Possible Rootkit Infection


  • This topic is locked
11 replies to this topic

#1 saltydogs

saltydogs

  • Members
  • 74 posts
  • OFFLINE
  • Local time:08:02 AM

Posted 06 May 2010 - 09:46 PM

I am hoping that you will be able to help me diagnose a suspected Rootkit infection on my computer. I recently scanned with Malwarebytes, Spybot, and Spyware Blaster.
I can't seem to do Windows Updates, and I have random webpage redirects including my online banking website and Paypal.
It is at this point that I followed and completed your "Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help".
DDS and GMER logs attached.

I have Windows XP Service Pack 3
running Firefox

Thank you.


DDS (Ver_10-03-17.01) - NTFSx86
Run by Lori at 18:42:48.60 on Thu 05/06/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_18
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.121 [GMT -4:00]

AV: AntiVir PersonalEdition Classic Virus Protection *On-access scanning enabled* (Outdated) {00000000-0000-0000-0000-000000000000}
AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
AV: AntiVir PersonalEdition Classic Virus Protection *On-access scanning enabled* (Updated) {804E5358-FFA4-00EB-0D24-347CA8A3377C}
AV: AntiVir PersonalEdition Classic Virus Protection *On-access scanning enabled* (Updated) {804E5358-FFA4-00FC-0D24-347CA8A3377C}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\WINDOWS\system32\svchost.exe -k HPService
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Lori\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://www.nytimes.com/
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
uURLSearchHooks: H - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\program files\yahoo!\common\yiesrvc.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: ZoneAlarm Toolbar: {ee2ac4e5-b0b0-4ec6-88a9-bca1a32ab107} - c:\program files\checkpoint\zaforcefield\trustchecker\bin\TrustCheckerIEPlugin.dll
{555d4d79-4bd2-4094-a395-cfc534424a05}
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
dRunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - c:\program files\aim\aim.exe
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\iogear\bluetooth software\btsendto_ie.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\ssv.dll
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~4\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~4\INetRepl.dll
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {0000000A-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/d/4/4/d446e8a9-3a86-4b59-bb19-f5bd11b40367/wmavax.CAB
DPF: {00000075-9980-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/voxacm.CAB
DPF: {01CA75F1-054B-4A63-9221-C6926369EC52} - hxxp://install.homestead.com/~site/InstallFiles/SIFiles/lpxlive/HS_live.cab
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {05317530-B882-449D-9421-18D94FA3ED34} - hxxp://www.sis.com/support/chipdetect/OSInfo.cab
DPF: {16095503-786F-4097-AED6-5D567A26D760} - hxxp://www.sis.com/support/chipdetect/SiSAutodetectNT.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} - c:\program files\yahoo!\common\yucconfig.dll
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {3299935F-2C5A-499A-9908-95CFFF6EF8C1} - hxxp://scpwnb.ops.placeware.com/etc/place/NOVEMBER/SCNpws-b1/5.1.5.222/lib/quicksilver.cab
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {33564D57-9980-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/wmv9dmo.cab
DPF: {341FF14B-00CB-49F5-A427-A164DF1D5E1F} - hxxp://musicstore.connect.com/assets/activexplayer/SMALStreaming.cab
DPF: {4063B398-3FC7-433E-B23B-0460CE7EDC27} - hxxp://thesims.ea.com/teleport/makinmagic/MaxisMakinMagicTeleX.cab
DPF: {4989312D-58CF-11D5-A7D7-00E02911103E} - hxxp://coop.mlxchange.com/Control/MultiSelectComboBox.cab
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://bin.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,83/mcinsctl.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1137450405281
DPF: {6FD482A3-7B57-438B-B040-52CAA30147EE} - hxxp://coop.mlxchange.com/Control/MLXClientUtils.cab
DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} - hxxp://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
DPF: {83AB6E4D-CDD7-11D3-B5E7-00104B9AFF6E} - hxxp://coop.mlxchange.com/Control/IRCSharc.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} - hxxp://acs.pandasoftware.com/activescan/as5free/asinst.cab
DPF: {9CF28A69-7659-4C51-BFD5-9ADE19E19EC3} - hxxp://download.yahoo.com/dl/installs/bkm/prod/yregcfg.cab
DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37866.4967939815
DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - hxxp://bin.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,20/mcgdmgr.cab
DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/1.4/jinstall-14_02-windows-i586.cab
DPF: {CAFEEFAC-0014-0002-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_01-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_02-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} - hxxp://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - hxxp://download.abacast.com/download/files/abasetup151.cab
DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} - hxxp://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/2,0,0,4375/mcfscan.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: WRNotifier - WRLogonNTF.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: {54D9498B-CF93-414F-8984-8CE7FDE0D391} - No File
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\loriho~1\applic~1\mozilla\firefox\profiles\8a7xuixy.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.fastbrowsersearch.com/results/results.aspx?s=DEF&v=19&q=
FF - prefs.js: browser.search.selectedEngine - Fast Browser Search
FF - prefs.js: browser.startup.homepage - www.google.com
FF - prefs.js: keyword.URL - hxxp://www.fastbrowsersearch.com/results/results.aspx?s=NAUS&v=19&tid={5F14FA2F-2123-E1CC-1185-74BEA1D43EB5}&q=
FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnupdater2.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPMGWRAP.DLL
FF - plugin: c:\program files\mozilla firefox\plugins\npmnqmp07010901.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmusicn.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npwinamp.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(yahoo.ytff.general.dontshowhpoffer, truec:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDFE0BD779-44EE-4A4B-AA2E-743C63F2E5E6", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2009-3-31 11608]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-1-5 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-1-5 74480]
R2 AdobeActiveFileMonitor;Adobe Active File Monitor;c:\program files\adobe\photoshop elements 3.0\PhotoshopElementsFileAgent.exe [2004-10-4 98304]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-3-31 108289]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2009-3-31 185089]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-3-31 56816]
R2 SVKP;SVKP;c:\windows\system32\SVKP.sys [2005-10-2 2368]
S3 PPDrv;Protector Plus Driver;\??\c:\program files\protector plus\ppdrv.sys --> c:\program files\protector plus\PPDrv.sys [?]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2010-1-5 7408]
S3 SE402RefCameraStill;GD-350V (WDM);c:\windows\system32\drivers\aox402sc.sys [2003-9-19 67332]
S3 V90drv;v90drv;c:\windows\system32\drivers\v90drv.sys [2001-11-29 1432836]
S4 ewido security suite control;ewido security suite control;c:\program files\ewido anti-malware\ewidoctrl.exe --> c:\program files\ewido anti-malware\ewidoctrl.exe [?]
S4 gupdate1c99dd639dca636;Google Update Service (gupdate1c99dd639dca636);"c:\program files\google\update\googleupdate.exe" /svc --> c:\program files\google\update\GoogleUpdate.exe [?]

=============== Created Last 30 ================

2010-05-06 19:17:34 0 d-----w- c:\windows\Internet Logs
2010-04-20 11:24:48 0 ----a-w- c:\windows\txtDef
2010-04-20 11:14:30 19742 -c--a-w- C:\idsuite_run.bat
2010-04-20 10:57:26 0 d-----w- c:\program files\Index.dat Suite
2010-04-07 16:56:37 0 d-----w- c:\program files\ESET

==================== Find3M ====================

2010-04-19 11:12:42 4212 ---ha-w- c:\windows\system32\zllictbl.dat
2010-03-10 06:15:52 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-02-25 06:24:37 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-17 13:10:28 2189952 ------w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25:04 2066816 ------w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 20:56:37 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-02-12 04:33:11 100864 ----a-w- c:\windows\system32\6to4svc.dll
2005-08-20 18:08:23 7248896 ----a-w- c:\program files\avwinsfx.exe
2005-08-07 02:42:08 0 ----a-w- c:\program files\index.jsp
2005-08-01 23:06:55 4633184 ----a-w- c:\program files\pi-installer.exe
2004-10-06 11:36:11 21 ----a-w- c:\program files\AVPersonalAVWIN.INI
2003-08-27 19:19:18 36963 ----a-r- c:\program files\common files\SM1updtr.dll
2004-08-04 07:56:57 73728 --sha-w- c:\windows\registeredpackages\{dd90d410-1823-43eb-9a16-a2331bf08799}$backup$\system\wmplayer.exe
2005-12-02 20:20:29 56 --sh--r- c:\windows\system32\8169F249CF.sys
2005-12-02 20:20:39 3350 --sha-w- c:\windows\system32\KGyGaAvL.sys

============= FINISH: 18:44:28.14 ===============

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-03-17.01)

Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume1
Install Date: 12/18/2004 11:10:35 PM
System Uptime: 5/6/2010 3:26:08 PM (3 hours ago)

Motherboard: ASUSTeK Computer INC. | | P4S8X-MX
Processor: Intel® Pentium® 4 CPU 2.40GHz | Socket 478 | 2394/133mhz

==== Disk Partitions =========================

A: is Removable
C: is FIXED (NTFS) - 75 GiB total, 43.248 GiB free.
D: is CDROM ()
E: is CDROM (CDFS)
F: is CDROM ()
G: is Removable
H: is Removable
I: is Removable
J: is Removable
K: is Removable
L: is Removable

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP1212: 4/13/2010 4:54:45 PM - System Checkpoint
RP1213: 4/13/2010 11:04:26 PM - Software Distribution Service 3.0
RP1214: 4/14/2010 11:19:44 PM - System Checkpoint
RP1215: 4/15/2010 11:29:57 PM - System Checkpoint
RP1216: 4/17/2010 12:14:12 AM - System Checkpoint
RP1217: 4/20/2010 7:14:55 AM - Index.dat Suite Restore Point [ C:\idsuite_run.bat ]
RP1218: 4/20/2010 7:18:03 AM - Index.dat Suite Restore Point [ C:\idsuite_run.bat ]
RP1219: 4/20/2010 7:51:08 AM - Index.dat Suite Restore Point [ C:\idsuite_run.bat ]
RP1220: 4/20/2010 7:52:17 AM - Index.dat Suite Restore Point [ Cleanup ]
RP1221: 4/20/2010 7:56:03 AM - Index.dat Suite Restore Point [ Cleanup ]
RP1222: 4/20/2010 7:56:18 AM - Index.dat Suite Restore Point [ Cleanup ]
RP1223: 4/20/2010 7:56:29 AM - Index.dat Suite Restore Point [ Cleanup ]
RP1224: 5/4/2010 2:12:10 PM - System Checkpoint
RP1225: 5/6/2010 4:30:35 PM - System Checkpoint

==== Installed Programs ======================

32 Bit HP CIO Components Installer
Across Lite 2.0
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Help Center 2.1
Adobe Photoshop Elements 5.0
Adobe Reader 8.1.7
Adobe Shockwave Player 11.5
Adobe® Photoshop® Album Starter Edition 3.0
AIM 7
Apple Application Support
Apple Mobile Device Support
Apple Software Update
Avira AntiVir Personal - Free Antivirus
Blaze Media Pro
Bluetooth Remote Control
Bonjour
BPD_Scan
Cheetah CD Burner
CleanUp!
CLEP Sampler
Critical Update for Windows Media Player 11 (KB959772)
DivX Content Uploader
DivX Web Player
DocProc
DocProcQFolder
Download Updater (AOL LLC)
DriverAgent by eSupport.com
ESET Online Scanner v3
Google Earth
Google Update Helper
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
HP Photosmart C4600 All-In-One Driver 13.0 Rel .5
HP_Network_UserGuide
Index.dat Suite
iPhone Configuration Utility
iTunes
Java Auto Updater
Java™ 6 Update 18
Karen's Replicator
Logitech QuickCam
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB953297)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft ActiveSync
Microsoft Application Error Reporting
Microsoft Kernel-Mode Driver Framework Feature Pack 1.7
Microsoft Silverlight
Microsoft User-Mode Driver Framework Feature Pack 1.5
Microsoft VC9 runtime libraries
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
MobileMe Control Panel
Mozilla Firefox (3.6.3)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 6.0 Parser
Network
OCR Software by I.R.I.S 7.0
PC Connectivity Solution
PS_AIO_05_C4600_Software_Min
QuickTime
Safari
Scan
SecondLife (remove only)
Security Update for CAPICOM (KB931906)
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 8 (KB969897)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB972260)
Security Update for Windows Internet Explorer 8 (KB974455)
Security Update for Windows Internet Explorer 8 (KB976325)
Security Update for Windows Internet Explorer 8 (KB978207)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 9 Series (KB969878)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953155)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB980232)
Skype™ 4.0
Spybot - Search & Destroy
SpywareBlaster 4.2
SUPERAntiSpyware Free Edition
Toolbox
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 8 (KB971180)
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows Internet Explorer 8 (KB976749)
Update for Windows Internet Explorer 8 (KB980182)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB961503)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Video Cutter 1.0
Videora iPod touch Converter 5.03
WebFldrs XP
Windows Driver Package - Nokia (WUDFRd) WPD (03/19/2007 6.83.31.1)
Windows Driver Package - Nokia Modem (02/15/2007 3.1)
Windows Internet Explorer 7
Windows Internet Explorer 8
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player Firefox Plugin
Windows XP Service Pack 3
WordBiz version 1.8
Xiph QuickTime Components
Yahoo! Software Update

==== Event Viewer Messages From Past Week ========

5/6/2010 6:42:54 PM, error: Service Control Manager [7016] - The SmartLinkService service has reported an invalid current state 0.
5/3/2010 2:11:57 PM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the TrueVector Internet Monitor service to connect.
5/3/2010 2:11:57 PM, error: Service Control Manager [7000] - The Yahoo! Updater service failed to start due to the following error: The system cannot find the file specified.
5/3/2010 2:11:57 PM, error: Service Control Manager [7000] - The TrueVector Internet Monitor service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
5/3/2010 2:10:42 PM, error: iviVD [9] - The device, \Device\Scsi\iviVD1, did not respond within the timeout period.

==== End Of File ===========================
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-05-06 22:37:14
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\LORIHO~1\LOCALS~1\Temp\pxtdapow.sys


---- System - GMER 1.0.15 ----

SSDT F8EB2C4E ZwCreateKey
SSDT F8EB2C44 ZwCreateThread
SSDT F8EB2C53 ZwDeleteKey
SSDT F8EB2C5D ZwDeleteValueKey
SSDT IPVNMon.sys (IPVNMon/Visual Networks) ZwDeviceIoControlFile [0xF8648803]
SSDT F8EB2C62 ZwLoadKey
SSDT F8EB2C30 ZwOpenProcess
SSDT F8EB2C35 ZwOpenThread
SSDT F8EB2C6C ZwReplaceKey
SSDT F8EB2C67 ZwRestoreKey
SSDT F8EB2C58 ZwSetValueKey
SSDT F8EB2C3F ZwTerminateProcess

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Mozilla Firefox\firefox.exe[2516] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 004013F0 C:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 60: copy of MBR

---- EOF - GMER 1.0.15 ----
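As an added triage example (not part of saltydogs' post, and not code from the DDS or GMER tools), the script below takes lines copied from the two logs above and does the two checks a helper usually does by eye: it resolves the host behind each browser search and home-page setting and reports any host that is not on an owner-supplied allowlist, and it lists the SSDT entries that GMER printed with a bare address instead of a module name. The allowlist of expected hosts is an assumption for the example; on this log the host check surfaces the two fastbrowsersearch.com entries, which is where the user's redirect symptom is most likely coming from.

```python
"""Triage helper for DDS/GMER-style log lines (added example, not from the thread).

Flags browser search/home settings whose host is outside an allowlist, and
SSDT hooks that GMER could not attribute to a named driver."""
import re
from urllib.parse import urlparse

# Hosts the machine's owner expects as search/home targets (assumption for the example).
EXPECTED_HOSTS = {"www.google.com", "www.nytimes.com", "us.rd.yahoo.com"}

# Sample input: lines copied from the DDS and GMER output posted in the thread.
SAMPLE_LOG = """\
uStart Page = hxxp://www.nytimes.com/
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
FF - prefs.js: browser.search.defaulturl - hxxp://www.fastbrowsersearch.com/results/results.aspx?s=DEF&v=19&q=
FF - prefs.js: browser.search.selectedEngine - Fast Browser Search
FF - prefs.js: browser.startup.homepage - www.google.com
FF - prefs.js: keyword.URL - hxxp://www.fastbrowsersearch.com/results/results.aspx?s=NAUS&v=19&tid={5F14FA2F-2123-E1CC-1185-74BEA1D43EB5}&q=
SSDT F8EB2C4E ZwCreateKey
SSDT IPVNMon.sys (IPVNMon/Visual Networks) ZwDeviceIoControlFile [0xF8648803]
SSDT F8EB2C30 ZwOpenProcess
"""

# Settings whose value is a URL or hostname the browser will navigate to.
BROWSER_SETTING = re.compile(
    r"^(?P<key>uStart Page|uSearchURL,\(Default\)|uSearchMigratedDefaultURL"
    r"|FF - prefs\.js: (?:browser\.search\.defaulturl|browser\.startup\.homepage|keyword\.URL))"
    r"\s+[-=]\s+(?P<value>\S+)"
)

# GMER SSDT lines: "SSDT <address> <ZwFunc>" when unattributed, or
# "SSDT <module> (<description>) <ZwFunc> [<address>]" when a driver is named.
SSDT_ENTRY = re.compile(r"^SSDT\s+(?P<owner>\S+)\s+(?:\(.*?\)\s+)?(?P<func>Zw\w+)")


def defang_to_url(value):
    """DDS defangs URLs as hxxp://; restore the scheme so urlparse can read it."""
    return re.sub(r"^hxxp(s?)://", r"http\1://", value.strip(), flags=re.IGNORECASE)


def host_of(value):
    """Hostname of a (possibly defanged, possibly scheme-less) setting value."""
    url = defang_to_url(value)
    if "://" not in url:
        url = "http://" + url  # bare hostnames such as www.google.com
    return urlparse(url).hostname or ""


def find_suspicious_browser_settings(text, expected_hosts=EXPECTED_HOSTS):
    """Return (setting name, host) for search/home settings outside the allowlist."""
    hits = []
    for line in text.splitlines():
        m = BROWSER_SETTING.match(line)
        if not m:
            continue
        host = host_of(m.group("value"))
        if host and host not in expected_hosts:
            hits.append((m.group("key"), host))
    return hits


def find_unattributed_ssdt_hooks(text):
    """Return hooked Zw* functions whose owner field is a bare 32-bit address,
    i.e. GMER could not name the module the hook points into."""
    hooks = []
    for line in text.splitlines():
        m = SSDT_ENTRY.match(line)
        if m and re.fullmatch(r"[0-9A-Fa-f]{8}", m.group("owner")):
            hooks.append(m.group("func"))
    return hooks


if __name__ == "__main__":
    for key, host in find_suspicious_browser_settings(SAMPLE_LOG):
        print(f"check browser setting: {key} -> {host}")
    for func in find_unattributed_ssdt_hooks(SAMPLE_LOG):
        print(f"SSDT hook with no named module: {func}")
```

A bare address in the SSDT column only means the hook needs to be resolved, not that it is malicious: security products on this machine (SUPERAntiSpyware's SASKUTIL.SYS, Avira's filter drivers) legitimately hook the same functions, so the output is a to-do list for the helper, not a verdict.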


#2 thewall

thewall

  • Malware Response Team
  • 6,425 posts
  • OFFLINE
  • Gender:Male
  • Location:Florida
  • Local time:09:02 AM

Posted 08 May 2010 - 10:19 PM



Hello saltydogs. Welcome to the BC HijackThis Log and Analysis forum. I will be assisting you in cleaning up your system.


I ask that you refrain from running tools other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.



In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed you will be advised when we respond to your topic and facilitate the cleaning of your machine.


Please keep in mind that we have a large backlog of users just like yourself waiting to be helped so try to be as timely as possible in your replies. Since we do this on a part-time voluntary basis we are limited on how many logs we can respond to and keep open due to time restraints. If you have to be away or can't answer for some other reason just let me know. Thank you for your understanding.



After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.


Please download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Instruction can be found HERE
  • Double click on ComboFix.exe & follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.




Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:





Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

















Note: Please post the log in the reply window and do not make it an attachment. Do this with all subsequent replies unless I ask otherwise.







Thanks,



thewall





If I have helped you then please consider donating so I can continue the fight against malware
All donations go directly to the helper

Due to the large amount of backlogs we have I cannot respond to PMs for help unless I am already working with you

#3 saltydogs

saltydogs
  • Topic Starter

  • Members
  • 74 posts
  • Local time:08:02 AM

Posted 09 May 2010 - 03:53 PM

Thank you for the quick reply. ComboFix log posted.


ComboFix 10-05-08.03 - Lori Hoagland 05/09/2010 16:24:11.3.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.129 [GMT -4:00]
Running from: c:\documents and settings\Lori Hoagland\Desktop\ComboFix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
AV: AntiVir PersonalEdition Classic Virus Protection *On-access scanning enabled* (Outdated) {00000000-0000-0000-0000-000000000000}
AV: AntiVir PersonalEdition Classic Virus Protection *On-access scanning enabled* (Updated) {804E5358-FFA4-00EB-0D24-347CA8A3377C}
AV: AntiVir PersonalEdition Classic Virus Protection *On-access scanning enabled* (Updated) {804E5358-FFA4-00FC-0D24-347CA8A3377C}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\eSellerateEngine.dll
c:\windows\system32\ie.ico

.
((((((((((((((((((((((((( Files Created from 2010-04-09 to 2010-05-09 )))))))))))))))))))))))))))))))
.

2010-05-06 19:17 . 2010-05-06 19:17 -------- d-----w- c:\windows\Internet Logs
2010-04-20 11:14 . 2010-04-20 11:50 19742 -c--a-w- C:\idsuite_run.bat
2010-04-20 10:57 . 2010-04-20 11:58 -------- d-----w- c:\program files\Index.dat Suite

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-04-19 11:17 . 2007-09-21 23:34 -------- d-----w- c:\program files\Common Files\LogiShrd
2010-04-19 11:12 . 2010-02-25 20:05 4212 ---ha-w- c:\windows\system32\zllictbl.dat
2010-04-16 22:21 . 2003-01-29 18:46 -------- d-----w- c:\program files\aim
2010-04-07 16:56 . 2010-04-07 16:56 -------- d-----w- c:\program files\ESET
2010-03-10 06:15 . 2001-08-23 12:00 420352 ----a-w- c:\windows\system32\vbscript.dll
2010-02-25 06:24 . 2004-01-08 20:23 916480 ----a-w- c:\windows\system32\wininet.dll
2010-02-24 13:11 . 2001-08-23 12:00 455680 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-02-17 13:10 . 2001-08-23 12:00 2189952 ------w- c:\windows\system32\ntoskrnl.exe
2010-02-16 13:25 . 2001-08-17 13:48 2066816 ------w- c:\windows\system32\ntkrnlpa.exe
2010-02-12 20:57 . 2010-02-12 20:57 503808 -c--a-w- c:\documents and settings\Lori Hoagland\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-20fb3c06-n\msvcp71.dll
2010-02-12 20:57 . 2010-02-12 20:57 499712 -c--a-w- c:\documents and settings\Lori Hoagland\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-20fb3c06-n\jmc.dll
2010-02-12 20:57 . 2010-02-12 20:57 348160 -c--a-w- c:\documents and settings\Lori Hoagland\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-20fb3c06-n\msvcr71.dll
2010-02-12 20:57 . 2010-02-12 20:57 61440 -c--a-w- c:\documents and settings\Lori Hoagland\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-6b75c71f-n\decora-sse.dll
2010-02-12 20:57 . 2010-02-12 20:57 12800 -c--a-w- c:\documents and settings\Lori Hoagland\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-6b75c71f-n\decora-d3d.dll
2010-02-12 20:56 . 2008-12-04 19:34 411368 ----a-w- c:\windows\system32\deploytk.dll
2010-02-12 04:33 . 2001-08-23 12:00 100864 ----a-w- c:\windows\system32\6to4svc.dll
2010-02-11 12:02 . 2001-08-23 12:00 226880 ----a-w- c:\windows\system32\drivers\tcpip6.sys
2005-08-20 18:08 . 2005-08-20 18:05 7248896 ----a-w- c:\program files\avwinsfx.exe
2005-08-07 02:42 . 2005-08-07 02:42 0 ----a-w- c:\program files\index.jsp
2005-08-01 23:06 . 2005-08-01 23:05 4633184 ----a-w- c:\program files\pi-installer.exe
2004-10-06 11:36 . 2004-10-06 11:36 21 ----a-w- c:\program files\AVPersonalAVWIN.INI
2003-08-27 19:19 . 2003-12-17 01:01 36963 ----a-r- c:\program files\Common Files\SM1updtr.dll
2004-08-04 07:56 . 2006-05-10 23:38 73728 --sha-w- c:\windows\RegisteredPackages\{DD90D410-1823-43EB-9A16-A2331BF08799}$BACKUP$\System\wmplayer.exe
2005-12-02 20:20 . 2005-10-20 22:25 56 --sh--r- c:\windows\system32\8169F249CF.sys
2005-12-02 20:20 . 2005-10-20 22:21 3350 --sha-w- c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"tscuninstall"="c:\windows\system32\tscupgrd.exe" [2004-08-04 44544]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 19:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@=""

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=c:\windows\pss\Adobe Gamma Loader.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk.disabled]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk.disabled
backup=c:\windows\pss\Adobe Reader Speed Launch.lnk.disabledCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Bluetooth.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Bluetooth.lnk
backup=c:\windows\pss\Bluetooth.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^FlashPath Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\FlashPath Monitor.lnk
backup=c:\windows\pss\FlashPath Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HPAiODevice(hp officejet g series) - 2.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HPAiODevice(hp officejet g series) - 2.lnk
backup=c:\windows\pss\HPAiODevice(hp officejet g series) - 2.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk
backup=c:\windows\pss\Logitech Desktop Messenger.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Lori Hoagland^Start Menu^Programs^Startup^Logitech . Product Registration.lnk]
path=c:\documents and settings\Lori Hoagland\Start Menu\Programs\Startup\Logitech . Product Registration.lnk
backup=c:\windows\pss\Logitech . Product Registration.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Lori Hoagland^Start Menu^Programs^Startup^radio@netscape.lnk]
path=c:\documents and settings\Lori Hoagland\Start Menu\Programs\Startup\radio@netscape.lnk
backup=c:\windows\pss\radio@netscape.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-03-24 18:17 952768 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
2005-06-07 03:46 57344 ----a-w- c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-10-03 09:45 39792 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppleSyncNotifier]
2009-08-13 19:51 177440 ----a-w- c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CHotkey]
2002-08-02 19:01 473600 ----a-w- c:\windows\mHotkey.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ------w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ezShieldProtector for Px]
2002-08-20 15:29 40960 ----a-w- c:\windows\system32\ezSP_Px.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
2006-11-13 17:39 1289000 ----a-w- c:\program files\Microsoft ActiveSync\wcescomm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMEKRMIG6.1]
2002-08-29 12:00 44032 ----a-w- c:\windows\ime\imkr6_1\imekrmig.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
2004-08-04 05:31 208952 ----a-w- c:\windows\ime\imjp8_1\imjpmig.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2009-10-29 00:21 141600 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Utility]
2004-03-16 19:45 19968 ----a-w- c:\windows\LOGI_MWX.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechCommunicationsManager]
2007-05-17 15:52 505368 ----a-w- c:\program files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechQuickCamRibbon]
2007-05-17 15:53 780312 ----a-w- c:\program files\Logitech\QuickCam10\QuickCam10.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2009-09-05 05:54 417792 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2009-03-11 16:00 24095528 ----a-r- c:\program files\Skype\Phone\Skype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SM1BG]
2003-08-27 19:20 94208 ----a-r- c:\windows\SM1bg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
2004-11-15 10:20 77824 ----a-w- c:\windows\SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
2009-03-05 20:07 2260480 ------w- c:\program files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SsAAD.exe]
2006-05-08 09:17 81920 ----a-w- c:\progra~1\Sony\SONICS~1\SSAAD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-01-11 20:21 246504 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
2010-01-05 12:56 2002160 ----a-w- c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
2006-10-19 01:05 204288 ------w- c:\program files\Windows Media Player\wmpnscfg.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WLSetupSvc"=3 (0x3)
"SPTISRV"=3 (0x3)
"RioMSC"=3 (0x3)
"iPod Service"=3 (0x3)
"gusvc"=3 (0x3)
"gupdate1c99dd639dca636"=2 (0x2)
"ewido security suite control"=2 (0x2)
"btwdins"=2 (0x2)
"Bonjour Service"=2 (0x2)
"Apple Mobile Device"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"Yahoo Instant Messengar"=YahooMsgr.exe
"VideoraiPodConverter"=c:\program files\VideoraiPodConverter\VideoraConverter.exe -t
"SsAAD.exe"=c:\progra~1\Sony\SONICS~1\SsAAD.exe
"ezShieldProtector for Px"=c:\windows\system32\ezSP_Px.exe
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" -atboottime
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe"
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Rio\\Rio Music Manager\\riomm.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\aim\\aim.exe"=
"c:\\Program Files\\QuickTime\\QuickTimePlayer.exe"=
"c:\\Program Files\\Common Files\\Nokia\\Service Layer\\A\\nsl_host_process.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfcCopy.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpiscnapp.exe"=
"c:\\Program Files\\AIM7\\aim.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1723:TCP"= 1723:TCP:@xpsp2res.dll,-22015
"1701:UDP"= 1701:UDP:@xpsp2res.dll,-22016
"500:UDP"= 500:UDP:@xpsp2res.dll,-22017
"443:UDP"= 443:UDP:ooVoo UDP port 443
"37674:TCP"= 37674:TCP:ooVoo TCP port 37674
"37674:UDP"= 37674:UDP:ooVoo UDP port 37674
"37675:UDP"= 37675:UDP:ooVoo UDP port 37675
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [1/5/2010 8:56 AM 9968]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [1/5/2010 8:56 AM 74480]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [3/31/2009 7:43 PM 108289]
R2 SVKP;SVKP;c:\windows\system32\SVKP.sys [10/2/2005 6:17 PM 2368]
S2 AdobeActiveFileMonitor;Adobe Active File Monitor;c:\program files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe [10/4/2004 4:47 AM 98304]
S3 PPDrv;Protector Plus Driver;\??\c:\program files\Protector Plus\PPDrv.sys --> c:\program files\Protector Plus\PPDrv.sys [?]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [1/5/2010 8:56 AM 7408]
S3 SE402RefCameraStill;GD-350V (WDM);c:\windows\system32\drivers\aox402sc.sys [9/19/2003 4:00 PM 67332]
S3 V90drv;v90drv;c:\windows\system32\drivers\v90drv.sys [11/29/2001 6:10 PM 1432836]
S4 gupdate1c99dd639dca636;Google Update Service (gupdate1c99dd639dca636);"c:\program files\Google\Update\GoogleUpdate.exe" /svc --> c:\program files\Google\Update\GoogleUpdate.exe [?]

--- Other Services/Drivers In Memory ---

*Deregistered* - IPVNMon

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
HPService REG_MULTI_SZ HPSLPSVC
.
Contents of the 'Scheduled Tasks' folder

2010-05-08 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 16:34]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://www.nytimes.com/
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
DPF: {3299935F-2C5A-499A-9908-95CFFF6EF8C1} - hxxp://scpwnb.ops.placeware.com/etc/place/NOVEMBER/SCNpws-b1/5.1.5.222/lib/quicksilver.cab
DPF: {4989312D-58CF-11D5-A7D7-00E02911103E} - hxxp://coop.mlxchange.com/Control/MultiSelectComboBox.cab
DPF: {6FD482A3-7B57-438B-B040-52CAA30147EE} - hxxp://coop.mlxchange.com/Control/MLXClientUtils.cab
DPF: {83AB6E4D-CDD7-11D3-B5E7-00104B9AFF6E} - hxxp://coop.mlxchange.com/Control/IRCSharc.cab
FF - ProfilePath - c:\documents and settings\Lori Hoagland\Application Data\Mozilla\Firefox\Profiles\8a7xuixy.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.fastbrowsersearch.com/results/results.aspx?s=DEF&v=19&q=
FF - prefs.js: browser.search.selectedEngine - Fast Browser Search
FF - prefs.js: browser.startup.homepage - www.google.com
FF - prefs.js: keyword.URL - hxxp://www.fastbrowsersearch.com/results/results.aspx?s=NAUS&v=19&tid={5F14FA2F-2123-E1CC-1185-74BEA1D43EB5}&q=
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npdnupdater2.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPMGWRAP.DLL
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmnqmp07010901.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmusicn.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npwinamp.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: network.protocol-handler.warn-external.dnupdate - false);user_pref(yahoo.ytff.general.dontshowhpoffer, true
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDFE0BD779-44EE-4A4B-AA2E-743C63F2E5E6", "AllAccess");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-Blubster - c:\program files\Blubster\Blubster.exe
MSConfigStartUp-ISW - c:\program files\CheckPoint\ZAForceField\ForceField.exe
MSConfigStartUp-Malwarebytes Anti-Malware (reboot) - c:\program files\Malwarebytes' Anti-Malware\mbam.exe
MSConfigStartUp-UnlockerAssistant - c:\program files\Unlocker\UnlockerAssistant.exe
AddRemove-SecondLife - c:\program files\SecondLife\uninst.exe
AddRemove-Videora iPod touch Converter - c:\program files\Red Kawa\Video Converter App\uninstaller.exe
AddRemove-Yahoo! Software Update - c:\progra~1\Yahoo!\SOFTWA~1\UNINST~1.EXE



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-05-09 16:36
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(520)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll
.
Completion time: 2010-05-09 16:48:12
ComboFix-quarantined-files.txt 2010-05-09 20:47
ComboFix2.txt 2010-02-09 21:33

Pre-Run: 47,467,589,632 bytes free
Post-Run: 47,443,742,720 bytes free

- - End Of File - - 44599297A655325E594A6DDC77050F17


#4 thewall

thewall

  • Malware Response Team
  • 6,425 posts
  • Gender:Male
  • Location:Florida
  • Local time:09:02 AM

Posted 09 May 2010 - 07:54 PM

You're welcome! Here's what is next:
  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.
  • Go to Start > Run (Or you can hold down your Windows key and press R) and copy and paste the following into the text field. (make sure you include the quote marks) Then press OK.

    "%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v

  • If it says "Hidden service detected" DO NOT type anything in. Just press Enter on your keyboard to not do anything to the file.
  • When it is done, a log file should be created on your C: drive called "TDSSKiller.txt". Please copy and paste the contents of that file here.

Edited by thewall, 09 May 2010 - 07:54 PM.

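The log that the `-l` switch above writes lists, for every device TDSSKiller scans, each IRP_MJ_* dispatch address followed by a driver path and Verdict line (saltydogs posts one further down). As an added example, not from the page or from the TDSSKiller authors, here is a Python parser for that format with a simplified anomaly check: the sample log is constructed (the Disk and USBSTOR values follow the shape of a clean scan, the atapi block is invented to show handlers redirected away from the driver), and the 1 MiB tolerance used in place of the driver's real image range is an assumption.

```python
"""Parse TDSSKiller's per-device IRP dispatch tables and flag split tables."""
import re
from collections import defaultdict
from statistics import median_low

# Constructed sample in the TDSSKiller 2.2.x layout (time, PID, message). Disk and
# USBSTOR mirror a clean scan; the atapi block is constructed so that its read and
# write handlers point into a region far from the driver's other dispatch code.
SAMPLE_LOG = """\
10:47:49:171 3320 Driver Name: Disk
10:47:49:171 3320 IRP_MJ_CREATE : F888CBB0
10:47:49:171 3320 IRP_MJ_CREATE_NAMED_PIPE : 804FA88E
10:47:49:171 3320 IRP_MJ_READ : F8886D1F
10:47:49:171 3320 IRP_MJ_WRITE : F8886D1F
10:47:49:171 3320 IRP_MJ_DEVICE_CONTROL : F88873BB
10:47:49:171 3320 IRP_MJ_POWER : F8888C82
10:47:49:187 3320 C:\\WINDOWS\\system32\\DRIVERS\\disk.sys - Verdict: 1
10:47:49:187 3320
10:47:49:187 3320 Driver Name: USBSTOR
10:47:49:187 3320 IRP_MJ_CREATE : F8C3B218
10:47:49:187 3320 IRP_MJ_CREATE_NAMED_PIPE : 804FA88E
10:47:49:187 3320 IRP_MJ_READ : F8C3B23C
10:47:49:187 3320 IRP_MJ_WRITE : F8C3B23C
10:47:49:187 3320 IRP_MJ_DEVICE_CONTROL : F8C3B180
10:47:49:234 3320 C:\\WINDOWS\\system32\\DRIVERS\\USBSTOR.SYS - Verdict: 1
10:47:49:234 3320
10:47:49:234 3320 Driver Name: atapi
10:47:49:234 3320 IRP_MJ_CREATE : F85A2100
10:47:49:234 3320 IRP_MJ_CREATE_NAMED_PIPE : 804FA88E
10:47:49:234 3320 IRP_MJ_READ : 8B4C2C10
10:47:49:234 3320 IRP_MJ_WRITE : 8B4C2C10
10:47:49:234 3320 IRP_MJ_DEVICE_CONTROL : F85A2830
10:47:49:234 3320 IRP_MJ_POWER : F85A2C40
10:47:49:250 3320 C:\\WINDOWS\\system32\\DRIVERS\\atapi.sys - Verdict: 1
"""

LINE_RE = re.compile(r"^\d{2}:\d{2}:\d{2}:\d{3}\s+\d+\s?(.*)$")
IRP_RE = re.compile(r"^(IRP_MJ_[A-Z_]+)\s*:\s*([0-9A-Fa-f]{8})$")
VERDICT_RE = re.compile(r"^(?P<path>.+?)\s+-\s+Verdict:\s+(?P<verdict>\d+)$")

# Assumption: one driver image's dispatch routines lie within about 1 MiB of each
# other. TDSSKiller checks against the driver's real image range, which the log does
# not record, so this tolerance is a stand-in for that check, not the tool's rule.
REGION_TOLERANCE = 0x100000


def parse_tdsskiller(text):
    """Return one dict per 'Driver Name:' block: name, path, verdict, handlers."""
    drivers, current = [], None
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        msg = m.group(1).strip()
        if msg.startswith("Driver Name:"):
            current = {"name": msg.split(":", 1)[1].strip(), "path": None,
                       "verdict": None, "handlers": {}}
            drivers.append(current)
        elif current is not None:
            irp = IRP_RE.match(msg)
            if irp:
                current["handlers"][irp.group(1)] = int(irp.group(2), 16)
                continue
            v = VERDICT_RE.match(msg)
            if v:  # the path/verdict line closes the block
                current["path"] = v.group("path")
                current["verdict"] = int(v.group("verdict"))
                current = None
    return drivers


def shared_stubs(drivers):
    """Addresses that two or more drivers share are kernel-provided stubs (the
    default handler for majors a driver does not implement), not driver code."""
    owners = defaultdict(set)
    for d in drivers:
        for addr in d["handlers"].values():
            owners[addr].add(d["name"])
    return {addr for addr, names in owners.items() if len(names) > 1}


def suspicious_handlers(driver, stubs):
    """Driver-specific handlers far from the median of the driver's own handlers:
    the table then points into two regions, which is how a hooked dispatch entry
    that lands outside the driver image shows up (with ties the lower half wins)."""
    own = [a for a in driver["handlers"].values() if a not in stubs]
    if len(own) < 2:
        return {}
    centre = median_low(own)
    return {irp: addr for irp, addr in driver["handlers"].items()
            if addr not in stubs and abs(addr - centre) > REGION_TOLERANCE}


def scan_log(text):
    """Map driver name -> {IRP_MJ_*: handler address} for flagged entries only."""
    drivers = parse_tdsskiller(text)
    stubs = shared_stubs(drivers)
    return {d["name"]: suspicious_handlers(d, stubs) for d in drivers}


if __name__ == "__main__":
    for name, flagged in scan_log(SAMPLE_LOG).items():
        status = ", ".join(f"{k}={v:08X}" for k, v in flagged.items()) or "no anomaly"
        print(f"{name}: {status}")
```

Run it against a real TDSSKiller.txt by reading the file into `scan_log`; the Verdict value is carried through unchanged from the tool, and the flagged map is this heuristic's own output.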

#5 saltydogs

saltydogs
  • Topic Starter

  • Members
  • 74 posts
  • Local time:08:02 AM

Posted 10 May 2010 - 09:50 AM

OK. TDSSKiller log paste.

10:47:48:187 3320 TDSS rootkit removing tool 2.2.8.1 Mar 22 2010 10:43:04
10:47:48:187 3320 ================================================================================
10:47:48:187 3320 SystemInfo:

10:47:48:187 3320 OS Version: 5.1.2600 ServicePack: 3.0
10:47:48:187 3320 Product type: Workstation
10:47:48:187 3320 ComputerName: DISH
10:47:48:187 3320 UserName: Lori Hoagland
10:47:48:187 3320 Windows directory: C:\WINDOWS
10:47:48:187 3320 Processor architecture: Intel x86
10:47:48:187 3320 Number of processors: 1
10:47:48:187 3320 Page size: 0x1000
10:47:48:187 3320 Boot type: Normal boot
10:47:48:187 3320 ================================================================================
10:47:48:250 3320 UnloadDriverW: NtUnloadDriver error 2
10:47:48:250 3320 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2
10:47:48:468 3320 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\system
10:47:48:468 3320 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
10:47:48:468 3320 wfopen_ex: Trying to KLMD file open
10:47:48:468 3320 wfopen_ex: File opened ok (Flags 2)
10:47:48:468 3320 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\software
10:47:48:468 3320 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
10:47:48:468 3320 wfopen_ex: Trying to KLMD file open
10:47:48:468 3320 wfopen_ex: File opened ok (Flags 2)
10:47:48:468 3320 Initialize success
10:47:48:468 3320
10:47:48:468 3320 Scanning Services ...
10:47:49:171 3320 Raw services enum returned 415 services
10:47:49:171 3320
10:47:49:171 3320 Scanning Kernel memory ...
10:47:49:171 3320 Devices to scan: 14
10:47:49:171 3320
10:47:49:171 3320 Driver Name: Disk
10:47:49:171 3320 IRP_MJ_CREATE : F888CBB0
10:47:49:171 3320 IRP_MJ_CREATE_NAMED_PIPE : 804FA88E
10:47:49:171 3320 IRP_MJ_CLOSE : F888CBB0
10:47:49:171 3320 IRP_MJ_READ : F8886D1F
10:47:49:171 3320 IRP_MJ_WRITE : F8886D1F
10:47:49:171 3320 IRP_MJ_QUERY_INFORMATION : 804FA88E
10:47:49:171 3320 IRP_MJ_SET_INFORMATION : 804FA88E
10:47:49:171 3320 IRP_MJ_QUERY_EA : 804FA88E
10:47:49:171 3320 IRP_MJ_SET_EA : 804FA88E
10:47:49:171 3320 IRP_MJ_FLUSH_BUFFERS : F88872E2
10:47:49:171 3320 IRP_MJ_QUERY_VOLUME_INFORMATION : 804FA88E
10:47:49:171 3320 IRP_MJ_SET_VOLUME_INFORMATION : 804FA88E
10:47:49:171 3320 IRP_MJ_DIRECTORY_CONTROL : 804FA88E
10:47:49:171 3320 IRP_MJ_FILE_SYSTEM_CONTROL : 804FA88E
10:47:49:171 3320 IRP_MJ_DEVICE_CONTROL : F88873BB
10:47:49:171 3320 IRP_MJ_INTERNAL_DEVICE_CONTROL : F888AF28
10:47:49:171 3320 IRP_MJ_SHUTDOWN : F88872E2
10:47:49:171 3320 IRP_MJ_LOCK_CONTROL : 804FA88E
10:47:49:171 3320 IRP_MJ_CLEANUP : 804FA88E
10:47:49:171 3320 IRP_MJ_CREATE_MAILSLOT : 804FA88E
10:47:49:171 3320 IRP_MJ_QUERY_SECURITY : 804FA88E
10:47:49:171 3320 IRP_MJ_SET_SECURITY : 804FA88E
10:47:49:171 3320 IRP_MJ_POWER : F8888C82
10:47:49:171 3320 IRP_MJ_SYSTEM_CONTROL : F888D99E
10:47:49:171 3320 IRP_MJ_DEVICE_CHANGE : 804FA88E
10:47:49:171 3320 IRP_MJ_QUERY_QUOTA : 804FA88E
10:47:49:171 3320 IRP_MJ_SET_QUOTA : 804FA88E
10:47:49:187 3320 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
10:47:49:187 3320
10:47:49:187 3320 Driver Name: Disk
10:47:49:187 3320 IRP_MJ_CREATE : F888CBB0
10:47:49:187 3320 IRP_MJ_CREATE_NAMED_PIPE : 804FA88E
10:47:49:187 3320 IRP_MJ_CLOSE : F888CBB0
10:47:49:187 3320 IRP_MJ_READ : F8886D1F
10:47:49:187 3320 IRP_MJ_WRITE : F8886D1F
10:47:49:187 3320 IRP_MJ_QUERY_INFORMATION : 804FA88E
10:47:49:187 3320 IRP_MJ_SET_INFORMATION : 804FA88E
10:47:49:187 3320 IRP_MJ_QUERY_EA : 804FA88E
10:47:49:187 3320 IRP_MJ_SET_EA : 804FA88E
10:47:49:187 3320 IRP_MJ_FLUSH_BUFFERS : F88872E2
10:47:49:187 3320 IRP_MJ_QUERY_VOLUME_INFORMATION : 804FA88E
10:47:49:187 3320 IRP_MJ_SET_VOLUME_INFORMATION : 804FA88E
10:47:49:187 3320 IRP_MJ_DIRECTORY_CONTROL : 804FA88E
10:47:49:187 3320 IRP_MJ_FILE_SYSTEM_CONTROL : 804FA88E
10:47:49:187 3320 IRP_MJ_DEVICE_CONTROL : F88873BB
10:47:49:187 3320 IRP_MJ_INTERNAL_DEVICE_CONTROL : F888AF28
10:47:49:187 3320 IRP_MJ_SHUTDOWN : F88872E2
10:47:49:187 3320 IRP_MJ_LOCK_CONTROL : 804FA88E
10:47:49:187 3320 IRP_MJ_CLEANUP : 804FA88E
10:47:49:187 3320 IRP_MJ_CREATE_MAILSLOT : 804FA88E
10:47:49:187 3320 IRP_MJ_QUERY_SECURITY : 804FA88E
10:47:49:187 3320 IRP_MJ_SET_SECURITY : 804FA88E
10:47:49:187 3320 IRP_MJ_POWER : F8888C82
10:47:49:187 3320 IRP_MJ_SYSTEM_CONTROL : F888D99E
10:47:49:187 3320 IRP_MJ_DEVICE_CHANGE : 804FA88E
10:47:49:187 3320 IRP_MJ_QUERY_QUOTA : 804FA88E
10:47:49:187 3320 IRP_MJ_SET_QUOTA : 804FA88E
10:47:49:187 3320 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
10:47:49:187 3320
10:47:49:187 3320 Driver Name: USBSTOR
10:47:49:187 3320 IRP_MJ_CREATE : F8C3B218
10:47:49:187 3320 IRP_MJ_CREATE_NAMED_PIPE : 804FA88E
10:47:49:187 3320 IRP_MJ_CLOSE : F8C3B218
10:47:49:187 3320 IRP_MJ_READ : F8C3B23C
10:47:49:187 3320 IRP_MJ_WRITE : F8C3B23C
10:47:49:187 3320 IRP_MJ_QUERY_INFORMATION : 804FA88E
10:47:49:187 3320 IRP_MJ_SET_INFORMATION : 804FA88E
10:47:49:187 3320 IRP_MJ_QUERY_EA : 804FA88E
10:47:49:187 3320 IRP_MJ_SET_EA : 804FA88E
10:47:49:187 3320 IRP_MJ_FLUSH_BUFFERS : 804FA88E
10:47:49:187 3320 IRP_MJ_QUERY_VOLUME_INFORMATION : 804FA88E
10:47:49:187 3320 IRP_MJ_SET_VOLUME_INFORMATION : 804FA88E
10:47:49:187 3320 IRP_MJ_DIRECTORY_CONTROL : 804FA88E
10:47:49:187 3320 IRP_MJ_FILE_SYSTEM_CONTROL : 804FA88E
10:47:49:187 3320 IRP_MJ_DEVICE_CONTROL : F8C3B180
10:47:49:187 3320 IRP_MJ_INTERNAL_DEVICE_CONTROL : F8C369E6
10:47:49:187 3320 IRP_MJ_SHUTDOWN : 804FA88E
10:47:49:187 3320 IRP_MJ_LOCK_CONTROL : 804FA88E
10:47:49:187 3320 IRP_MJ_CLEANUP : 804FA88E
10:47:49:187 3320 IRP_MJ_CREATE_MAILSLOT : 804FA88E
10:47:49:187 3320 IRP_MJ_QUERY_SECURITY : 804FA88E
10:47:49:187 3320 IRP_MJ_SET_SECURITY : 804FA88E
10:47:49:187 3320 IRP_MJ_POWER : F8C3A5F0
10:47:49:187 3320 IRP_MJ_SYSTEM_CONTROL : F8C38A6E
10:47:49:187 3320 IRP_MJ_DEVICE_CHANGE : 804FA88E
10:47:49:187 3320 IRP_MJ_QUERY_QUOTA : 804FA88E
10:47:49:187 3320 IRP_MJ_SET_QUOTA : 804FA88E
10:47:49:234 3320 C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS - Verdict: 1
10:47:49:234 3320
10:47:49:234 3320 Driver Name: Disk
10:47:49:234 3320 IRP_MJ_CREATE : F888CBB0
10:47:49:234 3320 IRP_MJ_CREATE_NAMED_PIPE : 804FA88E
10:47:49:234 3320 IRP_MJ_CLOSE : F888CBB0
10:47:49:234 3320 IRP_MJ_READ : F8886D1F
10:47:49:234 3320 IRP_MJ_WRITE : F8886D1F
10:47:49:234 3320 IRP_MJ_QUERY_INFORMATION : 804FA88E
10:47:49:234 3320 IRP_MJ_SET_INFORMATION : 804FA88E
10:47:49:234 3320 IRP_MJ_QUERY_EA : 804FA88E
10:47:49:234 3320 IRP_MJ_SET_EA : 804FA88E
10:47:49:234 3320 IRP_MJ_FLUSH_BUFFERS : F88872E2
10:47:49:234 3320 IRP_MJ_QUERY_VOLUME_INFORMATION : 804FA88E
10:47:49:234 3320 IRP_MJ_SET_VOLUME_INFORMATION : 804FA88E
10:47:49:234 3320 IRP_MJ_DIRECTORY_CONTROL : 804FA88E
10:47:49:234 3320 IRP_MJ_FILE_SYSTEM_CONTROL : 804FA88E
10:47:49:234 3320 IRP_MJ_DEVICE_CONTROL : F88873BB
10:47:49:234 3320 IRP_MJ_INTERNAL_DEVICE_CONTROL : F888AF28
10:47:49:234 3320 IRP_MJ_SHUTDOWN : F88872E2
10:47:49:234 3320 IRP_MJ_LOCK_CONTROL : 804FA88E
10:47:49:234 3320 IRP_MJ_CLEANUP : 804FA88E
10:47:49:234 3320 IRP_MJ_CREATE_MAILSLOT : 804FA88E
10:47:49:234 3320 IRP_MJ_QUERY_SECURITY : 804FA88E
10:47:49:234 3320 IRP_MJ_SET_SECURITY : 804FA88E
10:47:49:234 3320 IRP_MJ_POWER : F8888C82
10:47:49:234 3320 IRP_MJ_SYSTEM_CONTROL : F888D99E
10:47:49:234 3320 IRP_MJ_DEVICE_CHANGE : 804FA88E
10:47:49:234 3320 IRP_MJ_QUERY_QUOTA : 804FA88E
10:47:49:234 3320 IRP_MJ_SET_QUOTA : 804FA88E
10:47:49:234 3320 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
10:47:49:234 3320
10:47:49:234 3320 Driver Name: Disk
10:47:49:234 3320 IRP_MJ_CREATE : F888CBB0
10:47:49:234 3320 IRP_MJ_CREATE_NAMED_PIPE : 804FA88E
10:47:49:234 3320 IRP_MJ_CLOSE : F888CBB0
10:47:49:234 3320 IRP_MJ_READ : F8886D1F
10:47:49:234 3320 IRP_MJ_WRITE : F8886D1F
10:47:49:234 3320 IRP_MJ_QUERY_INFORMATION : 804FA88E
10:47:49:234 3320 IRP_MJ_SET_INFORMATION : 804FA88E
10:47:49:234 3320 IRP_MJ_QUERY_EA : 804FA88E
10:47:49:234 3320 IRP_MJ_SET_EA : 804FA88E
10:47:49:234 3320 IRP_MJ_FLUSH_BUFFERS : F88872E2
10:47:49:234 3320 IRP_MJ_QUERY_VOLUME_INFORMATION : 804FA88E
10:47:49:234 3320 IRP_MJ_SET_VOLUME_INFORMATION : 804FA88E
10:47:49:234 3320 IRP_MJ_DIRECTORY_CONTROL : 804FA88E
10:47:49:234 3320 IRP_MJ_FILE_SYSTEM_CONTROL : 804FA88E
10:47:49:234 3320 IRP_MJ_DEVICE_CONTROL : F88873BB
10:47:49:234 3320 IRP_MJ_INTERNAL_DEVICE_CONTROL : F888AF28
10:47:49:234 3320 IRP_MJ_SHUTDOWN : F88872E2
10:47:49:234 3320 IRP_MJ_LOCK_CONTROL : 804FA88E
10:47:49:234 3320 IRP_MJ_CLEANUP : 804FA88E
10:47:49:234 3320 IRP_MJ_CREATE_MAILSLOT : 804FA88E
10:47:49:234 3320 IRP_MJ_QUERY_SECURITY : 804FA88E
10:47:49:234 3320 IRP_MJ_SET_SECURITY : 804FA88E
10:47:49:234 3320 IRP_MJ_POWER : F8888C82
10:47:49:234 3320 IRP_MJ_SYSTEM_CONTROL : F888D99E
10:47:49:234 3320 IRP_MJ_DEVICE_CHANGE : 804FA88E
10:47:49:234 3320 IRP_MJ_QUERY_QUOTA : 804FA88E
10:47:49:234 3320 IRP_MJ_SET_QUOTA : 804FA88E
10:47:49:234 3320 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
10:47:49:234 3320
10:47:49:234 3320 Driver Name: Disk
10:47:49:234 3320 IRP_MJ_CREATE : F888CBB0
10:47:49:234 3320 IRP_MJ_CREATE_NAMED_PIPE : 804FA88E
10:47:49:234 3320 IRP_MJ_CLOSE : F888CBB0
10:47:49:234 3320 IRP_MJ_READ : F8886D1F
10:47:49:234 3320 IRP_MJ_WRITE : F8886D1F
10:47:49:234 3320 IRP_MJ_QUERY_INFORMATION : 804FA88E
10:47:49:234 3320 IRP_MJ_SET_INFORMATION : 804FA88E
10:47:49:234 3320 IRP_MJ_QUERY_EA : 804FA88E
10:47:49:234 3320 IRP_MJ_SET_EA : 804FA88E
10:47:49:234 3320 IRP_MJ_FLUSH_BUFFERS : F88872E2
10:47:49:234 3320 IRP_MJ_QUERY_VOLUME_INFORMATION : 804FA88E
10:47:49:234 3320 IRP_MJ_SET_VOLUME_INFORMATION : 804FA88E
10:47:49:234 3320 IRP_MJ_DIRECTORY_CONTROL : 804FA88E
10:47:49:234 3320 IRP_MJ_FILE_SYSTEM_CONTROL : 804FA88E
10:47:49:234 3320 IRP_MJ_DEVICE_CONTROL : F88873BB
10:47:49:234 3320 IRP_MJ_INTERNAL_DEVICE_CONTROL : F888AF28
10:47:49:234 3320 IRP_MJ_SHUTDOWN : F88872E2
10:47:49:234 3320 IRP_MJ_LOCK_CONTROL : 804FA88E
10:47:49:234 3320 IRP_MJ_CLEANUP : 804FA88E
10:47:49:234 3320 IRP_MJ_CREATE_MAILSLOT : 804FA88E
10:47:49:234 3320 IRP_MJ_QUERY_SECURITY : 804FA88E
10:47:49:234 3320 IRP_MJ_SET_SECURITY : 804FA88E
10:47:49:234 3320 IRP_MJ_POWER : F8888C82
10:47:49:234 3320 IRP_MJ_SYSTEM_CONTROL : F888D99E
10:47:49:234 3320 IRP_MJ_DEVICE_CHANGE : 804FA88E
10:47:49:234 3320 IRP_MJ_QUERY_QUOTA : 804FA88E
10:47:49:234 3320 IRP_MJ_SET_QUOTA : 804FA88E
10:47:49:250 3320 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
10:47:49:250 3320
10:47:49:250 3320 Driver Name: Disk
10:47:49:250 3320 IRP_MJ_CREATE : F888CBB0
10:47:49:250 3320 IRP_MJ_CREATE_NAMED_PIPE : 804FA88E
10:47:49:250 3320 IRP_MJ_CLOSE : F888CBB0
10:47:49:250 3320 IRP_MJ_READ : F8886D1F
10:47:49:250 3320 IRP_MJ_WRITE : F8886D1F
10:47:49:250 3320 IRP_MJ_QUERY_INFORMATION : 804FA88E
10:47:49:250 3320 IRP_MJ_SET_INFORMATION : 804FA88E
10:47:49:250 3320 IRP_MJ_QUERY_EA : 804FA88E
10:47:49:250 3320 IRP_MJ_SET_EA : 804FA88E
10:47:49:250 3320 IRP_MJ_FLUSH_BUFFERS : F88872E2
10:47:49:250 3320 IRP_MJ_QUERY_VOLUME_INFORMATION : 804FA88E
10:47:49:250 3320 IRP_MJ_SET_VOLUME_INFORMATION : 804FA88E
10:47:49:250 3320 IRP_MJ_DIRECTORY_CONTROL : 804FA88E
10:47:49:250 3320 IRP_MJ_FILE_SYSTEM_CONTROL : 804FA88E
10:47:49:250 3320 IRP_MJ_DEVICE_CONTROL : F88873BB
10:47:49:250 3320 IRP_MJ_INTERNAL_DEVICE_CONTROL : F888AF28
10:47:49:250 3320 IRP_MJ_SHUTDOWN : F88872E2
10:47:49:250 3320 IRP_MJ_LOCK_CONTROL : 804FA88E
10:47:49:250 3320 IRP_MJ_CLEANUP : 804FA88E
10:47:49:250 3320 IRP_MJ_CREATE_MAILSLOT : 804FA88E
10:47:49:250 3320 IRP_MJ_QUERY_SECURITY : 804FA88E
10:47:49:250 3320 IRP_MJ_SET_SECURITY : 804FA88E
10:47:49:250 3320 IRP_MJ_POWER : F8888C82
10:47:49:250 3320 IRP_MJ_SYSTEM_CONTROL : F888D99E
10:47:49:250 3320 IRP_MJ_DEVICE_CHANGE : 804FA88E
10:47:49:250 3320 IRP_MJ_QUERY_QUOTA : 804FA88E
10:47:49:250 3320 IRP_MJ_SET_QUOTA : 804FA88E
10:47:49:250 3320 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
10:47:49:250 3320
10:47:49:250 3320 Driver Name: USBSTOR
10:47:49:250 3320 IRP_MJ_CREATE : F8C3B218
10:47:49:250 3320 IRP_MJ_CREATE_NAMED_PIPE : 804FA88E
10:47:49:250 3320 IRP_MJ_CLOSE : F8C3B218
10:47:49:250 3320 IRP_MJ_READ : F8C3B23C
10:47:49:250 3320 IRP_MJ_WRITE : F8C3B23C
10:47:49:250 3320 IRP_MJ_QUERY_INFORMATION : 804FA88E
10:47:49:250 3320 IRP_MJ_SET_INFORMATION : 804FA88E
10:47:49:250 3320 IRP_MJ_QUERY_EA : 804FA88E
10:47:49:250 3320 IRP_MJ_SET_EA : 804FA88E
10:47:49:250 3320 IRP_MJ_FLUSH_BUFFERS : 804FA88E
10:47:49:250 3320 IRP_MJ_QUERY_VOLUME_INFORMATION : 804FA88E
10:47:49:250 3320 IRP_MJ_SET_VOLUME_INFORMATION : 804FA88E
10:47:49:250 3320 IRP_MJ_DIRECTORY_CONTROL : 804FA88E
10:47:49:250 3320 IRP_MJ_FILE_SYSTEM_CONTROL : 804FA88E
10:47:49:250 3320 IRP_MJ_DEVICE_CONTROL : F8C3B180
10:47:49:250 3320 IRP_MJ_INTERNAL_DEVICE_CONTROL : F8C369E6
10:47:49:250 3320 IRP_MJ_SHUTDOWN : 804FA88E
10:47:49:250 3320 IRP_MJ_LOCK_CONTROL : 804FA88E
10:47:49:250 3320 IRP_MJ_CLEANUP : 804FA88E
10:47:49:250 3320 IRP_MJ_CREATE_MAILSLOT : 804FA88E
10:47:49:250 3320 IRP_MJ_QUERY_SECURITY : 804FA88E
10:47:49:250 3320 IRP_MJ_SET_SECURITY : 804FA88E
10:47:49:250 3320 IRP_MJ_POWER : F8C3A5F0
10:47:49:250 3320 IRP_MJ_SYSTEM_CONTROL : F8C38A6E
10:47:49:250 3320 IRP_MJ_DEVICE_CHANGE : 804FA88E
10:47:49:250 3320 IRP_MJ_QUERY_QUOTA : 804FA88E
10:47:49:250 3320 IRP_MJ_SET_QUOTA : 804FA88E
10:47:49:250 3320 C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS - Verdict: 1
10:47:49:250 3320
10:47:49:250 3320 Driver Name: USBSTOR
10:47:49:250 3320 IRP_MJ_CREATE : F8C3B218
10:47:49:250 3320 IRP_MJ_CREATE_NAMED_PIPE : 804FA88E
10:47:49:250 3320 IRP_MJ_CLOSE : F8C3B218
10:47:49:250 3320 IRP_MJ_READ : F8C3B23C
10:47:49:250 3320 IRP_MJ_WRITE : F8C3B23C
10:47:49:250 3320 IRP_MJ_QUERY_INFORMATION : 804FA88E
10:47:49:250 3320 IRP_MJ_SET_INFORMATION : 804FA88E
10:47:49:250 3320 IRP_MJ_QUERY_EA : 804FA88E
10:47:49:250 3320 IRP_MJ_SET_EA : 804FA88E
10:47:49:250 3320 IRP_MJ_FLUSH_BUFFERS : 804FA88E
10:47:49:250 3320 IRP_MJ_QUERY_VOLUME_INFORMATION : 804FA88E
10:47:49:250 3320 IRP_MJ_SET_VOLUME_INFORMATION : 804FA88E
10:47:49:250 3320 IRP_MJ_DIRECTORY_CONTROL : 804FA88E
10:47:49:250 3320 IRP_MJ_FILE_SYSTEM_CONTROL : 804FA88E
10:47:49:250 3320 IRP_MJ_DEVICE_CONTROL : F8C3B180
10:47:49:250 3320 IRP_MJ_INTERNAL_DEVICE_CONTROL : F8C369E6
10:47:49:250 3320 IRP_MJ_SHUTDOWN : 804FA88E
10:47:49:250 3320 IRP_MJ_LOCK_CONTROL : 804FA88E
10:47:49:250 3320 IRP_MJ_CLEANUP : 804FA88E
10:47:49:250 3320 IRP_MJ_CREATE_MAILSLOT : 804FA88E
10:47:49:250 3320 IRP_MJ_QUERY_SECURITY : 804FA88E
10:47:49:250 3320 IRP_MJ_SET_SECURITY : 804FA88E
10:47:49:250 3320 IRP_MJ_POWER : F8C3A5F0
10:47:49:250 3320 IRP_MJ_SYSTEM_CONTROL : F8C38A6E
10:47:49:250 3320 IRP_MJ_DEVICE_CHANGE : 804FA88E
10:47:49:250 3320 IRP_MJ_QUERY_QUOTA : 804FA88E
10:47:49:250 3320 IRP_MJ_SET_QUOTA : 804FA88E
10:47:49:250 3320 C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS - Verdict: 1
10:47:49:250 3320
10:47:49:250 3320 Driver Name: USBSTOR
10:47:49:250 3320 IRP_MJ_CREATE : F8C3B218
10:47:49:250 3320 IRP_MJ_CREATE_NAMED_PIPE : 804FA88E
10:47:49:250 3320 IRP_MJ_CLOSE : F8C3B218
10:47:49:250 3320 IRP_MJ_READ : F8C3B23C
10:47:49:250 3320 IRP_MJ_WRITE : F8C3B23C
10:47:49:250 3320 IRP_MJ_QUERY_INFORMATION : 804FA88E
10:47:49:250 3320 IRP_MJ_SET_INFORMATION : 804FA88E
10:47:49:250 3320 IRP_MJ_QUERY_EA : 804FA88E
10:47:49:250 3320 IRP_MJ_SET_EA : 804FA88E
10:47:49:250 3320 IRP_MJ_FLUSH_BUFFERS : 804FA88E
10:47:49:250 3320 IRP_MJ_QUERY_VOLUME_INFORMATION : 804FA88E
10:47:49:250 3320 IRP_MJ_SET_VOLUME_INFORMATION : 804FA88E
10:47:49:250 3320 IRP_MJ_DIRECTORY_CONTROL : 804FA88E
10:47:49:250 3320 IRP_MJ_FILE_SYSTEM_CONTROL : 804FA88E
10:47:49:250 3320 IRP_MJ_DEVICE_CONTROL : F8C3B180
10:47:49:250 3320 IRP_MJ_INTERNAL_DEVICE_CONTROL : F8C369E6
10:47:49:250 3320 IRP_MJ_SHUTDOWN : 804FA88E
10:47:49:250 3320 IRP_MJ_LOCK_CONTROL : 804FA88E
10:47:49:250 3320 IRP_MJ_CLEANUP : 804FA88E
10:47:49:250 3320 IRP_MJ_CREATE_MAILSLOT : 804FA88E
10:47:49:250 3320 IRP_MJ_QUERY_SECURITY : 804FA88E
10:47:49:250 3320 IRP_MJ_SET_SECURITY : 804FA88E
10:47:49:250 3320 IRP_MJ_POWER : F8C3A5F0
10:47:49:250 3320 IRP_MJ_SYSTEM_CONTROL : F8C38A6E
10:47:49:250 3320 IRP_MJ_DEVICE_CHANGE : 804FA88E
10:47:49:250 3320 IRP_MJ_QUERY_QUOTA : 804FA88E
10:47:49:250 3320 IRP_MJ_SET_QUOTA : 804FA88E
10:47:49:250 3320 C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS - Verdict: 1
10:47:49:250 3320
10:47:49:250 3320 Driver Name: USBSTOR
10:47:49:250 3320 IRP_MJ_CREATE : F8C3B218
10:47:49:250 3320 IRP_MJ_CREATE_NAMED_PIPE : 804FA88E
10:47:49:250 3320 IRP_MJ_CLOSE : F8C3B218
10:47:49:250 3320 IRP_MJ_READ : F8C3B23C
10:47:49:250 3320 IRP_MJ_WRITE : F8C3B23C
10:47:49:250 3320 IRP_MJ_QUERY_INFORMATION : 804FA88E
10:47:49:250 3320 IRP_MJ_SET_INFORMATION : 804FA88E
10:47:49:250 3320 IRP_MJ_QUERY_EA : 804FA88E
10:47:49:250 3320 IRP_MJ_SET_EA : 804FA88E
10:47:49:250 3320 IRP_MJ_FLUSH_BUFFERS : 804FA88E
10:47:49:250 3320 IRP_MJ_QUERY_VOLUME_INFORMATION : 804FA88E
10:47:49:250 3320 IRP_MJ_SET_VOLUME_INFORMATION : 804FA88E
10:47:49:250 3320 IRP_MJ_DIRECTORY_CONTROL : 804FA88E
10:47:49:250 3320 IRP_MJ_FILE_SYSTEM_CONTROL : 804FA88E
10:47:49:250 3320 IRP_MJ_DEVICE_CONTROL : F8C3B180
10:47:49:265 3320 IRP_MJ_INTERNAL_DEVICE_CONTROL : F8C369E6
10:47:49:265 3320 IRP_MJ_SHUTDOWN : 804FA88E
10:47:49:265 3320 IRP_MJ_LOCK_CONTROL : 804FA88E
10:47:49:265 3320 IRP_MJ_CLEANUP : 804FA88E
10:47:49:265 3320 IRP_MJ_CREATE_MAILSLOT : 804FA88E
10:47:49:265 3320 IRP_MJ_QUERY_SECURITY : 804FA88E
10:47:49:265 3320 IRP_MJ_SET_SECURITY : 804FA88E
10:47:49:265 3320 IRP_MJ_POWER : F8C3A5F0
10:47:49:265 3320 IRP_MJ_SYSTEM_CONTROL : F8C38A6E
10:47:49:265 3320 IRP_MJ_DEVICE_CHANGE : 804FA88E
10:47:49:265 3320 IRP_MJ_QUERY_QUOTA : 804FA88E
10:47:49:265 3320 IRP_MJ_SET_QUOTA : 804FA88E
10:47:49:265 3320 C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS - Verdict: 1
10:47:49:265 3320
10:47:49:265 3320 Driver Name: USBSTOR
10:47:49:265 3320 IRP_MJ_CREATE : F8C3B218
10:47:49:265 3320 IRP_MJ_CREATE_NAMED_PIPE : 804FA88E
10:47:49:265 3320 IRP_MJ_CLOSE : F8C3B218
10:47:49:265 3320 IRP_MJ_READ : F8C3B23C
10:47:49:265 3320 IRP_MJ_WRITE : F8C3B23C
10:47:49:265 3320 IRP_MJ_QUERY_INFORMATION : 804FA88E
10:47:49:265 3320 IRP_MJ_SET_INFORMATION : 804FA88E
10:47:49:265 3320 IRP_MJ_QUERY_EA : 804FA88E
10:47:49:265 3320 IRP_MJ_SET_EA : 804FA88E
10:47:49:265 3320 IRP_MJ_FLUSH_BUFFERS : 804FA88E
10:47:49:265 3320 IRP_MJ_QUERY_VOLUME_INFORMATION : 804FA88E
10:47:49:265 3320 IRP_MJ_SET_VOLUME_INFORMATION : 804FA88E
10:47:49:265 3320 IRP_MJ_DIRECTORY_CONTROL : 804FA88E
10:47:49:265 3320 IRP_MJ_FILE_SYSTEM_CONTROL : 804FA88E
10:47:49:265 3320 IRP_MJ_DEVICE_CONTROL : F8C3B180
10:47:49:265 3320 IRP_MJ_INTERNAL_DEVICE_CONTROL : F8C369E6
10:47:49:265 3320 IRP_MJ_SHUTDOWN : 804FA88E
10:47:49:265 3320 IRP_MJ_LOCK_CONTROL : 804FA88E
10:47:49:265 3320 IRP_MJ_CLEANUP : 804FA88E
10:47:49:265 3320 IRP_MJ_CREATE_MAILSLOT : 804FA88E
10:47:49:265 3320 IRP_MJ_QUERY_SECURITY : 804FA88E
10:47:49:265 3320 IRP_MJ_SET_SECURITY : 804FA88E
10:47:49:265 3320 IRP_MJ_POWER : F8C3A5F0
10:47:49:265 3320 IRP_MJ_SYSTEM_CONTROL : F8C38A6E
10:47:49:265 3320 IRP_MJ_DEVICE_CHANGE : 804FA88E
10:47:49:265 3320 IRP_MJ_QUERY_QUOTA : 804FA88E
10:47:49:265 3320 IRP_MJ_SET_QUOTA : 804FA88E
10:47:49:265 3320 C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS - Verdict: 1
10:47:49:265 3320
10:47:49:265 3320 Driver Name: Disk
10:47:49:265 3320 IRP_MJ_CREATE : F888CBB0
10:47:49:265 3320 IRP_MJ_CREATE_NAMED_PIPE : 804FA88E
10:47:49:265 3320 IRP_MJ_CLOSE : F888CBB0
10:47:49:265 3320 IRP_MJ_READ : F8886D1F
10:47:49:265 3320 IRP_MJ_WRITE : F8886D1F
10:47:49:265 3320 IRP_MJ_QUERY_INFORMATION : 804FA88E
10:47:49:265 3320 IRP_MJ_SET_INFORMATION : 804FA88E
10:47:49:265 3320 IRP_MJ_QUERY_EA : 804FA88E
10:47:49:265 3320 IRP_MJ_SET_EA : 804FA88E
10:47:49:265 3320 IRP_MJ_FLUSH_BUFFERS : F88872E2
10:47:49:265 3320 IRP_MJ_QUERY_VOLUME_INFORMATION : 804FA88E
10:47:49:265 3320 IRP_MJ_SET_VOLUME_INFORMATION : 804FA88E
10:47:49:265 3320 IRP_MJ_DIRECTORY_CONTROL : 804FA88E
10:47:49:265 3320 IRP_MJ_FILE_SYSTEM_CONTROL : 804FA88E
10:47:49:265 3320 IRP_MJ_DEVICE_CONTROL : F88873BB
10:47:49:265 3320 IRP_MJ_INTERNAL_DEVICE_CONTROL : F888AF28
10:47:49:265 3320 IRP_MJ_SHUTDOWN : F88872E2
10:47:49:265 3320 IRP_MJ_LOCK_CONTROL : 804FA88E
10:47:49:265 3320 IRP_MJ_CLEANUP : 804FA88E
10:47:49:265 3320 IRP_MJ_CREATE_MAILSLOT : 804FA88E
10:47:49:265 3320 IRP_MJ_QUERY_SECURITY : 804FA88E
10:47:49:265 3320 IRP_MJ_SET_SECURITY : 804FA88E
10:47:49:265 3320 IRP_MJ_POWER : F8888C82
10:47:49:265 3320 IRP_MJ_SYSTEM_CONTROL : F888D99E
10:47:49:265 3320 IRP_MJ_DEVICE_CHANGE : 804FA88E
10:47:49:265 3320 IRP_MJ_QUERY_QUOTA : 804FA88E
10:47:49:265 3320 IRP_MJ_SET_QUOTA : 804FA88E
10:47:49:265 3320 C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: 1
10:47:49:265 3320
10:47:49:265 3320 Driver Name: atapi
10:47:49:265 3320 IRP_MJ_CREATE : F87916F2
10:47:49:265 3320 IRP_MJ_CREATE_NAMED_PIPE : 804FA88E
10:47:49:265 3320 IRP_MJ_CLOSE : F87916F2
10:47:49:265 3320 IRP_MJ_READ : 804FA88E
10:47:49:265 3320 IRP_MJ_WRITE : 804FA88E
10:47:49:265 3320 IRP_MJ_QUERY_INFORMATION : 804FA88E
10:47:49:265 3320 IRP_MJ_SET_INFORMATION : 804FA88E
10:47:49:265 3320 IRP_MJ_QUERY_EA : 804FA88E
10:47:49:265 3320 IRP_MJ_SET_EA : 804FA88E
10:47:49:265 3320 IRP_MJ_FLUSH_BUFFERS : 804FA88E
10:47:49:265 3320 IRP_MJ_QUERY_VOLUME_INFORMATION : 804FA88E
10:47:49:265 3320 IRP_MJ_SET_VOLUME_INFORMATION : 804FA88E
10:47:49:265 3320 IRP_MJ_DIRECTORY_CONTROL : 804FA88E
10:47:49:265 3320 IRP_MJ_FILE_SYSTEM_CONTROL : 804FA88E
10:47:49:265 3320 IRP_MJ_DEVICE_CONTROL : F8791712
10:47:49:265 3320 IRP_MJ_INTERNAL_DEVICE_CONTROL : F878D852
10:47:49:265 3320 IRP_MJ_SHUTDOWN : 804FA88E
10:47:49:265 3320 IRP_MJ_LOCK_CONTROL : 804FA88E
10:47:49:265 3320 IRP_MJ_CLEANUP : 804FA88E
10:47:49:265 3320 IRP_MJ_CREATE_MAILSLOT : 804FA88E
10:47:49:265 3320 IRP_MJ_QUERY_SECURITY : 804FA88E
10:47:49:265 3320 IRP_MJ_SET_SECURITY : 804FA88E
10:47:49:265 3320 IRP_MJ_POWER : F879173C
10:47:49:265 3320 IRP_MJ_SYSTEM_CONTROL : F8798336
10:47:49:265 3320 IRP_MJ_DEVICE_CHANGE : 804FA88E
10:47:49:265 3320 IRP_MJ_QUERY_QUOTA : 804FA88E
10:47:49:265 3320 IRP_MJ_SET_QUOTA : 804FA88E
10:47:49:281 3320 C:\WINDOWS\system32\DRIVERS\atapi.sys - Verdict: 1
10:47:49:281 3320
10:47:49:281 3320 Completed
10:47:49:281 3320
10:47:49:281 3320 Results:
10:47:49:281 3320 Memory objects infected / cured / cured on reboot: 0 / 0 / 0
10:47:49:281 3320 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
10:47:49:281 3320 File objects infected / cured / cured on reboot: 0 / 0 / 0
10:47:49:281 3320
10:47:49:281 3320 fclose_ex: Trying to close file C:\WINDOWS\system32\config\system
10:47:49:281 3320 fclose_ex: Trying to close file C:\WINDOWS\system32\config\software
10:47:49:281 3320 KLMD(ARK) unloaded successfully


#6 thewall

thewall

  • Malware Response Team
  • 6,425 posts
  • Gender:Male
  • Location:Florida
  • Local time:09:02 AM

Posted 10 May 2010 - 10:28 AM

Are you still experiencing redirections to other sites?
If I have helped you then please consider donating so I can continue the fight against malware
All donations go directly to the helper

Due to the large amount of backlogs we have I cannot respond to PMs for help unless I am already working with you

#7 saltydogs

saltydogs
  • Topic Starter

  • Members
  • 74 posts
  • Local time:08:02 AM

Posted 10 May 2010 - 11:42 AM

I haven't had any redirect problems the last few hours. My PC seems to be running OK, but slow. I believe that is another issue though.

#8 thewall

thewall

  • Malware Response Team
  • 6,425 posts
  • Gender:Male
  • Location:Florida
  • Local time:09:02 AM

Posted 10 May 2010 - 12:37 PM

We still have some looking to do but I needed to know about the redirection problem to see if I needed to keep pursuing that particular symptom. We'll run another scan now and see what it will show:



It's important to run this online scan to search for any remnants. It can take some time, so please be patient and allow it to run its full course:



Please perform a scan with Kaspersky Online Virus Scanner.
-- Requires free Java Runtime Environment (JRE) to be installed before scanning for malware as ActiveX is no longer being used.
-- This scan will not remove any detected file threats but it will show where they are located so they can be cleaned with other tools.
  • Vista users need to right-click the IE or FF Start Menu or Quick Launch Bar icons and Run As Administrator from the context menu.
  • Read the "Advantages - Requirements and Limitations" then press the ... button.
  • You will be prompted to install an application from Kaspersky. Click the Run button. It will start downloading and installing the scanner and virus definitions.
  • When the downloads have finished, you should see 'Database is updated. Ready to scan'. Click on the ... button.
  • Make sure these boxes are checked. By default, they should be. If not, please check them and click on the ... button afterwards:
    • Detect malicious programs of the following categories:
      Viruses, Worms, Trojan Horses, Rootkits
      Spyware, Adware, Dialers and other potentially dangerous programs
    • Scan compound files (doesn't apply to the File scan area):
      Archives
      Mail databases
  • Click on My Computer under the Scan section. OK any warnings from your protection programs.
  • The scan will take a while so be patient and do NOT use the computer while the scan is running. Keep all other programs and windows closed.
  • Once the scan is complete (the 'status' will show complete), click on View Scan Report and any infected objects will be shown.
  • Click on Save Report As... and change the Files of type to Text file (.txt)
  • Name the file KAVScan_ddmmyy (day, month, year) before clicking on the Save button and save it to your Desktop.
  • Copy and paste (Ctrl+C) the saved scan results from that file in your next reply.
-- Note: Some online scanners will detect existing anti-virus software and refuse to cooperate. You may have to disable the real-time protection components of your existing anti-virus and try running the scan again. If you do this, remember to turn them back on after you are finished.



#9 saltydogs

saltydogs
  • Topic Starter

  • Members
  • 74 posts
  • Local time:08:02 AM

Posted 11 May 2010 - 11:20 AM

I am getting ready to run the Kaspersky Online Virus Scanner, but when I get to Settings, the "Viruses, Worms, Trojan Horses, Rootkits" button under "Detect malicious programs of the following categories:" is there but not available; it is grayed out and cannot be checked. Should I run the scan anyways?

#10 thewall

thewall

  • Malware Response Team
  • 6,425 posts
  • Gender:Male
  • Location:Florida
  • Local time:09:02 AM

Posted 11 May 2010 - 12:02 PM

No, let's try to run the following instead. Uncheck where it says to remove found threats before you do. We can go back and rerun it after we see what it finds.



I'd like us to scan your machine with ESET OnlineScan
  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  2. Click the button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    1. Click on to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the icon on your desktop.
  4. Check
  5. Click the button.
  6. Accept any security warnings from your browser.
  7. Check
  8. Push the Start button.
  9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  10. When the scan completes, push
  11. Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  12. Push the button.
  13. Push





#11 thewall

thewall

  • Malware Response Team
  • 6,425 posts
  • Gender:Male
  • Location:Florida
  • Local time:09:02 AM

Posted 16 May 2010 - 04:11 PM

Are you still there?

#12 thewall

thewall

  • Malware Response Team
  • 6,425 posts
  • Gender:Male
  • Location:Florida
  • Local time:09:02 AM

Posted 17 May 2010 - 07:37 PM

Due to the lack of feedback, this topic is closed.

Should you need it reopened, please contact me by PM. Include the address of this thread in your request.

If you have a new issue, please start a New Topic.

This applies only to the original poster. Everyone else please begin a New Topic.