
Persistent Antimalware Doctor / possible virut and other infections


This topic is locked
12 replies to this topic

#1 ningo

Posted 14 May 2010 - 04:30 AM

Hi. Sorry, I am not very tech-minded, so please bear with me.

I got infected through a website and multiple pop-ups. The whole thing escalated into a blue screen and my computer crashed. Afterwards I was stuck with the I-Q Manager, and managed to unlock my computer using these instructions. I used the registration code to get rid of the program.

I was then stuck with a few others and kept getting pop-ups from Antimalware Doctor. I proceeded with these instructions. I ran MBAM and SUPERAntiSpyware a couple of times in safe mode. They removed a fair few things, and one of them was (I think) labelled as virut. Now when I go back to normal mode I get the Antimalware Doctor popping up again. It seems to be connected to gotnewupdate.exe (etc.). When I run Rkill it usually comes up with gotnewupdate.exe, and occasionally there are other programs visible there too (I attached the last Rkill log I ran in case it would be helpful).

Then, as my McAfee wasn't working properly, I uninstalled it and installed Avast. I kept getting a blue screen as soon as Windows fired up, and was only able to use the computer in safe mode. I uninstalled Avast, and now I am able to use the computer normally again.

I've run DDS, but was unable to complete GMER as every time it scanned I got a blue screen. Attached is what I have got, i.e. the DDS files. What do you suggest I do next?

Thank you so much for your help already in advance!


---


DDS (Ver_10-03-17.01) - NTFSx86
Run by Irina at 0:39:07,33 on pe 14.05.2010
Internet Explorer: 7.0.6000.17037 BrowserJavaVersion: 1.6.0_05
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.358.1035.18.1918.1026 [GMT 1:00]

SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
SP: SUPERAntiSpyware *disabled* (Updated) {222A897C-5018-402e-943F-7E7AC8560DA7}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\system32\Ati2evxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\Ati2evxx.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\Dwm.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\RtHDVCpl.exe
C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe -k hpdevmgmt
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\System32\svchost.exe -k HPZ12
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k imgsvc
C:\firststeps\OnlineDiagnostic\TestManager\TestHandler.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
c:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
C:\Windows\system32\conime.exe
C:\Windows\explorer.exe
C:\Program Files\Java\jre1.6.0_05\bin\jucheck.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\explorer.exe
C:\Users\Irina\Desktop\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.google.com
uStart Page = hxxp://www.google.fi/
uSearch Bar = hxxp://www.google.com/ie
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [<NO NAME>]
uRun: [StartCCC] c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe
uRun: [MsnMsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [gotnewupdate000.exe] c:\users\irina\appdata\roaming\cd3bee6132db188bb7c555abd3aa269e\gotnewupdate000.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mRun: [RtHDVCpl] RtHDVCpl.exe
mRun: [SMSERIAL] c:\program files\motorola\smserial\sm56hlpr.exe
mRun: [recinfo795] c:\recinfo\RecInfo.exe
mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
mRun: [recinfo] RecInfo.exe
mRun: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_05\bin\jusched.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [hpqSRMon] c:\program files\hp\digital imaging\bin\hpqSRMon.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
mPolicies-system: EnableLUA = 0 (0x0)
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: V&ie Microsoft Exceliin - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: Vie Microsoft E&xceliin - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
mASetup: ccc-core-static - msiexec /fums {C61E8F12-31F1-C2E6-DC0C-505CBF2BEE57} /qb

================= FIREFOX ===================

FF - ProfilePath - c:\users\irina\appdata\roaming\mozilla\firefox\profiles\b0hqollt.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.pointshop.fi/ep_startpage.asp?do=sp&userid=3016053&tjecksum=5440959612&email=suklaatajakahvia@gmail.com&doAutoLogin=true
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.visited_color", "#551A8B");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.videoFeeds.handler", "ask");

============= SERVICES / DRIVERS ===============

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-6 68168]

=============== Created Last 30 ================

2010-05-13 23:35:05 0 ----a-w- c:\users\irina\defogger_reenable
2010-05-13 11:59:52 0 d-----w- c:\programdata\Alwil Software
2010-05-12 09:54:02 0 d-----w- c:\programdata\SUPERAntiSpyware.com
2010-05-12 09:53:41 0 d-----w- c:\users\irina\appdata\roaming\SUPERAntiSpyware.com
2010-05-12 09:53:41 0 d-----w- c:\program files\SUPERAntiSpyware
2010-05-12 09:51:48 0 d-----w- c:\program files\common files\Wise Installation Wizard
2010-05-12 01:47:08 930 ----a-w- c:\windows\lsrslt.ini
2010-05-11 23:46:28 0 d-----w- c:\users\irina\appdata\roaming\Malwarebytes
2010-05-11 23:46:13 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-11 23:46:12 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-11 23:46:12 0 d-----w- c:\programdata\Malwarebytes
2010-05-11 23:46:12 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-11 23:29:12 0 d-----w- c:\programdata\TEMP
2010-05-11 23:07:44 0 d-----w- c:\users\irina\appdata\roaming\GetRightToGo
2010-05-11 21:36:36 823808 ----a-w- c:\windows\system32\drivers\wqjtuap.sys
2010-05-11 21:35:08 0 d-sh--w- c:\users\irina\appdata\roaming\lowsec
2010-05-11 21:34:53 0 d-----w- c:\users\irina\appdata\roaming\CD3BEE6132DB188BB7C555ABD3AA269E
2010-05-09 16:30:49 0 d-----w- c:\program files\iPod
2010-05-09 16:30:33 0 d-----w- c:\programdata\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-05-09 16:30:33 0 d-----w- c:\program files\iTunes
2010-05-09 16:13:21 0 d-----w- c:\program files\Bonjour
2010-05-05 12:38:59 0 d-----w- c:\program files\Free PDF to Word Doc Converter
2010-04-30 16:05:14 0 d-----w- c:\users\irina\appdata\roaming\Quantitative Micro Software
2010-04-30 16:04:31 45 ---h--r- c:\windows\gsc_user.dat
2010-04-30 16:00:18 0 d-----w- c:\program files\EViews6SV
2010-04-26 17:29:24 0 d-----w- c:\programdata\Symantec
2010-04-26 17:29:24 0 d-----w- c:\programdata\Norton
2010-04-26 17:29:17 0 d-----w- c:\programdata\NortonInstaller
2010-04-26 16:59:54 0 d-----w- c:\programdata\Azureus
2010-04-26 16:59:39 0 d-----w- c:\users\irina\appdata\roaming\Azureus
2010-04-26 16:52:57 0 d-----w- c:\program files\Vuze
2010-04-26 16:52:50 0 d-----w- c:\program files\Conduit
2010-04-14 12:55:23 58368 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2010-04-14 12:55:22 211968 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2010-04-14 12:55:20 102400 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2010-04-14 12:55:10 3502480 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-04-14 12:55:09 3468168 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-04-14 12:51:55 171520 ----a-w- c:\windows\system32\wintrust.dll
2010-04-14 12:51:44 97792 ----a-w- c:\windows\system32\cabview.dll

==================== Find3M ====================

2010-05-13 23:10:28 85022 ----a-w- c:\windows\system32\perfc00B.dat
2010-05-13 23:10:28 462826 ----a-w- c:\windows\system32\perfh00B.dat
2010-05-09 16:15:47 86016 ----a-w- c:\windows\inf\infstrng.dat
2010-05-09 16:15:47 86016 ----a-w- c:\windows\inf\infstor.dat
2010-05-09 16:15:47 51200 ----a-w- c:\windows\inf\infpub.dat
2010-05-06 09:36:38 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-04-08 12:20:02 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-04-08 12:20:02 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-03-09 16:54:49 832512 ----a-w- c:\windows\system32\wininet.dll
2010-03-09 16:50:34 56320 ----a-w- c:\windows\system32\iesetup.dll
2010-03-09 16:50:25 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-03-09 16:48:34 72704 ----a-w- c:\windows\system32\admparse.dll
2010-03-09 14:17:48 26624 ----a-w- c:\windows\system32\ieUnatt.exe
2010-03-09 12:43:52 48128 ----a-w- c:\windows\system32\mshtmler.dll
2010-03-04 19:24:26 434176 ----a-w- c:\windows\system32\vbscript.dll
2010-02-23 16:03:32 164816 ----a-w- c:\windows\hpoins21.dat
2010-02-20 23:54:40 24064 ----a-w- c:\windows\system32\nshhttp.dll
2010-02-20 23:51:43 31232 ----a-w- c:\windows\system32\httpapi.dll
2010-02-19 23:47:50 3604480 ----a-w- c:\windows\system32\GPhotos.scr
2010-02-18 14:19:34 179712 ----a-w- c:\windows\system32\iphlpsvc.dll
2010-02-18 14:01:48 167424 ----a-w- c:\windows\system32\tcpipcfg.dll
2010-02-18 13:56:56 416768 ----a-w- c:\windows\system32\IKEEXT.DLL
2010-02-18 13:56:27 543232 ----a-w- c:\windows\system32\FWPUCLNT.DLL
2010-02-18 13:55:43 317440 ----a-w- c:\windows\system32\BFE.DLL
2010-02-18 11:51:11 22016 ----a-w- c:\windows\system32\netiougc.exe
2008-12-11 13:31:36 174 --sha-w- c:\program files\desktop.ini
2008-06-13 09:28:40 665600 ----a-w- c:\windows\inf\drvindex.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2006-11-02 09:20:21 287440 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2006-11-02 09:20:19 30674 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
1999-09-10 18:31:01 36790 ----a-w- c:\windows\inf\perflib\040b\perfd.dat
1999-09-10 18:31:01 36790 ----a-w- c:\windows\inf\perflib\040b\perfc.dat
1999-09-10 18:31:01 274158 ----a-w- c:\windows\inf\perflib\040b\perfi.dat
1999-09-10 18:31:01 274158 ----a-w- c:\windows\inf\perflib\040b\perfh.dat
2007-12-30 21:06:15 16384 --sha-w- c:\windows\temp\cookies\index.dat
2007-12-30 21:06:15 16384 --sha-w- c:\windows\temp\history\history.ie5\index.dat
2007-12-30 21:06:15 32768 --sha-w- c:\windows\temp\temporary internet files\content.ie5\index.dat

============= FINISH: 0:41:49,84 ===============
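As an added example (not part of the original thread, and not code from DDS, ComboFix or TDSSKiller), here is a small Python triage script run over an excerpt of the DDS log posted above. It flags the points a helper reads off such a log: the user proxy pointed at 127.0.0.1:5555 (which lets a rogue "antivirus" intercept the browser), UAC switched off (EnableLUA = 0), a Run entry launched from a 32-hex-character folder under AppData\Roaming, hidden/system folders under AppData, and then correlates the "Created Last 30" entries to show what else appeared within minutes of that folder (the hidden lowsec folder and the wqjtuap.sys driver). The indicator names and the 5-minute window are assumptions of this example.

```python
import re
from datetime import datetime, timedelta

# Lines excerpted from the DDS log posted in this thread (Pseudo HJT Report and "Created Last 30").
DDS_EXCERPT = r"""
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [gotnewupdate000.exe] c:\users\irina\appdata\roaming\cd3bee6132db188bb7c555abd3aa269e\gotnewupdate000.exe
mRun: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
mPolicies-system: EnableLUA = 0 (0x0)
2010-05-12 09:53:41 0 d-----w- c:\program files\SUPERAntiSpyware
2010-05-11 21:36:36 823808 ----a-w- c:\windows\system32\drivers\wqjtuap.sys
2010-05-11 21:35:08 0 d-sh--w- c:\users\irina\appdata\roaming\lowsec
2010-05-11 21:34:53 0 d-----w- c:\users\irina\appdata\roaming\CD3BEE6132DB188BB7C555ABD3AA269E
2010-05-09 16:30:49 0 d-----w- c:\program files\iPod
"""

LOOPBACK = ("127.0.0.1", "localhost", "0.0.0.0")
PROXY_RE = re.compile(r"ProxyServer = (?P<proxy>\S+)$")
RUN_RE = re.compile(r"^[um]Run: \[(?P<name>[^\]]*)\] (?P<path>.+)$")
# A directory whose name is exactly 32 hex characters (e.g. an MD5-style random name).
HEXDIR_RE = re.compile(r"\\[0-9a-f]{32}\\", re.IGNORECASE)
# DDS "Created Last 30" / "Find3M" line: timestamp, size, 8-char attribute field, path.
CREATED_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<size>\d+) (?P<attr>[-a-z]{8}) (?P<path>.+)$")


def parse_created(text):
    """Return the file-creation entries of a DDS log as dicts with a parsed timestamp."""
    entries = []
    for line in text.splitlines():
        m = CREATED_RE.match(line)
        if m:
            entries.append({"ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
                            "attr": m["attr"], "path": m["path"]})
    return entries


def find_indicators(text):
    """Return (indicator, detail) pairs for the suspicious settings in the log text."""
    findings = []
    for line in text.splitlines():
        m = PROXY_RE.search(line)
        if m:
            # "http=127.0.0.1:5555" -> "127.0.0.1:5555"; the host is everything before the port.
            hostport = m["proxy"].split("=", 1)[-1]
            if hostport.rsplit(":", 1)[0] in LOOPBACK:
                findings.append(("proxy-to-localhost", hostport))
            continue
        if "EnableLUA = 0" in line:
            findings.append(("uac-disabled", line))
            continue
        m = RUN_RE.match(line)
        if m and HEXDIR_RE.search(m["path"]):
            findings.append(("run-key-hexdir", m["path"]))
            continue
        m = CREATED_RE.match(line)
        if m and "h" in m["attr"] and "appdata" in m["path"].lower():
            findings.append(("hidden-appdata-dir", m["path"]))
    return findings


def correlate(text, window_minutes=5):
    """Cluster creation entries that fall within the window around each hex-named folder."""
    created = parse_created(text)
    window = timedelta(minutes=window_minutes)
    clusters = []
    # Append a trailing backslash so a path that ends in the hex name still matches HEXDIR_RE.
    for pivot in (e for e in created if HEXDIR_RE.search(e["path"] + "\\")):
        near = sorted((e for e in created if abs(e["ts"] - pivot["ts"]) <= window),
                      key=lambda e: e["ts"])
        clusters.append({"pivot": pivot["path"], "members": [e["path"] for e in near]})
    return clusters


if __name__ == "__main__":
    for kind, detail in find_indicators(DDS_EXCERPT):
        print(f"[{kind}] {detail}")
    for cluster in correlate(DDS_EXCERPT):
        print("created within 5 minutes of", cluster["pivot"])
        for path in cluster["members"]:
            print("   ", path)
```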


#2 teacup61 (Malware Response Team)

Posted 14 May 2010 - 09:37 PM

Hello ningo,

Welcome to Bleeping Computer.

QUOTE
They removed a fair few things, and one of them was (I think) labelled as virut.


Do you have the report(s) saying you have virut? If you do indeed have virut, then you will have to reformat your computer, no choice. It is incurable. I would like to know for sure first.

Thanks,
tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!



Error reading poptart in Drive A: Delete kids y/n?

#3 ningo (Topic Starter)

Posted 15 May 2010 - 02:25 PM

QUOTE(teacup61 @ May 15 2010, 03:37 AM)
Do you have the report(s) saying you have virut? If you do indeed have virut, then you will have to reformat your computer, no choice. It is incurable. I would like to know for sure first.


Hi teacup and thanks for your reply.

I ran MBAM and Superantispy in safe mode (without networking) today and attached the logs. An earlier normal mode scan with Superantispy (see attached log) had a label Trojan.Agent/Gen-Virut, which I thought was the virut. I don't know for sure though; is it? I didn't see it in the latest SAS scan.

What do you suggest?

Thanks,

ningo

#4 teacup61 (Malware Response Team)

Posted 15 May 2010 - 02:34 PM

Hi there,

Scans done in Safe Mode are always different from Normal Mode. The reason for this is that not everything starts up in Safe Mode, so most scanners can't see everything they need to when in Safe Mode. If you could please run those same scans in Normal Mode again, that would be great.

Now, there are other things going on, but the possibility of virut is the most serious. If we can be sure one way or the other, then we can move on. One way to know is to run ComboFix. In addition to removing the other infections you have, if it gets that far, if you have any virut-like behavior, ComboFix will warn you right off. So in your reply, please let me know if you see this.

This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

1. Download this file - combofix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply please.

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall.

Thanks,
tea



#5 ningo (Topic Starter)

Posted 18 May 2010 - 07:50 PM

QUOTE(teacup61 @ May 15 2010, 08:34 PM)
Hi there,

..

Thanks,
tea



Hi teacup61,

Sorry for not getting back to you sooner. Here are the logs: MBAM, SUPERAntiSpyware and ComboFix. I noticed ComboFix ran in a language other than English, so I don't know if that is a problem for you. I could translate the Finnish bits into English and post them here if you want. Just let me know.

I'm getting a window that says PSSWCORE is on a network resource that is unavailable and wants me to locate its installation package. Is it an OK application?

Thanks,

ningo

#6 teacup61 (Malware Response Team)

Posted 19 May 2010 - 11:42 AM

Hi there,

Not a problem... real life seems to happen. No worries on the logs either. I can read them just fine in almost any language.

How is your printer working? PSSWCORE belongs to HP printers. If you aren't using it then leave it until we know for sure what is happening here. ComboFix deleted quite a few bad things, and we need to run another tool to identify a random file that could be infected.

As for Virut... I have to assume ComboFix did not give you the virut message at the beginning of its run. So far, if you do have virut I'm not seeing any signs of it. It is possible that the report gave you a false positive. It does happen.
  1. Go to this page and Download TDSSKiller.zip to your Desktop.
  2. Extract its contents to your desktop and drag TDSSKiller.exe on the desktop, not in the folder.
  3. Vista Start logo >All Programs> Accessories> RIGHT-click on Command Prompt and Select Run As Administrator. Copy/paste the following bolded command and hit Enter.

    "%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt -v
  4. If TDSSKiller alerts you that the system needs to reboot, please consent.
  5. When done, a log file should be created on your C: drive named "TDSSKiller.txt" please copy and paste the contents in your next reply.

Thanks,
tea


#7 ningo (Topic Starter)

Posted 20 May 2010 - 07:28 AM

Hiya,

Yep, life happens... I had a major project due in this week, and as would happen, this whole malarkey has come up at the worst possible time.

I haven't tried my printer, so I don't know if it is working at all now. I'll probably just use another computer for now if there is any essential printing to be done. My computer has worked better after Combofix, but internet has been a bit slow and it randomly sometimes just hasn't loaded up pages. Hopefully this has helped the matter.

Anyway, here is the log and thanks for your help!


13:13:04:580 1372 TDSS rootkit removing tool 2.3.0.0 May 12 2010 18:11:17
13:13:04:580 1372 ================================================================================
13:13:04:580 1372 SystemInfo:

13:13:04:580 1372 OS Version: 6.0.6000 ServicePack: 0.0
13:13:04:580 1372 Product type: Workstation
13:13:04:580 1372 ComputerName: IRINA-PC
13:13:04:580 1372 UserName: Irina
13:13:04:580 1372 Windows directory: C:\Windows
13:13:04:580 1372 Processor architecture: Intel x86
13:13:04:580 1372 Number of processors: 2
13:13:04:580 1372 Page size: 0x1000
13:13:04:580 1372 Boot type: Normal boot
13:13:04:580 1372 ================================================================================
13:13:04:596 1372 UnloadDriverW: NtUnloadDriver error 2
13:13:04:596 1372 ForceUnloadDriverW: UnloadDriverW(klmd23) error 2
13:13:20:664 1372 wfopen_ex: Trying to open file C:\Windows\system32\config\system
13:13:20:664 1372 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
13:13:20:664 1372 wfopen_ex: Trying to KLMD file open
13:13:20:664 1372 wfopen_ex: File opened ok (Flags 2)
13:13:20:695 1372 wfopen_ex: Trying to open file C:\Windows\system32\config\software
13:13:20:695 1372 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
13:13:20:695 1372 wfopen_ex: Trying to KLMD file open
13:13:20:695 1372 wfopen_ex: File opened ok (Flags 2)
13:13:20:695 1372 KLAVA engine initialized
13:13:27:044 1372 Initialize success
13:13:27:044 1372
13:13:27:044 1372 Scanning Services ...
13:13:28:152 1372 Raw services enum returned 425 services
13:13:28:183 1372 Suspicious serv wqjtuap (h: 0, b: 1)
13:13:28:183 1372
13:13:28:183 1372 Hidden service detected!
13:13:28:183 1372 Service name: wqjtuap
13:13:28:183 1372 Image path:
13:13:28:183 1372 Type "delete" (without quotes) to delete it: 13:14:32:238 1372
13:14:32:238 1372 By user detect wqjtuap
13:14:32:238 1372 RegNode HKLM\SYSTEM\ControlSet001\services\wqjtuap infected by TDSS rootkit ... 13:14:32:238 1372 will be deleted on reboot
13:14:32:331 1372 RegNode HKLM\SYSTEM\ControlSet003\services\wqjtuap infected by TDSS rootkit ... 13:14:32:331 1372 will be deleted on reboot
13:14:32:347 1372 File C:\Windows\system32\drivers\wqjtuap.sys infected by TDSS rootkit ... 13:14:32:347 1372 will be deleted on reboot
13:14:32:347 1372
13:14:32:347 1372 Scanning Drivers ...
13:14:36:871 1372 mouhid (b569b5c5d3bde545df3a6af512cccdba) C:\Windows\system32\DRIVERS\mouhid.sys
13:14:36:918 1372 MountMgr (01f1e5a3e4877c931cbb31613fec16a6) C:\Windows\system32\drivers\mountmgr.sys
13:14:36:949 1372 mpio (583a41f26278d9e0ea548163d6139397) C:\Windows\system32\drivers\mpio.sys
13:14:36:980 1372 mpsdrv (6e7a7f0c1193ee5648443fe2d4b789ec) C:\Windows\system32\drivers\mpsdrv.sys
13:14:37:027 1372 Mraid35x (4fbbb70d30fd20ec51f80061703b001e) C:\Windows\system32\drivers\mraid35x.sys
13:14:37:074 1372 MRxDAV (1d8828b98ee309d65e006f0829e280e5) C:\Windows\system32\drivers\mrxdav.sys
13:14:37:136 1372 mrxsmb (8af705ce1bb907932157fab821170f27) C:\Windows\system32\DRIVERS\mrxsmb.sys
13:14:37:152 1372 mrxsmb10 (47e13ab23371be3279eef22bbfa2c1be) C:\Windows\system32\DRIVERS\mrxsmb10.sys
13:14:37:183 1372 mrxsmb20 (90b3fc7bd6b3d7ee7635debba2187f66) C:\Windows\system32\DRIVERS\mrxsmb20.sys
13:14:37:214 1372 msahci (742aed7939e734c36b7e8d6228ce26b7) C:\Windows\system32\drivers\msahci.sys
13:14:37:245 1372 msdsm (3fc82a2ae4cc149165a94699183d3028) C:\Windows\system32\drivers\msdsm.sys
13:14:37:277 1372 Msfs (729eafefd4e7417165f353a18dbe947d) C:\Windows\system32\drivers\Msfs.sys
13:14:37:339 1372 msisadrv (5f454a16a5146cd91a176d70f0cfa3ec) C:\Windows\system32\drivers\msisadrv.sys
13:14:37:370 1372 MSKSSRV (892cedefa7e0ffe7be8da651b651d047) C:\Windows\system32\drivers\MSKSSRV.sys
13:14:37:401 1372 MSPCLOCK (ae2cb1da69b2676b4cee2a501af5871c) C:\Windows\system32\drivers\MSPCLOCK.sys
13:14:37:417 1372 MSPQM (f910da84fa90c44a3addb7cd874463fd) C:\Windows\system32\drivers\MSPQM.sys
13:14:37:448 1372 MsRPC (84571c0ae07647ba38d493f5f0015df7) C:\Windows\system32\drivers\MsRPC.sys
13:14:37:479 1372 mssmbios (4385c80ede885e25492d408cad91bd6f) C:\Windows\system32\DRIVERS\mssmbios.sys
13:14:37:526 1372 MSTEE (c826dd1373f38afd9ca46ec3c436a14e) C:\Windows\system32\drivers\MSTEE.sys
13:14:37:557 1372 Mup (fa7aa70050cf5e2d15de00941e5665e5) C:\Windows\system32\Drivers\mup.sys
13:14:37:620 1372 NativeWifiP (6da4a0fc7c0e83df0cb3cfd0a514c3bc) C:\Windows\system32\DRIVERS\nwifi.sys
13:14:37:760 1372 NDIS (227c11e1e7cf6ef8afb2a238d209760c) C:\Windows\system32\drivers\ndis.sys
13:14:37:823 1372 NdisTapi (81659cdcbd0f9a9e07e6878ad8c78d3f) C:\Windows\system32\DRIVERS\ndistapi.sys
13:14:37:838 1372 Ndisuio (5de5ee546bf40838ebe0e01cb629df64) C:\Windows\system32\DRIVERS\ndisuio.sys
13:14:37:869 1372 NdisWan (397402adcbb8946223a1950101f6cd94) C:\Windows\system32\DRIVERS\ndiswan.sys
13:14:37:885 1372 NDProxy (1b24fa907af283199a81b3bb37e5e526) C:\Windows\system32\drivers\NDProxy.sys
13:14:37:932 1372 NetBIOS (356dbb9f98e8dc1028dd3092fceeb877) C:\Windows\system32\DRIVERS\netbios.sys
13:14:37:994 1372 netbt (e3a168912e7eefc3bd3b814720d68b41) C:\Windows\system32\DRIVERS\netbt.sys
13:14:38:025 1372 nfrd960 (2e7fb731d4790a1bc6270accefacb36e) C:\Windows\system32\drivers\nfrd960.sys
13:14:38:072 1372 Npfs (4f9832beb9fafd8ceb0e541f1323b26e) C:\Windows\system32\drivers\Npfs.sys
13:14:38:119 1372 nsiproxy (b488dfec274de1fc9d653870ef2587be) C:\Windows\system32\drivers\nsiproxy.sys
13:14:38:213 1372 Ntfs (37430aa7a66d7a63407adc2c0d05e9f6) C:\Windows\system32\drivers\Ntfs.sys
13:14:38:306 1372 ntrigdigi (e875c093aec0c978a90f30c9e0dfbb72) C:\Windows\system32\drivers\ntrigdigi.sys
13:14:38:353 1372 Null (ec5efb3c60f1b624648344a328bce596) C:\Windows\system32\drivers\Null.sys
13:14:38:462 1372 nvraid (e69e946f80c1c31c53003bfbf50cbb7c) C:\Windows\system32\drivers\nvraid.sys
13:14:38:509 1372 nvrd32 (ed399014a8029de02ba5ae01da8cc9ee) C:\Windows\system32\drivers\nvrd32.sys
13:14:38:540 1372 nvstor (9e0ba19a28c498a6d323d065db76dffc) C:\Windows\system32\drivers\nvstor.sys
13:14:38:587 1372 nvstor32 (703e3a7093b0fac0eebadbb8e931ecaf) C:\Windows\system32\drivers\nvstor32.sys
13:14:38:634 1372 nv_agp (07c186427eb8fcc3d8d7927187f260f7) C:\Windows\system32\drivers\nv_agp.sys
13:14:38:681 1372 ohci1394 (be32da025a0be1878f0ee8d6d9386cd5) C:\Windows\system32\drivers\ohci1394.sys
13:14:38:743 1372 Parport (0fa9b5055484649d63c303fe404e5f4d) C:\Windows\system32\drivers\parport.sys
13:14:38:837 1372 partmgr (555a5b2c8022983bc7467bc925b222ee) C:\Windows\system32\drivers\partmgr.sys
13:14:38:868 1372 Parvdm (4f9a6a8a31413180d0fcb279ad5d8112) C:\Windows\system32\drivers\parvdm.sys
13:14:38:961 1372 pci (1085d75657807e0e8b32f9e19a1647c3) C:\Windows\system32\drivers\pci.sys
13:14:39:008 1372 pciide (caba65e9c41cd2900d4c92d4f825c5f8) C:\Windows\system32\drivers\pciide.sys
13:14:39:055 1372 pcmcia (e6f3fb1b86aa519e7698ad05e58b04e5) C:\Windows\system32\drivers\pcmcia.sys
13:14:39:133 1372 PEAUTH (6349f6ed9c623b44b52ea3c63c831a92) C:\Windows\system32\drivers\peauth.sys
13:14:39:195 1372 PptpMiniport (c04dec5ace67c5247b150c4223970bb7) C:\Windows\system32\DRIVERS\raspptp.sys
13:14:39:227 1372 Processor (0e3cef5d28b40cf273281d620c50700a) C:\Windows\system32\drivers\processr.sys
13:14:39:289 1372 PSched (2c8bae55247c4e09352e870292e4d1ab) C:\Windows\system32\DRIVERS\pacer.sys
13:14:39:383 1372 ql2300 (ccdac889326317792480c0a67156a1ec) C:\Windows\system32\drivers\ql2300.sys
13:14:39:445 1372 ql40xx (81a7e5c076e59995d54bc1ed3a16e60b) C:\Windows\system32\drivers\ql40xx.sys
13:14:39:476 1372 QWAVEdrv (d2b3e2b7426dc23e185fbc73c8936c12) C:\Windows\system32\drivers\qwavedrv.sys
13:14:39:601 1372 R300 (252826c4bc88b01e945c2d3c6603f3b0) C:\Windows\system32\DRIVERS\atikmdag.sys
13:14:39:679 1372 RasAcd (bd7b30f55b3649506dd8b3d38f571d2a) C:\Windows\system32\DRIVERS\rasacd.sys
13:14:39:695 1372 Rasl2tp (68b0019fee429ec49d29017af937e482) C:\Windows\system32\DRIVERS\rasl2tp.sys
13:14:39:726 1372 RasPppoe (ccf4e9c6cbbac81437f88cb2ae0b6c96) C:\Windows\system32\DRIVERS\raspppoe.sys
13:14:39:804 1372 rdbss (54129c5d9581bbec8bd1ebd3ba813f47) C:\Windows\system32\DRIVERS\rdbss.sys
13:14:39:835 1372 RDPCDD (794585276b5d7fca9f3fc15543f9f0b9) C:\Windows\system32\DRIVERS\RDPCDD.sys
13:14:39:882 1372 rdpdr (e8bd98d46f2ed77132ba927fccb47d8b) C:\Windows\system32\drivers\rdpdr.sys
13:14:39:913 1372 RDPENCDD (980b56e2e273e19d3a9d72d5c420f008) C:\Windows\system32\drivers\rdpencdd.sys
13:14:39:944 1372 RDPWD (e2afac98fc6ca2ad2d09f2de1bc71ad9) C:\Windows\system32\drivers\RDPWD.sys
13:14:39:975 1372 rspndr (97e939d2128fec5d5a3e6e79b290a2f4) C:\Windows\system32\DRIVERS\rspndr.sys
13:14:40:007 1372 RTL8169 (904fd29ec1ff2709099ae2cd1c09a913) C:\Windows\system32\DRIVERS\Rtlh86.sys
13:14:40:100 1372 SASDIFSV (a3281aec37e0720a2bc28034c2df2a56) C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
13:14:40:116 1372 SASKUTIL (4fd72291a89793049104ca0a7e353cd4) C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS
13:14:40:225 1372 sbp2port (3ce8f073a557e172b330109436984e30) C:\Windows\system32\drivers\sbp2port.sys
13:14:40:287 1372 secdrv (90a3935d05b494a5a39d37e71f09a677) C:\Windows\system32\drivers\secdrv.sys
13:14:40:319 1372 Serenum (68e44e331d46f0fb38f0863a84cd1a31) C:\Windows\system32\drivers\serenum.sys
13:14:40:350 1372 Serial (c70d69a918b178d3c3b06339b40c2e1b) C:\Windows\system32\drivers\serial.sys
13:14:40:412 1372 sermouse (450accd77ec5cea720c1cdb9e26b953b) C:\Windows\system32\drivers\sermouse.sys
13:14:40:459 1372 sffdisk (103b79418da647736ee95645f305f68a) C:\Windows\system32\drivers\sffdisk.sys
13:14:40:475 1372 sffp_mmc (8fd08a310645fe872eeec6e08c6bf3ee) C:\Windows\system32\drivers\sffp_mmc.sys
13:14:40:490 1372 sffp_sd (9cfa05fcfcb7124e69cfc812b72f9614) C:\Windows\system32\drivers\sffp_sd.sys
13:14:40:521 1372 sfloppy (46ed8e91793b2e6f848015445a0ac188) C:\Windows\system32\drivers\sfloppy.sys
13:14:40:568 1372 sisagp (d2a595d6eebeeaf4334f8e50efbc9931) C:\Windows\system32\drivers\sisagp.sys
13:14:40:584 1372 SiSRaid2 (cedd6f4e7d84e9f98b34b3fe988373aa) C:\Windows\system32\drivers\sisraid2.sys
13:14:40:631 1372 SiSRaid4 (df843c528c4f69d12ce41ce462e973a7) C:\Windows\system32\drivers\sisraid4.sys
13:14:40:709 1372 Smb (ac0d90738adb51a6fd12ff00874a2162) C:\Windows\system32\DRIVERS\smb.sys
13:14:40:771 1372 smserial (d9bfd2298f5cf116d8eaae3b02dcee2e) C:\Windows\system32\DRIVERS\smserial.sys
13:14:40:833 1372 spldr (426f9b029aa9162ceccf65369457d046) C:\Windows\system32\drivers\spldr.sys
13:14:40:896 1372 srv (038579c35f7cad4a4bbf735dbf83277d) C:\Windows\system32\DRIVERS\srv.sys
13:14:40:958 1372 srv2 (6971a757af8cb5e2cbcbb76cc530db6c) C:\Windows\system32\DRIVERS\srv2.sys
13:14:41:005 1372 srvnet (9e1a4603b874eebce0298113951abefb) C:\Windows\system32\DRIVERS\srvnet.sys
13:14:41:036 1372 swenum (1379bdb336f8158c176a465e30759f57) C:\Windows\system32\DRIVERS\swenum.sys
13:14:41:067 1372 Symc8xx (192aa3ac01df071b541094f251deed10) C:\Windows\system32\drivers\symc8xx.sys
13:14:41:099 1372 Sym_hi (8c8eb8c76736ebaf3b13b633b2e64125) C:\Windows\system32\drivers\sym_hi.sys
13:14:41:130 1372 Sym_u3 (8072af52b5fd103bbba387a1e49f62cb) C:\Windows\system32\drivers\sym_u3.sys
13:14:41:270 1372 Tcpip (2c1f7005aa3b62721bfdb307bd5f5010) C:\Windows\system32\drivers\tcpip.sys
13:14:41:317 1372 Tcpip6 (2c1f7005aa3b62721bfdb307bd5f5010) C:\Windows\system32\DRIVERS\tcpip.sys
13:14:41:348 1372 tcpipreg (5ce0c4a7b12d0067dad527d72b68c726) C:\Windows\system32\drivers\tcpipreg.sys
13:14:41:395 1372 TDPIPE (964248aef49c31fa6a93201a73ffaf50) C:\Windows\system32\drivers\tdpipe.sys
13:14:41:411 1372 TDTCP (7d2c1ae1648a60fce4aa0f7982e419d3) C:\Windows\system32\drivers\tdtcp.sys
13:14:41:504 1372 tdx (ab4fde8af4a0270a46a001c08cbce1c2) C:\Windows\system32\DRIVERS\tdx.sys
13:14:41:567 1372 TermDD (2c549bd9dd091fbfaa0a2a48e82ec2fb) C:\Windows\system32\DRIVERS\termdd.sys
13:14:41:613 1372 tssecsrv (29f0eca726f0d51f7e048bdb0b372f29) C:\Windows\system32\DRIVERS\tssecsrv.sys
13:14:41:676 1372 tunmp (65e953bc0084d44498b51f59784d2a82) C:\Windows\system32\DRIVERS\tunmp.sys
13:14:41:691 1372 tunnel (4a39bda5e0fd30bdf4884f9d33ae6105) C:\Windows\system32\DRIVERS\tunnel.sys
13:14:41:723 1372 uagp35 (c3ade15414120033a36c0f293d4a4121) C:\Windows\system32\drivers\uagp35.sys
13:14:41:769 1372 udfs (6348da98707ceda8a0dfb05820e17732) C:\Windows\system32\DRIVERS\udfs.sys
13:14:41:816 1372 uliagpkx (75e6890ebfce0841d3291b02e7a8bdb0) C:\Windows\system32\drivers\uliagpkx.sys
13:14:41:847 1372 uliahci (3cd4ea35a6221b85dcc25daa46313f8d) C:\Windows\system32\drivers\uliahci.sys
13:14:41:894 1372 UlSata (8514d0e5cd0534467c5fc61be94a569f) C:\Windows\system32\drivers\ulsata.sys
13:14:41:925 1372 ulsata2 (38c3c6e62b157a6bc46594fada45c62b) C:\Windows\system32\drivers\ulsata2.sys
13:14:41:957 1372 umbus (3fb78f1d1dd86d87bececd9dffa24dd9) C:\Windows\system32\DRIVERS\umbus.sys
13:14:42:003 1372 USBAAPL (c1ca131f4e3ed63d6bc89a35ffad4cda) C:\Windows\system32\Drivers\usbaapl.sys
13:14:42:050 1372 usbccgp (03b01e8dbd2da2b49157b7e51912aaf2) C:\Windows\system32\DRIVERS\usbccgp.sys
13:14:42:081 1372 usbcir (e9476e6c486e76bc4898074768fb7131) C:\Windows\system32\drivers\usbcir.sys
13:14:42:113 1372 usbehci (2f83363f98484f8edaf49f9b41520d14) C:\Windows\system32\DRIVERS\usbehci.sys
13:14:42:159 1372 usbhub (14d2a4dcd92c0b3368667aed6893463d) C:\Windows\system32\DRIVERS\usbhub.sys
13:14:42:175 1372 usbohci (51dc36722172d45f2f935ce5cc18a812) C:\Windows\system32\DRIVERS\usbohci.sys
13:14:42:206 1372 usbprint (b51e52acf758be00ef3a58ea452fe360) C:\Windows\system32\DRIVERS\usbprint.sys
13:14:42:253 1372 usbscan (b1f95285c08ddfe00c0b955462637ec7) C:\Windows\system32\DRIVERS\usbscan.sys
13:14:42:300 1372 USBSTOR (7887ce56934e7f104e98c975f47353c5) C:\Windows\system32\DRIVERS\USBSTOR.SYS
13:14:42:315 1372 usbuhci (325dbbacb8a36af9988ccf40eac228cc) C:\Windows\system32\DRIVERS\usbuhci.sys
13:14:42:347 1372 vga (7d92be0028ecdedec74617009084b5ef) C:\Windows\system32\DRIVERS\vgapnp.sys
13:14:42:409 1372 VgaSave (17a8f877314e4067f8c8172cc6d9101c) C:\Windows\System32\drivers\vga.sys
13:14:42:456 1372 viaagp (045d9961e591cf0674a920b6ba3ba5cb) C:\Windows\system32\drivers\viaagp.sys
13:14:42:487 1372 ViaC7 (56a4de5f02f2e88182b0981119b4dd98) C:\Windows\system32\drivers\viac7.sys
13:14:42:518 1372 viaide (fd2e3175fcada350c7ab4521dca187ec) C:\Windows\system32\drivers\viaide.sys
13:14:42:565 1372 viamraid (7dc3e1dc6e4f8be381c31bfea578412a) C:\Windows\system32\drivers\viamraid.sys
13:14:42:612 1372 volmgr (103e84c95832d0ed93507997cc7b54e8) C:\Windows\system32\drivers\volmgr.sys
13:14:42:674 1372 volmgrx (294da8d3f965f6a8db934a83c7b461ff) C:\Windows\system32\drivers\volmgrx.sys
13:14:42:768 1372 volsnap (80dc0c9bcb579ed9815001a4d37cbfd5) C:\Windows\system32\drivers\volsnap.sys
13:14:42:846 1372 vsmraid (d984439746d42b30fc65a4c3546c6829) C:\Windows\system32\drivers\vsmraid.sys
13:14:42:893 1372 WacomPen (48dfee8f1af7c8235d4e626f0c4fe031) C:\Windows\system32\drivers\wacompen.sys
13:14:42:924 1372 Wanarp (6798c1209a53b5a0ded8d437c45145ff) C:\Windows\system32\DRIVERS\wanarp.sys
13:14:42:924 1372 Wanarpv6 (6798c1209a53b5a0ded8d437c45145ff) C:\Windows\system32\DRIVERS\wanarp.sys
13:14:42:955 1372 Wd (afc5ad65b991c1e205cf25cfdbf7a6f4) C:\Windows\system32\drivers\wd.sys
13:14:43:049 1372 Wdf01000 (7b5f66e4a2219c7d9daf9e738480e534) C:\Windows\system32\drivers\Wdf01000.sys
13:14:43:111 1372 WmiAcpi (701a9f884a294327e9141d73746ee279) C:\Windows\system32\drivers\wmiacpi.sys
13:14:43:158 1372 WpdUsb (2d27171b16a577ef14c1273668753485) C:\Windows\system32\DRIVERS\wpdusb.sys
13:14:43:267 1372 wqjtuap (80c6af4f948d4168fc90da1a6f4b6924) C:\Windows\system32\drivers\wqjtuap.sys
13:14:43:267 1372 Suspicious file (NoAccess): C:\Windows\system32\drivers\wqjtuap.sys. md5: 80c6af4f948d4168fc90da1a6f4b6924
13:14:43:314 1372 ws2ifsl (84620aecdcfd2a7a14e6263927d8c0ed) C:\Windows\system32\drivers\ws2ifsl.sys
13:14:43:345 1372 WUDFRd (a2aafcc8a204736296d937c7c545b53f) C:\Windows\system32\DRIVERS\WUDFRd.sys
13:14:43:361 1372 Reboot required for cure complete..
13:14:43:376 1372 Cure on reboot scheduled successfully
13:14:43:376 1372
13:14:43:376 1372 Completed
13:14:43:376 1372
13:14:43:376 1372 Results:
13:14:43:376 1372 Registry objects infected / cured / cured on reboot: 2 / 0 / 2
13:14:43:376 1372 File objects infected / cured / cured on reboot: 1 / 0 / 1
13:14:43:376 1372
13:14:43:376 1372 fclose_ex: Trying to close file C:\Windows\system32\config\system
13:14:43:376 1372 fclose_ex: Trying to close file C:\Windows\system32\config\software
13:14:43:392 1372 KLMD(ARK) unloaded successfully


#8 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:08:26 PM

Posted 20 May 2010 - 01:23 PM

That was perfect, thanks. How is it running this afternoon after running that? Have a run with MBAM, and if there is anything to report, please post it. It *looks* like the worst has passed now and things should be much better.

tea
Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Posted Image


Error reading poptart in Drive A: Delete kids y/n?

#9 ningo

ningo
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  •  
  • Local time:02:26 AM

Posted 22 May 2010 - 07:01 PM

Hey,

Now the computer is working normally, like it used to, bar the annoyance of PSSWCORE. MBAM came out clean but Superantispyware came up with these. What do you think? Can I start using my computer for financial stuff again?


Adware.Tracking Cookie
C:\Users\Irina\AppData\Roaming\Microsoft\Windows\Cookies\irina@track.adform[3].txt
C:\Users\Irina\AppData\Roaming\Microsoft\Windows\Cookies\irina@track.adform[1].txt
C:\Users\Irina\AppData\Roaming\Microsoft\Windows\Cookies\irina@atdmt[2].txt
C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@ad.yieldmanager[1].txt
C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@adtech[1].txt
C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@advertise[1].txt
C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@clickpayz10.91462.blueseek[1].txt
C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@content.yieldmanager[1].txt
C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@invitemedia[1].txt
C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@revsci[2].txt

Trojan.Agent/Gen
C:\QOOBOX\QUARANTINE\C\USERS\IRINA\APPDATA\ROAMING\CD3BEE6132DB188BB7C555ABD3AA269E\GOTNEWUPDATE000.EXE.VIR


#10 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:08:26 PM

Posted 23 May 2010 - 01:24 PM

Excellent all around!

Besides the cookies, the one file is in Qoobox, which is part of ComboFix. I do think you're in the clear now, and I see no reason not to use your computer for transactions again. You might consider changing your passwords as a precaution, but I don't see any threats that might compromise these accounts.

Please delete ComboFix and its folder C:\Qoobox. Empty your recycle bin and reboot the computer.

EDIT to add: For the printer, I would uninstall it completely, then reinstall it and see if the message goes away when that file is replaced with a new install. If it still causes problems and you still need help please let me know.

If you have any other questions, please do ask. Otherwise, take care!
tea

Edited by teacup61, 23 May 2010 - 01:29 PM.


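The reasoning in the reply above (cookies are a privacy item, a hit under C:\Qoobox is ComboFix's quarantine copy rather than a live file, and TDSSKiller's "Suspicious file" line is the one driver that mattered) can be written down as a small triage script. This is an added example, not code from the thread or from the TDSSKiller, SUPERAntiSpyware or ComboFix tools; the sample inputs are constructed from lines quoted in the thread, and the verdict names and the path rules are my own assumptions about how such results are usually sorted.

```python
import re
from collections import Counter

# Constructed sample modelled on the TDSSKiller log quoted in the thread
# (driver names, hashes and paths are copied from it).
TDSS_SAMPLE = r"""13:14:43:158 1372 WpdUsb (2d27171b16a577ef14c1273668753485) C:\Windows\system32\DRIVERS\wpdusb.sys
13:14:43:267 1372 wqjtuap (80c6af4f948d4168fc90da1a6f4b6924) C:\Windows\system32\drivers\wqjtuap.sys
13:14:43:267 1372 Suspicious file (NoAccess): C:\Windows\system32\drivers\wqjtuap.sys. md5: 80c6af4f948d4168fc90da1a6f4b6924
13:14:43:314 1372 ws2ifsl (84620aecdcfd2a7a14e6263927d8c0ed) C:\Windows\system32\drivers\ws2ifsl.sys
13:14:43:376 1372 File objects infected / cured / cured on reboot: 1 / 0 / 1
"""

# Constructed sample modelled on the SUPERAntiSpyware result list posted above.
SAS_SAMPLE = r"""Adware.Tracking Cookie
C:\Users\Irina\AppData\Roaming\Microsoft\Windows\Cookies\irina@atdmt[2].txt
C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\system@revsci[2].txt

Trojan.Agent/Gen
C:\QOOBOX\QUARANTINE\C\USERS\IRINA\APPDATA\ROAMING\CD3BEE6132DB188BB7C555ABD3AA269E\GOTNEWUPDATE000.EXE.VIR
"""

# One driver-inventory line: timestamp, pid, service name, (md5), path.
DRIVER_RE = re.compile(r"^\d\d:\d\d:\d\d:\d{3}\s+\d+\s+(\S+) \(([0-9a-f]{32})\) (.+)$")
# TDSSKiller's verdict line for a file it could not read or did not trust.
SUSPICIOUS_RE = re.compile(r"Suspicious file \((\w+)\): (.+?)\. md5: ([0-9a-f]{32})")
# A Windows absolute path at the start of a line (SUPERAntiSpyware result rows).
PATH_RE = re.compile(r"^[A-Za-z]:\\")


def parse_tdsskiller(text):
    """Return (drivers, suspicious): drivers maps service name -> (md5, path);
    suspicious is a list of (reason, path, md5) taken from 'Suspicious file' lines."""
    drivers, suspicious = {}, []
    for line in text.splitlines():
        m = DRIVER_RE.match(line)
        if m:
            name, md5, path = m.groups()
            drivers[name] = (md5, path)
            continue
        m = SUSPICIOUS_RE.search(line)
        if m:
            reason, path, md5 = m.groups()
            suspicious.append((reason, path, md5))
    return drivers, suspicious


def flag_drivers(text):
    """Service names whose file TDSSKiller marked suspicious. Matching on MD5
    rather than path keeps the verdict stable across path-case differences."""
    drivers, suspicious = parse_tdsskiller(text)
    bad_hashes = {md5 for _, _, md5 in suspicious}
    return sorted(name for name, (md5, _) in drivers.items() if md5 in bad_hashes)


def classify_path(path):
    """Assumed verdict rules: quarantine copies and cookies are not live threats."""
    p = path.lower()
    if "\\qoobox\\quarantine\\" in p or p.endswith(".vir"):
        return "quarantined"      # ComboFix quarantine copy, not an active file
    if "\\cookies\\" in p and p.endswith(".txt"):
        return "tracking-cookie"  # browser cookie: privacy nuisance, not malware
    return "review"               # anything else is a live hit and needs a look


def triage_sas(text):
    """Pair each detection-category header with its paths and a verdict per path."""
    results, category = [], None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if PATH_RE.match(line):
            results.append((category, line, classify_path(line)))
        else:
            category = line          # a non-path line is a category header
    return results


def needs_attention(text):
    """Paths that are neither cookies nor quarantine copies, i.e. still live."""
    return [path for _, path, verdict in triage_sas(text) if verdict == "review"]


if __name__ == "__main__":
    print("drivers flagged by TDSSKiller:", flag_drivers(TDSS_SAMPLE))
    print("SAS verdicts:", Counter(v for _, _, v in triage_sas(SAS_SAMPLE)))
    print("SAS paths still needing review:", needs_attention(SAS_SAMPLE))
```

On the sample input the script flags only wqjtuap, which is exactly the entry the TDSSKiller log scheduled for cure on reboot, and leaves the SUPERAntiSpyware list with nothing to review, which matches the "in the clear" verdict above. Any path that falls through to "review" is the one worth posting back to a helper.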
#11 ningo

ningo
  • Topic Starter

  • Members
  • 23 posts
  • OFFLINE
  •  
  • Local time:02:26 AM

Posted 24 May 2010 - 07:17 AM

Hi teacup61 and thanks for your help. Everything is running brilliantly now, including the printer. Cheers!

I've got no more problems!

#12 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:08:26 PM

Posted 24 May 2010 - 11:01 PM

You're most welcome, and thank you very much!

Take care,
tea

#13 teacup61

teacup61

    Bleepin' Texan!


  • Malware Response Team
  • 17,075 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Wills Point, Texas
  • Local time:08:26 PM

Posted 01 June 2010 - 09:17 PM

Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.



