
TDSS infection-I can't remove it!


  • This topic is locked
44 replies to this topic

#1 JimT343

  • Members
  • 46 posts

Posted 15 April 2010 - 01:30 AM

My computer is infected with what seems to be the tdss rootkit.

It all started when my PC got infected with the ave.exe scareware that pops up the "Windows XP Security" windows, telling me I have all manner of evil spyware. I got rid of it with Malwarebytes Anti-Malware and fixexe.reg, but it has come back a couple of times. I was running McAfee real-time scanner and ZoneAlarm at the time, but it slipped right past them. ZoneAlarm did stop ave.exe and av.exe from accessing the internet, fortunately.

Ever since then, when I search in a search engine (Google, Bing, About.com, etc.) the results appear normal but when I click on a link it takes me to some other page - it's been taking me to the TurboTax site a lot, but there are a bunch of others. Internet Explorer also pops up random windows to different sites, mostly www.onlyspecialoffers.info, at intervals - not little pop-up windows, but full windows.

I also can't access the Windows Update site or even do a search with "windowsupdate" as the topic, as I get a "page not found" error. I can access the website with my netbook, and the search engine (usually Google) with both computers, so I know the sites are OK. Some antivirus sites also appear to be blocked with a message that the site is a known malware site (hey look! it's a pot calling a kettle black!) and of course, there is no option to proceed to the site anyway, as there would be with a legitimate IE warning about a security certificate, for example.

UPDATE: It seems this virus is interfering with my posting this message. I can't get it to post. I'm going to try again with my netbook, so if you're reading this, it worked. It won't let me send an email through Hotmail with any reference to windowsupdate, either. I had to remove all references to it then put them back after I got the email on my netbook.

I've scanned my computer with numerous antivirus and antispyware programs without success. I tried Avast, McAfee Security Center, MS Security Essentials, ComboFix, Malwarebytes Anti-Malware, Trojan Remover, ThreatFire, Protean (sp?) Antivirus, Sophos Anti-Rootkit, Spyware Doctor, and tdsskiller.

tdsskiller reports that atapi.sys is infected with tdss. NONE of the other programs found anything.

tdsskiller says the infection will be cleaned on reboot. It's not.

I tried following Symantec's instructions for manually removing/replacing files and registry entries. The problem is, I can't find any of the registry entries or TDSS files they refer to. I searched the registry for tdss and found only one entry, in:

[HKEY_CURRENT_USER\Software\Microsoft\Search Assistant\ACMru\5603]
"000"="tdssserv.sys"
"001"="6H1Vn1E4.exe"

I deleted this key.

Following Symantec's instructions, I used Windows Recovery Console with my Windows install disk to replace atapi.sys, along with some other files Symantec recommended. It didn't help. I also tried searching for files with "tdss" in the file name while in the Recovery Console, and I couldn't find any.

I've attached the DSS logs, but I've had no luck with GMER. It causes my computer to spontaneously reboot every time I run it. Am I doing something wrong with it?

EDIT: I managed to run GMER in Safe Mode, so I've attached the log file. When GMER finished, the dialog box said "The scan was stopped". Is that normal, or does it indicate the scan was stopped abnormally?

Here's the DSS log:

DDS (Ver_10-03-17.01) - NTFSx86
Run by Jim at 19:09:58.01 on Wed 04/14/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_07
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.250 [GMT -7:00]
AV: avast! Antivirus *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
AV: Microsoft Security Essentials *On-access scanning disabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
============== Running Processes ===============
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
c:\Program Files\Microsoft Security Essentials\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\lxczcoms.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\WINDOWS\SOUNDMAN.EXE
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient .exe
C:\Program Files\palmOne\HOTSYNC.EXE
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\PERMIS~1\bin\dm.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files\Common Files\supportsoft\bin\sprtlisten.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\ThreatFire\TFService.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Jim\Desktop\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe
============== Pseudo HJT Report ===============
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: LastPass Browser Helper Object: {95d9ecf5-2a4d-4550-be49-70d42f71296e} - c:\program files\lastpass\LPBar.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
TB: ZoneAlarm Spy Blocker: {f0d4b239-da4b-4daf-81e4-dfee4931a4aa} - c:\program files\zonealarmsb\bar\1.bin\SPYBLOCK.DLL
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: LastPass Toolbar: {9f6b5cc3-5c7b-4b5c-97af-19dec1e380e5} - c:\program files\lastpass\LPBar.dll
TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File
uRun: [cdloader] "c:\documents and settings\jim\application data\mjusbsp\cdloader2.exe" MAGICJACK
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [MSSE] "c:\program files\microsoft security essentials\msseces.exe" -hide -runkey
mRun: [QuickTime Task] "c:\program files\quicktime\qttask .exe" -atboottime
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [avast5] c:\progra~1\alwils~1\avast5\avastUI.exe /nogui
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\jim\startm~1\programs\startup\hotsyn~1.lnk - c:\program files\palmone\HOTSYNC.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hotsyn~2.lnk - c:\program files\palmone\Hotsync.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\zoneal~1.lnk - c:\program files\zone labs\zonealarm\zlclient .exe
IE: LastPass - file://c:\program files\lastpass\context.html?cmd=lastpass
IE: LastPass Fill Forms - file://c:\program files\lastpass\context.html?cmd=fillforms
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
IE: {43699cd0-e34f-11de-8a39-0800200c9a66} - {95D9ECF5-2A4D-4550-BE49-70D42F71296E} - c:\program files\lastpass\LPBar.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy\SDHelper.dll
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://a1540.g.akamai.net/7/1540/52/20061205/qtinstall.info.apple.com/qtactivex/qtplugin.cab
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://go.microsoft.com/fwlink/?linkid=58813
DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} - hxxp://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/5/b/0/5b0d4654-aa20-495c-b89f-c1c34c691085/LegitCheckControl.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - hxxp://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.3.102.cab
DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} - hxxp://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://photos.walmart.com/WalmartActivia.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://by120fd.bay120.hotmail.msn.com/resources/MsnPUpld.cab
DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} - hxxp://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
DPF: {594ECDD4-A991-4208-A7B7-00DDAD9BE328} - hxxp://media.labs.live.com/all/ps/_code_/Photosynth.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1171514215500
DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1171514206484
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {A4110378-789B-455F-AE86-3A1BFC402853} - hxxp://zone.msn.com/bingame/zpagames/zpa_shvl.cab55579.cab
DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} - hxxp://www.sibelius.com/download/software/win/ActiveXPlugin.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} - hxxp://zone.msn.com/binframework/v10/StProxy.cab55579.cab
DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} - hxxp://gfx1.hotmail.com/mail/w4/pr01/photouploadcontrol/MSNPUpld.cab
TCP: {9CBFCC0D-5192-4EBF-9872-0621EE296BC2} = 208.67.222.222,208.67.220.220
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll
================= FIREFOX ===================
FF - ProfilePath - c:\docume~1\jim\applic~1\mozilla\firefox\profiles\mwdpz6d4.default\
FF - component: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\firefox\ext\components\nprpffbrowserrecordext.dll
FF - component: c:\documents and settings\jim\application data\mozilla\firefox\profiles\mwdpz6d4.default\extensions\support@lastpass.com\platform\winnt_x86-msvc\components\lpxpcom.dll
FF - plugin: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npGoogleGadgetPluginFirefoxWin.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPZoneSB.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
============= SERVICES / DRIVERS ===============
R0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys [2010-4-13 51984]
R0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys [2010-4-13 59664]
R0 xfilt;VIA SATA IDE Hot-plug Driver;c:\windows\system32\drivers\xfilt.sys [2007-1-8 11264]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-4-13 162640]
R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-7-8 214664]
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2009-6-18 149040]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2008-6-20 353672]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-4-13 19024]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-4-13 40384]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2009-9-12 359952]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2009-9-12 144704]
R2 PermissionTVDownloadManager;PermissionTV Download Manager Service;c:\progra~1\permis~1\bin\dm.exe [2008-12-26 213053]
R2 sprtlisten;SupportSoft Listener Service;c:\program files\common files\supportsoft\bin\sprtlisten.exe [2008-1-8 1213728]
R2 ThreatFire;ThreatFire;c:\program files\threatfire\tfservice.exe service --> c:\program files\threatfire\TFService.exe service [?]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-4-13 40384]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-4-13 40384]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2009-9-12 79816]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2009-9-12 35272]
R3 TfNetMon;TfNetMon;c:\windows\system32\drivers\TfNetMon.sys [2010-4-13 33552]
S1 MpKslaf321c6a;MpKslaf321c6a;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{5abe4379-02a2-416e-9603-7f7367330b12}\mpkslaf321c6a.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{5abe4379-02a2-416e-9603-7f7367330b12}\MpKslaf321c6a.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-4-13 133104]
S2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]
S3 DrmRDriverV32;DrmRDriverV32;c:\windows\system32\drivers\DrmRDriverV32.sys [2008-9-14 508544]
S3 DrmRVideo32;DrmRVideo32;c:\windows\system32\drivers\DrmRVideo32.sys [2008-9-14 3768]
S3 iTurns;iTurns;c:\windows\system32\drivers\iTurns.sys [2008-7-18 25344]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2009-9-12 34248]
S3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2009-9-12 40552]
S4 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2009-9-12 606736]
=============== Created Last 30 ================
2100-02-23 21:35:34 768 -c--a-w- c:\program files\x73_lut.dat
2100-02-08 23:03:54 53248 -c--a-w- c:\program files\ACMonitor_X73.exe
2010-04-15 02:09:14 0 ----a-w- c:\documents and settings\jim\defogger_reenable
2010-04-14 12:17:53 18816 ------w- c:\windows\system32\SAVRKBootTasks.sys
2010-04-14 05:26:06 182912 ----a-w- c:\windows\system32\drivers\ndis.sys
2010-04-14 05:25:00 616960 ----a-w- c:\windows\system32\drivers\advapi32.dll
2010-04-14 05:24:34 95360 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-04-14 05:03:09 0 d-----w- c:\program files\Sophos
2010-04-14 02:17:59 0 d-----w- c:\docume~1\alluse~1\applic~1\Alwil Software
2010-04-13 13:23:52 59664 ----a-w- c:\windows\system32\drivers\TfSysMon.sys
2010-04-13 13:23:51 33552 ----a-w- c:\windows\system32\drivers\TfNetMon.sys
2010-04-13 13:23:50 51984 ----a-w- c:\windows\system32\drivers\TfFsMon.sys
2010-04-13 13:23:23 0 d-----w- c:\program files\ThreatFire
2010-04-13 13:23:23 0 d-----w- c:\docume~1\alluse~1\applic~1\PC Tools
2010-04-13 02:41:58 364470272 ----a-w- C:\Backup 12 April 2010.bkf
2010-04-13 01:52:41 2728 ----a-w- C:\rollback.ini
2010-04-12 23:44:04 88916 --sha-w- c:\windows\system32\drivers\fidbox.idx
2010-04-12 23:44:04 6558752 --sha-w- c:\windows\system32\drivers\fidbox.dat
2010-04-12 23:44:04 5060 --sha-w- c:\windows\system32\drivers\fidbox2.idx
2010-04-12 23:44:04 43296 --sha-w- c:\windows\system32\drivers\fidbox2.dat
2010-04-12 23:32:39 77312 ----a-w- c:\windows\system32\ztvunace26.dll
2010-04-12 23:32:39 75264 ----a-w- c:\windows\system32\unacev2.dll
2010-04-12 23:32:39 69632 ----a-w- c:\windows\system32\ztvcabinet.dll
2010-04-12 23:32:39 162304 ----a-w- c:\windows\system32\ztvunrar36.dll
2010-04-12 23:32:39 153088 ----a-w- c:\windows\system32\UNRAR3.dll
2010-04-12 23:29:18 0 d-----w- c:\program files\ParetoLogic
2010-04-12 23:29:18 0 d-----w- c:\program files\common files\ParetoLogic
2010-04-12 23:29:18 0 d-----w- c:\docume~1\alluse~1\applic~1\ParetoLogic
2010-04-12 22:03:50 0 d-sha-r- C:\cmdcons
2010-04-12 22:01:04 98816 ----a-w- c:\windows\sed.exe
2010-04-12 22:01:04 77312 ----a-w- c:\windows\MBR.exe
2010-04-12 22:01:04 261632 ----a-w- c:\windows\PEV.exe
2010-04-12 22:01:04 161792 ----a-w- c:\windows\SWREG.exe
2010-04-12 19:45:00 112 ----a-w- c:\docume~1\alluse~1\applic~1\s6I1nLFY.dat
2010-04-04 06:53:33 0 d-----w- c:\docume~1\jim\applic~1\Malwarebytes
2010-04-04 06:52:45 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-04 06:52:41 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-04-04 06:52:39 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-04 06:52:37 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-01 02:31:40 0 d-----w- c:\program files\common files\xing shared
2010-04-01 02:26:21 0 d-----w- c:\docume~1\jim\applic~1\OverDrive
2010-03-25 20:30:06 0 d-----w- c:\program files\Microsoft Research
2010-03-23 00:09:24 0 d-----w- c:\program files\Plus!
2010-03-23 00:05:34 0 d-----w- c:\program files\Software Bisque
==================== Find3M ====================
2010-04-12 22:27:04 71170 ----a-w- c:\windows\fonts\YC28Xf.com_
2010-04-01 02:30:03 499712 ----a-w- c:\windows\system32\msvcp71.dll
2010-04-01 02:30:03 348160 ----a-w- c:\windows\system32\msvcr71.dll
2010-02-25 06:24:37 916480 ------w- c:\windows\system32\wininet.dll
2010-02-24 17:16:06 181632 ------w- c:\windows\system32\MpSigStub.exe
2004-10-01 22:00:16 40960 ----a-w- c:\program files\Uninstall_CDS.exe
2001-07-26 23:58:46 47 -c--a-w- c:\program files\ACMonitor_X73.ini
2001-07-05 19:46:44 8116 -c--a-w- c:\program files\OSLO3071b2.USB
2001-05-08 23:36:42 114688 -c--a-w- c:\program files\lxarscan.dll
2001-04-23 21:22:14 1437 -c--a-w- c:\program files\gtx73.ini
2008-09-12 10:08:30 32768 -csha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008091220080913\index.dat
============= FINISH: 19:15:48.60 ===============

I also have the ComboFix log and TDSSkiller log if you want me to post them.
I'd really appreciate any and all help. I'm about ready to reformat my hard drive, and that would suck.

Edited by JimT343, 15 April 2010 - 09:05 PM.
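A small triage pass over the "Created Last 30" and "Find3M" sections of a DDS log like the one above, added here as an example (it is not code from this thread or from the DDS tool). The sample lines are constructed from the posted log; the core-driver list and the random-name rule are illustrative assumptions, and a hit only marks an entry for a closer look, it does not prove the file is malicious.

```python
"""Triage heuristics for the file listing in a DDS log.

"Created Last 30" and "Find3M" print one file per line as
    <yyyy-mm-dd> <hh:mm:ss> <size> <attribute flags> <path>
Every rule below only marks an entry worth a second look.
"""
import re
from datetime import datetime

# Constructed sample, with lines copied from the log posted above.
SAMPLE_DDS = r"""
DDS (Ver_10-03-17.01) - NTFSx86
Run by Jim at 19:09:58.01 on Wed 04/14/2010
=============== Created Last 30 ================
2100-02-23 21:35:34 768 -c--a-w- c:\program files\x73_lut.dat
2010-04-14 05:24:34 95360 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-04-14 05:26:06 182912 ----a-w- c:\windows\system32\drivers\ndis.sys
2010-04-12 19:45:00 112 ----a-w- c:\docume~1\alluse~1\applic~1\s6I1nLFY.dat
2010-04-04 06:52:39 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
==================== Find3M ====================
2010-04-12 22:27:04 71170 ----a-w- c:\windows\fonts\YC28Xf.com_
============= FINISH: 19:15:48.60 ===============
"""

SCAN_RE = re.compile(
    r"^Run by .+ at (\d{2}:\d{2}:\d{2})\.\d+ on \w{3} (\d{2}/\d{2}/\d{4})$")
SECTION_RE = re.compile(r"^=+\s*(Created Last 30|Find3M)\s*=+$")
ENTRY_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(\d+)\s+(\S{8})\s+(.+?)\s*$")

# Assumption: an illustrative list of boot-critical XP drivers. The posted
# log shows atapi.sys (the file TDSSKiller named) and ndis.sys both written
# on the day of the scan.
CORE_DRIVERS = {"atapi.sys", "ndis.sys"}

# Names like s6I1nLFY.dat or YC28Xf.com_: 6-8 alphanumerics mixing digits,
# lower-case and upper-case letters, with no separators (assumed heuristic).
RANDOM_STEM_RE = re.compile(r"^(?=.*\d)(?=.*[a-z])(?=.*[A-Z])[A-Za-z0-9]{6,8}$")


def parse_scan_time(log_text):
    """Return the scan time from the 'Run by ... at ... on ...' header."""
    for line in log_text.splitlines():
        m = SCAN_RE.match(line)
        if m:
            return datetime.strptime(m.group(2) + " " + m.group(1),
                                     "%m/%d/%Y %H:%M:%S")
    raise ValueError("DDS header with scan time not found")


def parse_file_entries(log_text):
    """Yield (section, timestamp, size, attrs, path) for each listed file."""
    section = None
    for line in log_text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        if line.startswith("="):        # any other banner ends the section
            section = None
            continue
        m = ENTRY_RE.match(line)
        if section and m:
            stamp = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            yield section, stamp, int(m.group(2)), m.group(3), m.group(4)


def triage(log_text, scan_time):
    """Map each flagged path to the list of heuristics it tripped."""
    findings = {}
    for _section, stamp, _size, _attrs, path in parse_file_entries(log_text):
        name = path.rsplit("\\", 1)[-1]
        stem = name.rsplit(".", 1)[0]
        reasons = []
        if stamp > scan_time:
            reasons.append("timestamp later than the scan itself")
        if name.lower() in CORE_DRIVERS and "\\drivers\\" in path.lower():
            reasons.append("core boot driver recently written")
        if RANDOM_STEM_RE.match(stem):
            reasons.append("random-looking file name")
        if reasons:
            findings[path] = reasons
    return findings


def triage_sample():
    """Run the heuristics over the constructed sample log."""
    return triage(SAMPLE_DDS, parse_scan_time(SAMPLE_DDS))


if __name__ == "__main__":
    for path, reasons in sorted(triage_sample().items()):
        print(path, "->", "; ".join(reasons))
```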



#2 extremeboy

  • Malware Response Team
  • 12,975 posts

Posted 18 April 2010 - 05:31 PM

Hi,

My name is Extremeboy (or EB for short), and I will be helping you with your log. I apologize for the delay.

If you still require assistance we would like to see the current condition of your system so please post a new set of DDS Logs as well as a GMER log and a description of any remaining problems or symptoms you may still have please.

It's a new TDL3 rootkit infection here, we'll deal with it once I see the new logs.

With Regards,
Extremeboy

Edited by extremeboy, 18 April 2010 - 05:31 PM.

Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.


#3 JimT343

  • Topic Starter

  • Members
  • 46 posts

Posted 19 April 2010 - 09:02 AM

Hi EB,

I understand the delay, and I appreciate your help. Judging from what I see on the forums, this rootkit is a bother for a lot of people.

The symptoms are still the same - hijacked search results, I can't access Windows Update, and I have had another go-round with the ave.exe and av.exe "Windows XP Antivirus" scareware.

EDIT: I forgot to add, that in IE8, I can mostly overcome the search engine redirects by right-clicking on a link and clicking "Open in new tab". In Firefox, though, I'm pretty much hosed unless I either click the link 4-6 times or copy and paste the link into the address bar. I can't get Google Chrome to work at all, but I don't know if that's the rootkit or my computer. I never tried running it before; it came with one of the many antivirus programs I've been trying out to get rid of this thing.

Here are the new logs. I'm still not sure that GMER runs properly, even in safe mode - this time, it ended with a pop up dialog box saying some program (I'm sorry, I didn't write it down) couldn't execute, and asking if I wanted to run an antivirus program, rather than the message I got before (that the scan was stopped). I just get a BSOD with no error messages if I try to run a GMER scan in regular mode.

Here is the new DDS log, and the other new DDS log and the new GMER log are attached. I ran all of these yesterday as soon as I saw your post.

Thanks again for the help.

DDS (Ver_10-03-17.01) - NTFSx86
Run by Jim at 19:45:28.00 on Sun 04/18/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_20
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.600 [GMT -7:00]
AV: COMODO Antivirus *On-access scanning disabled* (Updated) {043803A5-4F86-4ef7-AFC5-F6E02A79969B}
FW: COMODO Firewall *enabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}
============== Running Processes ===============
svchost.exe
svchost.exe
svchost.exe
svchost.exe
svchost.exe
svchost.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\palmOne\Hotsync.exe
C:\Documents and Settings\Jim\Desktop\dds.scr
============== Pseudo HJT Report ===============
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: LastPass Browser Helper Object: {95d9ecf5-2a4d-4550-be49-70d42f71296e} - c:\program files\lastpass\LPBar.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: LastPass Toolbar: {9f6b5cc3-5c7b-4b5c-97af-19dec1e380e5} - c:\program files\lastpass\LPBar.dll
TB: HopSurf toolbar: {e9fab13d-4600-49e1-90d1-ee961c859d39} - c:\program files\comodo\hopsurftoolbar\HopSurfToolbar_IE.dll
TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [COMODO Internet Security] "c:\program files\comodo\comodo internet security\cfp.exe" -h
StartupFolder: c:\docume~1\jim\startm~1\programs\startup\autoru~1\hotsyn~1.lnk - c:\program files\palmone\HOTSYNC.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hotsyn~2.lnk - c:\program files\palmone\Hotsync.exe
IE: LastPass - file://c:\program files\lastpass\context.html?cmd=lastpass
IE: LastPass Fill Forms - file://c:\program files\lastpass\context.html?cmd=fillforms
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {43699cd0-e34f-11de-8a39-0800200c9a66} - {95D9ECF5-2A4D-4550-BE49-70D42F71296E} - c:\program files\lastpass\LPBar.dll
IE: {ED98F8D1-09AC-4107-B2FF-91DBE011B0C5} - {6BBCFF8E-D837-4DA4-9141-1F645B34A179} - c:\program files\comodo\hopsurftoolbar\HopSurfToolbar_IE.dll
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://a1540.g.akamai.net/7/1540/52/20061205/qtinstall.info.apple.com/qtactivex/qtplugin.cab
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://go.microsoft.com/fwlink/?linkid=58813
DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} - hxxp://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/5/b/0/5b0d4654-aa20-495c-b89f-c1c34c691085/LegitCheckControl.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - hxxp://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.3.102.cab
DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} - hxxp://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://photos.walmart.com/WalmartActivia.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://by120fd.bay120.hotmail.msn.com/resources/MsnPUpld.cab
DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} - hxxp://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
DPF: {594ECDD4-A991-4208-A7B7-00DDAD9BE328} - hxxp://media.labs.live.com/all/ps/_code_/Photosynth.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1171514215500
DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1171514206484
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {A4110378-789B-455F-AE86-3A1BFC402853} - hxxp://zone.msn.com/bingame/zpagames/zpa_shvl.cab55579.cab
DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} - hxxp://www.sibelius.com/download/software/win/ActiveXPlugin.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} - hxxp://zone.msn.com/binframework/v10/StProxy.cab55579.cab
DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} - hxxp://gfx1.hotmail.com/mail/w4/pr01/photouploadcontrol/MSNPUpld.cab
TCP: {9CBFCC0D-5192-4EBF-9872-0621EE296BC2} = 208.67.222.222,208.67.220.220
Notify: AtiExtEvent - Ati2evxx.dll
AppInit_DLLs: c:\windows\system32\guard32.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
================= FIREFOX ===================
FF - ProfilePath - c:\docume~1\jim\applic~1\mozilla\firefox\profiles\mwdpz6d4.default\
FF - component: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\firefox\ext\components\nprpffbrowserrecordext.dll
FF - component: c:\documents and settings\jim\application data\mozilla\firefox\profiles\mwdpz6d4.default\extensions\support@lastpass.com\platform\winnt_x86-msvc\components\lpxpcom.dll
FF - plugin: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npGoogleGadgetPluginFirefoxWin.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
============= SERVICES / DRIVERS ===============
R0 xfilt;VIA SATA IDE Hot-plug Driver;c:\windows\system32\drivers\xfilt.sys [2007-1-8 11264]
R1 cmderd;COMODO Internet Security Eradication Driver;c:\windows\system32\drivers\cmderd.sys [2010-4-9 15464]
R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdGuard.sys [2010-4-9 225344]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [2010-4-9 25240]
R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-7-8 214664]
R2 CLPSLS;COMODO livePCsupport Service;c:\program files\comodo\comodo livepcsupport\CLPSLS.exe [2010-2-19 148744]
R2 cmdAgent;COMODO Internet Security Helper Service;c:\program files\comodo\comodo internet security\cmdagent.exe [2010-4-9 1769216]
R2 PermissionTVDownloadManager;PermissionTV Download Manager Service;c:\progra~1\permis~1\bin\dm.exe [2008-12-26 213053]
R2 sprtlisten;SupportSoft Listener Service;c:\program files\common files\supportsoft\bin\sprtlisten.exe [2008-1-8 1213728]
S1 MpKslaf321c6a;MpKslaf321c6a;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{5abe4379-02a2-416e-9603-7f7367330b12}\mpkslaf321c6a.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{5abe4379-02a2-416e-9603-7f7367330b12}\MpKslaf321c6a.sys [?]
S1 SASKUTIL;SASKUTIL;\??\c:\program files\superantispyware\saskutil.sys --> c:\program files\superantispyware\SASKUTIL.SYS [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-4-13 133104]
S3 DrmRDriverV32;DrmRDriverV32;c:\windows\system32\drivers\DrmRDriverV32.sys [2008-9-14 508544]
S3 DrmRVideo32;DrmRVideo32;c:\windows\system32\drivers\DrmRVideo32.sys [2008-9-14 3768]
S3 iTurns;iTurns;c:\windows\system32\drivers\iTurns.sys [2008-7-18 25344]
S3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2009-9-12 79816]
S3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2009-9-12 35272]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2009-9-12 34248]
S3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2009-9-12 40552]
S3 rootrepeal;rootrepeal;\??\c:\windows\system32\drivers\rootrepeal.sys --> c:\windows\system32\drivers\rootrepeal.sys [?]
=============== Created Last 30 ================
2100-02-23 21:35:34 768 -c--a-w- c:\program files\x73_lut.dat
2100-02-08 23:03:54 53248 -c--a-w- c:\program files\ACMonitor_X73.exe
2010-04-19 02:43:31 0 d--h--w- C:\VritualRoot
2010-04-18 01:47:51 159345 ----a-w- C:\MGlogs.zip
2010-04-18 01:46:37 0 d-----w- C:\MGtools
2010-04-17 20:52:51 15944 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-04-17 20:52:40 0 d-----w- c:\docume~1\alluse~1\applic~1\Hitman Pro
2010-04-17 20:52:27 0 d-----w- c:\program files\Hitman Pro 3.5
2010-04-17 20:49:07 0 d-----w- c:\docume~1\alluse~1\applic~1\COMODO
2010-04-17 20:48:32 174656 ----a-w- c:\windows\system32\drivers\sfi.dat
2010-04-17 18:10:51 0 d-----w- c:\program files\Comodo
2010-04-17 18:10:51 0 d-----w- c:\docume~1\jim\applic~1\Comodo
2010-04-17 18:09:54 0 d-----w- c:\docume~1\alluse~1\applic~1\Comodo Downloader
2010-04-17 18:06:28 0 d-----w- c:\program files\Yahoo!
2010-04-17 18:06:25 0 d-----w- c:\program files\CCleaner
2010-04-17 17:30:09 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-04-17 17:30:09 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-04-17 17:26:29 0 d-----w- c:\docume~1\jim\applic~1\FaxCtr
2010-04-17 17:21:55 2389388 ----a-w- C:\MGtools.exe
2010-04-17 08:21:27 0 d-----w- c:\docume~1\alluse~1\applic~1\avG
2010-04-16 03:37:02 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-04-16 03:36:29 0 d-----w- c:\docume~1\jim\applic~1\SUPERAntiSpyware.com
2010-04-15 02:09:14 0 ----a-w- c:\documents and settings\jim\defogger_reenable
2010-04-14 05:26:06 182912 ----a-w- c:\windows\system32\drivers\ndis.sys
2010-04-14 05:25:00 616960 ----a-w- c:\windows\system32\drivers\advapi32.dll
2010-04-14 05:24:34 95360 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-04-14 05:03:09 0 d-----w- c:\program files\Sophos
2010-04-14 02:17:59 0 d-----w- c:\docume~1\alluse~1\applic~1\Alwil Software
2010-04-13 13:23:23 0 d-----w- c:\docume~1\alluse~1\applic~1\PC Tools
2010-04-13 02:41:58 364470272 ----a-w- C:\Backup 12 April 2010.bkf
2010-04-13 01:52:41 2728 ----a-w- C:\rollback.ini
2010-04-12 23:44:04 88916 --sha-w- c:\windows\system32\drivers\fidbox.idx
2010-04-12 23:44:04 6558752 --sha-w- c:\windows\system32\drivers\fidbox.dat
2010-04-12 23:44:04 5060 --sha-w- c:\windows\system32\drivers\fidbox2.idx
2010-04-12 23:44:04 43296 --sha-w- c:\windows\system32\drivers\fidbox2.dat
2010-04-12 23:32:39 77312 ----a-w- c:\windows\system32\ztvunace26.dll
2010-04-12 23:32:39 75264 ----a-w- c:\windows\system32\unacev2.dll
2010-04-12 23:32:39 69632 ----a-w- c:\windows\system32\ztvcabinet.dll
2010-04-12 23:32:39 162304 ----a-w- c:\windows\system32\ztvunrar36.dll
2010-04-12 23:32:39 153088 ----a-w- c:\windows\system32\UNRAR3.dll
2010-04-12 23:29:18 0 d-----w- c:\docume~1\alluse~1\applic~1\ParetoLogic
2010-04-12 22:03:50 0 d-sha-r- C:\cmdcons
2010-04-12 22:01:04 98816 ----a-w- c:\windows\sed.exe
2010-04-12 22:01:04 77312 ----a-w- c:\windows\MBR.exe
2010-04-12 22:01:04 261632 ----a-w- c:\windows\PEV.exe
2010-04-12 22:01:04 161792 ----a-w- c:\windows\SWREG.exe
2010-04-12 19:45:00 112 ----a-w- c:\docume~1\alluse~1\applic~1\s6I1nLFY.dat
2010-04-09 08:26:12 277240 ----a-w- c:\windows\system32\guard32.dll
2010-04-09 08:25:46 25240 ----a-w- c:\windows\system32\drivers\cmdhlp.sys
2010-04-09 08:25:46 225344 ----a-w- c:\windows\system32\drivers\cmdGuard.sys
2010-04-09 08:25:44 15464 ----a-w- c:\windows\system32\drivers\cmderd.sys
2010-04-04 06:53:33 0 d-----w- c:\docume~1\jim\applic~1\Malwarebytes
2010-04-04 06:52:45 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-04 06:52:41 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-04-04 06:52:39 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-04 06:52:37 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-01 02:31:40 0 d-----w- c:\program files\common files\xing shared
2010-04-01 02:26:21 0 d-----w- c:\docume~1\jim\applic~1\OverDrive
2010-03-25 20:30:06 0 d-----w- c:\program files\Microsoft Research
2010-03-23 00:09:24 0 d-----w- c:\program files\Plus!
2010-03-23 00:05:34 0 d-----w- c:\program files\Software Bisque
==================== Find3M ====================
2010-04-18 18:02:46 2404 ----a-w- c:\windows\system32\d3d9caps.dat
2010-04-18 03:44:27 4224 ----a-w- c:\windows\system32\drivers\rdpcdd.sys
2010-04-01 02:30:03 499712 ----a-w- c:\windows\system32\msvcp71.dll
2010-04-01 02:30:03 348160 ----a-w- c:\windows\system32\msvcr71.dll
2010-03-10 06:15:52 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-02-25 06:24:37 916480 ------w- c:\windows\system32\wininet.dll
2010-02-24 17:16:06 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-02-24 13:11:07 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-16 14:08:49 2146304 ------w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25:04 2024448 ------w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 04:33:11 100864 ----a-w- c:\windows\system32\6to4svc.dll
2004-10-01 22:00:16 40960 ----a-w- c:\program files\Uninstall_CDS.exe
2001-07-26 23:58:46 47 -c--a-w- c:\program files\ACMonitor_X73.ini
2001-07-05 19:46:44 8116 -c--a-w- c:\program files\OSLO3071b2.USB
2001-05-08 23:36:42 114688 -c--a-w- c:\program files\lxarscan.dll
2001-04-23 21:22:14 1437 -c--a-w- c:\program files\gtx73.ini
============= FINISH: 19:47:08.46 ===============

Attached Files


Edited by JimT343, 19 April 2010 - 05:17 PM.


#4 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  • Gender:Male
  • Local time:10:26 AM

Posted 20 April 2010 - 06:50 PM

Hello.

I see the infection here. It's the new TDL3 rootkit infection: http://rootbiez.blogspot.com/2009/11/rootk...s-lets-put.html

Let's continue here. We'll start with Combofix and see if it can automatically remove and disinfect it, if not we'll try something else.

Download and Run ComboFix

Note to readers of this post other than the starter of this thread:
ComboFix is a VERY POWERFUL tool which should NOT BE USED without guidance of an expert.

Download Combofix from any of the links below, and save it to your desktop.
Link 1
Link 2

Please refer to this page for full instructions on how to run ComboFix.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Double click ComboFix.exe to start the program. Agree to the prompts.
  • When ComboFix is finished, a log report (C:\ComboFix.txt) will open. Post back with it.
Leave your computer alone while ComboFix is running.

ComboFix will restart your computer if malware is found; allow it to do so.


Note: Please Do NOT mouseclick combofix's window while it's running because it may cause it to stall.

Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.
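When reading a DDS "Created Last 30" / Find3M listing or a ComboFix "Files Created" section like the ones posted in this thread, a helper can flag the entries a responder looks at first: future-dated timestamps (the 2100-02-23 lines above), kernel drivers under system32\drivers touched inside the window (TDL3 patches an existing driver in place, which is why rdpcdd.sys shows a fresh modification date but its original 4224-byte size), and hidden+system files. The following is an added example written for this thread; it is not code from DDS, ComboFix or either poster. The sample lines are copied from the logs above, and the scan finish time is assumed from the DDS "FINISH: 19:47:08" stamp on 19 April.

```python
import re
from datetime import datetime

# Constructed sample: a handful of lines copied from the DDS listing above,
# written in DDS's "date time size attrs path" layout.
SAMPLE_DDS = r"""
2100-02-23 21:35:34 768 -c--a-w- c:\program files\x73_lut.dat
2010-04-18 03:44:27 4224 ----a-w- c:\windows\system32\drivers\rdpcdd.sys
2010-04-17 20:52:51 15944 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-04-14 05:26:06 182912 ----a-w- c:\windows\system32\drivers\ndis.sys
2010-04-12 23:44:04 88916 --sha-w- c:\windows\system32\drivers\fidbox.idx
2010-04-12 22:03:50 0 d-sha-r- C:\cmdcons
2010-04-04 06:53:33 0 d-----w- c:\docume~1\jim\applic~1\Malwarebytes
"""

# Assumed scan finish time: the DDS log ends "FINISH: 19:47:08" and the post
# was edited on 19 April 2010, so that date is used here.
SCAN_FINISH = datetime(2010, 4, 19, 19, 47, 8)

# One DDS entry: timestamp, size, 8-character attribute field, path (may contain spaces).
LINE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(\d+)\s+([-a-z]{8})\s+(.+)$"
)


def parse_dds_line(line):
    """Parse one DDS file-listing line into a dict, or None if it is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, size, attrs, path = m.groups()
    return {
        "timestamp": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
        "size": int(size),
        "attrs": attrs,
        "path": path,
        "is_dir": attrs[0] == "d",      # first attribute column is 'd' for directories
        "hidden": "h" in attrs,
        "system": "s" in attrs,
    }


def triage(text, scan_time):
    """Return [(path, [reasons])] for entries that deserve a closer look."""
    findings = []
    for line in text.splitlines():
        entry = parse_dds_line(line)
        if entry is None:
            continue
        reasons = []
        if entry["timestamp"] > scan_time:
            # A file "created" after the scan ran has a forged or corrupt timestamp.
            reasons.append("future timestamp")
        low = entry["path"].lower()
        if "\\drivers\\" in low and low.endswith(".sys") and not entry["is_dir"]:
            # Kernel drivers changed in the window: legitimate patches and security
            # tools land here too, so this is a review queue, not a verdict.
            reasons.append("kernel driver changed in window")
        if entry["hidden"] and entry["system"] and not entry["is_dir"]:
            reasons.append("hidden+system file")
        if reasons:
            findings.append((entry["path"], reasons))
    return findings


def triage_sample():
    """Run the triage over the constructed sample with the assumed scan time."""
    return triage(SAMPLE_DDS, SCAN_FINISH)


if __name__ == "__main__":
    for path, reasons in triage_sample():
        print(f"{path}: {', '.join(reasons)}")
```

The driver rule is deliberately noisy: in the sample it flags hitmanpro35.sys and the Windows Update copy of ndis.sys alongside the rdpcdd.sys that ComboFix later reported as infected, so the output is a review list for the analyst rather than a detection. Hidden+system entries are worth a look because that attribute combination is unusual for files written in the last month, but here fidbox.idx belongs to a security product that was installed during the cleanup.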

#5 JimT343

JimT343
  • Topic Starter

  • Members
  • 46 posts
  • OFFLINE
  • Local time:07:26 AM

Posted 20 April 2010 - 11:09 PM

Hi EB,

I had tried ComboFix before and it didn't help, but I tried it again and it seems to have worked!

I did notice that the version of CF I downloaded today is 0.01 MB larger than the one I downloaded last week, so maybe the newer version works better against this particular virus.

I can now access the Windows Update page, and Google search results don't seem to be hijacked any longer.

Should I go ahead and check the Windows Update page for updates for my PC?

I have noticed another problem, but I'm not sure if it's related to the virus.

I tried creating a limited account to use when surfing the Web, but I can't run any programs from that account, including Firefox and Comodo Internet Security.

At best, I get a dialog box stating that Windows does not know what program created the file I'm trying to run. At worst, it just does nothing. These are .exe files, so I don't know why Windows does not recognize them.

I also have a netbook running Windows XP and it works fine with the limited account, which is what got me thinking maybe this is part of the virus, but I still have this problem now while I don't have the other symptoms of the virus on my computer.

Here's the ComboFix log:

ComboFix 10-04-19.08 - Jim 04/20/2010 20:39:47.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.690 [GMT -7:00]
Running from: c:\documents and settings\Jim\Desktop\ComboFix.exe
AV: COMODO Antivirus *On-access scanning disabled* (Updated) {043803A5-4F86-4ef7-AFC5-F6E02A79969B}
FW: COMODO Firewall *disabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

Infected copy of c:\windows\system32\drivers\rdpcdd.sys was found and disinfected
Restored copy from - Kitty had a snack :p
.
((((((((((((((((((((((((( Files Created from 2010-03-21 to 2010-04-21 )))))))))))))))))))))))))))))))
.

2100-02-23 21:35 . 2001-02-22 16:54 768 -c--a-w- c:\program files\x73_lut.dat
2100-02-08 23:03 . 2001-05-11 18:39 53248 -c--a-w- c:\program files\ACMonitor_X73.exe
2010-04-20 06:10 . 2010-04-20 06:10 38432 ----a-w- c:\documents and settings\Jim_2\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-04-19 11:45 . 2010-04-19 11:45 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\khbkkdrqs
2010-04-19 04:28 . 2010-04-19 04:28 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2010-04-19 02:43 . 2010-04-19 02:43 -------- d-----w- C:\VritualRoot
2010-04-18 18:35 . 2010-04-21 03:09 -------- d-----w- c:\documents and settings\Jim_2\Tracing
2010-04-18 18:32 . 2010-04-18 18:32 -------- d-----w- c:\documents and settings\Jim_2\Local Settings\Application Data\LastPass
2010-04-18 18:32 . 2010-04-18 18:32 -------- d-sh--w- c:\documents and settings\Jim_2\PrivacIE
2010-04-18 01:47 . 2010-04-18 01:54 159345 ----a-w- C:\MGlogs.zip
2010-04-18 01:46 . 2010-04-18 01:54 -------- d-----w- C:\MGtools
2010-04-17 20:52 . 2010-04-17 20:52 15944 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-04-17 20:52 . 2010-04-17 20:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro
2010-04-17 20:52 . 2010-04-17 20:52 -------- d-----w- c:\program files\Hitman Pro 3.5
2010-04-17 20:49 . 2010-04-17 20:50 -------- d-----w- c:\documents and settings\All Users\Application Data\COMODO
2010-04-17 20:48 . 2010-04-21 03:35 174656 ----a-w- c:\windows\system32\drivers\sfi.dat
2010-04-17 18:10 . 2010-04-17 18:12 -------- d-----w- c:\program files\Comodo
2010-04-17 18:10 . 2010-04-17 18:10 -------- d-----w- c:\documents and settings\Jim\Application Data\Comodo
2010-04-17 18:10 . 2010-04-17 18:46 5542592 ----a-w- c:\documents and settings\All Users\Application Data\Comodo Downloader\hopsurf.exe
2010-04-17 18:09 . 2010-04-17 20:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Comodo Downloader
2010-04-17 18:06 . 2010-04-17 18:06 -------- d-----w- c:\documents and settings\Jim\Application Data\Yahoo!
2010-04-17 18:06 . 2010-04-17 18:34 -------- d-----w- c:\program files\Yahoo!
2010-04-17 18:06 . 2010-04-17 18:06 -------- d-----w- c:\program files\CCleaner
2010-04-17 17:30 . 2010-04-17 17:30 503808 ----a-w- c:\documents and settings\Jim\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-23667e6a-n\msvcp71.dll
2010-04-17 17:30 . 2010-04-17 17:30 499712 ----a-w- c:\documents and settings\Jim\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-23667e6a-n\jmc.dll
2010-04-17 17:30 . 2010-04-17 17:30 348160 ----a-w- c:\documents and settings\Jim\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-23667e6a-n\msvcr71.dll
2010-04-17 17:30 . 2010-04-17 17:30 61440 ----a-w- c:\documents and settings\Jim\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-7bd23969-n\decora-sse.dll
2010-04-17 17:30 . 2010-04-17 17:30 12800 ----a-w- c:\documents and settings\Jim\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-7bd23969-n\decora-d3d.dll
2010-04-17 17:30 . 2010-04-17 17:30 -------- d-----w- c:\program files\Common Files\Java
2010-04-17 17:30 . 2010-04-17 17:29 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-04-17 17:28 . 2010-04-17 17:28 79488 ----a-w- c:\documents and settings\Jim\Application Data\Sun\Java\jre1.6.0_20\gtapi.dll
2010-04-17 17:28 . 2010-04-17 17:28 152576 ----a-w- c:\documents and settings\Jim\Application Data\Sun\Java\jre1.6.0_20\lzma.dll
2010-04-17 17:26 . 2010-04-17 17:26 -------- d-----w- c:\documents and settings\Jim\Application Data\FaxCtr
2010-04-17 17:26 . 2010-04-17 17:26 -------- d-----w- c:\documents and settings\Jim\Local Settings\Application Data\SupportSoft
2010-04-17 17:21 . 2010-04-17 17:21 2389388 ----a-w- C:\MGtools.exe
2010-04-17 09:27 . 2010-04-17 09:27 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE
2010-04-17 08:21 . 2010-04-17 08:21 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\avG
2010-04-17 08:21 . 2010-04-17 08:21 -------- d-----w- c:\documents and settings\All Users\Application Data\avG
2010-04-16 03:37 . 2010-04-16 03:37 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-04-16 03:36 . 2010-04-16 13:24 -------- d-----w- c:\documents and settings\Jim\Application Data\SUPERAntiSpyware.com
2010-04-14 07:06 . 2010-04-14 07:06 -------- d-----w- c:\documents and settings\NetworkService\Application Data\AdobeUM
2010-04-14 07:04 . 2010-04-14 07:06 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-04-14 05:26 . 2004-08-03 23:14 182912 ----a-w- c:\windows\system32\drivers\ndis.sys
2010-04-14 05:25 . 2004-08-04 00:56 616960 ----a-w- c:\windows\system32\drivers\advapi32.dll
2010-04-14 05:24 . 2010-04-15 02:00 95360 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-04-14 05:03 . 2010-04-17 16:04 -------- d-----w- c:\program files\Sophos
2010-04-14 02:24 . 2010-04-14 02:24 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Google
2010-04-14 02:19 . 2010-04-14 02:19 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google
2010-04-14 02:19 . 2010-04-14 02:24 -------- d-----w- c:\documents and settings\Jim\Local Settings\Application Data\Temp
2010-04-14 02:18 . 2010-04-14 02:23 -------- d-----w- c:\documents and settings\Jim\Local Settings\Application Data\Google
2010-04-14 02:17 . 2010-04-14 02:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Alwil Software
2010-04-13 13:23 . 2010-04-13 13:23 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2010-04-13 02:08 . 2010-04-13 02:08 125952 ----a-w- c:\documents and settings\All Users\Application Data\ParetoLogic\UUS2\Temp\Update.exe
2010-04-12 23:44 . 2010-04-14 02:53 43296 --sha-w- c:\windows\system32\drivers\fidbox2.dat
2010-04-12 23:44 . 2010-04-14 02:53 6558752 --sha-w- c:\windows\system32\drivers\fidbox.dat
2010-04-12 23:32 . 2006-06-19 19:01 69632 ----a-w- c:\windows\system32\ztvcabinet.dll
2010-04-12 23:32 . 2006-05-25 21:52 162304 ----a-w- c:\windows\system32\ztvunrar36.dll
2010-04-12 23:32 . 2005-08-26 07:50 77312 ----a-w- c:\windows\system32\ztvunace26.dll
2010-04-12 23:32 . 2003-02-03 02:06 153088 ----a-w- c:\windows\system32\UNRAR3.dll
2010-04-12 23:32 . 2002-03-06 07:00 75264 ----a-w- c:\windows\system32\unacev2.dll
2010-04-12 23:29 . 2010-04-14 02:43 -------- d-----w- c:\documents and settings\All Users\Application Data\ParetoLogic
2010-04-12 23:28 . 2010-04-12 23:28 -------- d-----w- c:\documents and settings\Jim\Local Settings\Application Data\Downloaded Installations
2010-04-11 20:07 . 2010-04-11 20:07 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple Computer
2010-04-10 23:32 . 2010-02-26 23:51 6870864 ---ha-w- c:\documents and settings\Jim\Application Data\mjusbsp\in00000\setup.exe
2010-04-09 08:26 . 2010-04-09 08:26 277240 ----a-w- c:\windows\system32\guard32.dll
2010-04-09 08:25 . 2010-04-09 08:25 86800 ----a-w- c:\windows\system32\drivers\inspect.sys
2010-04-09 08:25 . 2010-04-09 08:25 25240 ----a-w- c:\windows\system32\drivers\cmdhlp.sys
2010-04-09 08:25 . 2010-04-09 08:25 225344 ----a-w- c:\windows\system32\drivers\cmdGuard.sys
2010-04-09 08:25 . 2010-04-09 08:25 15464 ----a-w- c:\windows\system32\drivers\cmderd.sys
2010-04-05 20:44 . 2010-04-05 20:44 65536 ----a-r- c:\documents and settings\Jim\Application Data\Microsoft\Installer\{E89D78B8-28F7-412F-8B26-C684739CBBDC}\PalmDesktopShortcut.exe
2010-04-05 20:44 . 2010-04-05 20:44 65536 ----a-r- c:\documents and settings\Jim\Application Data\Microsoft\Installer\{E89D78B8-28F7-412F-8B26-C684739CBBDC}\ARPPRODUCTICON.exe
2010-04-05 00:24 . 2010-04-05 00:24 -------- d-----w- c:\documents and settings\Jim\Local Settings\Application Data\ATI
2010-04-05 00:24 . 2010-04-05 00:24 -------- d-----w- c:\documents and settings\Jim\Application Data\ATI
2010-04-05 00:24 . 2010-04-05 00:24 126 ----a-w- c:\documents and settings\Jim\Local Settings\Application Data\fusioncache.dat
2010-04-05 00:24 . 2010-04-18 01:54 -------- d-----w- c:\documents and settings\Jim\Local Settings\Application Data\ApplicationHistory
2010-04-04 06:53 . 2010-04-04 06:53 -------- d-----w- c:\documents and settings\Jim\Application Data\Malwarebytes
2010-04-04 06:52 . 2010-03-30 07:46 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-04 06:52 . 2010-04-04 06:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-04-04 06:52 . 2010-03-30 07:45 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-04 06:52 . 2010-04-16 03:49 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-04 06:31 . 2010-04-04 06:31 -------- d-----w- c:\documents and settings\Jim\Local Settings\Application Data\Threat Expert
2010-04-01 02:32 . 2010-04-01 02:32 45056 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimwmp.dll
2010-04-01 02:32 . 2010-04-01 02:32 45056 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimswf.dll
2010-04-01 02:32 . 2010-04-01 02:32 45056 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimrp.dll
2010-04-01 02:32 . 2010-04-01 02:32 49152 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext\Components\nprpffbrowserrecordext.dll
2010-04-01 02:32 . 2010-04-01 02:32 45056 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\ThinShims\rpnpshimqt.dll
2010-04-01 02:32 . 2010-04-01 02:32 308808 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Common\rpmainbrowserrecordplugin.dll
2010-04-01 02:32 . 2010-04-01 02:32 14848 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll
2010-04-01 02:32 . 2010-04-01 02:32 40960 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Chrome\Hook\rpchromebrowserrecordhelper.dll
2010-04-01 02:31 . 2010-04-01 02:31 -------- d-----w- c:\program files\Common Files\xing shared
2010-04-01 02:26 . 2010-04-01 02:26 -------- d-----w- c:\documents and settings\Jim\Application Data\OverDrive
2010-03-25 20:30 . 2010-03-25 20:30 -------- d-----w- c:\program files\Microsoft Research
2010-03-23 00:09 . 2010-03-23 00:09 8854 ----a-r- c:\documents and settings\Jim\Application Data\Microsoft\Installer\{0B6E1533-7684-48FF-B9F1-5B3B99DC89D5}\UNINST_Uninstall_T_0B6E1533768448FFB9F15B3B99DC89D5.exe
2010-03-23 00:09 . 2010-03-23 00:09 536576 ----a-r- c:\documents and settings\Jim\Application Data\Microsoft\Installer\{0B6E1533-7684-48FF-B9F1-5B3B99DC89D5}\TheSkyX.exe_0B6E1533768448FFB9F15B3B99DC89D5.exe
2010-03-23 00:09 . 2010-03-23 00:09 495670 ----a-r- c:\documents and settings\Jim\Application Data\Microsoft\Installer\{0B6E1533-7684-48FF-B9F1-5B3B99DC89D5}\ARPPRODUCTICON.exe
2010-03-23 00:09 . 2010-03-23 00:09 -------- d-----w- c:\program files\Plus!
2010-03-23 00:05 . 2010-03-23 00:05 -------- d-----w- c:\program files\Software Bisque

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-21 03:23 . 2004-08-04 10:00 4224 ----a-w- c:\windows\system32\drivers\rdpcdd.sys
2010-04-19 11:38 . 2007-01-06 04:59 3064 ----a-w- c:\windows\system32\d3d9caps.dat
2010-04-18 19:13 . 2007-01-07 03:02 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-04-18 19:11 . 2007-01-11 04:26 -------- d-----w- c:\program files\Qwest
2010-04-18 19:09 . 2007-01-11 04:26 -------- d-----w- c:\program files\Common Files\supportsoft
2010-04-18 19:08 . 2008-11-20 03:20 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-04-18 19:08 . 2008-11-20 03:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-04-17 18:27 . 2007-01-07 20:47 -------- d-----w- c:\program files\Alwil Software
2010-04-17 17:29 . 2007-08-18 17:27 -------- d-----w- c:\program files\Java
2010-04-17 17:24 . 2008-10-08 02:45 5820347 ----a-w- c:\windows\Internet Logs\tvDebug.Zip
2010-04-17 17:08 . 2008-12-24 03:27 -------- d-----w- c:\program files\QuickTime
2010-04-17 16:12 . 2009-09-12 23:51 -------- d-----w- c:\documents and settings\All Users\Application Data\McAfee
2010-04-14 12:34 . 2010-02-06 02:50 -------- d-----w- c:\documents and settings\Jim\Application Data\mjusbsp
2010-04-14 03:06 . 2010-04-12 19:45 112 ----a-w- c:\documents and settings\All Users\Application Data\s6I1nLFY.dat
2010-04-14 02:53 . 2010-04-12 23:44 5060 --sha-w- c:\windows\system32\drivers\fidbox2.idx
2010-04-14 02:53 . 2010-04-12 23:44 88916 --sha-w- c:\windows\system32\drivers\fidbox.idx
2010-04-14 02:22 . 2007-08-18 16:56 -------- d-----w- c:\program files\Google
2010-04-05 21:29 . 2007-08-30 06:21 -------- d-----w- c:\program files\palmOne
2010-04-05 00:18 . 2010-02-07 17:47 -------- d-----w- c:\documents and settings\Jim\Application Data\StarOffice8
2010-04-05 00:06 . 2007-10-13 17:31 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-04-01 02:32 . 2010-03-20 01:57 341600 ----a-w- c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
2010-04-01 02:32 . 2008-11-11 03:00 -------- d-----w- c:\program files\Common Files\Real
2010-04-01 02:31 . 2008-11-11 03:00 -------- d-----w- c:\program files\Real
2010-04-01 02:30 . 2007-01-07 20:47 499712 ----a-w- c:\windows\system32\msvcp71.dll
2010-04-01 02:30 . 2007-01-07 20:47 348160 ----a-w- c:\windows\system32\msvcr71.dll
2010-03-25 02:54 . 2007-02-08 03:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2010-03-25 02:53 . 2008-12-24 03:27 -------- d-----w- c:\program files\Common Files\Apple
2010-03-21 02:28 . 2010-03-21 02:28 -------- d-----w- c:\documents and settings\Jim\Application Data\Leadertech
2010-03-20 02:18 . 2010-03-20 02:18 -------- d-----w- c:\documents and settings\Jim\Application Data\Apple Computer
2010-03-10 10:06 . 2010-03-10 10:06 38432 ----a-w- c:\documents and settings\NetworkService\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-03-10 06:15 . 2004-08-04 10:00 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-03-04 14:27 . 2008-12-26 09:40 -------- d-----w- c:\program files\Unlocker
2010-02-26 23:51 . 2010-02-26 23:51 138584 ----a-w- c:\documents and settings\Jim\Application Data\mjusbsp\ug00000\magicJack.dll
2010-02-26 23:51 . 2010-03-02 14:10 6870864 ---ha-w- c:\documents and settings\Jim\Application Data\mjusbsp\Upgrade\setup2.exe
2010-02-26 23:51 . 2010-02-26 23:51 6870864 ----a-w- c:\documents and settings\Jim\Application Data\mjusbsp\ug00000\setup.exe
2010-02-26 23:51 . 2010-02-26 23:51 705936 ----a-w- c:\documents and settings\Jim\Application Data\mjusbsp\magicJackLoader.exe
2010-02-26 23:51 . 2010-02-26 23:51 480608 ----a-w- c:\documents and settings\Jim\Application Data\mjusbsp\octvqe1_apiw.dll
2010-02-26 23:51 . 2010-02-26 23:51 214360 ----a-w- c:\documents and settings\Jim\Application Data\mjusbsp\TjVista.dll
2010-02-26 23:50 . 2010-02-26 23:50 324952 ----a-w- c:\documents and settings\Jim\Application Data\mjusbsp\TjIpSys.dll
2010-02-26 23:50 . 2010-02-26 23:50 615792 ----a-w- c:\documents and settings\Jim\Application Data\mjusbsp\SJHandsetMagicJack.dll
2010-02-26 23:50 . 2010-02-26 23:50 87384 ----a-w- c:\documents and settings\Jim\Application Data\mjusbsp\st00000\mjsetup.exe
2010-02-26 23:50 . 2010-02-26 23:50 138584 ----a-w- c:\documents and settings\Jim\Application Data\mjusbsp\st00000\magicJack.dll
2010-02-26 23:50 . 2010-02-26 23:50 138584 ----a-w- c:\documents and settings\Jim\Application Data\mjusbsp\magicJack.dll
2010-02-26 23:46 . 2010-02-26 23:46 12526424 ----a-w- c:\documents and settings\Jim\Application Data\mjusbsp\magicJack.exe
2010-02-26 23:45 . 2010-03-02 14:10 743872 ---ha-w- c:\documents and settings\Jim\Application Data\mjusbsp\Upgrade\install2.exe
2010-02-26 23:45 . 2010-02-26 23:45 743872 ----a-w- c:\documents and settings\Jim\Application Data\mjusbsp\ug00000\install.exe
2010-02-26 23:45 . 2010-02-26 23:45 87384 ----a-w- c:\documents and settings\Jim\Application Data\mjusbsp\in00000\mjsetup.exe
2010-02-26 23:45 . 2010-02-26 23:45 138584 ----a-w- c:\documents and settings\Jim\Application Data\mjusbsp\in00000\magicJack.dll
2010-02-26 23:44 . 2010-02-26 23:44 138584 ----a-w- c:\documents and settings\Jim\Application Data\mjusbsp\lr00000\magicJack.dll
2010-02-26 23:43 . 2010-02-26 23:43 441704 ----a-w- c:\documents and settings\Jim\Application Data\mjusbsp\ug00000\magicJackSplash.exe
2010-02-26 23:43 . 2010-02-26 23:43 441704 ----a-w- c:\documents and settings\Jim\Application Data\mjusbsp\st00000\magicJackSplash.exe
2010-02-26 23:43 . 2010-02-26 23:43 441704 ----a-w- c:\documents and settings\Jim\Application Data\mjusbsp\magicJackSplash.exe
2010-02-26 23:43 . 2010-02-26 23:43 441704 ----a-w- c:\documents and settings\Jim\Application Data\mjusbsp\in00000\magicJackSplash.exe
2010-02-26 23:43 . 2010-02-26 23:43 50520 ----a-w- c:\documents and settings\Jim\Application Data\mjusbsp\cdloader2 .exe
2010-02-25 06:24 . 2006-03-04 03:33 916480 ------w- c:\windows\system32\wininet.dll
2010-02-24 17:16 . 2009-10-02 18:42 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-02-24 13:11 . 2004-08-04 10:00 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-16 14:08 . 2005-03-30 01:23 2146304 ------w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25 . 2005-03-30 01:01 2024448 ------w- c:\windows\system32\ntkrnlpa.exe
2010-02-15 03:17 . 2010-02-21 17:08 651776 ----a-w- c:\documents and settings\Jim\Application Data\Mozilla\Firefox\Profiles\mwdpz6d4.default\extensions\support@lastpass.com\platform\WINNT_x86-msvc\components\lpxpcom.dll
2010-02-12 04:33 . 2004-08-04 10:00 100864 ----a-w- c:\windows\system32\6to4svc.dll
2010-02-11 12:02 . 2008-07-14 21:47 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys
2010-02-06 02:32 . 2010-02-06 02:32 38432 ----a-w- c:\documents and settings\Jim\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2004-10-01 22:00 . 2007-03-31 04:54 40960 ----a-w- c:\program files\Uninstall_CDS.exe
2001-07-26 23:58 . 2000-01-11 19:50 47 -c--a-w- c:\program files\ACMonitor_X73.ini
2001-07-05 19:46 . 2001-07-20 17:48 8116 -c--a-w- c:\program files\OSLO3071b2.USB
2001-05-08 23:36 . 2000-12-05 22:56 114688 -c--a-w- c:\program files\lxarscan.dll
2001-04-23 21:22 . 2100-02-08 22:53 1437 -c--a-w- c:\program files\gtx73.ini
.
CODE
c:\program files\Common Files\Microsoft Shared\DW\dwtrig20 .exe
c:\program files\Common Files\Real\Update_OB\realsched .exe
c:\program files\Malwarebytes' Anti-Malware\mbam .exe
c:\program files\QuickTime\qttask                    .exe
c:\program files\QuickTime\qttask                   .exe
c:\program files\QuickTime\qttask                  .exe
c:\program files\QuickTime\qttask                 .exe
c:\program files\QuickTime\qttask                .exe
c:\program files\QuickTime\qttask               .exe
c:\program files\QuickTime\qttask             .exe
c:\program files\QuickTime\qttask           .exe
c:\program files\QuickTime\qttask         .exe
c:\program files\QuickTime\qttask       .exe
c:\program files\QuickTime\qttask     .exe
c:\program files\QuickTime\qttask   .exe
c:\program files\QuickTime\qttask .exe
c:\program files\Zone Labs\ZoneAlarm\zlclient .exe


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cfp.exe" [2010-04-09 2029456]

c:\documents and settings\Jim_2\Start Menu\Programs\Startup\AutorunsDisabled
HotSync Manager.lnk - c:\program files\palmOne\HOTSYNC.EXE [2004-4-13 299008]

c:\documents and settings\Jim\Start Menu\Programs\Startup\AutorunsDisabled
HotSync Manager.lnk - c:\program files\palmOne\HOTSYNC.EXE [2004-4-13 299008]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
COMODO Internet Security.lnk - c:\program files\COMODO\COMODO Internet Security\cfp.exe [2010-4-9 2029456]
HOTSYNCSHORTCUTNAME.lnk - c:\program files\palmOne\Hotsync.exe [2004-4-13 299008]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2006-03-13 233472]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\guard32.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\CLPSLS]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"quickcare"=c:\program files\Qwest\QuickCare\bin\sprtcmd.exe /P QUICKCARE

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Sierra\\Counter-Strike\\cstrike.exe"=
"c:\\Program Files\\Valve\\Steam\\Steam.exe"=
"c:\\Program Files\\Adobe\\Photoshop Album Starter Edition\\3.0\\Apps\\Photoshop Album Starter Edition.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\cerberus24\\counter-strike source\\hl2.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\cerberus24\\half-life 2 deathmatch\\hl2.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\cerberus24\\half-life deathmatch source\\hl2.exe"=
"c:\\WINDOWS\\system32\\lxczcoms.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Qwest\\QuickConnect\\QuickConnect.exe"=
"c:\\Documents and Settings\\James Tiffany\\Application Data\\mjusbsp\\magicJack.exe"=
"c:\\Documents and Settings\\Jim\\Application Data\\mjusbsp\\magicJack.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"17478:UDP"= 17478:UDP:Delta Force Land Warrior

R1 cmderd;COMODO Internet Security Eradication Driver;c:\windows\system32\drivers\cmderd.sys [4/9/2010 01:25 15464]
R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdGuard.sys [4/9/2010 01:25 225344]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [4/9/2010 01:25 25240]
R2 CLPSLS;COMODO livePCsupport Service;c:\program files\Comodo\COMODO livePCsupport\CLPSLS.exe [2/19/2010 17:00 148744]
R2 PermissionTVDownloadManager;PermissionTV Download Manager Service;c:\progra~1\PERMIS~1\bin\dm.exe [12/26/2008 13:26 213053]
R2 sprtlisten;SupportSoft Listener Service;c:\program files\Common Files\supportsoft\bin\sprtlisten.exe [1/8/2008 12:02 1213728]
S1 MpKslaf321c6a;MpKslaf321c6a;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{5ABE4379-02A2-416E-9603-7F7367330B12}\MpKslaf321c6a.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{5ABE4379-02A2-416E-9603-7F7367330B12}\MpKslaf321c6a.sys [?]
S1 SASKUTIL;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.SYS --> c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [4/13/2010 19:19 133104]
S3 DrmRDriverV32;DrmRDriverV32;c:\windows\system32\drivers\DrmRDriverV32.sys [9/14/2008 09:11 508544]
S3 DrmRVideo32;DrmRVideo32;c:\windows\system32\drivers\DrmRVideo32.sys [9/14/2008 09:11 3768]
S3 iTurns;iTurns;c:\windows\system32\drivers\iTurns.sys [7/18/2008 09:10 25344]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2010-04-21 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-04-14 02:18]

2010-04-21 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-04-14 02:18]

2010-04-21 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-725345543-682003330-497453004-1006.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 05:09]

2010-04-21 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-725345543-682003330-497453004-1007.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 05:09]

2010-04-21 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-725345543-682003330-497453004-1006.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 05:09]

2010-04-21 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-725345543-682003330-497453004-1007.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 05:09]

2010-04-21 c:\windows\Tasks\User_Feed_Synchronization-{6F35CF3C-07D7-4D80-B018-75CE993612C7}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 11:31]
.
.
------- Supplementary Scan -------
.
IE: LastPass - file://c:\program files\LastPass\context.html?cmd=lastpass
IE: LastPass Fill Forms - file://c:\program files\LastPass\context.html?cmd=fillforms
TCP: {9CBFCC0D-5192-4EBF-9872-0621EE296BC2} = 208.67.222.222,208.67.220.220
DPF: {594ECDD4-A991-4208-A7B7-00DDAD9BE328} - hxxp://media.labs.live.com/all/ps/_code_/Photosynth.cab
FF - ProfilePath - c:\documents and settings\Jim\Application Data\Mozilla\Firefox\Profiles\mwdpz6d4.default\
FF - component: c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext\components\nprpffbrowserrecordext.dll
FF - component: c:\documents and settings\Jim\Application Data\Mozilla\Firefox\Profiles\mwdpz6d4.default\extensions\support@lastpass.com\platform\WINNT_x86-msvc\components\lpxpcom.dll
FF - plugin: c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npGoogleGadgetPluginFirefoxWin.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
- - - - ORPHANS REMOVED - - - -

AddRemove-HijackThis - c:\mgtools\HijackThis.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-20 20:52
Windows 5.1.2600 Service Pack 3 NTFS

detected NTDLL code modification:
ZwClose, ZwOpenFile

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(996)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2010-04-20 20:55:41
ComboFix-quarantined-files.txt 2010-04-21 03:55
ComboFix2.txt 2010-04-17 19:47
ComboFix3.txt 2010-04-12 22:36

Pre-Run: 6,659,297,280 bytes free
Post-Run: 6,811,803,648 bytes free

- - End Of File - - 3F4629E3E8EB02E2FF515A5D5CF82347

Edited by JimT343, 20 April 2010 - 11:49 PM.


#6 extremeboy

  • Malware Response Team
  • 12,975 posts
  • Gender:Male

Posted 21 April 2010 - 02:40 PM

QUOTE
Should I go ahead and check the Windows Update page for updates for my PC

Not yet. We'll do that once we're done.

Combofix removed that successfully, but we're not quite done yet.

Run ComboFix with CFScript

We will run ComboFix again. This time, the instructions are slightly different.
  • Close any open browsers.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are unsure how.
  • Open notepad (Start>Run>"notepad") and copy/paste the text in the quotebox below into it:
    CODE
    Driver::
    MpKslaf32
    DDS::
    TCP: {9CBFCC0D-5192-4EBF-9872-0621EE296BC2} = 208.67.222.222,208.67.220.220
    RenV::
    c:\program files\Common Files\Microsoft Shared\DW\dwtrig20 .exe
    c:\program files\Common Files\Real\Update_OB\realsched .exe
    c:\program files\Malwarebytes' Anti-Malware\mbam .exe
    c:\program files\QuickTime\qttask                    .exe
    c:\program files\QuickTime\qttask                   .exe
    c:\program files\QuickTime\qttask                  .exe
    c:\program files\QuickTime\qttask                 .exe
    c:\program files\QuickTime\qttask                .exe
    c:\program files\QuickTime\qttask               .exe
    c:\program files\QuickTime\qttask             .exe
    c:\program files\QuickTime\qttask           .exe
    c:\program files\QuickTime\qttask         .exe
    c:\program files\QuickTime\qttask       .exe
    c:\program files\QuickTime\qttask     .exe
    c:\program files\QuickTime\qttask   .exe
    c:\program files\QuickTime\qttask .exe
    c:\program files\Zone Labs\ZoneAlarm\zlclient .exe
    Save this as CFScript.txt, in the same location as ComboFix.exe. (This should be your desktop.)

    Referring to the picture above, drag CFScript into ComboFix.exe.
When finished, it shall produce a log for you at "C:\ComboFix.txt". Post back with that log.

Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Update and Scan with MalwareBytes Anti-Malware
  • Launch Malwarebytes' Anti-Malware
  • Go to the Update tab
  • Select Check for Update and let MBAM download and install any available updates.
  • After the update is complete go to the Scanner tab.
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.


~EB
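A small log-triage script, added here as an example and not part of extremeboy's instructions or of ComboFix itself: it scans ComboFix-style log lines for executables whose name carries blank padding before ".exe" (the entries the CFScript above lists under RenV::), groups them by the name they would have without the padding, and emits a RenV:: block in the same layout. The sample lines are taken from the log posted in this thread, plus one constructed clean QuickTime path to show an ordinary entry is skipped.

```python
"""Triage helper for ComboFix-style logs (added example, not ComboFix code).

Flags executables whose file name carries blank padding before ".exe"
(e.g. "qttask   .exe"), groups them by the unpadded name, and emits the
RenV:: block in the CFScript layout used in this thread.
"""
import re
from typing import Dict, List

# Any Windows path in a line: ComboFix prefixes file entries with date,
# size and attribute columns, while its CODE block lists bare paths.
WIN_PATH = re.compile(r"[A-Za-z]:\\.*$")

# Base name, then one or more spaces/tabs, then ".exe" at the end of the path.
# Case-insensitive because Windows file names are.
PADDED_EXE = re.compile(
    r"^(?P<stem>.*?\\[^\\]*?)(?P<pad>[ \t]+)\.exe$", re.IGNORECASE
)

# Constructed sample: lines taken from the ComboFix log in this thread plus
# one clean QuickTime path (constructed) to show a normal entry is skipped.
SAMPLE_LOG = [
    r"2010-04-17 17:21 . 2010-04-17 17:21 2389388 ----a-w- C:\MGtools.exe",
    r"2010-04-17 18:10 . 2010-04-17 18:12 -------- d-----w- c:\program files\Comodo",
    r"2010-02-26 23:43 . 2010-02-26 23:43 50520 ----a-w- c:\documents and settings\Jim\Application Data\mjusbsp\cdloader2 .exe",
    r"c:\program files\Common Files\Microsoft Shared\DW\dwtrig20 .exe",
    r"c:\program files\Malwarebytes' Anti-Malware\mbam .exe",
    r"c:\program files\QuickTime\qttask    .exe",
    r"c:\program files\QuickTime\qttask   .exe",
    r"c:\program files\QuickTime\qttask .exe",
    r"c:\program files\Zone Labs\ZoneAlarm\zlclient .exe",
    r"c:\program files\QuickTime\qttask.exe",
]


def find_padded_executables(lines: List[str]) -> List[Dict[str, object]]:
    """Return one record per log line whose path ends in '<name><blanks>.exe'."""
    hits: List[Dict[str, object]] = []
    for raw in lines:
        m = WIN_PATH.search(raw.rstrip())
        if not m:
            continue  # header, separator or non-path line
        path = m.group(0)
        pm = PADDED_EXE.match(path)
        if not pm:
            continue  # ordinary file or directory entry
        hits.append({
            "path": path,                        # exactly as logged
            "clean": pm.group("stem") + ".exe",  # name without the padding
            "padding": len(pm.group("pad")),     # how many blanks were inserted
        })
    return hits


def group_by_clean_name(hits: List[Dict[str, object]]) -> Dict[str, List[str]]:
    """Map each unpadded name (lower-cased) to the padded paths that use it."""
    groups: Dict[str, List[str]] = {}
    for h in hits:
        groups.setdefault(str(h["clean"]).lower(), []).append(str(h["path"]))
    return groups


def renv_section(hits: List[Dict[str, object]]) -> str:
    """Build a RenV:: block: the directive line, then each padded path verbatim."""
    if not hits:
        return ""
    ordered: List[str] = []
    for h in hits:
        if h["path"] not in ordered:  # keep order, drop exact duplicates
            ordered.append(str(h["path"]))
    return "RenV::\n" + "\n".join(ordered) + "\n"


if __name__ == "__main__":
    found = find_padded_executables(SAMPLE_LOG)
    for name, paths in group_by_clean_name(found).items():
        print(f"{len(paths):2d} padded variant(s) of {name}")
    print(renv_section(found), end="")
```

The padding must be preserved byte-for-byte in the emitted block, which is why the script copies the logged path unchanged rather than normalising whitespace.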

#7 JimT343

  • Topic Starter

  • Members
  • 46 posts

Posted 22 April 2010 - 12:00 AM

OK, I updated and ran both ComboFix and Malwarebytes' Anti-Malware.

EDIT: I still can't run .exe files or get into Control Panel in my limited account.

Here are the logs:

ComboFix 10-04-21.01 - Jim 04/21/2010 19:47:56.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.536 [GMT -7:00]
Running from: c:\documents and settings\Jim\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Jim\Desktop\cfscript.txt
AV: COMODO Antivirus *On-access scanning disabled* (Outdated) {043803A5-4F86-4ef7-AFC5-F6E02A79969B}
FW: COMODO Firewall *disabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}
.

((((((((((((((((((((((((( Files Created from 2010-03-22 to 2010-04-22 )))))))))))))))))))))))))))))))
.

2100-02-23 21:35 . 2001-02-22 16:54 768 -c--a-w- c:\program files\x73_lut.dat
2100-02-08 23:03 . 2001-05-11 18:39 53248 -c--a-w- c:\program files\ACMonitor_X73.exe
2010-04-21 04:40 . 2010-04-21 12:30 -------- d-----w- c:\documents and settings\Jim_2\Local Settings\Application Data\Microsoft
2010-04-21 04:40 . 2010-04-21 12:31 -------- d-----w- c:\documents and settings\Jim_2
2010-04-19 11:45 . 2010-04-19 11:45 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\khbkkdrqs
2010-04-19 04:28 . 2010-04-19 04:28 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2010-04-19 02:43 . 2010-04-19 02:43 -------- d-----w- C:\VritualRoot
2010-04-18 01:47 . 2010-04-18 01:54 159345 ----a-w- C:\MGlogs.zip
2010-04-18 01:46 . 2010-04-18 01:54 -------- d-----w- C:\MGtools
2010-04-17 20:52 . 2010-04-17 20:52 15944 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-04-17 20:52 . 2010-04-17 20:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro
2010-04-17 20:52 . 2010-04-17 20:52 -------- d-----w- c:\program files\Hitman Pro 3.5
2010-04-17 20:49 . 2010-04-17 20:50 -------- d-----w- c:\documents and settings\All Users\Application Data\COMODO
2010-04-17 20:48 . 2010-04-21 17:50 174656 ----a-w- c:\windows\system32\drivers\sfi.dat
2010-04-17 18:10 . 2010-04-17 18:12 -------- d-----w- c:\program files\Comodo
2010-04-17 18:10 . 2010-04-17 18:10 -------- d-----w- c:\documents and settings\Jim\Application Data\Comodo
2010-04-17 18:10 . 2010-04-17 18:46 5542592 ----a-w- c:\documents and settings\All Users\Application Data\Comodo Downloader\hopsurf.exe
2010-04-17 18:09 . 2010-04-17 20:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Comodo Downloader
2010-04-17 18:06 . 2010-04-17 18:06 -------- d-----w- c:\documents and settings\Jim\Application Data\Yahoo!
2010-04-17 18:06 . 2010-04-17 18:34 -------- d-----w- c:\program files\Yahoo!
2010-04-17 18:06 . 2010-04-17 18:06 -------- d-----w- c:\program files\CCleaner
2010-04-17 17:30 . 2010-04-17 17:30 503808 ----a-w- c:\documents and settings\Jim\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-23667e6a-n\msvcp71.dll
2010-04-17 17:30 . 2010-04-17 17:30 499712 ----a-w- c:\documents and settings\Jim\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-23667e6a-n\jmc.dll
2010-04-17 17:30 . 2010-04-17 17:30 348160 ----a-w- c:\documents and settings\Jim\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-23667e6a-n\msvcr71.dll
2010-04-17 17:30 . 2010-04-17 17:30 61440 ----a-w- c:\documents and settings\Jim\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-7bd23969-n\decora-sse.dll
2010-04-17 17:30 . 2010-04-17 17:30 12800 ----a-w- c:\documents and settings\Jim\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-7bd23969-n\decora-d3d.dll
2010-04-17 17:30 . 2010-04-17 17:30 -------- d-----w- c:\program files\Common Files\Java
2010-04-17 17:30 . 2010-04-17 17:29 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-04-17 17:28 . 2010-04-17 17:28 79488 ----a-w- c:\documents and settings\Jim\Application Data\Sun\Java\jre1.6.0_20\gtapi.dll
2010-04-17 17:28 . 2010-04-17 17:28 152576 ----a-w- c:\documents and settings\Jim\Application Data\Sun\Java\jre1.6.0_20\lzma.dll
2010-04-17 17:26 . 2010-04-17 17:26 -------- d-----w- c:\documents and settings\Jim\Application Data\FaxCtr
2010-04-17 17:26 . 2010-04-17 17:26 -------- d-----w- c:\documents and settings\Jim\Local Settings\Application Data\SupportSoft
2010-04-17 17:21 . 2010-04-17 17:21 2389388 ----a-w- C:\MGtools.exe
2010-04-17 09:27 . 2010-04-17 09:27 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE
2010-04-17 08:21 . 2010-04-17 08:21 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\avG
2010-04-17 08:21 . 2010-04-17 08:21 -------- d-----w- c:\documents and settings\All Users\Application Data\avG
2010-04-16 03:37 . 2010-04-16 03:37 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-04-16 03:36 . 2010-04-16 13:24 -------- d-----w- c:\documents and settings\Jim\Application Data\SUPERAntiSpyware.com

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.

((((((((((((((((((((((((((((( SnapShot@2010-04-21_03.53.02 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-04-21 17:51 . 2010-04-21 17:51 16384 c:\windows\Temp\Perflib_Perfdata_2ec.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cfp.exe" [2010-04-09 2029456]

c:\documents and settings\Jim\Start Menu\Programs\Startup\AutorunsDisabled
HotSync Manager.lnk - c:\program files\palmOne\HOTSYNC.EXE [2004-4-13 299008]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
COMODO Internet Security.lnk - c:\program files\COMODO\COMODO Internet Security\cfp.exe [2010-4-9 2029456]
HOTSYNCSHORTCUTNAME.lnk - c:\program files\palmOne\Hotsync.exe [2004-4-13 299008]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2006-03-13 233472]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\guard32.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\CLPSLS]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"quickcare"=c:\program files\Qwest\QuickCare\bin\sprtcmd.exe /P QUICKCARE

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Sierra\\Counter-Strike\\cstrike.exe"=
"c:\\Program Files\\Valve\\Steam\\Steam.exe"=
"c:\\Program Files\\Adobe\\Photoshop Album Starter Edition\\3.0\\Apps\\Photoshop Album Starter Edition.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\cerberus24\\counter-strike source\\hl2.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\cerberus24\\half-life 2 deathmatch\\hl2.exe"=
"c:\\Program Files\\Valve\\Steam\\SteamApps\\cerberus24\\half-life deathmatch source\\hl2.exe"=
"c:\\WINDOWS\\system32\\lxczcoms.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Qwest\\QuickConnect\\QuickConnect.exe"=
"c:\\Documents and Settings\\James Tiffany\\Application Data\\mjusbsp\\magicJack.exe"=
"c:\\Documents and Settings\\Jim\\Application Data\\mjusbsp\\magicJack.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"17478:UDP"= 17478:UDP:Delta Force Land Warrior

R1 cmderd;COMODO Internet Security Eradication Driver;c:\windows\system32\drivers\cmderd.sys [4/9/2010 01:25 15464]
R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdGuard.sys [4/9/2010 01:25 225344]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [4/9/2010 01:25 25240]
R2 CLPSLS;COMODO livePCsupport Service;c:\program files\Comodo\COMODO livePCsupport\CLPSLS.exe [2/19/2010 17:00 148744]
R2 PermissionTVDownloadManager;PermissionTV Download Manager Service;c:\progra~1\PERMIS~1\bin\dm.exe [12/26/2008 13:26 213053]
R2 sprtlisten;SupportSoft Listener Service;c:\program files\Common Files\supportsoft\bin\sprtlisten.exe [1/8/2008 12:02 1213728]
S1 MpKslaf321c6a;MpKslaf321c6a;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{5ABE4379-02A2-416E-9603-7F7367330B12}\MpKslaf321c6a.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{5ABE4379-02A2-416E-9603-7F7367330B12}\MpKslaf321c6a.sys [?]
S1 SASKUTIL;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.SYS --> c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [4/13/2010 19:19 133104]
S3 DrmRDriverV32;DrmRDriverV32;c:\windows\system32\drivers\DrmRDriverV32.sys [9/14/2008 09:11 508544]
S3 DrmRVideo32;DrmRVideo32;c:\windows\system32\drivers\DrmRVideo32.sys [9/14/2008 09:11 3768]
S3 iTurns;iTurns;c:\windows\system32\drivers\iTurns.sys [7/18/2008 09:10 25344]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2010-04-22 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-04-14 02:18]

2010-04-22 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-04-14 02:18]

2010-04-22 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-725345543-682003330-497453004-1006.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 05:09]

2010-04-22 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-725345543-682003330-497453004-1007.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 05:09]

2010-04-22 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-725345543-682003330-497453004-1008.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 05:09]

2010-04-22 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-725345543-682003330-497453004-1006.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 05:09]

2010-04-21 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-725345543-682003330-497453004-1007.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 05:09]

2010-04-22 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-725345543-682003330-497453004-1008.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2010-02-25 05:09]

2010-04-22 c:\windows\Tasks\User_Feed_Synchronization-{6F35CF3C-07D7-4D80-B018-75CE993612C7}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 11:31]
.
.
------- Supplementary Scan -------
.
IE: LastPass - file://c:\program files\LastPass\context.html?cmd=lastpass
IE: LastPass Fill Forms - file://c:\program files\LastPass\context.html?cmd=fillforms
DPF: {594ECDD4-A991-4208-A7B7-00DDAD9BE328} - hxxp://media.labs.live.com/all/ps/_code_/Photosynth.cab
FF - ProfilePath - c:\documents and settings\Jim\Application Data\Mozilla\Firefox\Profiles\mwdpz6d4.default\
FF - component: c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext\components\nprpffbrowserrecordext.dll
FF - component: c:\documents and settings\Jim\Application Data\Mozilla\Firefox\Profiles\mwdpz6d4.default\extensions\support@lastpass.com\platform\WINNT_x86-msvc\components\lpxpcom.dll
FF - plugin: c:\documents and settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npGoogleGadgetPluginFirefoxWin.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-04-21 19:58
Windows 5.1.2600 Service Pack 3 NTFS

detected NTDLL code modification:
ZwClose, ZwOpenFile

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(996)
c:\windows\system32\guard32.dll
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'lsass.exe'(1052)
c:\windows\system32\guard32.dll

- - - - - - - > 'explorer.exe'(3132)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\msi.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-04-21 20:01:38
ComboFix-quarantined-files.txt 2010-04-22 03:01
ComboFix2.txt 2010-04-21 03:55
ComboFix3.txt 2010-04-17 19:47
ComboFix4.txt 2010-04-12 22:36

Pre-Run: 6,693,478,400 bytes free
Post-Run: 6,723,567,616 bytes free

- - End Of File - - A322D619E44171B2DE84CC57C7C490B8


And the MBAM log:

Malwarebytes' Anti-Malware 1.45
www.malwarebytes.org

Database version: 4020

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

4/21/2010 20:42:07
mbam-log-2010-04-21 (20-42-07).txt

Scan type: Quick scan
Objects scanned: 143443
Time elapsed: 36 minute(s), 5 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Edited by JimT343, 22 April 2010 - 07:49 AM.


#8 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • Gender:Male
  • Local time:10:26 AM

Posted 22 April 2010 - 07:51 PM

Can you please run DDS in your limited account.
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#9 JimT343

JimT343
  • Topic Starter

  • Members
  • 46 posts
  • Local time:07:26 AM

Posted 22 April 2010 - 09:34 PM

Yes. Interestingly, Comodo Anti-virus prevented it from running at first. I didn't realize that the antivirus program would prevent something running in another account. Of course, since Comodo is not running in my limited account, I didn't get any warning; the program just wouldn't run. When I switched over to the administrator account, I got the warnings about DDS. When I disabled Comodo in my administrator account, I was able to run DDS in the limited account.

By the way, Comodo reports that the virus database is not up-to-date; I tried to let it update but I get an error message stating that the update failed after the update gets to 5%.

The only other program I can run in the limited account so far is IE8. I have no idea why it will run and nothing else will.

Here is the DDS log from the limited account. The other DDS log is attached to this post.

Thanks.

DDS (Ver_10-03-17.01) - NTFSx86
Run by Jim_2 at 19:23:10.59 on Thu 04/22/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_20
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.664 [GMT -7:00]

AV: COMODO Antivirus *On-access scanning disabled* (Outdated) {043803A5-4F86-4ef7-AFC5-F6E02A79969B}
FW: COMODO Firewall *disabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}

============== Running Processes ===============

svchost.exe
svchost.exe
svchost.exe
svchost.exe
svchost.exe
svchost.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Documents and Settings\Jim_2\Desktop\dds.scr

============== Pseudo HJT Report ===============

BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: LastPass Browser Helper Object: {95d9ecf5-2a4d-4550-be49-70d42f71296e} - c:\program files\lastpass\LPBar.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: LastPass Toolbar: {9f6b5cc3-5c7b-4b5c-97af-19dec1e380e5} - c:\program files\lastpass\LPBar.dll
TB: HopSurf toolbar: {e9fab13d-4600-49e1-90d1-ee961c859d39} - c:\program files\comodo\hopsurftoolbar\HopSurfToolbar_IE.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [COMODO Internet Security] "c:\program files\comodo\comodo internet security\cfp.exe" -h
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\comodo~1.lnk - c:\program files\comodo\comodo internet security\cfp.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hotsyn~2.lnk - c:\program files\palmone\Hotsync.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {43699cd0-e34f-11de-8a39-0800200c9a66} - {95D9ECF5-2A4D-4550-BE49-70D42F71296E} - c:\program files\lastpass\LPBar.dll
IE: {ED98F8D1-09AC-4107-B2FF-91DBE011B0C5} - {6BBCFF8E-D837-4DA4-9141-1F645B34A179} - c:\program files\comodo\hopsurftoolbar\HopSurfToolbar_IE.dll
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://a1540.g.akamai.net/7/1540/52/20061205/qtinstall.info.apple.com/qtactivex/qtplugin.cab
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://go.microsoft.com/fwlink/?linkid=58813
DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} - hxxp://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/5/b/0/5b0d4654-aa20-495c-b89f-c1c34c691085/LegitCheckControl.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - hxxp://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.3.102.cab
DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} - hxxp://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://photos.walmart.com/WalmartActivia.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://by120fd.bay120.hotmail.msn.com/resources/MsnPUpld.cab
DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} - hxxp://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
DPF: {594ECDD4-A991-4208-A7B7-00DDAD9BE328} - hxxp://media.labs.live.com/all/ps/_code_/Photosynth.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1171514215500
DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1171514206484
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {A4110378-789B-455F-AE86-3A1BFC402853} - hxxp://zone.msn.com/bingame/zpagames/zpa_shvl.cab55579.cab
DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} - hxxp://www.sibelius.com/download/software/win/ActiveXPlugin.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} - hxxp://zone.msn.com/binframework/v10/StProxy.cab55579.cab
DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} - hxxp://gfx1.hotmail.com/mail/w4/pr01/photouploadcontrol/MSNPUpld.cab
Notify: AtiExtEvent - Ati2evxx.dll
AppInit_DLLs: c:\windows\system32\guard32.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

================= FIREFOX ===================

FF - ProfilePath -
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 xfilt;VIA SATA IDE Hot-plug Driver;c:\windows\system32\drivers\xfilt.sys [2007-1-8 11264]
R1 cmderd;COMODO Internet Security Eradication Driver;c:\windows\system32\drivers\cmderd.sys [2010-4-9 15464]
R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdGuard.sys [2010-4-9 225344]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [2010-4-9 25240]
R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-7-8 214664]
R2 CLPSLS;COMODO livePCsupport Service;c:\program files\comodo\comodo livepcsupport\CLPSLS.exe [2010-2-19 148744]
R2 cmdAgent;COMODO Internet Security Helper Service;c:\program files\comodo\comodo internet security\cmdagent.exe [2010-4-9 1769216]
R2 PermissionTVDownloadManager;PermissionTV Download Manager Service;c:\progra~1\permis~1\bin\dm.exe [2008-12-26 213053]
R2 sprtlisten;SupportSoft Listener Service;c:\program files\common files\supportsoft\bin\sprtlisten.exe [2008-1-8 1213728]
S1 MpKslaf321c6a;MpKslaf321c6a;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{5abe4379-02a2-416e-9603-7f7367330b12}\mpkslaf321c6a.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{5abe4379-02a2-416e-9603-7f7367330b12}\MpKslaf321c6a.sys [?]
S1 SASKUTIL;SASKUTIL;\??\c:\program files\superantispyware\saskutil.sys --> c:\program files\superantispyware\SASKUTIL.SYS [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-4-13 133104]
S3 DrmRDriverV32;DrmRDriverV32;c:\windows\system32\drivers\DrmRDriverV32.sys [2008-9-14 508544]
S3 DrmRVideo32;DrmRVideo32;c:\windows\system32\drivers\DrmRVideo32.sys [2008-9-14 3768]
S3 iTurns;iTurns;c:\windows\system32\drivers\iTurns.sys [2008-7-18 25344]
S3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2009-9-12 79816]
S3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2009-9-12 35272]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2009-9-12 34248]
S3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2009-9-12 40552]

============== File Associations ===============

.exe=secfile

=============== Created Last 30 ================

2100-02-23 21:35:34 768 -c--a-w- c:\program files\x73_lut.dat
2100-02-08 23:03:54 53248 -c--a-w- c:\program files\ACMonitor_X73.exe
2010-04-22 12:29:16 0 d-sh--w- c:\documents and settings\jim_2\IECompatCache
2010-04-21 12:43:36 0 d-----w- c:\docume~1\jim_2\applic~1\Comodo
2010-04-21 12:31:01 0 d-----w- c:\documents and settings\jim_2\Tracing
2010-04-21 06:26:49 0 d-sh--w- c:\documents and settings\jim_2\PrivacIE
2010-04-19 02:43:31 0 d-----w- C:\VritualRoot
2010-04-18 01:47:51 159345 ----a-w- C:\MGlogs.zip
2010-04-18 01:46:37 0 d-----w- C:\MGtools
2010-04-17 20:52:51 15944 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-04-17 20:52:40 0 d-----w- c:\docume~1\alluse~1\applic~1\Hitman Pro
2010-04-17 20:52:27 0 d-----w- c:\program files\Hitman Pro 3.5
2010-04-17 20:49:07 0 d-----w- c:\docume~1\alluse~1\applic~1\COMODO
2010-04-17 20:48:32 174656 ----a-w- c:\windows\system32\drivers\sfi.dat
2010-04-17 18:10:51 0 d-----w- c:\program files\Comodo
2010-04-17 18:09:54 0 d-----w- c:\docume~1\alluse~1\applic~1\Comodo Downloader
2010-04-17 18:06:28 0 d-----w- c:\program files\Yahoo!
2010-04-17 18:06:25 0 d-----w- c:\program files\CCleaner
2010-04-17 17:30:09 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-04-17 17:30:09 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-04-17 17:21:55 2389388 ----a-w- C:\MGtools.exe
2010-04-17 08:21:27 0 d-----w- c:\docume~1\alluse~1\applic~1\avG
2010-04-16 03:37:02 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-04-14 05:26:06 182912 ----a-w- c:\windows\system32\drivers\ndis.sys
2010-04-14 05:25:00 616960 ----a-w- c:\windows\system32\drivers\advapi32.dll
2010-04-14 05:24:34 95360 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-04-14 05:03:09 0 d-----w- c:\program files\Sophos
2010-04-14 02:17:59 0 d-----w- c:\docume~1\alluse~1\applic~1\Alwil Software
2010-04-13 13:23:23 0 d-----w- c:\docume~1\alluse~1\applic~1\PC Tools
2010-04-13 02:41:58 364470272 ----a-w- C:\Backup 12 April 2010.bkf
2010-04-13 01:52:41 2728 ----a-w- C:\rollback.ini
2010-04-12 23:44:04 88916 --sha-w- c:\windows\system32\drivers\fidbox.idx
2010-04-12 23:44:04 6558752 --sha-w- c:\windows\system32\drivers\fidbox.dat
2010-04-12 23:44:04 5060 --sha-w- c:\windows\system32\drivers\fidbox2.idx
2010-04-12 23:44:04 43296 --sha-w- c:\windows\system32\drivers\fidbox2.dat
2010-04-12 23:32:39 77312 ----a-w- c:\windows\system32\ztvunace26.dll
2010-04-12 23:32:39 75264 ----a-w- c:\windows\system32\unacev2.dll
2010-04-12 23:32:39 69632 ----a-w- c:\windows\system32\ztvcabinet.dll
2010-04-12 23:32:39 162304 ----a-w- c:\windows\system32\ztvunrar36.dll
2010-04-12 23:32:39 153088 ----a-w- c:\windows\system32\UNRAR3.dll
2010-04-12 23:29:18 0 d-----w- c:\docume~1\alluse~1\applic~1\ParetoLogic
2010-04-12 22:03:50 0 d-sha-r- C:\cmdcons
2010-04-12 22:01:04 98816 ----a-w- c:\windows\sed.exe
2010-04-12 22:01:04 77312 ----a-w- c:\windows\MBR.exe
2010-04-12 22:01:04 261632 ----a-w- c:\windows\PEV.exe
2010-04-12 22:01:04 161792 ----a-w- c:\windows\SWREG.exe
2010-04-12 19:45:00 112 ----a-w- c:\docume~1\alluse~1\applic~1\s6I1nLFY.dat
2010-04-09 08:26:12 277240 ----a-w- c:\windows\system32\guard32.dll
2010-04-09 08:25:46 25240 ----a-w- c:\windows\system32\drivers\cmdhlp.sys
2010-04-09 08:25:46 225344 ----a-w- c:\windows\system32\drivers\cmdGuard.sys
2010-04-09 08:25:44 15464 ----a-w- c:\windows\system32\drivers\cmderd.sys
2010-04-04 06:52:45 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-04 06:52:41 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-04-04 06:52:39 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-04 06:52:37 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-01 02:31:40 0 d-----w- c:\program files\common files\xing shared
2010-03-25 20:30:06 0 d-----w- c:\program files\Microsoft Research

==================== Find3M ====================

2010-04-21 03:23:40 4224 ----a-w- c:\windows\system32\drivers\rdpcdd.sys
2010-04-19 11:38:45 3064 ----a-w- c:\windows\system32\d3d9caps.dat
2010-04-01 02:30:03 499712 ----a-w- c:\windows\system32\msvcp71.dll
2010-04-01 02:30:03 348160 ----a-w- c:\windows\system32\msvcr71.dll
2010-03-10 06:15:52 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-02-25 06:24:37 916480 ------w- c:\windows\system32\wininet.dll
2010-02-24 17:16:06 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-02-24 13:11:07 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-16 14:08:49 2146304 ------w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25:04 2024448 ------w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 04:33:11 100864 ----a-w- c:\windows\system32\6to4svc.dll
2004-10-01 22:00:16 40960 ----a-w- c:\program files\Uninstall_CDS.exe
2001-07-26 23:58:46 47 -c--a-w- c:\program files\ACMonitor_X73.ini
2001-07-05 19:46:44 8116 -c--a-w- c:\program files\OSLO3071b2.USB
2001-05-08 23:36:42 114688 -c--a-w- c:\program files\lxarscan.dll
2001-04-23 21:22:14 1437 -c--a-w- c:\program files\gtx73.ini

============= FINISH: 19:23:33.07 ===============


#10 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • Gender:Male

Posted 23 April 2010 - 09:18 PM

Run Malwarebytes on the limited user, give permission as needed and disable any real-time protection security programs.

Then, run OTM...

Download and Run OTM
  1. Please download OTM by OldTimer and save it to your desktop.
  2. Double click the icon on your desktop. If you are running on Vista, right click on the file and choose Run As Administrator.
  3. Paste the following code under the area. Do not include the word "Code".
    CODE
    :reg
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.exe]
    @="exefile"
    [HKEY_CURRENT_USER\SOFTWARE\Classes\.exe]
    @="exefile"
    :commands
    [CREATERESTOREPOINT]
    [resethosts]
    [emptytemp]
  4. Click the large button.
  5. If OTM requires a reboot, please allow it to do so.
  6. Copy/Paste the contents under the line here in your next reply.
Note: If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

That should fix the .exe file association problem.
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.
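The `.exe=secfile` line in the DDS log above is the file-association hijack that the OTM `:reg` block resets. As an added example that is not from the thread, DDS or OTM, this Python script parses that section of a DDS log, flags any handler other than `exefile`, emits the same two registry resets, and (my own triage heuristic) lists "Created Last 30" entries stamped after the log date, as the 2100-dated files in the earlier log are; the sample log is constructed.

```python
"""Triage the 'File Associations' and 'Created Last 30' sections of a DDS
log and build the registry fix that restores the .exe handler.

Added example, not part of the thread or of DDS/OTM. The DDS line format
('.exe=secfile') and the OTM ':reg' fix are taken from the posts above.
"""
import re
from datetime import date

# Constructed excerpt mimicking the DDS log posted in the thread.
SAMPLE_DDS_LOG = """\
============== File Associations ===============

.exe=secfile

=============== Created Last 30 ================

2100-02-23 21:35:34 768 -c--a-w- c:\\program files\\x73_lut.dat
2010-04-22 12:29:16 0 d-sh--w- c:\\documents and settings\\jim_2\\IECompatCache
"""

# The handler Windows XP registers for .exe by default.
EXPECTED_EXE_HANDLER = "exefile"

# DDS section headers look like "======= Title =======".
SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")


def parse_dds_sections(text):
    """Split a DDS log into {section_title: [non-empty lines]}.
    Lines before the first header are stored under ''."""
    sections = {"": []}
    current = ""
    for line in text.splitlines():
        m = SECTION_RE.match(line.strip())
        if m:
            current = m.group(1)
            sections[current] = []
        elif line.strip():
            sections[current].append(line.rstrip())
    return sections


def file_associations(sections):
    """Return {'.exe': 'secfile', ...} from the File Associations section."""
    assoc = {}
    for line in sections.get("File Associations", []):
        ext, _, handler = line.partition("=")
        if ext.startswith("."):
            assoc[ext.lower()] = handler.strip()
    return assoc


def hijacked_exe_handler(assoc):
    """Return the foreign handler name if .exe no longer maps to exefile,
    otherwise None. A foreign handler is what makes Windows ask which
    program created an .exe, as the limited account saw in the thread."""
    handler = assoc.get(".exe")
    if handler and handler.lower() != EXPECTED_EXE_HANDLER:
        return handler
    return None


def otm_reg_fix():
    """The OTM ':reg' block from post #10. HKEY_CLASSES_ROOT is HKLM\\Software
    \\Classes overlaid by HKCU\\Software\\Classes, and the per-user key wins,
    so both must be reset or the hijack survives in the user hive."""
    return (
        ":reg\n"
        "[HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\.exe]\n"
        '@="exefile"\n'
        "[HKEY_CURRENT_USER\\SOFTWARE\\Classes\\.exe]\n"
        '@="exefile"\n'
    )


def future_dated_entries(sections, log_date_iso):
    """Paths in 'Created Last 30' whose creation date is later than the
    date the log was taken (ISO string, e.g. '2010-04-24'). A genuine file
    cannot be created in the future, so such entries deserve a look."""
    log_date = date.fromisoformat(log_date_iso)
    flagged = []
    for line in sections.get("Created Last 30", []):
        parts = line.split(None, 4)  # date, time, size, attributes, path
        if len(parts) < 5:
            continue
        try:
            created = date.fromisoformat(parts[0])
        except ValueError:
            continue
        if created > log_date:
            flagged.append(parts[4])
    return flagged


if __name__ == "__main__":
    secs = parse_dds_sections(SAMPLE_DDS_LOG)
    bad = hijacked_exe_handler(file_associations(secs))
    if bad:
        print(f".exe is handled by '{bad}', not exefile; OTM fix:\n{otm_reg_fix()}")
    for path in future_dated_entries(secs, "2010-04-24"):
        print("future-dated entry:", path)
```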

#11 JimT343

JimT343
  • Topic Starter

  • Members
  • 46 posts

Posted 23 April 2010 - 10:46 PM

I can't run either of those programs in my limited account. Windows says it needs to know what program created them.

I ran both programs from my admin account, and now I can't access the internet at all. In Device Manager, my network adapter no longer shows up. I tried using a USB cable to connect my modem, and that doesn't work (it has worked in the past). The USB light on the modem comes on for about a second, then goes out.

Here is the log from OTM:

All processes killed
========== REGISTRY ==========
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.exe\\@|"exefile" /E : value set successfully!
HKEY_CURRENT_USER\SOFTWARE\Classes\.exe\\@|"exefile" /E : value set successfully!
========== COMMANDS ==========
Restore point Set: OTM Restore Point (64424509440)
C:\WINDOWS\System32\drivers\etc\Hosts moved successfully.
HOSTS file reset successfully

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
->Flash cache emptied: 82 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
->Flash cache emptied: 82 bytes

User: James
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 451799958 bytes
->Java cache emptied: 2241423 bytes
->FireFox cache emptied: 41030581 bytes
->Flash cache emptied: 101960 bytes

User: Jim
->Temp folder emptied: 35692 bytes
->Temporary Internet Files folder emptied: 43872380 bytes
->Java cache emptied: 76466 bytes
->FireFox cache emptied: 37608005 bytes
->Google Chrome cache emptied: 5837168 bytes
->Flash cache emptied: 3129 bytes

User: Jim_2
->Temp folder emptied: 1792445 bytes
->Temporary Internet Files folder emptied: 60572379 bytes
->Java cache emptied: 218102 bytes
->Flash cache emptied: 2471 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 409734 bytes
->Flash cache emptied: 2313 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 1720454 bytes
->Java cache emptied: 43879 bytes
->Flash cache emptied: 19600 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 6546405 bytes
%systemroot%\System32 .tmp files removed: 3336689 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 1034752 bytes
Windows Temp folder emptied: 664 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 433933 bytes
RecycleBin emptied: 278784 bytes

Total Files Cleaned = 628.00 mb


OTM by OldTimer - Version 3.1.10.2 log created on 04232010_194525

Files moved on Reboot...

Registry entries deleted on Reboot...


#12 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • Gender:Male

Posted 24 April 2010 - 11:35 AM

Could you do a new DDS run for me, and post both logs once done.

--
Then, please uninstall your Comodo security program - Firewall + AV (since they are in one suite). Make sure you remove any added settings/features that were added to the firewall as well please.

Go to Start >> Run >> Type in appwiz.cpl and press Ok.

This should open the add/remove list. Once the list is populated, remove Comodo and follow through the prompts.

Let me know how it goes. We will get you another anti-virus/firewall installed later on.

#13 JimT343

JimT343
  • Topic Starter

  • Members
  • 46 posts

Posted 24 April 2010 - 07:43 PM

I ran DDS in the admin account; if you want it from the limited account, let me know.

I can't access the internet from either account; on the chance something was wrong with the modem, I tried the modem on a different computer and it worked fine. As I previously said, the NIC doesn't show up in Device Manager any longer.

I disconnected the hard drive and tried a different hard drive in my computer. (I did this before you started helping me, so I could access the internet without worrying about the virus, and it worked fine.) I was never able to see the NIC card using this hard drive, but I had previously been able to connect my modem via USB; that doesn't work now either. It makes me wonder if there's a problem with my motherboard (the NIC is built in). Other USB devices seem to work fine, such as the thumb drive I used to transfer the DDS logs to this computer so I can post them.

Here is the DDS log; the other one is attached.

DDS (Ver_10-03-17.01) - NTFSx86
Run by Jim at 16:57:09.15 on Sat 04/24/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_20
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.650 [GMT -7:00]

AV: COMODO Antivirus *On-access scanning enabled* (Updated) {043803A5-4F86-4ef7-AFC5-F6E02A79969B}
FW: COMODO Firewall *disabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}

============== Running Processes ===============

C:\Program Files\COMODO\COMODO livePCsupport\CLPSLS.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\lxczcoms.exe
C:\PROGRA~1\PERMIS~1\bin\dm.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files\Common Files\supportsoft\bin\sprtlisten.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\lexpps.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\COMODO\COMODO Internet Security\cfp.exe
C:\Program Files\palmOne\Hotsync.exe
C:\Documents and Settings\Jim\Desktop\dds.scr

============== Pseudo HJT Report ===============

BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: LastPass Browser Helper Object: {95d9ecf5-2a4d-4550-be49-70d42f71296e} - c:\program files\lastpass\LPBar.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: LastPass Toolbar: {9f6b5cc3-5c7b-4b5c-97af-19dec1e380e5} - c:\program files\lastpass\LPBar.dll
TB: HopSurf toolbar: {e9fab13d-4600-49e1-90d1-ee961c859d39} - c:\program files\comodo\hopsurftoolbar\HopSurfToolbar_IE.dll
TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [COMODO Internet Security] "c:\program files\comodo\comodo internet security\cfp.exe" -h
StartupFolder: c:\docume~1\jim\startm~1\programs\startup\autoru~1\hotsyn~1.lnk - c:\program files\palmone\HOTSYNC.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\comodo~1.lnk - c:\program files\comodo\comodo internet security\cfp.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hotsyn~2.lnk - c:\program files\palmone\Hotsync.exe
IE: LastPass - file://c:\program files\lastpass\context.html?cmd=lastpass
IE: LastPass Fill Forms - file://c:\program files\lastpass\context.html?cmd=fillforms
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {43699cd0-e34f-11de-8a39-0800200c9a66} - {95D9ECF5-2A4D-4550-BE49-70D42F71296E} - c:\program files\lastpass\LPBar.dll
IE: {ED98F8D1-09AC-4107-B2FF-91DBE011B0C5} - {6BBCFF8E-D837-4DA4-9141-1F645B34A179} - c:\program files\comodo\hopsurftoolbar\HopSurfToolbar_IE.dll
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://a1540.g.akamai.net/7/1540/52/20061205/qtinstall.info.apple.com/qtactivex/qtplugin.cab
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://go.microsoft.com/fwlink/?linkid=58813
DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} - hxxp://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/5/b/0/5b0d4654-aa20-495c-b89f-c1c34c691085/LegitCheckControl.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - hxxp://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.3.102.cab
DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} - hxxp://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://photos.walmart.com/WalmartActivia.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://by120fd.bay120.hotmail.msn.com/resources/MsnPUpld.cab
DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} - hxxp://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
DPF: {594ECDD4-A991-4208-A7B7-00DDAD9BE328} - hxxp://media.labs.live.com/all/ps/_code_/Photosynth.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1171514215500
DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1171514206484
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {A4110378-789B-455F-AE86-3A1BFC402853} - hxxp://zone.msn.com/bingame/zpagames/zpa_shvl.cab55579.cab
DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} - hxxp://www.sibelius.com/download/software/win/ActiveXPlugin.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} - hxxp://zone.msn.com/binframework/v10/StProxy.cab55579.cab
DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} - hxxp://gfx1.hotmail.com/mail/w4/pr01/photouploadcontrol/MSNPUpld.cab
Notify: AtiExtEvent - Ati2evxx.dll
AppInit_DLLs: c:\windows\system32\guard32.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\jim\applic~1\mozilla\firefox\profiles\mwdpz6d4.default\
FF - component: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\firefox\ext\components\nprpffbrowserrecordext.dll
FF - component: c:\documents and settings\jim\application data\mozilla\firefox\profiles\mwdpz6d4.default\extensions\support@lastpass.com\platform\winnt_x86-msvc\components\lpxpcom.dll
FF - plugin: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npGoogleGadgetPluginFirefoxWin.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R0 xfilt;VIA SATA IDE Hot-plug Driver;c:\windows\system32\drivers\xfilt.sys [2007-1-8 11264]
R1 cmderd;COMODO Internet Security Eradication Driver;c:\windows\system32\drivers\cmderd.sys [2010-4-9 15464]
R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdGuard.sys [2010-4-9 225344]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [2010-4-9 25240]
R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2009-7-8 214664]
R2 CLPSLS;COMODO livePCsupport Service;c:\program files\comodo\comodo livepcsupport\CLPSLS.exe [2010-2-19 148744]
R2 cmdAgent;COMODO Internet Security Helper Service;c:\program files\comodo\comodo internet security\cmdagent.exe [2010-4-9 1769216]
R2 PermissionTVDownloadManager;PermissionTV Download Manager Service;c:\progra~1\permis~1\bin\dm.exe [2008-12-26 213053]
R2 sprtlisten;SupportSoft Listener Service;c:\program files\common files\supportsoft\bin\sprtlisten.exe [2008-1-8 1213728]
S1 MpKslaf321c6a;MpKslaf321c6a;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{5abe4379-02a2-416e-9603-7f7367330b12}\mpkslaf321c6a.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{5abe4379-02a2-416e-9603-7f7367330b12}\MpKslaf321c6a.sys [?]
S1 SASKUTIL;SASKUTIL;\??\c:\program files\superantispyware\saskutil.sys --> c:\program files\superantispyware\SASKUTIL.SYS [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-4-13 133104]
S3 DrmRDriverV32;DrmRDriverV32;c:\windows\system32\drivers\DrmRDriverV32.sys [2008-9-14 508544]
S3 DrmRVideo32;DrmRVideo32;c:\windows\system32\drivers\DrmRVideo32.sys [2008-9-14 3768]
S3 iTurns;iTurns;c:\windows\system32\drivers\iTurns.sys [2008-7-18 25344]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2010-4-3 38224]
S3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2009-9-12 79816]
S3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2009-9-12 35272]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2009-9-12 34248]
S3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2009-9-12 40552]

=============== Created Last 30 ================

2100-02-23 21:35:34 768 -c--a-w- c:\program files\x73_lut.dat
2100-02-08 23:03:54 53248 -c--a-w- c:\program files\ACMonitor_X73.exe
2010-04-24 02:45:25 0 d-----w- C:\_OTM
2010-04-19 02:43:31 0 d-----w- C:\VritualRoot
2010-04-18 01:47:51 159345 ----a-w- C:\MGlogs.zip
2010-04-18 01:46:37 0 d-----w- C:\MGtools
2010-04-17 20:52:51 15944 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-04-17 20:52:40 0 d-----w- c:\docume~1\alluse~1\applic~1\Hitman Pro
2010-04-17 20:52:27 0 d-----w- c:\program files\Hitman Pro 3.5
2010-04-17 20:49:07 0 d-----w- c:\docume~1\alluse~1\applic~1\COMODO
2010-04-17 20:48:32 174656 ----a-w- c:\windows\system32\drivers\sfi.dat
2010-04-17 18:10:51 0 d-----w- c:\program files\Comodo
2010-04-17 18:10:51 0 d-----w- c:\docume~1\jim\applic~1\Comodo
2010-04-17 18:09:54 0 d-----w- c:\docume~1\alluse~1\applic~1\Comodo Downloader
2010-04-17 18:06:28 0 d-----w- c:\program files\Yahoo!
2010-04-17 18:06:25 0 d-----w- c:\program files\CCleaner
2010-04-17 17:30:09 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-04-17 17:30:09 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-04-17 17:26:29 0 d-----w- c:\docume~1\jim\applic~1\FaxCtr
2010-04-17 17:21:55 2389388 ----a-w- C:\MGtools.exe
2010-04-17 08:21:27 0 d-----w- c:\docume~1\alluse~1\applic~1\avG
2010-04-16 03:37:02 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-04-16 03:36:29 0 d-----w- c:\docume~1\jim\applic~1\SUPERAntiSpyware.com
2010-04-15 02:09:14 0 ----a-w- c:\documents and settings\jim\defogger_reenable
2010-04-14 05:26:06 182912 ----a-w- c:\windows\system32\drivers\ndis.sys
2010-04-14 05:25:00 616960 ----a-w- c:\windows\system32\drivers\advapi32.dll
2010-04-14 05:24:34 95360 ----a-w- c:\windows\system32\drivers\atapi.sys
2010-04-14 05:03:09 0 d-----w- c:\program files\Sophos
2010-04-14 02:17:59 0 d-----w- c:\docume~1\alluse~1\applic~1\Alwil Software
2010-04-13 13:23:23 0 d-----w- c:\docume~1\alluse~1\applic~1\PC Tools
2010-04-13 02:41:58 364470272 ----a-w- C:\Backup 12 April 2010.bkf
2010-04-13 01:52:41 2728 ----a-w- C:\rollback.ini
2010-04-12 23:44:04 88916 --sha-w- c:\windows\system32\drivers\fidbox.idx
2010-04-12 23:44:04 6558752 --sha-w- c:\windows\system32\drivers\fidbox.dat
2010-04-12 23:44:04 5060 --sha-w- c:\windows\system32\drivers\fidbox2.idx
2010-04-12 23:44:04 43296 --sha-w- c:\windows\system32\drivers\fidbox2.dat
2010-04-12 23:32:39 77312 ----a-w- c:\windows\system32\ztvunace26.dll
2010-04-12 23:32:39 75264 ----a-w- c:\windows\system32\unacev2.dll
2010-04-12 23:32:39 69632 ----a-w- c:\windows\system32\ztvcabinet.dll
2010-04-12 23:32:39 162304 ----a-w- c:\windows\system32\ztvunrar36.dll
2010-04-12 23:32:39 153088 ----a-w- c:\windows\system32\UNRAR3.dll
2010-04-12 23:29:18 0 d-----w- c:\docume~1\alluse~1\applic~1\ParetoLogic
2010-04-12 22:03:50 0 d-sha-r- C:\cmdcons
2010-04-12 22:01:04 98816 ----a-w- c:\windows\sed.exe
2010-04-12 22:01:04 77312 ----a-w- c:\windows\MBR.exe
2010-04-12 22:01:04 261632 ----a-w- c:\windows\PEV.exe
2010-04-12 22:01:04 161792 ----a-w- c:\windows\SWREG.exe
2010-04-12 19:45:00 112 ----a-w- c:\docume~1\alluse~1\applic~1\s6I1nLFY.dat
2010-04-09 08:26:12 277240 ----a-w- c:\windows\system32\guard32.dll
2010-04-09 08:25:46 25240 ----a-w- c:\windows\system32\drivers\cmdhlp.sys
2010-04-09 08:25:46 225344 ----a-w- c:\windows\system32\drivers\cmdGuard.sys
2010-04-09 08:25:44 15464 ----a-w- c:\windows\system32\drivers\cmderd.sys
2010-04-04 06:53:33 0 d-----w- c:\docume~1\jim\applic~1\Malwarebytes
2010-04-04 06:52:45 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-04 06:52:41 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-04-04 06:52:39 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-04 06:52:37 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-04-01 02:31:40 0 d-----w- c:\program files\common files\xing shared
2010-04-01 02:26:21 0 d-----w- c:\docume~1\jim\applic~1\OverDrive

==================== Find3M ====================

2010-04-21 03:23:40 4224 ----a-w- c:\windows\system32\drivers\rdpcdd.sys
2010-04-19 11:38:45 3064 ----a-w- c:\windows\system32\d3d9caps.dat
2010-04-01 02:30:03 499712 ----a-w- c:\windows\system32\msvcp71.dll
2010-04-01 02:30:03 348160 ----a-w- c:\windows\system32\msvcr71.dll
2010-03-10 06:15:52 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-02-25 06:24:37 916480 ------w- c:\windows\system32\wininet.dll
2010-02-24 17:16:06 181632 ------w- c:\windows\system32\MpSigStub.exe
2010-02-24 13:11:07 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-16 14:08:49 2146304 ------w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25:04 2024448 ------w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 04:33:11 100864 ----a-w- c:\windows\system32\6to4svc.dll
2004-10-01 22:00:16 40960 ----a-w- c:\program files\Uninstall_CDS.exe
2001-07-26 23:58:46 47 -c--a-w- c:\program files\ACMonitor_X73.ini
2001-07-05 19:46:44 8116 -c--a-w- c:\program files\OSLO3071b2.USB
2001-05-08 23:36:42 114688 -c--a-w- c:\program files\lxarscan.dll
2001-04-23 21:22:14 1437 -c--a-w- c:\program files\gtx73.ini
2008-09-12 10:08:30 32768 -csha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008091220080913\index.dat

============= FINISH: 16:58:06.45 ===============

Attached Files
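Triage helper for the DDS log above, added here as an example and not part of the original post or of the DDS tool. It parses the two record shapes a responder scans first, the "Created Last 30"/"Find3M" file lines and the "SERVICES / DRIVERS" lines, and flags entries worth a closer look: timestamps later than the log date (the 2100-dated lines), hidden+system files, non-.sys files sitting in the drivers directory, short random-looking names, boot/system-start drivers loaded from outside system32\drivers, and service entries DDS could not verify on disk ("[?]"). The sample lines are constructed to match the layout of the log; the flag names and the `DRIVERS_DIR` constant are assumptions of this example. Every hit is a review prompt, not a verdict: the fidbox and SASKUTIL entries in the real log belong to legitimate security products.

```python
"""Parse DDS-style file and service entries and flag items for review.
Added example; sample lines are constructed to match the log's layout."""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import date, datetime

FILE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (\d+) ([-dcshawr]{8}) (.+)$")
SVC_RE = re.compile(r"^([RS])(\d) ([^;]+);([^;]*);(.+?) \[(.*)\]$")
DRIVERS_DIR = "c:\\windows\\system32\\drivers"  # assumed normal home for kernel drivers

# Constructed sample, same layout as the "Created Last 30" / "Find3M" sections.
SAMPLE_FILES = """\
2100-02-23 21:35:34 768 -c--a-w- c:\\program files\\x73_lut.dat
2010-04-17 20:52:51 15944 ----a-w- c:\\windows\\system32\\drivers\\hitmanpro35.sys
2010-04-14 05:25:00 616960 ----a-w- c:\\windows\\system32\\drivers\\advapi32.dll
2010-04-12 23:44:04 88916 --sha-w- c:\\windows\\system32\\drivers\\fidbox.idx
2010-04-12 19:45:00 112 ----a-w- c:\\docume~1\\alluse~1\\applic~1\\s6I1nLFY.dat
2010-04-12 22:03:50 0 d-sha-r- C:\\cmdcons
"""

# Constructed sample, same layout as the "SERVICES / DRIVERS" section.
SAMPLE_SERVICES = """\
R1 cmderd;COMODO Internet Security Eradication Driver;c:\\windows\\system32\\drivers\\cmderd.sys [2010-4-9 15464]
S1 SASKUTIL;SASKUTIL;\\??\\c:\\program files\\superantispyware\\saskutil.sys --> c:\\program files\\superantispyware\\SASKUTIL.SYS [?]
S3 iTurns;iTurns;c:\\windows\\system32\\drivers\\iTurns.sys [2008-7-18 25344]
"""


@dataclass
class FileEntry:
    when: datetime
    size: int
    flags: set[str]  # letters of the 8-char attribute column, e.g. {"s", "h", "a", "w"}
    path: str


@dataclass
class ServiceEntry:
    running: bool    # R = running, S = stopped
    start: int       # 0 boot, 1 system, 2 auto, 3 manual
    name: str
    path: str
    verified: bool   # False when DDS printed "[?]" instead of "[date size]"


def parse_file_entries(text: str) -> list[FileEntry]:
    entries = []
    for line in text.splitlines():
        m = FILE_RE.match(line.strip())
        if m:
            when = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            entries.append(FileEntry(when, int(m.group(2)), set(m.group(3).replace("-", "")), m.group(4)))
    return entries


def parse_service_entries(text: str) -> list[ServiceEntry]:
    entries = []
    for line in text.splitlines():
        m = SVC_RE.match(line.strip())
        if m:
            path = m.group(5).split(" --> ")[-1]  # keep the resolved path when DDS prints "\??\x --> x"
            entries.append(ServiceEntry(m.group(1) == "R", int(m.group(2)), m.group(3), path, m.group(6) != "?"))
    return entries


def looks_random(stem: str) -> bool:
    """Short alphanumeric stem mixing digits, upper and lower case, e.g. s6I1nLFY."""
    return (6 <= len(stem) <= 10 and stem.isalnum()
            and any(c.isdigit() for c in stem)
            and any(c.islower() for c in stem)
            and any(c.isupper() for c in stem))


def triage_files(entries: list[FileEntry], as_of: date) -> dict[str, list[str]]:
    """Map path -> reasons for the entries that deserve a second look."""
    findings: dict[str, list[str]] = {}
    for e in entries:
        directory, _, name = e.path.rpartition("\\")
        stem, ext = name.rsplit(".", 1) if "." in name else (name, "")
        reasons = []
        if e.when.date() > as_of:
            reasons.append("future_timestamp")
        if "d" not in e.flags and {"s", "h"} <= e.flags:
            reasons.append("hidden_system_file")
        if directory.lower() == DRIVERS_DIR and ext.lower() != "sys":
            reasons.append("non_driver_in_drivers_dir")
        if looks_random(stem):
            reasons.append("random_looking_name")
        if reasons:
            findings[e.path] = reasons
    return findings


def triage_services(entries: list[ServiceEntry]) -> dict[str, list[str]]:
    """Map service name -> reasons; boot/system-start drivers get the strictest check."""
    findings: dict[str, list[str]] = {}
    for s in entries:
        reasons = []
        if not s.verified:
            reasons.append("file_not_verified")
        if s.start <= 1 and not s.path.lower().startswith(DRIVERS_DIR + "\\"):
            reasons.append("early_start_outside_drivers_dir")
        if reasons:
            findings[s.name] = reasons
    return findings


if __name__ == "__main__":
    for path, why in triage_files(parse_file_entries(SAMPLE_FILES), date(2010, 4, 25)).items():
        print(path, why)
    for name, why in triage_services(parse_service_entries(SAMPLE_SERVICES)).items():
        print(name, why)
```

Run it against a full DDS log by feeding each section's text to the matching parser; `as_of` should be the log's own date so that only genuinely implausible timestamps trip `future_timestamp`. The name heuristic is deliberately loose and will flag some legitimate files, which is acceptable for a list that a human reviews against known-good products before any removal is attempted.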



#14 extremeboy

  • Malware Response Team
  • 12,975 posts
  • Gender:Male

Posted 25 April 2010 - 12:15 PM

Hello.

The logs look good to me; your Network Interface Card issue doesn't seem to be malware related anymore, as that seems more like hardware than malware causing it. I was going to suggest re-installing your network devices, but you mentioned your NIC isn't in Device Manager, which I'm not exactly sure what you're referring to, since I don't see an actual device called NIC there.

I'm no expert on this; if you wish further assistance, I would post it in the Windows XP forum. Your logs look clean and appear to be free of malware now.
Note: Please do not PM me asking for help; instead, please post in the correct forum requesting help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours, please feel free to send me a PM.

The help you receive here is always free, but if you wish to show your appreciation, you may wish to do so.

#15 JimT343
  • Topic Starter

  • Members
  • 46 posts

Posted 25 April 2010 - 02:52 PM

Well, I still can't access any .exe files from my limited account, and I don't have any antivirus installed any longer, which will be a problem when/if I do get connected to the internet again. Should I reinstall Comodo or a different AV/Firewall program?

When I said my NIC doesn't show up in device manager, I think it is actually called Via Rhine II Fast Ethernet Controller, or something like that, but it's not there any longer. I did try using the disk that came with the motherboard to reinstall it, but that didn't work. The Add Hardware wizard says the device cannot start.

The ethernet card disappeared after I ran OTM; is it possible that OTM could have done something to cause this problem? Should I perhaps try using a restore point? By the way, my computer now sometimes hangs while shutting down after running OTM as well.

I'll also post this problem on the XP forum as you suggested. Thank you very much for your help in getting rid of the rootkit problem, I really appreciate it.

Edited by JimT343, 25 April 2010 - 02:54 PM.
