
07:44:33:628 2856 IRP_MJ_CREATE : 8A84BAC8
07:44:33:628 2856 IRP_MJ_CREATE_NAMED_PIPE : 8A84BAC8
07:44:33:628 2856 IRP_MJ_CLOSE : 8A84BAC8
07:44:33:628 2856 IRP_MJ_READ : 8A84BAC8
07:44:33:628 2856 IRP_MJ_WRITE : 8A84BAC8
07:44:33:628 2856 IRP_MJ_QUERY_INFORMATION : 8A84BAC8
07:44:33:628 2856 IRP_MJ_SET_INFORMATION : 8A84BAC8
07:44:33:628 2856 IRP_MJ_QUERY_EA : 8A84BAC8
07:44:33:628 2856 IRP_MJ_SET_EA : 8A84BAC8
07:44:33:628 2856 IRP_MJ_FLUSH_BUFFERS : 8A84BAC8
07:44:33:628 2856 IRP_MJ_QUERY_VOLUME_INFORMATION : 8A84BAC8
07:44:33:628 2856 IRP_MJ_SET_VOLUME_INFORMATION : 8A84BAC8
07:44:33:628 2856 IRP_MJ_DIRECTORY_CONTROL : 8A84BAC8
07:44:33:628 2856 IRP_MJ_FILE_SYSTEM_CONTROL : 8A84BAC8
07:44:33:628 2856 IRP_MJ_DEVICE_CONTROL : 8A84BAC8
07:44:33:628 2856 IRP_MJ_INTERNAL_DEVICE_CONTROL : 8A84BAC8
07:44:33:628 2856 IRP_MJ_SHUTDOWN : 8A84BAC8
07:44:33:628 2856 IRP_MJ_LOCK_CONTROL : 8A84BAC8
07:44:33:628 2856 IRP_MJ_CLEANUP : 8A84BAC8
07:44:33:628 2856 IRP_MJ_CREATE_MAILSLOT : 8A84BAC8
07:44:33:628 2856 IRP_MJ_QUERY_SECURITY : 8A84BAC8
07:44:33:628 2856 IRP_MJ_SET_SECURITY : 8A84BAC8
07:44:33:628 2856 IRP_MJ_POWER : 8A84BAC8
07:44:33:628 2856 IRP_MJ_SYSTEM_CONTROL : 8A84BAC8
07:44:33:628 2856 IRP_MJ_DEVICE_CHANGE : 8A84BAC8
07:44:33:628 2856 IRP_MJ_QUERY_QUOTA : 8A84BAC8
07:44:33:628 2856 IRP_MJ_SET_QUOTA : 8A84BAC8
07:44:33:628 2856 Driver "atapi" infected by TDSS rootkit!
07:44:33:708 2856 C:\WINDOWS\system32\drivers\atapi.sys - Verdict: 1
07:44:33:708 2856 File "C:\WINDOWS\system32\drivers\atapi.sys" infected by TDSS rootkit ... 07:44:33:708 2856 Processing driver file: C:\WINDOWS\system32\drivers\atapi.sys
07:44:33:708 2856 ProcessDirEnumEx: FindFirstFile(C:\WINDOWS\system32\DriverStore\FileRepository\*) error 3
07:44:36:532 2856 vfvi6
07:44:36:842 2856 !dsvbh1
07:45:01:638 2856 dsvbh2
07:45:01:648 2856 fdfb2
07:45:01:648 2856 Backup copy found, using it..
07:45:02:409 2856 will be cured on next reboot
07:45:02:409 2856 Reboot required for cure complete..
07:45:02:860 2856 Cure on reboot scheduled successfully
07:45:02:860 2856
07:45:02:860 2856 Completed
07:45:02:860 2856
07:45:02:860 2856 Results:
07:45:02:860 2856 Memory objects infected / cured / cured on reboot: 1 / 0 / 0
07:45:02:860 2856 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
07:45:02:860 2856 File objects infected / cured / cured on reboot: 1 / 0 / 1
07:45:02:860 2856
07:45:02:860 2856 fclose_ex: Trying to close file C:\WINDOWS\system32\config\system
07:45:02:860 2856 fclose_ex: Trying to close file C:\WINDOWS\system32\config\software
07:45:02:860 2856 UnloadDriverW: NtUnloadDriver error 1
07:45:02:860 2856 KLMD(ARK) unloaded successfully
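
What the kernel-memory section of the TDSSKiller log above is showing, as an added example that is not part of the thread and not part of Kaspersky's tool. Each kernel driver object carries a table of IRP_MJ_* dispatch entry points (the log prints 27 of them per driver). For Disk they resolve to a mix of handlers inside the driver's own image (the F763xxxx addresses) and one kernel address (804FA88E) shared by all the majors the driver does not implement, which is what a clean driver object looks like. For atapi every entry points to the same address, 8A84BAC8, which lies in neither of those bands: the whole table has been redirected to one routine that sits between the file system and the disk, which is consistent with Sophos, SUPERAntiSpyware and MBAM all finding nothing on disk, and with atapi.sys carrying a fresh timestamp in the DDS Find3M section of the first post. The script parses that log format and flags a driver when all of its entries collapse to one address or when a handler falls outside the address bands where XP x86 kernel and driver images are mapped. The bands, the function names and the trimmed log excerpt are this example's assumptions; on a live system you would take module ranges from the loaded-module list rather than hard-coding them, and a table whose entries all look plausible can still be inline-hooked, so the uniform-address check is a necessary but not sufficient test.

```python
"""
Reading the kernel-memory section of a TDSSKiller log (added example; not part
of the thread or of TDSSKiller).  For each scanned driver object the tool prints
the IRP_MJ_* dispatch entries.  A clean driver shows handlers inside its own
image plus one kernel stub for the majors it does not implement; a driver whose
entire table collapses to one address that lies in neither band has had its
dispatch table replaced.
"""
import re
from collections import Counter

# Address bands for XP x86 inferred from the addresses in the posted log.  These
# are this example's assumption; on a live system take the module ranges from
# the loaded-module list instead of hard-coding them.
NTOSKRNL_BAND = (0x80400000, 0x80700000)
DRIVER_IMAGE_BAND = (0xF7000000, 0xF8000000)

DRIVER_RE = re.compile(r"Driver Name:\s*(\S+)")
IRP_RE = re.compile(r"(IRP_MJ_[A-Z_]+)\s*:\s*([0-9A-Fa-f]{8})")


def parse_dispatch_tables(log_text):
    """Return {driver_name: {irp_major: handler_address}} from TDSSKiller log text."""
    tables, current = {}, None
    for line in log_text.splitlines():
        m = DRIVER_RE.search(line)
        if m:
            current = m.group(1)
            tables[current] = {}
            continue
        m = IRP_RE.search(line)
        if m and current is not None:
            tables[current][m.group(1)] = int(m.group(2), 16)
    return tables


def in_band(addr, *bands):
    """True if addr lies inside any of the given [lo, hi) ranges."""
    return any(lo <= addr < hi for lo, hi in bands)


def assess(table):
    """List the suspicious properties of one driver's dispatch table."""
    findings = []
    if not table:
        return ["no dispatch entries parsed"]
    addr, n = Counter(table.values()).most_common(1)[0]
    if n == len(table):
        findings.append(f"all {n} IRP_MJ entries point to 0x{addr:08X}")
    for a in sorted({a for a in table.values()
                     if not in_band(a, NTOSKRNL_BAND, DRIVER_IMAGE_BAND)}):
        findings.append(f"handler 0x{a:08X} is outside the kernel and driver image bands")
    return findings


def triage(log_text):
    """Map every driver in the log to its list of findings (empty means normal)."""
    return {name: assess(tbl) for name, tbl in parse_dispatch_tables(log_text).items()}


# Constructed excerpt of the log posted above: the full table is 27 rows per
# driver; seven representative rows are kept for each so the example stays short.
SAMPLE_LOG = """\
07:44:33:427 2856 Driver Name: Disk
07:44:33:427 2856 IRP_MJ_CREATE : F763DBB0
07:44:33:427 2856 IRP_MJ_CREATE_NAMED_PIPE : 804FA88E
07:44:33:427 2856 IRP_MJ_CLOSE : F763DBB0
07:44:33:427 2856 IRP_MJ_READ : F7637D1F
07:44:33:427 2856 IRP_MJ_WRITE : F7637D1F
07:44:33:467 2856 IRP_MJ_DEVICE_CONTROL : F76383BB
07:44:33:467 2856 IRP_MJ_POWER : F7639C82
07:44:33:628 2856 Driver Name: atapi
07:44:33:628 2856 IRP_MJ_CREATE : 8A84BAC8
07:44:33:628 2856 IRP_MJ_CREATE_NAMED_PIPE : 8A84BAC8
07:44:33:628 2856 IRP_MJ_CLOSE : 8A84BAC8
07:44:33:628 2856 IRP_MJ_READ : 8A84BAC8
07:44:33:628 2856 IRP_MJ_WRITE : 8A84BAC8
07:44:33:628 2856 IRP_MJ_DEVICE_CONTROL : 8A84BAC8
07:44:33:628 2856 IRP_MJ_POWER : 8A84BAC8
07:44:33:628 2856 Driver "atapi" infected by TDSS rootkit!
"""

if __name__ == "__main__":
    for name, findings in triage(SAMPLE_LOG).items():
        print(f"{name}: " + ("; ".join(findings) if findings else "dispatch table looks normal"))
```

Disk comes out clean and atapi gets two findings, which matches the tool's own verdict line. The "Backup copy found, using it.." line that follows in the log is the other half of the picture: because the table was hooked in memory rather than the file being removed, the cure is to restore a known-good atapi.sys at the next boot, before the hooked driver can load again.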


#4 JSntgRvr, Malware Response Team

Posted 11 April 2010 - 11:18 AM

Restart the computer if you haven't done so after the above fix.

Download TFC by OldTimer to your desktop
  • Please double-click TFC.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • It will close all programs when run, so make sure you have saved all your work before you begin.
  • Click the Start button to begin the process. Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two. Let it run uninterrupted to completion.
  • Once it's finished it should reboot your machine. If it does not, please manually reboot the machine yourself to ensure a complete clean.
------------------------------------------------------------------------

Please download Malwarebytes' Anti-Malware from Here.

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

------------------------------------------------------------

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  1. Please, never rename Combofix unless instructed.
  2. Close any open browsers.
  3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    -----------------------------------------------------------
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      -----------------------------------------------------------
    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    -----------------------------------------------------------
  4. Double click on combofix.exe & follow the prompts.
  5. Install the Recovery Console if prompted.
  6. When finished, it will produce a report for you.
  7. Please post the "C:\ComboFix.txt" .
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security.

Please do not install any new programs or update anything (always allow your antivirus/antispyware to update) unless told to do so while we are fixing your problem. If combofix alerts to a new version and offers to update, please let it. It is essential we always use the latest version.



#5 mecl (Topic Starter)

Posted 11 April 2010 - 12:59 PM

Hello JSntgRvr,

It took a little while as I wanted to follow your instructions properly. I think I did everything you asked right & in the right order.

Below are the mbam and combofix logs as requested in that order. What's next?

Thanks again!

Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Database version: 3978

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

2010-04-11 10:23:49 AM
mbam-log-2010-04-11 (10-23-49).txt

Scan type: Quick scan
Objects scanned: 111904
Time elapsed: 6 minute(s), 4 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

ComboFix 10-04-10.02 - michael 2010-04-11 10:31:36.3.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1531 [GMT -7:00]
Running from: c:\documents and settings\michael\Desktop\ComboFix.exe
AV: Sophos Anti-Virus *On-access scanning disabled* (Updated) {3F13C776-3CBE-4DE9-8BF6-09E5183CA2BD}
.

((((((((((((((((((((((((( Files Created from 2010-03-11 to 2010-04-11 )))))))))))))))))))))))))))))))
.

2010-04-11 17:16 . 2010-04-11 17:16 -------- d-----w- c:\documents and settings\michael\Application Data\Malwarebytes
2010-04-11 17:16 . 2010-03-30 07:46 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-11 17:16 . 2010-04-11 17:16 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-11 17:16 . 2010-03-30 07:45 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-10 02:24 . 2010-04-10 02:24 -------- d-----w- c:\documents and settings\michael\Local Settings\Application Data\Sophos
2010-04-10 02:15 . 2010-04-10 02:11 130104 ----a-w- c:\windows\system32\sdccoinstaller.dll
2010-04-10 02:14 . 2010-04-10 02:14 -------- d-----w- c:\program files\Common Files\Cisco Systems
2010-04-10 02:14 . 2010-04-10 02:14 -------- d-sh--w- c:\documents and settings\Default User\IETldCache
2010-04-10 02:14 . 2010-04-10 02:11 23552 ----a-w- c:\windows\system32\sophosboottasks.exe
2010-04-10 02:14 . 2010-04-10 02:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Sophos
2010-04-10 02:12 . 2010-04-10 02:12 14976 ----a-w- c:\windows\system32\drivers\SophosBootDriver.sys
2010-04-10 02:11 . 2010-04-10 02:11 38528 ----a-w- c:\windows\system32\drivers\savonaccessfilter.sys
2010-04-10 02:11 . 2010-04-10 02:11 110848 ----a-w- c:\windows\system32\drivers\savonaccesscontrol.sys
2010-04-10 02:10 . 2010-04-10 03:23 -------- d-----w- c:\program files\Sophos
2010-04-10 02:09 . 2010-04-10 02:09 -------- d-----w- c:\temp\Sophos
2010-04-09 15:24 . 2010-04-09 15:24 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-04-09 15:24 . 2010-04-10 01:12 -------- d-----w- c:\documents and settings\michael\Application Data\SUPERAntiSpyware.com
2010-04-09 04:49 . 2010-04-09 04:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-04-09 04:16 . 2010-04-09 04:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Corporation
2010-04-09 04:16 . 2010-04-09 04:16 -------- d-----w- c:\program files\Microsoft Windows Vista Upgrade Advisor
2010-04-09 02:25 . 2001-08-17 20:12 3968 -c--a-w- c:\windows\system32\dllcache\brfiltup.sys
2010-04-09 02:25 . 2001-08-17 20:12 12160 -c--a-w- c:\windows\system32\dllcache\brfiltlo.sys
2010-04-09 02:25 . 2001-08-18 05:36 12800 -c--a-w- c:\windows\system32\dllcache\brevif.dll
2010-04-09 02:25 . 2001-08-17 20:12 2944 -c--a-w- c:\windows\system32\dllcache\brfilt.sys
2010-04-09 02:25 . 2001-08-18 05:36 9728 -c--a-w- c:\windows\system32\dllcache\brcoinst.dll
2010-04-09 02:25 . 2001-08-18 05:36 19456 -c--a-w- c:\windows\system32\dllcache\brbidiif.dll
2010-04-09 02:25 . 2001-08-18 05:36 102400 -c--a-w- c:\windows\system32\dllcache\binlsvc.dll
2010-04-09 02:23 . 2001-08-17 21:07 101888 -c--a-w- c:\windows\system32\dllcache\adpu160m.sys
2010-04-09 01:57 . 2010-04-09 01:57 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-04-08 22:21 . 2010-04-08 22:23 -------- dc-h--w- c:\windows\ie8
2010-04-08 20:14 . 2010-04-08 20:14 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-04-08 20:09 . 2010-04-08 20:09 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2010-04-05 17:03 . 2010-04-05 17:03 -------- d-----w- c:\windows\Performance
2010-04-05 17:03 . 2010-04-05 17:03 -------- d-----w- c:\documents and settings\michael\Local Settings\Application Data\Microsoft Corporation
2010-04-03 07:05 . 2010-04-03 07:06 -------- d-----w- c:\temp\ProcessExplorer
2010-04-03 06:43 . 2010-04-03 06:43 -------- d-----w- c:\documents and settings\michael\Local Settings\Application Data\Temp
2010-03-27 12:56 . 2010-03-27 12:57 -------- d-----w- c:\documents and settings\michael\Application Data\Apple Computer
2010-03-27 12:54 . 2010-03-27 12:55 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2010-03-27 12:51 . 2010-04-09 19:33 -------- d-----w- c:\program files\Common Files\Apple

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-11 14:46 . 2001-08-23 12:00 96512 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-04-09 19:56 . 2007-04-06 14:13 -------- d-----w- c:\program files\DivX
2010-04-09 15:08 . 2006-01-31 22:58 -------- d-----w- c:\program files\Common Files\Java
2010-04-09 01:57 . 2010-04-09 01:57 503808 ----a-w- c:\documents and settings\michael\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-6dd033c6-n\msvcp71.dll
2010-04-09 01:57 . 2010-04-09 01:57 499712 ----a-w- c:\documents and settings\michael\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-6dd033c6-n\jmc.dll
2010-04-09 01:57 . 2010-04-09 01:57 348160 ----a-w- c:\documents and settings\michael\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-6dd033c6-n\msvcr71.dll
2010-04-09 01:57 . 2010-04-09 01:57 61440 ----a-w- c:\documents and settings\michael\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-3ff33051-n\decora-sse.dll
2010-04-09 01:57 . 2010-04-09 01:57 12800 ----a-w- c:\documents and settings\michael\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-3ff33051-n\decora-d3d.dll
2010-04-09 01:56 . 2006-01-31 22:59 -------- d-----w- c:\program files\Java
2010-04-09 01:07 . 2006-01-18 21:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-04-08 16:21 . 2009-12-24 16:32 -------- d-----w- c:\documents and settings\michael\Application Data\Skype
2010-04-08 15:24 . 2009-12-24 16:36 -------- d-----w- c:\documents and settings\michael\Application Data\skypePM
2010-04-04 17:08 . 2007-04-21 03:07 -------- d-----w- c:\program files\IrfanView
2010-04-03 06:57 . 2008-03-01 13:24 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-03-10 16:43 . 2009-04-03 11:44 -------- d-----w- c:\documents and settings\All Users\Application Data\VMware
2010-03-10 15:17 . 2006-01-31 20:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-03-02 15:38 . 2010-03-02 15:38 -------- d-----w- c:\program files\Windows Live
2010-03-02 15:38 . 2010-03-02 15:38 -------- d-----w- c:\program files\Windows Live SkyDrive
2010-03-02 15:35 . 2010-03-02 15:35 -------- d-----w- c:\program files\Common Files\Windows Live
2010-02-25 06:24 . 2001-08-23 12:00 916480 ------w- c:\windows\system32\wininet.dll
2010-01-17 15:53 . 2006-01-12 21:52 86327 ----a-w- c:\windows\PCHEALTH\HELPCTR\OfflineCache\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2008-04-14 53760]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
AutoUpdate Monitor.lnk - c:\program files\Sophos\AutoUpdate\ALMon.exe [2009-9-11 245760]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SAVService]
@="service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2009-12-11 23:57 948672 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-12-18 16:58 40368 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Apoint]
2004-09-13 19:33 155648 ----a-w- c:\program files\Apoint\Apoint.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelliPoint]
2004-06-03 09:50 204800 ----a-w- c:\program files\Microsoft IntelliPoint\point32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]
2000-01-14 18:39 34304 ----a-w- c:\windows\system32\dtmonx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-02-18 18:43 248040 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\WCESCOMM.EXE"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SophosAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\NetMeeting\\conf.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\fxsclnt.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\SmartFTP Client 2.0\\SmartFTP.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\WINDOWS\\system32\\spoolsv.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"1723:TCP"= 1723:TCP:@xpsp2res.dll,-22015
"1701:UDP"= 1701:UDP:@xpsp2res.dll,-22016
"500:UDP"= 500:UDP:@xpsp2res.dll,-22017

R1 SAVOnAccessControl;SAVOnAccessControl;c:\windows\system32\drivers\savonaccesscontrol.sys [2010-04-09 7:11 PM 110848]
R1 SAVOnAccessFilter;SAVOnAccessFilter;c:\windows\system32\drivers\savonaccessfilter.sys [2010-04-09 7:11 PM 38528]
R2 HPPECP00;hppecp00;c:\windows\system32\drivers\hppecp00.sys [2006-01-17 9:34 AM 42048]
R2 SAVAdminService;Sophos Anti-Virus status reporter;c:\program files\Sophos\Sophos Anti-Virus\SAVAdminService.exe [2010-04-09 7:10 PM 80936]
R2 SAVService;Sophos Anti-Virus;c:\program files\Sophos\Sophos Anti-Virus\SavService.exe [2010-04-09 7:10 PM 98304]
R3 OZSCR;O2Micro SmartCardBus Smartcard Reader;c:\windows\system32\drivers\ozscr.sys [2006-01-12 4:04 PM 92550]
S3 Ctxusbr;Citrix USB Redirection Driver;c:\windows\system32\DRIVERS\ctxusbr.sys --> c:\windows\system32\DRIVERS\ctxusbr.sys [?]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\68.tmp --> c:\windows\system32\68.tmp [?]
S3 NetDirect;TAP-Win32 NetDirect Adapter;c:\windows\system32\drivers\NetDirect.sys [2006-10-30 1:25 PM 24576]
S3 vpnagent;Cisco AnyConnect VPN Agent;c:\program files\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe [2009-06-17 1:17 PM 434864]
S3 WSUSBDMAN;VMware VDM Virtual Client USB Manager;c:\windows\system32\DRIVERS\WSUSBDMAN.sys --> c:\windows\system32\DRIVERS\WSUSBDMAN.sys [?]
S4 SophosBootDriver;SophosBootDriver;c:\windows\system32\drivers\SophosBootDriver.sys [2010-04-09 7:12 PM 14976]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2007-08-24 00:34 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}&ie={inputEncoding}&oe={outputEncoding}&startIndex={startIndex?}&startPage={startPage}
uStart Page = hxxp://en.canoe.ca/home.html
uInternet Settings,ProxyOverride = *.local
Trusted Zone: ubc.ca\walnut.vdesk.ad
DPF: {55963676-2F5E-4BAF-AC28-CF26AA587566} - hxxps://myvpn.ubc.ca/CACHE/stc/1/binaries/vpnweb.cab
DPF: {7FA319FB-FFB9-4089-87EB-63179244E6E6} - hxxps://rsvpn.ubc.ca/nortel_cacheable/NetDirect.cab
FF - ProfilePath - c:\documents and settings\michael\Application Data\Mozilla\Firefox\Profiles\idc08d7u.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.weatheroffice.gc.ca/city/pages/bc-74_metric_e.html#detailsf
FF - plugin: c:\documents and settings\michael\Local Settings\Application Data\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
- - - - ORPHANS REMOVED - - - -

SafeBoot-klmdb.sys
MSConfigStartUp-BitTorrent DNA - c:\program files\DNA\btdna.exe
MSConfigStartUp-iTunesHelper - c:\program files\iTunes\iTunesHelper.exe
MSConfigStartUp-QuickTime Task - c:\program files\QuickTime\QTTask.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-11 10:45
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8A82CAC8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf763bf28
\Driver\ACPI -> ACPI.sys @ 0xf75aecb8
\Driver\atapi -> atapi.sys @ 0xf74a8852
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0598
ParseProcedure -> ntoskrnl.exe @ 0x8056ea15
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0598
ParseProcedure -> ntoskrnl.exe @ 0x8056ea15
NDIS: Dell TrueMobile 1300 WLAN Mini-PCI Card -> SendCompleteHandler -> NDIS.sys @ 0xf7441bb0
PacketIndicateHandler -> NDIS.sys @ 0xf7430a0d
SendHandler -> NDIS.sys @ 0xf7444b40
user & kernel MBR OK

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\68.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2025429265-746137067-839522115-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(916)
c:\windows\system32\WININET.dll

- - - - - - - > 'lsass.exe'(976)
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(2580)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\SmartFTP Client 2.0\smarthook.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Sophos\AutoUpdate\ALsvc.exe
.
**************************************************************************
.
Completion time: 2010-04-11 10:51:54 - machine was rebooted
ComboFix-quarantined-files.txt 2010-04-11 17:51

Pre-Run: 20,204,204,032 bytes free
Post-Run: 20,084,736,000 bytes free

- - End Of File - - 78AA25D50CDFA74170458E91BB53EA49


#6 JSntgRvr
Master Surgeon General, Malware Response Team, 11,925 posts, Location: Puerto Rico

Posted 11 April 2010 - 03:22 PM

Go to Start -> Run, type CMD and click OK. At the prompt, copy and paste the following commands and press Enter:

SC Delete MEMSWEEP2
SC Delete Ctxusbr
SC Delete WSUSBDMAN
Exit


Please run the F-Secure Online Scanner
  • For information click Here.
  • Allow the installation of the Add-ons and Accept the License Agreement.
  • Click Full System Scan
  • Once the download completes, the scan will begin automatically.
  • The scan will take some time to finish, so please be patient.
  • When the scan completes, click the Automatic cleaning (recommended) button.
  • Click the Show Report button and copy and paste the entire report in your next reply.

No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!
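The three `SC Delete` commands above come straight from the driver/service block of the ComboFix log, where ComboFix prints `--> <path> [?]` for a registry entry whose file no longer exists. The following added example (not ComboFix's or the helper's own code) parses those `R*`/`S*` lines, flags the orphaned entries and derives the same cleanup commands; the line format is inferred from the log posted above, and the sample input is copied from it.

```python
"""Triage the driver/service block of a ComboFix log.

Added example for this thread, not ComboFix's own code. The line format is
inferred from the log pasted above:
  <R|S><start> <name>;<display name>;<image path> [<date> <time> <size>]
  <R|S><start> <name>;<display name>;<image path> --> <image path> [?]
A trailing "[?]" means ComboFix found the registry entry but not the file it
points to. Such orphaned entries are what the helper removes with "sc delete".
"""
import ntpath
import re
from dataclasses import dataclass
from typing import List

# Lines copied from the ComboFix log in this thread (constructed sample input).
SAMPLE_LOG = r"""
R1 SAVOnAccessControl;SAVOnAccessControl;c:\windows\system32\drivers\savonaccesscontrol.sys [2010-04-09 7:11 PM 110848]
R2 SAVService;Sophos Anti-Virus;c:\program files\Sophos\Sophos Anti-Virus\SavService.exe [2010-04-09 7:10 PM 98304]
S3 Ctxusbr;Citrix USB Redirection Driver;c:\windows\system32\DRIVERS\ctxusbr.sys --> c:\windows\system32\DRIVERS\ctxusbr.sys [?]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\68.tmp --> c:\windows\system32\68.tmp [?]
S3 NetDirect;TAP-Win32 NetDirect Adapter;c:\windows\system32\drivers\NetDirect.sys [2006-10-30 1:25 PM 24576]
S3 WSUSBDMAN;VMware VDM Virtual Client USB Manager;c:\windows\system32\DRIVERS\WSUSBDMAN.sys --> c:\windows\system32\DRIVERS\WSUSBDMAN.sys [?]
S4 SophosBootDriver;SophosBootDriver;c:\windows\system32\drivers\SophosBootDriver.sys [2010-04-09 7:12 PM 14976]
"""

LINE_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>\d)\s+"      # R = running, S = stopped; digit = start type
    r"(?P<name>[^;]+);(?P<display>[^;]*);"   # service key name; display name
    r"(?P<path>.+?)"                         # image path as stored in the registry
    r"(?:\s+-->\s+(?P<resolved>.+?))?"       # ComboFix's resolved path, if it printed one
    r"\s+\[(?P<meta>[^\]]*)\]$"              # "[date time size]" or "[?]"
)
NT_PREFIX = "\\??\\"  # Win32 namespace prefix some drivers use in ImagePath


@dataclass
class ServiceEntry:
    state: str          # "R" running or "S" stopped
    start: int          # 0 boot, 1 system, 2 auto, 3 demand, 4 disabled
    name: str
    display: str
    image_path: str     # normalised path, NT prefix removed
    file_missing: bool  # True when ComboFix printed "[?]"


def normalise_path(path: str) -> str:
    """Strip the \\??\\ prefix so registry and on-disk paths compare equal."""
    return path[len(NT_PREFIX):] if path.startswith(NT_PREFIX) else path


def parse_service_lines(text: str) -> List[ServiceEntry]:
    """Parse every R*/S* line; lines that do not match the format are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        path = normalise_path(m.group("resolved") or m.group("path"))
        entries.append(ServiceEntry(
            state=m.group("state"), start=int(m.group("start")),
            name=m.group("name"), display=m.group("display"),
            image_path=path, file_missing=(m.group("meta").strip() == "?"),
        ))
    return entries


def orphaned_services(entries: List[ServiceEntry]) -> List[ServiceEntry]:
    """Registry entries whose binary is gone: leftovers that should be removed."""
    return [e for e in entries if e.file_missing]


def temp_file_drivers(entries: List[ServiceEntry]) -> List[ServiceEntry]:
    """Drivers loaded from a .tmp file deserve a second look. Caveat: MEMSWEEP2 is
    the name under which the Sophos Anti-Rootkit scanner (which the poster ran)
    registers its temporary driver, so this alone is not evidence of malware."""
    return [e for e in entries if ntpath.splitext(e.image_path)[1].lower() == ".tmp"]


def cleanup_commands(entries: List[ServiceEntry]) -> List[str]:
    """The sc.exe commands the helper typed, derived from the orphaned entries."""
    return [f"sc delete {e.name}" for e in orphaned_services(entries)]


if __name__ == "__main__":
    parsed = parse_service_lines(SAMPLE_LOG)
    for e in parsed:
        flag = "MISSING" if e.file_missing else "ok"
        print(f"{e.state}{e.start} {e.name:<18} {flag:<8} {e.image_path}")
    print("\n".join(cleanup_commands(parsed)))
```

Run against the full log, the script lists every orphaned entry; an entry with a missing file is a dangling registry record rather than a live threat, which is why removing it is safe cleanup rather than disinfection.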


#7 mecl (Topic Starter)
Members, 26 posts

Posted 12 April 2010 - 12:08 AM

Hello again,

Ran F-Secure. It says it found 3 problems but only 1.

Thanks for the help!

Here's the copy/paste of the report:

Scanning Report
Sunday, April 11, 2010 21:13:42 - 22:03:24
Computer name: MLD600-XPP
Scanning type: Scan system for malware, spyware and rootkits
Target: C:\


--------------------------------------------------------------------------------

3 malware found
TrackingCookie.Webtrends (spyware)
System (Disinfected)
Suspicious:W32/Malware!Gemini (virus)
C:\SOFTWARE\PAZERA_FREE_MP4_TO_AVI_CONVERTER\MP4TOAVI.EXE (Not cleaned & Submitted)
Suspicious:W32/Malware!Gemini (virus)
C:\SOFTWARE\PAZERA_FREE_FLV_TO_AVI_CONVERTER\FLVTOAVI.EXE (Not cleaned & Submitted)

--------------------------------------------------------------------------------

Statistics
Scanned:
Files: 36689
System: 3710
Not scanned: 7
Actions:
Disinfected: 1
Renamed: 0
Deleted: 0
Not cleaned: 2
Submitted: 2
Files not scanned:
C:\PAGEFILE.SYS
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
C:\WINDOWS\SYSTEM32\CONFIG\SAM
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM
C:\DOCUMENTS AND SETTINGS\MICHAEL\LOCAL SETTINGS\TEMP\HSPERFDATA_MICHAEL\3656

--------------------------------------------------------------------------------

Options
Scanning engines:
Scanning options:
Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML XXX ANI AVB BAT CMD JOB LSP MAP MHT MIF PHP POT SWF WMF NWS TAR
Use advanced heuristics

--------------------------------------------------------------------------------


#8 JSntgRvr
Master Surgeon General, Malware Response Team, 11,925 posts, Location: Puerto Rico

Posted 12 April 2010 - 12:46 AM

  • Copy the entire contents of the Quote Box below to Notepad.
  • Name the file CFScript.txt
  • Change the Save as Type to All Files
  • and Save it on the desktop
QUOTE
File::
C:\SOFTWARE\PAZERA_FREE_MP4_TO_AVI_CONVERTER\MP4TOAVI.EXE
C:\SOFTWARE\PAZERA_FREE_FLV_TO_AVI_CONVERTER\FLVTOAVI.EXE

Once saved, referring to the picture above, drag CFScript.txt into ComboFix.exe, and post back the resulting report.



#9 mecl (Topic Starter)
Members, 26 posts

Posted 12 April 2010 - 09:32 AM

Hello JSntgRvr,

Below is the latest ComboFix report. Just a note in case it matters: after I dragged the file into ComboFix, ComboFix updated its version and then relaunched itself.

Appreciate your time & help!

ComboFix 10-04-11.06 - michael 2010-04-12 6:16.4.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1538 [GMT -7:00]
Running from: c:\documents and settings\michael\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\michael\Desktop\CFScript.txt
AV: Sophos Anti-Virus *On-access scanning disabled* (Updated) {3F13C776-3CBE-4DE9-8BF6-09E5183CA2BD}

FILE ::
"c:\software\PAZERA_FREE_FLV_TO_AVI_CONVERTER\FLVTOAVI.EXE"
"c:\software\PAZERA_FREE_MP4_TO_AVI_CONVERTER\MP4TOAVI.EXE"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\software\PAZERA_FREE_FLV_TO_AVI_CONVERTER\FLVTOAVI.EXE
c:\software\PAZERA_FREE_MP4_TO_AVI_CONVERTER\MP4TOAVI.EXE

.
((((((((((((((((((((((((( Files Created from 2010-03-12 to 2010-04-12 )))))))))))))))))))))))))))))))
.

2010-04-12 04:13 . 2010-04-12 04:13 -------- d-----w- c:\documents and settings\All Users\Application Data\F-Secure
2010-04-11 17:16 . 2010-04-11 17:16 -------- d-----w- c:\documents and settings\michael\Application Data\Malwarebytes
2010-04-11 17:16 . 2010-03-30 07:46 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-11 17:16 . 2010-04-11 17:16 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-11 17:16 . 2010-03-30 07:45 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-10 02:24 . 2010-04-10 02:24 -------- d-----w- c:\documents and settings\michael\Local Settings\Application Data\Sophos
2010-04-10 02:15 . 2010-04-10 02:11 130104 ----a-w- c:\windows\system32\sdccoinstaller.dll
2010-04-10 02:14 . 2010-04-10 02:14 -------- d-----w- c:\program files\Common Files\Cisco Systems
2010-04-10 02:14 . 2010-04-10 02:14 -------- d-sh--w- c:\documents and settings\Default User\IETldCache
2010-04-10 02:14 . 2010-04-10 02:11 23552 ----a-w- c:\windows\system32\sophosboottasks.exe
2010-04-10 02:14 . 2010-04-10 02:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Sophos
2010-04-10 02:12 . 2010-04-10 02:12 14976 ----a-w- c:\windows\system32\drivers\SophosBootDriver.sys
2010-04-10 02:11 . 2010-04-10 02:11 38528 ----a-w- c:\windows\system32\drivers\savonaccessfilter.sys
2010-04-10 02:11 . 2010-04-10 02:11 110848 ----a-w- c:\windows\system32\drivers\savonaccesscontrol.sys
2010-04-10 02:10 . 2010-04-10 03:23 -------- d-----w- c:\program files\Sophos
2010-04-10 02:09 . 2010-04-10 02:09 -------- d-----w- c:\temp\Sophos
2010-04-09 15:24 . 2010-04-09 15:24 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-04-09 15:24 . 2010-04-10 01:12 -------- d-----w- c:\documents and settings\michael\Application Data\SUPERAntiSpyware.com
2010-04-09 04:49 . 2010-04-09 04:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-04-09 04:16 . 2010-04-09 04:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Corporation
2010-04-09 04:16 . 2010-04-09 04:16 -------- d-----w- c:\program files\Microsoft Windows Vista Upgrade Advisor
2010-04-09 02:25 . 2001-08-17 20:12 3968 -c--a-w- c:\windows\system32\dllcache\brfiltup.sys
2010-04-09 02:25 . 2001-08-17 20:12 12160 -c--a-w- c:\windows\system32\dllcache\brfiltlo.sys
2010-04-09 02:25 . 2001-08-18 05:36 12800 -c--a-w- c:\windows\system32\dllcache\brevif.dll
2010-04-09 02:25 . 2001-08-17 20:12 2944 -c--a-w- c:\windows\system32\dllcache\brfilt.sys
2010-04-09 02:25 . 2001-08-18 05:36 9728 -c--a-w- c:\windows\system32\dllcache\brcoinst.dll
2010-04-09 02:25 . 2001-08-18 05:36 19456 -c--a-w- c:\windows\system32\dllcache\brbidiif.dll
2010-04-09 02:25 . 2001-08-18 05:36 102400 -c--a-w- c:\windows\system32\dllcache\binlsvc.dll
2010-04-09 02:23 . 2001-08-17 21:07 101888 -c--a-w- c:\windows\system32\dllcache\adpu160m.sys
2010-04-09 01:57 . 2010-04-09 01:57 503808 ----a-w- c:\documents and settings\michael\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-6dd033c6-n\msvcp71.dll
2010-04-09 01:57 . 2010-04-09 01:57 499712 ----a-w- c:\documents and settings\michael\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-6dd033c6-n\jmc.dll
2010-04-09 01:57 . 2010-04-09 01:57 348160 ----a-w- c:\documents and settings\michael\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-6dd033c6-n\msvcr71.dll
2010-04-09 01:57 . 2010-04-09 01:57 61440 ----a-w- c:\documents and settings\michael\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-3ff33051-n\decora-sse.dll
2010-04-09 01:57 . 2010-04-09 01:57 12800 ----a-w- c:\documents and settings\michael\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-3ff33051-n\decora-d3d.dll
2010-04-09 01:57 . 2010-04-09 01:57 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-04-08 22:21 . 2010-04-08 22:23 -------- dc-h--w- c:\windows\ie8
2010-04-08 20:14 . 2010-04-08 20:14 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-04-08 20:09 . 2010-04-08 20:09 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2010-04-05 17:03 . 2010-04-05 17:03 -------- d-----w- c:\windows\Performance
2010-04-05 17:03 . 2010-04-05 17:03 -------- d-----w- c:\documents and settings\michael\Local Settings\Application Data\Microsoft Corporation
2010-04-03 07:05 . 2010-04-03 07:06 -------- d-----w- c:\temp\ProcessExplorer
2010-04-03 06:43 . 2010-04-03 06:43 -------- d-----w- c:\documents and settings\michael\Local Settings\Application Data\Temp
2010-03-27 12:56 . 2010-03-27 12:57 -------- d-----w- c:\documents and settings\michael\Application Data\Apple Computer
2010-03-27 12:54 . 2010-03-27 12:55 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2010-03-27 12:51 . 2010-04-09 19:33 -------- d-----w- c:\program files\Common Files\Apple

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-11 19:24 . 2006-01-12 16:25 10240 ----a-w- c:\windows\system32\drivers\compbatt.sys
2010-04-11 14:46 . 2001-08-23 12:00 96512 ------w- c:\windows\system32\drivers\atapi.sys
2010-04-09 19:56 . 2007-04-06 14:13 -------- d-----w- c:\program files\DivX
2010-04-09 15:08 . 2006-01-31 22:58 -------- d-----w- c:\program files\Common Files\Java
2010-04-09 01:56 . 2006-01-31 22:59 -------- d-----w- c:\program files\Java
2010-04-09 01:07 . 2006-01-18 21:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-04-08 16:21 . 2009-12-24 16:32 -------- d-----w- c:\documents and settings\michael\Application Data\Skype
2010-04-08 15:24 . 2009-12-24 16:36 -------- d-----w- c:\documents and settings\michael\Application Data\skypePM
2010-04-04 17:08 . 2007-04-21 03:07 -------- d-----w- c:\program files\IrfanView
2010-04-03 06:57 . 2008-03-01 13:24 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-03-10 16:43 . 2009-04-03 11:44 -------- d-----w- c:\documents and settings\All Users\Application Data\VMware
2010-03-10 15:17 . 2006-01-31 20:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-03-02 15:38 . 2010-03-02 15:38 -------- d-----w- c:\program files\Windows Live
2010-03-02 15:38 . 2010-03-02 15:38 -------- d-----w- c:\program files\Windows Live SkyDrive
2010-03-02 15:35 . 2010-03-02 15:35 -------- d-----w- c:\program files\Common Files\Windows Live
2010-02-25 06:24 . 2001-08-23 12:00 916480 ------w- c:\windows\system32\wininet.dll
2010-01-17 15:53 . 2006-01-12 21:52 86327 ----a-w- c:\windows\PCHEALTH\HELPCTR\OfflineCache\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2008-04-14 53760]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
AutoUpdate Monitor.lnk - c:\program files\Sophos\AutoUpdate\ALMon.exe [2009-9-11 245760]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SAVService]
@="service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2009-12-11 23:57 948672 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-12-18 16:58 40368 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Apoint]
2004-09-13 19:33 155648 ----a-w- c:\program files\Apoint\Apoint.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelliPoint]
2004-06-03 09:50 204800 ----a-w- c:\program files\Microsoft IntelliPoint\point32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]
2000-01-14 18:39 34304 ----a-w- c:\windows\system32\dtmonx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-02-18 18:43 248040 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\WCESCOMM.EXE"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SophosAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\NetMeeting\\conf.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\fxsclnt.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\SmartFTP Client 2.0\\SmartFTP.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\WINDOWS\\system32\\spoolsv.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"1723:TCP"= 1723:TCP:@xpsp2res.dll,-22015
"1701:UDP"= 1701:UDP:@xpsp2res.dll,-22016
"500:UDP"= 500:UDP:@xpsp2res.dll,-22017

R1 SAVOnAccessControl;SAVOnAccessControl;c:\windows\system32\drivers\savonaccesscontrol.sys [2010-04-09 7:11 PM 110848]
R1 SAVOnAccessFilter;SAVOnAccessFilter;c:\windows\system32\drivers\savonaccessfilter.sys [2010-04-09 7:11 PM 38528]
R2 HPPECP00;hppecp00;c:\windows\system32\drivers\hppecp00.sys [2006-01-17 9:34 AM 42048]
R2 SAVAdminService;Sophos Anti-Virus status reporter;c:\program files\Sophos\Sophos Anti-Virus\SAVAdminService.exe [2010-04-09 7:10 PM 80936]
R2 SAVService;Sophos Anti-Virus;c:\program files\Sophos\Sophos Anti-Virus\SavService.exe [2010-04-09 7:10 PM 98304]
R3 OZSCR;O2Micro SmartCardBus Smartcard Reader;c:\windows\system32\drivers\ozscr.sys [2006-01-12 4:04 PM 92550]
S3 Ctxusbr;Citrix USB Redirection Driver;c:\windows\system32\DRIVERS\ctxusbr.sys --> c:\windows\system32\DRIVERS\ctxusbr.sys [?]
S3 NetDirect;TAP-Win32 NetDirect Adapter;c:\windows\system32\drivers\NetDirect.sys [2006-10-30 1:25 PM 24576]
S3 vpnagent;Cisco AnyConnect VPN Agent;c:\program files\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe [2009-06-17 1:17 PM 434864]
S4 SophosBootDriver;SophosBootDriver;c:\windows\system32\drivers\SophosBootDriver.sys [2010-04-09 7:12 PM 14976]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2007-08-24 00:34 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}&ie={inputEncoding}&oe={outputEncoding}&startIndex={startIndex?}&startPage={startPage}
uStart Page = hxxp://en.canoe.ca/home.html
uInternet Settings,ProxyOverride = *.local
Trusted Zone: ubc.ca\walnut.vdesk.ad
DPF: {55963676-2F5E-4BAF-AC28-CF26AA587566} - hxxps://myvpn.ubc.ca/CACHE/stc/1/binaries/vpnweb.cab
DPF: {7FA319FB-FFB9-4089-87EB-63179244E6E6} - hxxps://rsvpn.ubc.ca/nortel_cacheable/NetDirect.cab
FF - ProfilePath - c:\documents and settings\michael\Application Data\Mozilla\Firefox\Profiles\idc08d7u.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.weatheroffice.gc.ca/city/pages/bc-74_metric_e.html#detailsf
FF - plugin: c:\documents and settings\michael\Local Settings\Application Data\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-12 06:26
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe catchme.sys CLASSPNP.SYS disk.sys >>UNKNOWN [0x8A83FAC8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf763bf28
\Driver\ACPI -> ACPI.sys @ 0xf75aecb8
\Driver\atapi -> atapi.sys @ 0xf74a8852
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0598
ParseProcedure -> ntoskrnl.exe @ 0x8056ea15
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805a0598
ParseProcedure -> ntoskrnl.exe @ 0x8056ea15
NDIS: Dell TrueMobile 1300 WLAN Mini-PCI Card -> SendCompleteHandler -> NDIS.sys @ 0xf7441bb0
PacketIndicateHandler -> NDIS.sys @ 0xf7430a0d
SendHandler -> NDIS.sys @ 0xf7444b40
user & kernel MBR OK

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2025429265-746137067-839522115-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(916)
c:\windows\system32\WININET.dll

- - - - - - - > 'lsass.exe'(976)
c:\windows\system32\WININET.dll
.
Completion time: 2010-04-12 06:31:19
ComboFix-quarantined-files.txt 2010-04-12 13:31
ComboFix2.txt 2010-04-11 17:51

Pre-Run: 19,726,028,800 bytes free
Post-Run: 19,876,032,512 bytes free

- - End Of File - - A44E973AF161DB1318F9A09ED6579C01


#10 JSntgRvr

    Master Surgeon General

  • Malware Response Team
  • 11,925 posts
  • Gender:Male
  • Location:Puerto Rico
  • Local time:06:56 AM

Posted 12 April 2010 - 11:19 AM

How is the computer doing?

No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!


#11 mecl (Topic Starter)

Posted 12 April 2010 - 11:52 AM

Hello JSntgRvr,

Well all was looking good for a while in Firefox, but then up came another tab for a website I did not ask for - http://a67990067.cn/nVj0tgeP673qkZo870b135...bbb0cf1a387235A

Tried IE8 a little bit too but nothing popped up there. Shall I keep trying with IE8?

Thanks again..



#12 mecl (Topic Starter)

Posted 12 April 2010 - 01:52 PM

Just a quick update - yup redirect problem also still exists with IE8 - bad site popped up in new window while testing IE browser. Darn it!

#13 JSntgRvr

Posted 12 April 2010 - 02:54 PM

Please run GMER once again and post its report.



#14 mecl (Topic Starter)

Posted 12 April 2010 - 04:25 PM

Hello JSntgRvr,

Here's the latest gmer log.

Thanks much...

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-04-12 14:24:00
Windows 5.1.2600 Service Pack 3
Running: 421xo1sj.exe; Driver: C:\DOCUME~1\michael\LOCALS~1\Temp\fxlyikow.sys


---- System - GMER 1.0.15 ----

Code \??\C:\DOCUME~1\michael\LOCALS~1\Temp\catchme.sys pIofCallDriver

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs savonaccessfilter.sys (SAV On-access and HIPS for Windows XP (x86)/Sophos Plc)
AttachedDevice \FileSystem\Ntfs \Ntfs InCDrec.SYS (InCD File System Recognizer/Nero AG)

Device -> \Driver\atapi \Device\Harddisk0\DR0 8A83FAC8

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----

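Added example, not code from the thread and not from ComboFix or GMER: a small Python triage script over the lines those two tools printed above. The MBR detector section of the ComboFix log lists a module at 0x8A83FAC8 in the disk call chain that it could not attribute to any loaded image, and GMER's log reports the same value as the address of \Device\Harddisk0\DR0 under \Driver\atapi, right next to a "suspicious modification" verdict on atapi.sys. The script parses both output formats, joins them on the address, and prints one finding that ties the unattributed code, the hooked disk device object and the modified driver image together. The sample log text is constructed from the lines above; the only assumptions are the four line formats it parses.

```python
"""Cross-reference two rootkit-detector outputs by kernel address (added example)."""
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample: the relevant lines in the format the two tools use
# (addresses and names are the ones that appear in the logs posted above).
MBR_DETECTOR_LOG = """\
called modules: ntoskrnl.exe catchme.sys CLASSPNP.SYS disk.sys >>UNKNOWN [0x8A83FAC8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\\Driver\\Disk -> CLASSPNP.SYS @ 0xf763bf28
\\Driver\\ACPI -> ACPI.sys @ 0xf75aecb8
\\Driver\\atapi -> atapi.sys @ 0xf74a8852
user & kernel MBR OK
"""

GMER_LOG = """\
Device -> \\Driver\\atapi \\Device\\Harddisk0\\DR0 8A83FAC8
File C:\\WINDOWS\\system32\\drivers\\atapi.sys suspicious modification
"""

UNKNOWN_RE = re.compile(r">>UNKNOWN \[0x([0-9A-Fa-f]+)\]<<")
HOOK_RE = re.compile(r"^(\\Driver\\\S+) -> (\S+) @ 0x([0-9A-Fa-f]+)$", re.M)
DEVICE_RE = re.compile(r"^Device -> (\\Driver\\\S+) (\\Device\\\S+) ([0-9A-Fa-f]+)$", re.M)
MODIFIED_RE = re.compile(r"^File (.+?) suspicious modification$", re.M)


def unknown_modules(text: str) -> List[int]:
    """Addresses in the disk call chain the MBR detector could not map to a loaded module."""
    return [int(a, 16) for a in UNKNOWN_RE.findall(text)]


def driver_images(text: str) -> Dict[str, str]:
    """Driver object -> image file name, from the 'detected MBR rootkit hooks' lines."""
    return {drv.lower(): img for drv, img, _ in HOOK_RE.findall(text)}


def device_objects(text: str) -> Dict[int, tuple]:
    """Address -> (driver object, device object) from GMER's 'Device ->' lines."""
    return {int(addr, 16): (drv, dev) for drv, dev, addr in DEVICE_RE.findall(text)}


def modified_files(text: str) -> List[str]:
    """Paths GMER reported as 'suspicious modification'."""
    return MODIFIED_RE.findall(text)


@dataclass(frozen=True)
class Finding:
    address: int
    driver_object: str
    device_object: str
    driver_image: str
    image_modified: bool

    def __str__(self) -> str:
        return (f"0x{self.address:08X} is {self.device_object} (owner {self.driver_object}, "
                f"image {self.driver_image}); image reported modified: {self.image_modified}")


def correlate(mbr_text: str, gmer_text: str) -> List[Finding]:
    """Join the MBR detector's unattributed addresses with GMER's device objects,
    then look up the owning driver's image and whether GMER flagged that file."""
    images = driver_images(mbr_text)
    devices = device_objects(gmer_text)
    modified = {p.rsplit("\\", 1)[-1].lower() for p in modified_files(gmer_text)}
    findings = []
    for addr in unknown_modules(mbr_text):
        if addr not in devices:
            continue  # seen by one tool only; cannot be attributed from these logs
        drv, dev = devices[addr]
        image = images.get(drv.lower(), "<unknown>")
        findings.append(Finding(addr, drv, dev, image, image.lower() in modified))
    return findings


if __name__ == "__main__":
    for finding in correlate(MBR_DETECTOR_LOG, GMER_LOG):
        print(finding)
```

The join does not prove how the machine was infected; it only shows that the two tools are describing one object, which is the question a responder settles before deciding whether the driver image has to be replaced. It also explains why the file-based scanners run earlier in the thread saw nothing: whatever sits at that address is wired into the disk device object, below the file system those scanners read through.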

#15 JSntgRvr

Posted 12 April 2010 - 06:47 PM

Download OTL to your Desktop
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • OTL should now start. Change the following settings:
    • Change Drivers to All
    • Change Standard Registry to All
    • Under File Scans, change File age to 30
  • Under the Custom Scan box paste this in

    netsvcs
    %SYSTEMDRIVE%\*.*
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    nvstor32.sys
    ahcix86s.sys
    nvrd32.sys
    /md5stop
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    %systemroot%\System32\config\*.sav
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles

  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt (first run only). These are saved in the same location as OTL.
    • Please post the contents of these files in your next reply.

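An added example, not part of the thread and not OTL's own code: the /md5start ... /md5stop block in the post above tells OTL to hash the listed storage drivers so their MD5s can be checked against known-good values, which is the natural follow-up to GMER flagging atapi.sys. This Python script does the same comparison in the open, against a trusted copy of each driver, so the logic is visible and can be re-run against a mounted offline disk. Assumptions: the reference location (%SystemRoot%\ServicePackFiles\i386 on an XP SP3 install; system32\dllcache is the other candidate) and covering only the .sys entries from the list. The built-in fixture is constructed data, not files from the poster's machine.

```python
"""MD5-compare storage drivers against a trusted copy (added example)."""
import hashlib
import os
import tempfile
from pathlib import Path

# The .sys names from the /md5start ... /md5stop list in the post above.
DRIVER_LIST = [
    "atapi.sys", "iaStor.sys", "iastorv.sys", "nvstor.sys", "nvstor32.sys",
    "nvata.sys", "nvatabus.sys", "nvgts.sys", "nvrd32.sys", "IdeChnDr.sys",
    "viasraid.sys", "viamraid.sys", "ViPrt.sys", "vaxscsi.sys", "AGP440.sys",
    "ahcix86.sys", "ahcix86s.sys", "KR10N.sys",
]


def md5_file(path):
    """Hex MD5 of a file, read in chunks so a large driver need not fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def compare_drivers(live_dir, ref_dir, names=DRIVER_LIST):
    """Map each name to 'match', 'MISMATCH', 'absent' (driver not installed here)
    or 'no-reference' (installed, but no trusted copy to compare against)."""
    live_dir, ref_dir = Path(live_dir), Path(ref_dir)
    result = {}
    for name in names:
        live, ref = live_dir / name, ref_dir / name
        if not live.is_file():
            result[name] = "absent"
        elif not ref.is_file():
            result[name] = "no-reference"
        elif md5_file(live) == md5_file(ref):
            result[name] = "match"
        else:
            result[name] = "MISMATCH"
    return result


def demo_fixture():
    """Constructed sample (not from a real machine): one clean driver, one with
    bytes appended as a stand-in for a patched image, one lacking a reference
    copy, and one that is not installed at all."""
    with tempfile.TemporaryDirectory() as tmp:
        live, ref = Path(tmp) / "drivers", Path(tmp) / "ServicePackFiles"
        live.mkdir()
        ref.mkdir()
        clean = b"MZ" + b"\x00" * 62 + b"stand-in for a clean driver image"
        (live / "AGP440.sys").write_bytes(clean)
        (ref / "AGP440.sys").write_bytes(clean)
        (live / "atapi.sys").write_bytes(clean + b"\xe9\x00\x10\x00\x00")  # stand-in patch
        (ref / "atapi.sys").write_bytes(clean)
        (live / "iaStor.sys").write_bytes(clean)  # present, but no reference copy
        return compare_drivers(live, ref, ["AGP440.sys", "atapi.sys", "iaStor.sys", "nvstor.sys"])


def main():
    root = Path(os.environ.get("SystemRoot", r"C:\WINDOWS"))
    # Assumed reference location: the service pack's pristine copies on XP.
    results = compare_drivers(root / "system32" / "drivers", root / "ServicePackFiles" / "i386")
    for name, status in sorted(results.items(), key=lambda kv: kv[1]):
        print(f"{status:13} {name}")


if __name__ == "__main__":
    main()
```

Two caveats before acting on the output. A "match" taken on the running system is weak evidence: a kernel driver that intercepts disk I/O can hand the original bytes back to ordinary file reads, which is one reason a rootkit detector can flag a file whose hash still matches, so run the comparison from a clean boot environment against the mounted volume. And the check only says whether the two copies are identical; a mismatch still has to be compared with the vendor's published hash for that exact build (the reference copy can itself be stale or tampered with) before the file is replaced.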
