No internet, no sound device, gray taskbar


This topic is locked
16 replies to this topic

#1 nflskins12

  • Members
  • 33 posts

Posted 04 June 2010 - 12:27 PM

A couple weeks ago I got a virus on my computer that ran a fake security alert pop-up and would enable random advertising pop ups on my browser (Firefox - even though all pop-ups should be blocked). I ran Malwarebytes and SuperAntiSpyware and that seemed to get rid of most of the problem. However, a couple days ago I left my browser up overnight (Firefox) and I got on in the morning and I had 3 or 4 error messages dealing with Windows System32. So I restarted my computer and everything started up completely fine except I can't get on the internet, I apparently don't have any sound device driver and the taskbar is gray and looks like it's from an older version of windows.

I've checked the device manager and it says my drivers are working properly but for some reason, my computer isn't detecting them at the same time. I fear something got deleted from my registry when I was cleaning out this virus.

Sidenote: I don't get any error messages or anything at start up or at any time I'm on the computer. I just can't get on the internet, there's no sound device, and the taskbar/"minimise-restore down-close" browser buttons look weird (gray and look like a very old version of windows)

Any help would be appreciated...thanks!

Link for previous thread --> http://www.bleepingcomputer.com/forums/t/321523/no-internet-no-sound-device-gray-taskbar/


Here is my DDS log:

DDS (Ver_10-03-17.01) - NTFSx86
Run by genoveck at 13:17:21.26 on Fri 06/04/2010
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_07
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1014.469 [GMT -4:00]

AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

============== Running Processes ===============

C:\WINDOWS\System32\Novell\XTAgent.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Kodak\printer\center\KodakSvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Novell\ZENworks\nalntsrv.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Novell\ZENworks\wm.exe
C:\Program Files\Novell\ZENworks\WMRUNDLL.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Realtek\InstallShield\AzMixerSel.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Compal Electronics, INC\Sidewalker\CSWalker.exe
C:\Program Files\Compal Electronics, INC\Wireless Select Switch\Wireless Select Switch.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\dpmw32.exe
C:\WINDOWS\system32\NWTRAY.EXE
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\vsnp2std.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\HP\Temp\HP Software Update\HPWuSchd2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\HP\Temp\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Novell\ZENworks\NalAgent.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Temp\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\Explorer.EXE
E:\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.facebook.com/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
uRun: [Aim6]
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [AzMixerSel] c:\program files\realtek\installshield\AzMixerSel.exe
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [Sidewalker] c:\program files\compal electronics, inc\sidewalker\CSWalker.exe
mRun: [CASS] c:\program files\compal electronics, inc\wireless select switch\Wireless Select Switch.exe
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [LanguageShortcut] "c:\program files\cyberlink\powerdvd\language\Language.exe"
mRun: [NDPS] c:\windows\system32\dpmw32.exe
mRun: [ZENRC Tray Icon] c:\windows\system32\zentray.exe
mRun: [NWTRAY] NWTRAY.EXE
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_07\bin\jusched.exe"
mRun: [snp2std] c:\windows\vsnp2std.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [HP Software Update] c:\program files\hp\temp\hp software update\HPWuSchd2.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [vptray] c:\progra~1\symant~1\VPTray.exe
mRun: [EKIJ5000StatusMonitor] c:\windows\system32\spool\drivers\w32x86\3\EKIJ5000MUI.exe
StartupFolder: c:\docume~1\genoveck\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\applic~1.lnk - c:\program files\novell\zenworks\NalView.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\temp\digital imaging\bin\hpqtra08.exe
uPolicies-explorer: NoDevMgrUpdate = 1 (0x1)
mPolicies-system: CompatibleRUPSecurity = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\MSMSGS.EXE
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {C1994287-422F-47aa-8E5E-6323E210A125} - {4B5F7606-8666-4D5A-9780-DB92A9D8812B} - c:\program files\novell\zenworks\AxNalServer.dll
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader5.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1182951779109
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: igfxcui - igfxdev.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
Notify: NetIdentity Notification - c:\windows\system32\novell\XtNotify.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Application Explorer: {763370c4-268e-4308-a60c-d8da0342be32} - c:\program files\novell\zenworks\NalShell.dll
SEH: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - No File
LSA: Authentication Packages = msv1_0 nwv1_0

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\genoveck\applic~1\mozilla\firefox\profiles\ix080kje.default\
FF - prefs.js: browser.startup.homepage - google.com
FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 CPEb;CPEb;c:\windows\system32\drivers\CPEb.sys [2006-2-23 8192]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-6 68168]
R1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2006-9-6 337592]
R1 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2006-9-6 54968]
R2 BlankScr;HBDevice;c:\windows\system32\drivers\blankscr.sys [2005-5-23 6899]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2007-5-29 192104]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2007-5-29 169576]
R2 KodakSvc;Kodak AiO Device Service;c:\program files\kodak\printer\center\KodakSvc.exe [2007-12-13 18944]
R2 Remote Management Agent;Novell ZENworks Remote Management Agent;c:\program files\novell\zenworks\remotemanagement\rmagent\ZenRem32.exe [2006-5-9 167936]
R2 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2007-6-6 116928]
R2 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2007-6-6 1821376]
R2 XTAgent;Novell XTier Agent Services;c:\windows\system32\novell\xtagent.exe [2006-5-2 61440]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-6-1 102448]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20100601.002\naveng.sys [2010-6-1 85552]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20100601.002\navex15.sys [2010-6-1 1347504]
S0 cshxjflh;cshxjflh;c:\windows\system32\drivers\dnnbge.sys --> c:\windows\system32\drivers\dnnbge.sys [?]

=============== Created Last 30 ================

2010-06-04 15:14:36 0 d-----w- C:\$WINDOWS.~BT
2010-06-04 15:14:26 1905 ----a-w- c:\windows\diagwrn.xml
2010-06-04 15:14:26 1905 ----a-w- c:\windows\diagerr.xml
2010-06-04 05:46:02 0 d-----w- c:\docume~1\alluse~1\applic~1\RegCure
2010-06-04 01:24:13 77312 ----a-w- c:\windows\MBR.exe
2010-06-04 01:24:13 256512 ----a-w- c:\windows\PEV.exe
2010-06-04 01:24:12 98816 ----a-w- c:\windows\sed.exe
2010-06-04 01:24:12 161792 ----a-w- c:\windows\SWREG.exe
2010-06-04 01:23:55 0 d-----w- C:\ComboFix
2010-05-22 23:17:47 0 d-----w- c:\windows\system32\wbem\Repository
2010-05-21 17:06:58 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-05-21 17:06:37 0 d-----w- c:\program files\SUPERAntiSpyware
2010-05-21 17:06:37 0 d-----w- c:\docume~1\genoveck\applic~1\SUPERAntiSpyware.com
2010-05-21 17:05:36 0 d-----w- c:\program files\common files\Wise Installation Wizard
2010-05-16 00:49:36 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-16 00:49:32 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-15 03:38:45 0 d-----w- c:\docume~1\genoveck\applic~1\Malwarebytes
2010-05-15 03:37:58 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-05-15 03:37:52 0 d-----w- c:\program files\Malwarebytes' Anti-Malware

==================== Find3M ====================

2010-04-21 19:10:51 141251 ----a-w- c:\windows\hpoins14.dat
2010-03-11 12:38:54 832512 ----a-w- c:\windows\system32\wininet.dll
2010-03-11 12:38:52 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-03-11 12:38:51 17408 ------w- c:\windows\system32\corpol.dll
2010-03-09 11:09:18 430080 ----a-w- c:\windows\system32\vbscript.dll

============= FINISH: 13:18:55.17 ===============
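As an added illustration (not part of this thread and not DDS's own code): a small Python parser for the SERVICES / DRIVERS lines of a DDS log like the one above, which flags entries such as the `S0 cshxjflh` driver whose file DDS could not find. The review flags, the no-vowel heuristic and the `min_flags` threshold are my assumptions, not rules from DDS or BleepingComputer.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# A DDS "SERVICES / DRIVERS" line reads (examples copied from the log above):
#   R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
#   S0 cshxjflh;cshxjflh;c:\windows\system32\drivers\dnnbge.sys --> c:\windows\system32\drivers\dnnbge.sys [?]
# R/S = running/stopped, the digit is the start type (0 boot, 1 system, 2 auto, 3 manual),
# then "service name;display name;image path" and, in brackets, the file's date and size,
# or "[?]" when DDS could not find the file on disk.
LINE_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<path>.+?)\s+\[(?P<stamp>[^\]]*)\]\s*$"
)


@dataclass
class DriverEntry:
    state: str
    start_type: int
    name: str
    display: str
    image_path: str            # ImagePath as DDS printed it
    resolved_path: str         # the part after "-->" when DDS showed a second path
    stamp: str                 # "date size", or "?" when the file was not found
    flags: List[str] = field(default_factory=list)


def parse_line(line: str) -> Optional[DriverEntry]:
    """Parse one SERVICES / DRIVERS line; return None for lines in another format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    image, _, resolved = m.group("path").partition("-->")
    image = image.strip()
    resolved = resolved.strip() or image
    return DriverEntry(m.group("state"), int(m.group("start")), m.group("name"),
                       m.group("display"), image, resolved, m.group("stamp").strip())


def basename_no_ext(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1].rsplit(".", 1)[0]


def assess(entry: DriverEntry) -> DriverEntry:
    """Attach review flags (heuristics, my assumptions) to a parsed entry."""
    flags = []
    if entry.stamp == "?":
        flags.append("file-missing")             # DDS could not stat the driver on disk
    if "\\drivers\\" in entry.resolved_path.lower() and \
            basename_no_ext(entry.resolved_path) != entry.name.lower():
        flags.append("name-file-mismatch")       # system32\drivers file named unlike its service
    if entry.name.isalpha() and not set(entry.name.lower()) & set("aeiouy"):
        flags.append("no-vowel-name")            # cheap proxy for a machine-generated name
    if entry.start_type == 0 and "file-missing" in flags:
        flags.append("boot-start-unverifiable")  # loads before AV, yet nothing to inspect
    entry.flags = flags
    return entry


def suspicious_drivers(log_text: str, min_flags: int = 2) -> List[DriverEntry]:
    """Return the entries that collect at least min_flags review flags."""
    found = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is not None and len(assess(entry).flags) >= min_flags:
            found.append(entry)
    return found


# Constructed sample: a subset of the SERVICES / DRIVERS section from the log above.
SAMPLE_LOG = r"""
R1 CPEb;CPEb;c:\windows\system32\drivers\CPEb.sys [2006-2-23 8192]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R2 BlankScr;HBDevice;c:\windows\system32\drivers\blankscr.sys [2005-5-23 6899]
R2 Remote Management Agent;Novell ZENworks Remote Management Agent;c:\program files\novell\zenworks\remotemanagement\rmagent\ZenRem32.exe [2006-5-9 167936]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20100601.002\naveng.sys [2010-6-1 85552]
S0 cshxjflh;cshxjflh;c:\windows\system32\drivers\dnnbge.sys --> c:\windows\system32\drivers\dnnbge.sys [?]
"""

if __name__ == "__main__":
    for e in suspicious_drivers(SAMPLE_LOG):
        print(f"{e.state}{e.start_type} {e.name}: {e.resolved_path}  flags={e.flags}")
```

Only the cshxjflh entry crosses the threshold; the legitimate Symantec, SUPERAntiSpyware and Novell services collect no flags at all.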





#2 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 04 June 2010 - 03:56 PM

Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems.

Some things to remember while we are working together.
    1. Please do not run any other tool until instructed to do so!
    2. Please reply to this thread, do not start another!
    3. Please tell me about any problems that have occurred during the fix.
    4. Please tell me of any other symptoms you may be having as these can help also.
    5. Please try as much as possible not to run anything while executing a fix.

If you follow these instructions, everything should go smoothly.

"GMER Rootkit Scanner"

Download GMER Rootkit Scanner from here or here.
  • Extract the contents of the zipped file to desktop.
  • Double click GMER.exe. If asked to allow gmer.sys driver to load, please consent .
  • If it gives you a warning about rootkit activity and asks if you want to run scan...click on NO, then use the following settings for a more complete scan..
  • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
    • Sections
    • IAT/EAT
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show All (don't miss this one)
  • Then click the Scan button & wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in "ark.txt" or it will save as a .log file which cannot be uploaded to your post.
Save it where you can easily find it, such as your desktop

**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries

"information and logs"
    In your next post I need the following
      1.log from GMER
      2. Let Me Know Of Any Problem You May Have Had

Gringo


I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#3 nflskins12

  • Topic Starter
  • Members
  • 33 posts

Posted 04 June 2010 - 09:06 PM

First of all, thank you for taking the time to help me out with this issue. Secondly, I didn't encounter any problems while running the scan and I have uploaded my log from GMER:

Attached File: ark.txt (3.13KB)

#4 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 04 June 2010 - 09:21 PM

Greetings

Please post all logs into the post; it makes it easier to research and study later. I will be back shortly with your instructions.


GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-06-04 21:56:24
Windows 5.1.2600 Service Pack 2
Running: gmer.exe; Driver: C:\DOCUME~1\genoveck\LOCALS~1\Temp\pxtdruog.sys


---- System - GMER 1.0.15 ----

SSDT 86D232A0 ZwConnectPort
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteValueKey [0xA8761350]
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwSetValueKey [0xA8761580]

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)

Device -> \Driver\atapi \Device\Harddisk0\DR0 86EBCCEC

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DeviceNotSelectedTimeout 15
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@GDIProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler yes
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@swapdisk
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@TransmissionRetryTimeout 90
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERProcessHandleQuota 10000

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

---- EOF - GMER 1.0.15 ----


gringo

Hello

I would like you to do the following.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:
    Please visit this webpage for download links, and instructions for running the tool:

    http://www.bleepingcomputer.com/combofix/how-to-use-combofix

    Please ensure you read this guide carefully and install the Recovery Console first.

    The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode.
    This allows us to more easily help you should your computer have a problem after an attempted removal of malware.
    It is a simple procedure that will only take a few moments of your time.


    Once installed, you should see a blue screen prompt that says:
      The Recovery Console was successfully installed.
    Please continue as follows:
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Click Yes to allow ComboFix to continue scanning for malware.
    When the tool is finished, it will produce a report for you.

    Please include the report in your next post:

    C:\ComboFix.txt
"information and logs"
    In your next post I need the following
    1. Log from Combofix
    2. let me know of any problems you may have had
    3. How is the computer doing now?
Gringo


#5 nflskins12

  • Topic Starter
  • Members
  • 33 posts

Posted 04 June 2010 - 11:06 PM

Alright, I couldn't install the recovery console because I can't access the internet from my computer, but ComboFix was able to scan. Shortly after ComboFix started scanning it said it detected rootkit activity and needed to restart my computer. I clicked "ok" and upon the restart ComboFix finished scanning (computer is as it was still)

Here is my ComboFix log:

ComboFix 10-06-03.01 - genoveck 06/04/2010 23:39:25.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1014.483 [GMT -4:00]
Running from: E:\ComboFix.exe
AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
c:\documents and settings\All Users\Application Data\Adobe\sp.Dll
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\genoveck\Application Data\ATManager\metafiles\e7e2135bcdfc87179deacdb1cdac8b7a.torrent
c:\windows\system32\AutoRun.inf
c:\windows\system32\Drivers\yvlhvv.sys

Infected copy of c:\windows\system32\drivers\acpiec.sys was found and disinfected
Restored copy from - Kitty had a snack :P
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_SPService


((((((((((((((((((((((((( Files Created from 2010-05-05 to 2010-06-05 )))))))))))))))))))))))))))))))
.

2010-06-04 15:14 . 2010-06-04 15:14 -------- d-----w- C:\$WINDOWS.~BT
2010-06-04 05:46 . 2010-06-04 06:07 -------- d-----w- c:\documents and settings\All Users\Application Data\RegCure
2010-06-04 05:46 . 2010-06-04 05:57 -------- d-----w- c:\program files\RegCure
2010-05-22 23:17 . 2010-05-22 23:17 -------- d-----w- c:\windows\system32\wbem\Repository
2010-05-22 23:07 . 2010-05-22 23:07 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-05-21 17:08 . 2010-05-25 15:57 63488 ----a-w- c:\documents and settings\genoveck\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
2010-05-21 17:07 . 2010-05-21 17:07 52224 ----a-w- c:\documents and settings\genoveck\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-05-21 17:07 . 2010-05-25 15:56 117760 ----a-w- c:\documents and settings\genoveck\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-05-21 17:06 . 2010-05-21 17:06 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-05-21 17:06 . 2010-05-22 14:52 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-05-21 17:06 . 2010-05-21 17:06 -------- d-----w- c:\documents and settings\genoveck\Application Data\SUPERAntiSpyware.com
2010-05-21 17:05 . 2010-05-21 17:05 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-05-19 00:05 . 2010-05-19 00:05 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple Computer
2010-05-19 00:05 . 2010-05-19 00:05 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Apple Computer
2010-05-16 00:49 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-16 00:49 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-15 03:38 . 2010-05-15 03:38 -------- d-----w- c:\documents and settings\genoveck\Application Data\Malwarebytes
2010-05-15 03:37 . 2010-05-15 03:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-05-15 03:37 . 2010-05-16 00:49 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-05 03:37 . 2007-06-27 12:56 -------- d-----w- c:\program files\Symantec AntiVirus
2010-06-04 15:06 . 2010-06-04 15:29 246078 ----a-w- c:\windows\pchealth\helpctr\Config\Cache\Professional_32_1033.dat
2010-06-04 00:21 . 2007-06-27 12:23 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-06-04 00:19 . 2007-10-17 18:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2010-05-28 22:30 . 2010-04-26 22:01 -------- d-----w- c:\documents and settings\All Users\Application Data\TechSmith
2010-05-26 21:09 . 2007-08-17 15:11 68872 ----a-w- c:\documents and settings\genoveck\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-05-26 15:38 . 2007-06-27 13:23 -------- d-----w- c:\program files\Webroot
2010-05-26 15:27 . 2007-06-27 12:36 -------- d-----w- c:\program files\CyberLink
2010-05-23 04:13 . 2010-03-19 01:06 439816 ----a-w- c:\documents and settings\genoveck\Application Data\Real\Update\setup3.10\setup.exe
2010-05-15 16:21 . 2007-08-26 00:03 -------- d-----w- c:\program files\Google
2010-05-03 03:50 . 2010-04-19 02:42 -------- d-----w- c:\documents and settings\genoveck\Application Data\Skype
2010-05-03 03:49 . 2008-09-16 23:05 -------- d-----w- c:\documents and settings\genoveck\Application Data\skypePM
2010-04-29 17:58 . 2010-04-22 17:58 -------- d-----w- c:\documents and settings\All Users\Application Data\NCH Swift Sound
2010-04-27 03:17 . 2009-09-13 22:34 -------- d-----w- c:\documents and settings\genoveck\Application Data\DivX
2010-04-22 18:08 . 2010-04-22 17:58 -------- d-----w- c:\documents and settings\genoveck\Application Data\NCH Swift Sound
2010-04-22 17:58 . 2010-04-22 17:57 -------- d-----w- c:\program files\NCH Swift Sound
2010-04-21 19:21 . 2010-04-21 19:21 -------- d-----w- c:\documents and settings\All Users\Application Data\WEBREG
2010-04-21 19:10 . 2010-04-21 18:38 141251 ----a-w- c:\windows\hpoins14.dat
2010-04-21 19:01 . 2008-07-13 04:41 -------- d-----w- c:\program files\V CAST Music with Rhapsody
2010-04-21 18:48 . 2010-04-21 18:48 -------- d-----w- c:\documents and settings\All Users\Application Data\HP Product Assistant
2010-04-21 18:48 . 2007-12-22 17:30 -------- d-----w- c:\documents and settings\All Users\Application Data\HP
2010-04-21 18:47 . 2010-04-21 18:47 -------- d-----w- c:\program files\Common Files\HP
2010-04-21 18:46 . 2010-04-21 18:46 -------- d-----w- c:\program files\Hewlett-Packard
2010-04-21 18:45 . 2010-04-21 18:45 -------- d-----w- c:\program files\Common Files\Hewlett-Packard
2010-04-21 18:43 . 2010-04-21 18:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Hewlett-Packard
2010-04-21 15:55 . 2007-06-27 13:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-04-19 02:42 . 2010-04-19 02:42 -------- d-----w- c:\program files\Common Files\Skype
2010-04-19 02:42 . 2010-04-19 02:41 -------- d-----r- c:\program files\Skype
2010-04-19 02:41 . 2008-09-16 23:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2010-03-11 12:38 . 2005-01-28 17:31 832512 ----a-w- c:\windows\system32\wininet.dll
2010-03-11 12:38 . 2005-01-28 17:30 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-03-11 12:38 . 2005-01-28 17:29 17408 ------w- c:\windows\system32\corpol.dll
2010-03-09 11:09 . 2005-01-28 17:31 430080 ----a-w- c:\windows\system32\vbscript.dll
2009-07-14 00:16 . 2009-07-14 00:16 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-07-14 00:16 . 2009-07-14 00:16 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidewalker"="c:\program files\Compal Electronics" [X]
"CASS"="c:\program files\Compal Electronics" [X]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2007-05-08 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2007-05-08 118784]
"RTHDCPL"="RTHDCPL.EXE" [2007-05-09 16143872]
"AzMixerSel"="c:\program files\Realtek\InstallShield\AzMixerSel.exe" [2007-05-09 53248]
"AGRSMMSG"="AGRSMMSG.exe" [2005-12-12 88204]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-05-08 774233]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2006-12-06 69216]
"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2006-12-06 54832]
"NDPS"="c:\windows\system32\dpmw32.exe" [2004-05-17 32859]
"ZENRC Tray Icon"="c:\windows\system32\zentray.exe" [2005-05-18 40960]
"NWTRAY"="NWTRAY.EXE" [2002-03-12 28672]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"snp2std"="c:\windows\vsnp2std.exe" [2006-05-15 675840]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2007-09-13 185632]
"HP Software Update"="c:\program files\HP\Temp\HP Software Update\HPWuSchd2.exe" [2007-03-12 49152]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-03-29 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-03-30 267048]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2007-05-29 52840]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2007-06-06 125632]
"EKIJ5000StatusMonitor"="c:\windows\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe" [2008-07-19 1306624]

c:\documents and settings\genoveck\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2007-12-7 101440]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Application Explorer.lnk - c:\program files\Novell\ZENworks\NalView.exe [2006-6-13 35840]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Temp\Digital Imaging\bin\hpqtra08.exe [2007-3-11 210520]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"CompatibleRUPSecurity"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDevMgrUpdate"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{763370C4-268E-4308-A60C-D8DA0342BE32}"= "c:\program files\Novell\ZENworks\NalShell.dll" [2006-06-28 446464]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 19:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\NetIdentity Notification]
2006-05-02 13:17 24576 ----a-w- c:\windows\system32\novell\xtnotify.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwv1_0

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=

R1 CPEb;CPEb;c:\windows\system32\drivers\CPEb.sys [2/23/2006 6:21 PM 8192]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 11:25 AM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/6/2010 5:10 PM 68168]
R2 BlankScr;HBDevice;c:\windows\system32\drivers\blankscr.sys [5/23/2005 2:47 PM 6899]
R2 KodakSvc;Kodak AiO Device Service;c:\program files\Kodak\Printer\Center\KodakSvc.exe [12/13/2007 12:07 PM 18944]
R2 Remote Management Agent;Novell ZENworks Remote Management Agent;c:\program files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe [5/9/2006 10:59 AM 167936]
R2 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [6/6/2007 4:24 PM 116928]
R2 XTAgent;Novell XTier Agent Services;c:\windows\system32\novell\xtagent.exe [5/2/2006 9:17 AM 61440]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [6/1/2010 3:57 PM 102448]
S0 cshxjflh;cshxjflh;c:\windows\system32\drivers\dnnbge.sys --> c:\windows\system32\drivers\dnnbge.sys [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2010-05-24 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 18:57]

2010-04-22 c:\windows\Tasks\mixpadSevenDaysInit.job
- c:\program files\NCH Swift Sound\MixPad\mixpad.exe [2010-04-22 17:58]

2010-04-22 c:\windows\Tasks\mixpadShakeIcon.job
- c:\program files\NCH Swift Sound\MixPad\mixpad.exe [2010-04-22 17:58]

2010-06-04 c:\windows\Tasks\RegCure Program Check.job
- c:\program files\RegCure\RegCure.exe [2010-05-19 23:20]

2010-06-04 c:\windows\Tasks\RegCure.job
- c:\program files\RegCure\RegCure.exe [2010-05-19 23:20]

2010-04-29 c:\windows\Tasks\switchShakeIcon.job
- c:\program files\NCH Swift Sound\Switch\switch.exe [2010-04-22 17:58]

2010-05-15 c:\windows\Tasks\wavepadShakeIcon.job
- c:\program files\NCH Swift Sound\WavePad\wavepad.exe [2010-04-22 17:57]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.facebook.com/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\genoveck\Application Data\Mozilla\Firefox\Profiles\ix080kje.default\
FF - prefs.js: browser.startup.homepage - google.com

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Aim6 - (no file)
ShellExecuteHooks-{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - (no file)
SafeBoot-WebrootSpySweeperService



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-04 23:49
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x86EC0CEC]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf75b0fc3
\Driver\ACPI -> ACPI.sys @ 0xf7503cb8
\Driver\atapi -> atapi.sys @ 0xf74777b4
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805e4e39
ParseProcedure -> ntoskrnl.exe @ 0x8057fa99
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805e4e39
ParseProcedure -> ntoskrnl.exe @ 0x8057fa99
NDIS: Realtek RTL8168/8111 PCI-E Gigabit Ethernet NIC -> SendCompleteHandler -> NDIS.sys @ 0xf7370ba0
PacketIndicateHandler -> NDIS.sys @ 0xf735fa0b
SendHandler -> NDIS.sys @ 0xf7373b31
user & kernel MBR OK

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(900)
c:\windows\system32\WININET.dll
c:\program files\Novell\ZENworks\ZENPOL32.DLL
c:\windows\system32\xmlparse.dll
c:\windows\system32\ZenMup.dll
c:\program files\SUPERAntiSpyware\SASWINLO.dll

- - - - - - - > 'lsass.exe'(960)
c:\windows\system32\WININET.dll
.
Completion time: 2010-06-04 23:54:06
ComboFix-quarantined-files.txt 2010-06-05 03:54

Pre-Run: 33,865,875,456 bytes free
Post-Run: 33,831,669,760 bytes free

- - End Of File - - DF3B3585C7F6F424A7421E2741A678A0


#6 gringo_pr (Bleepin Gringo)

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 04 June 2010 - 11:23 PM

Greetings nflskins12


This is what I need you to do next.

TDSSKiller:
  • Please Download TDSSKiller.zip and save it on your desktop.
  • extract (unzip) its contents to your Desktop.
  • double-click the TDSSKiller Folder on your desktop.
  • right-click on TDSSKiller.exe and click Copy then Paste it directly on to your Desktop.
  • Highlight and copy the text in the codebox below.
CODE
"%userprofile%\desktop\tdsskiller.exe" -l "%userprofile%\desktop\tdsskiller.txt"
  • Click Start, click Run... and paste the text above into the Open: line and click OK.
  • If malicious services or files have been detected, the utility will prompt to reboot the PC in order to complete the disinfection procedure. Please reboot when prompted.
  • After reboot, the driver will delete malicious registry keys and files as well as remove itself from the services list.
  • a log file should be created on your C: drive named something like TDSSKiller 2.1.1 Dec 20 2009 02:40:02
  • To find the log click Start then Computer then Vista ( C:).
  • Please post the contents of that log in your next reply


gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#7 nflskins12 (Topic Starter)

  • Members
  • 33 posts

Posted 04 June 2010 - 11:48 PM

TDSSKiller detected some malicious services or files and restarted my computer. After the restart, it seems like everything is back to normal! Here is my TDSSKiller log file:

00:38:04:359 2624 TDSS rootkit removing tool 2.3.2.0 May 31 2010 10:39:48
00:38:04:359 2624 ================================================================================
00:38:04:359 2624 SystemInfo:

00:38:04:359 2624 OS Version: 5.1.2600 ServicePack: 2.0
00:38:04:359 2624 Product type: Workstation
00:38:04:359 2624 ComputerName: GENOVECK-WS
00:38:04:359 2624 UserName: genoveck
00:38:04:359 2624 Windows directory: C:\WINDOWS
00:38:04:359 2624 Processor architecture: Intel x86
00:38:04:359 2624 Number of processors: 2
00:38:04:359 2624 Page size: 0x1000
00:38:04:359 2624 Boot type: Normal boot
00:38:04:359 2624 ================================================================================
00:38:04:515 2624 Initialize success
00:38:04:515 2624
00:38:04:515 2624 Scanning Services ...
00:38:04:953 2624 Raw services enum returned 384 services
00:38:04:953 2624
00:38:04:953 2624 Scanning Drivers ...
00:38:05:578 2624 ACPI (a10c7534f7223f4a73a948967d00e69b) C:\WINDOWS\system32\DRIVERS\ACPI.sys
00:38:05:609 2624 ACPIEC (5c8066ac867fe63fa60d944d9f82926c) C:\WINDOWS\system32\DRIVERS\ACPIEC.sys
00:38:05:609 2624 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\ACPIEC.sys. Real md5: 5c8066ac867fe63fa60d944d9f82926c, Fake md5: 9859c0f6936e723e4892d7141b1327d5
00:38:05:609 2624 File "C:\WINDOWS\system32\DRIVERS\ACPIEC.sys" infected by TDSS rootkit ...
00:38:06:078 2624 Backup copy found, using it..
00:38:06:125 2624 will be cured on next reboot
00:38:18:531 2624 Reboot required for cure complete..
00:38:19:046 2624 Cure on reboot scheduled successfully
00:38:19:046 2624
00:38:19:046 2624 Completed
00:38:19:046 2624
00:38:19:046 2624 Results:
00:38:19:046 2624 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
00:38:19:046 2624 File objects infected / cured / cured on reboot: 1 / 0 / 1
00:38:19:046 2624
00:38:19:046 2624 KLMD(ARK) unloaded successfully
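The TDSSKiller log above has a small, regular format: a tool banner, one line per enumerated driver with its MD5, a "Suspicious file (Forged)" line carrying the real (raw-disk) and fake (as presented through the file system) hashes, the cure lines for that file, and a results block. The parser below reads that format and produces a short triage summary; it is an added example, not part of this thread or of TDSSKiller itself, and the sample log is a constructed excerpt of the lines posted above.

```python
import re
from dataclasses import dataclass, field

# Constructed excerpt of a TDSSKiller 2.3.2.0 log in the format posted above
# (two clean driver lines, one forged-file detection, the results block).
SAMPLE_LOG = r"""
00:38:04:359 2624 TDSS rootkit removing tool 2.3.2.0 May 31 2010 10:39:48
00:38:04:953 2624 Scanning Drivers ...
00:38:05:578 2624 ACPI (a10c7534f7223f4a73a948967d00e69b) C:\WINDOWS\system32\DRIVERS\ACPI.sys
00:38:05:609 2624 ACPIEC (5c8066ac867fe63fa60d944d9f82926c) C:\WINDOWS\system32\DRIVERS\ACPIEC.sys
00:38:05:609 2624 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\ACPIEC.sys. Real md5: 5c8066ac867fe63fa60d944d9f82926c, Fake md5: 9859c0f6936e723e4892d7141b1327d5
00:38:05:609 2624 File "C:\WINDOWS\system32\DRIVERS\ACPIEC.sys" infected by TDSS rootkit ...
00:38:06:078 2624 Backup copy found, using it..
00:38:06:125 2624 will be cured on next reboot
00:38:06:468 2624 aec (1ee7b434ba961ef845de136224c30fec) C:\WINDOWS\system32\drivers\aec.sys
00:38:18:531 2624 Reboot required for cure complete..
00:38:19:046 2624 Results:
00:38:19:046 2624 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
00:38:19:046 2624 File objects infected / cured / cured on reboot: 1 / 0 / 1
"""

# Every line starts with "HH:MM:SS:mmm <pid> <message>".
PREFIX = re.compile(r"^(?P<ts>\d{2}:\d{2}:\d{2}:\d{3}) (?P<pid>\d+) (?P<msg>.*)$")
# Driver enumeration: "<name> (<md5>) <path>".
DRIVER = re.compile(r"^(?P<name>\S+) \((?P<md5>[0-9a-f]{32})\) (?P<path>.+)$")
# Detection line with the hash read from raw disk (Real) and the one the file system shows (Fake).
FORGED = re.compile(r"^Suspicious file \(Forged\): (?P<path>.+)\. Real md5: (?P<real>[0-9a-f]{32}), "
                    r"Fake md5: (?P<fake>[0-9a-f]{32})$")
INFECTED = re.compile(r'^File "(?P<path>[^"]+)" infected by (?P<threat>.+?) \.\.\.$')
RESULT = re.compile(r"^(?P<kind>Registry|File) objects infected / cured / cured on reboot: "
                    r"(?P<inf>\d+) / (?P<cured>\d+) / (?P<reboot>\d+)$")


@dataclass
class Finding:
    path: str
    real_md5: str = ""
    fake_md5: str = ""
    threat: str = ""
    cure: str = ""          # the cure lines that follow the detection, joined


@dataclass
class Report:
    tool: str = ""
    drivers: dict = field(default_factory=dict)   # path -> md5 from the enumeration line
    findings: list = field(default_factory=list)
    results: dict = field(default_factory=dict)   # "Registry"/"File" -> (infected, cured, cured on reboot)
    reboot_required: bool = False


def parse_tdsskiller_log(text: str) -> Report:
    report = Report()
    current = None  # the finding that subsequent cure lines belong to
    for raw in text.splitlines():
        m = PREFIX.match(raw.strip())
        if not m:
            continue
        msg = m.group("msg").strip()
        if msg.startswith("TDSS rootkit removing tool"):
            report.tool = msg
        elif (d := DRIVER.match(msg)):
            report.drivers[d.group("path")] = d.group("md5")
        elif (f := FORGED.match(msg)):
            current = Finding(f.group("path"), f.group("real"), f.group("fake"))
            report.findings.append(current)
        elif (i := INFECTED.match(msg)):
            # Normally follows the Forged line for the same path; otherwise start a new finding.
            if current is None or current.path != i.group("path"):
                current = Finding(i.group("path"))
                report.findings.append(current)
            current.threat = i.group("threat")
        elif msg.startswith(("Backup copy found", "will be cured")):
            if current is not None:
                current.cure = (current.cure + " " + msg).strip()
        elif msg.startswith("Reboot required"):
            report.reboot_required = True
        elif (r := RESULT.match(msg)):
            report.results[r.group("kind")] = (int(r.group("inf")), int(r.group("cured")), int(r.group("reboot")))
    return report


def summarize(report: Report) -> list:
    """One triage line per finding plus a file-object tally; 'pending' means neither cured nor scheduled."""
    lines = []
    for f in report.findings:
        listed = report.drivers.get(f.path, "")
        view = "real" if listed == f.real_md5 else "fake" if listed == f.fake_md5 else "unknown"
        lines.append(f"{f.path}: {f.threat or 'forged'}; enumeration shows {view} hash; "
                     f"{f.cure or 'no cure recorded'}")
    inf, cured, reboot = report.results.get("File", (0, 0, 0))
    lines.append(f"file objects: {inf} infected, {cured} cured, {reboot} cured on reboot, "
                 f"{inf - cured - reboot} pending")
    return lines


if __name__ == "__main__":
    for line in summarize(parse_tdsskiller_log(SAMPLE_LOG)):
        print(line)
```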


#8 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto rico
  • Local time:01:30 PM

Posted 05 June 2010 - 12:06 AM

Greetings nflskins12

Good. That cleaned up some bad guys, but I see some other stuff that we need to go after, so I want you to run this custom script for me.

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

CODE
rootkit::
c:\windows\system32\drivers\dnnbge.sys

Driver::
cshxjflh


Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe

This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

NOTE:
  • When ComboFix finishes running, the ComboFix log will open along with a message box. Do not be alarmed: with the above script, ComboFix will upload files to submit for analysis.
  • Ensure you are connected to the internet and click OK on the message box.

"information and logs"
    In your next post I need the following
    1. report from Combofix
    2. let me know of any problems you may have had
    3. How is the computer doing now after running the script?

Gringo


I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#9 nflskins12

nflskins12
  • Topic Starter

  • Members
  • 33 posts
  • OFFLINE
  • Local time:01:30 PM

Posted 05 June 2010 - 12:39 AM

Everything went smoothly and the computer seems to be running fine.

Here is the log from ComboFix:


ComboFix 10-06-03.01 - genoveck 06/05/2010 1:21.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1014.425 [GMT -4:00]
Running from: c:\documents and settings\genoveck\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\genoveck\Desktop\CFScript.txt
AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat

----- BITS: Possible infected sites -----

hxxp://windowsupdate.udayton.edu
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_cshxjflh


((((((((((((((((((((((((( Files Created from 2010-05-05 to 2010-06-05 )))))))))))))))))))))))))))))))
.

2010-06-04 15:14 . 2010-06-04 15:14 -------- d-----w- C:\$WINDOWS.~BT
2010-06-04 05:46 . 2010-06-05 04:52 -------- d-----w- c:\documents and settings\All Users\Application Data\RegCure
2010-05-22 23:17 . 2010-05-22 23:17 -------- d-----w- c:\windows\system32\wbem\Repository
2010-05-22 23:07 . 2010-05-22 23:07 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-05-21 17:08 . 2010-05-25 15:57 63488 ----a-w- c:\documents and settings\genoveck\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
2010-05-21 17:07 . 2010-05-21 17:07 52224 ----a-w- c:\documents and settings\genoveck\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-05-21 17:07 . 2010-05-25 15:56 117760 ----a-w- c:\documents and settings\genoveck\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-05-21 17:06 . 2010-05-21 17:06 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-05-21 17:06 . 2010-05-22 14:52 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-05-21 17:06 . 2010-05-21 17:06 -------- d-----w- c:\documents and settings\genoveck\Application Data\SUPERAntiSpyware.com
2010-05-21 17:05 . 2010-05-21 17:05 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-05-19 00:05 . 2010-05-19 00:05 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple Computer
2010-05-19 00:05 . 2010-05-19 00:05 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Apple Computer
2010-05-16 00:49 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-05-16 00:49 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-05-15 03:38 . 2010-05-15 03:38 -------- d-----w- c:\documents and settings\genoveck\Application Data\Malwarebytes
2010-05-15 03:37 . 2010-05-15 03:37 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-05-15 03:37 . 2010-05-16 00:49 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-05 05:28 . 2007-06-27 12:56 -------- d-----w- c:\program files\Symantec AntiVirus
2010-06-05 04:44 . 2010-03-19 01:06 439816 ----a-w- c:\documents and settings\genoveck\Application Data\Real\Update\setup3.10\setup.exe
2010-06-05 04:40 . 2001-08-17 13:57 11648 ----a-w- c:\windows\system32\drivers\acpiec.sys
2010-06-04 15:06 . 2010-06-04 15:29 246078 ----a-w- c:\windows\pchealth\helpctr\Config\Cache\Professional_32_1033.dat
2010-06-04 00:21 . 2007-06-27 12:23 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-06-04 00:19 . 2007-10-17 18:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Viewpoint
2010-05-28 22:30 . 2010-04-26 22:01 -------- d-----w- c:\documents and settings\All Users\Application Data\TechSmith
2010-05-26 21:09 . 2007-08-17 15:11 68872 ----a-w- c:\documents and settings\genoveck\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-05-26 15:38 . 2007-06-27 13:23 -------- d-----w- c:\program files\Webroot
2010-05-26 15:27 . 2007-06-27 12:36 -------- d-----w- c:\program files\CyberLink
2010-05-15 16:21 . 2007-08-26 00:03 -------- d-----w- c:\program files\Google
2010-05-03 03:50 . 2010-04-19 02:42 -------- d-----w- c:\documents and settings\genoveck\Application Data\Skype
2010-05-03 03:49 . 2008-09-16 23:05 -------- d-----w- c:\documents and settings\genoveck\Application Data\skypePM
2010-04-29 17:58 . 2010-04-22 17:58 -------- d-----w- c:\documents and settings\All Users\Application Data\NCH Swift Sound
2010-04-27 03:17 . 2009-09-13 22:34 -------- d-----w- c:\documents and settings\genoveck\Application Data\DivX
2010-04-22 18:08 . 2010-04-22 17:58 -------- d-----w- c:\documents and settings\genoveck\Application Data\NCH Swift Sound
2010-04-22 17:58 . 2010-04-22 17:57 -------- d-----w- c:\program files\NCH Swift Sound
2010-04-21 19:21 . 2010-04-21 19:21 -------- d-----w- c:\documents and settings\All Users\Application Data\WEBREG
2010-04-21 19:10 . 2010-04-21 18:38 141251 ----a-w- c:\windows\hpoins14.dat
2010-04-21 19:01 . 2008-07-13 04:41 -------- d-----w- c:\program files\V CAST Music with Rhapsody
2010-04-21 18:48 . 2010-04-21 18:48 -------- d-----w- c:\documents and settings\All Users\Application Data\HP Product Assistant
2010-04-21 18:48 . 2007-12-22 17:30 -------- d-----w- c:\documents and settings\All Users\Application Data\HP
2010-04-21 18:47 . 2010-04-21 18:47 -------- d-----w- c:\program files\Common Files\HP
2010-04-21 18:46 . 2010-04-21 18:46 -------- d-----w- c:\program files\Hewlett-Packard
2010-04-21 18:45 . 2010-04-21 18:45 -------- d-----w- c:\program files\Common Files\Hewlett-Packard
2010-04-21 18:43 . 2010-04-21 18:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Hewlett-Packard
2010-04-21 15:55 . 2007-06-27 13:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2010-04-19 02:42 . 2010-04-19 02:42 -------- d-----w- c:\program files\Common Files\Skype
2010-04-19 02:42 . 2010-04-19 02:41 -------- d-----r- c:\program files\Skype
2010-04-19 02:41 . 2008-09-16 23:03 -------- d-----w- c:\documents and settings\All Users\Application Data\Skype
2010-03-11 12:38 . 2005-01-28 17:31 832512 ----a-w- c:\windows\system32\wininet.dll
2010-03-11 12:38 . 2005-01-28 17:30 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-03-11 12:38 . 2005-01-28 17:29 17408 ------w- c:\windows\system32\corpol.dll
2010-03-09 11:09 . 2005-01-28 17:31 430080 ----a-w- c:\windows\system32\vbscript.dll
2009-07-14 00:16 . 2009-07-14 00:16 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-07-14 00:16 . 2009-07-14 00:16 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidewalker"="c:\program files\Compal Electronics" [X]
"CASS"="c:\program files\Compal Electronics" [X]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2007-05-08 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2007-05-08 118784]
"RTHDCPL"="RTHDCPL.EXE" [2007-05-09 16143872]
"AzMixerSel"="c:\program files\Realtek\InstallShield\AzMixerSel.exe" [2007-05-09 53248]
"AGRSMMSG"="AGRSMMSG.exe" [2005-12-12 88204]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-05-08 774233]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2006-12-06 69216]
"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2006-12-06 54832]
"NDPS"="c:\windows\system32\dpmw32.exe" [2004-05-17 32859]
"ZENRC Tray Icon"="c:\windows\system32\zentray.exe" [2005-05-18 40960]
"NWTRAY"="NWTRAY.EXE" [2002-03-12 28672]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"snp2std"="c:\windows\vsnp2std.exe" [2006-05-15 675840]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2007-09-13 185632]
"HP Software Update"="c:\program files\HP\Temp\HP Software Update\HPWuSchd2.exe" [2007-03-12 49152]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-03-29 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-03-30 267048]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2007-05-29 52840]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2007-06-06 125632]
"EKIJ5000StatusMonitor"="c:\windows\System32\spool\DRIVERS\W32X86\3\EKIJ5000MUI.exe" [2008-07-19 1306624]

c:\documents and settings\genoveck\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2007-12-7 101440]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Application Explorer.lnk - c:\program files\Novell\ZENworks\NalView.exe [2006-6-13 35840]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Temp\Digital Imaging\bin\hpqtra08.exe [2007-3-11 210520]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"CompatibleRUPSecurity"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDevMgrUpdate"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{763370C4-268E-4308-A60C-D8DA0342BE32}"= "c:\program files\Novell\ZENworks\NalShell.dll" [2006-06-28 446464]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 19:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\NetIdentity Notification]
2006-05-02 13:17 24576 ----a-w- c:\windows\system32\novell\xtnotify.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 nwv1_0

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\dpmw32.exe"=

R1 CPEb;CPEb;c:\windows\system32\drivers\CPEb.sys [2/23/2006 6:21 PM 8192]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 11:25 AM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/6/2010 5:10 PM 68168]
R2 BlankScr;HBDevice;c:\windows\system32\drivers\blankscr.sys [5/23/2005 2:47 PM 6899]
R2 KodakSvc;Kodak AiO Device Service;c:\program files\Kodak\Printer\Center\KodakSvc.exe [12/13/2007 12:07 PM 18944]
R2 Remote Management Agent;Novell ZENworks Remote Management Agent;c:\program files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe [5/9/2006 10:59 AM 167936]
R2 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [6/6/2007 4:24 PM 116928]
R2 XTAgent;Novell XTier Agent Services;c:\windows\system32\novell\xtagent.exe [5/2/2006 9:17 AM 61440]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [6/1/2010 3:57 PM 102448]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder

2010-05-24 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 18:57]

2010-04-22 c:\windows\Tasks\mixpadSevenDaysInit.job
- c:\program files\NCH Swift Sound\MixPad\mixpad.exe [2010-04-22 17:58]

2010-04-22 c:\windows\Tasks\mixpadShakeIcon.job
- c:\program files\NCH Swift Sound\MixPad\mixpad.exe [2010-04-22 17:58]

2010-04-29 c:\windows\Tasks\switchShakeIcon.job
- c:\program files\NCH Swift Sound\Switch\switch.exe [2010-04-22 17:58]

2010-05-15 c:\windows\Tasks\wavepadShakeIcon.job
- c:\program files\NCH Swift Sound\WavePad\wavepad.exe [2010-04-22 17:57]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.facebook.com/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\genoveck\Application Data\Mozilla\Firefox\Profiles\ix080kje.default\
FF - prefs.js: browser.startup.homepage - google.com

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.
- - - - ORPHANS REMOVED - - - -

SafeBoot-klmdb.sys



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-05 01:29
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(896)
c:\program files\Novell\ZENworks\ZENPOL32.DLL
c:\windows\system32\xmlparse.dll
c:\windows\system32\ZenMup.dll
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll

- - - - - - - > 'Explorer.exe'(2292)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Symantec AntiVirus\DefWatch.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Novell\ZENworks\nalntsrv.exe
c:\program files\CyberLink\Shared Files\RichVideo.exe
c:\program files\Symantec AntiVirus\Rtvscan.exe
c:\program files\Novell\ZENworks\wm.exe
c:\program files\Novell\ZENworks\WMRUNDLL.EXE
c:\windows\RTHDCPL.EXE
c:\windows\AGRSMMSG.exe
c:\program files\Compal Electronics, INC\Sidewalker\CSWalker.exe
c:\program files\Compal Electronics, INC\Wireless Select Switch\Wireless Select Switch.exe
c:\windows\system32\NWTRAY.EXE
c:\program files\Novell\ZENworks\NalAgent.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\HP\Temp\Digital Imaging\bin\hpqSTE08.exe
.
**************************************************************************
.
Completion time: 2010-06-05 01:34:09 - machine was rebooted
ComboFix-quarantined-files.txt 2010-06-05 05:34
ComboFix2.txt 2010-06-05 03:54

Pre-Run: 33,822,085,120 bytes free
Post-Run: 33,789,480,960 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - AD1A3FD4E7083F729A941E435496518B


#10 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto rico
  • Local time:01:30 PM

Posted 05 June 2010 - 01:04 AM

Greetings

I would like to get an extra report from ComboFix.

Extra ComboFix report

I need to see one of the extra reports ComboFix makes:
  • push the "windows key" + "R" (between the "Ctrl" button and "Alt" Button)
  • please copy and paste the following into the box
CODE
C:\Qoobox\Add-Remove Programs.txt
  • click ok
  • copy and paste the report into this topic for me to review

: Malwarebytes' Anti-Malware :
    Please download Malwarebytes' Anti-Malware to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to
    • Update Malwarebytes' Anti-Malware
    • and Launch Malwarebytes' Anti-Malware
  • then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is Checked (ticked) except items in the C:\System Volume Information folder and click on Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
    • If you accidentally close it, the log file is saved here and will be named like this:
    • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.


"information and logs"
    In your next post I need the following
    1. extra report from combofix
    2. report From MBAM
    3. let me know of any problems you may have had
    4. How is the computer doing now?

Gringo



#11 nflskins12

nflskins12
  • Topic Starter

  • Members
  • 33 posts
  • OFFLINE
  • Local time:01:30 PM

Posted 05 June 2010 - 01:24 AM

Everything seems to be working fine.


Here is the extra ComboFix report:

32 Bit HP CIO Components Installer
4U WMA MP3 Converter 5.9.3
AAC Decoder
Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742)
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 8.1.2
Adobe Reader 8.1.2 Security Update 1 (KB403742)
Adobe Shockwave Player
AIM 6
AIO_Scan
aioocr
Apple Mobile Device Support
Apple Software Update
Ares 2.0.9
AutoUpdate
Bonjour Core for Windows
BufferChm
center
Copy
Critical Update for Windows Media Player 11 (KB959772)
Destination Component
DeviceDiscovery
DeviceFunctionQFolder
DivX Codec
DivX Converter
DivX Player
DivX Plus DirectShow Filters
DivX Version Checker
DivX Web Player
DJ_AIO_ProductContext
DJ_AIO_Software
DJ_AIO_Software_min
DocProc
DocProcQFolder
DVD Suite
F2100
F2100_doccd
F2100_Help
FileZilla (remove only)
Free WMA to MP3 Converter 1.16
H.264 Decoder
Help_CTR
helptut
helpug
High Definition Audio Driver Package - KB888111
HighMAT Extension to Microsoft Windows XP CD Writing Wizard
Hotfix for Microsoft .NET Framework 3.0 (KB932471)
Hotfix for MSXML 2 (KB887606)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB319740)
Hotfix for Windows XP (KB889527)
Hotfix for Windows XP (KB896344)
Hotfix for Windows XP (KB897338)
Hotfix for Windows XP (KB898900)
Hotfix for Windows XP (KB903234)
Hotfix for Windows XP (KB904412)
Hotfix for Windows XP (KB906569)
Hotfix for Windows XP (KB907865)
Hotfix for Windows XP (KB912461)
Hotfix for Windows XP (KB912817)
Hotfix for Windows XP (KB913538)
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB917021)
Hotfix for Windows XP (KB918005)
Hotfix for Windows XP (KB918093)
Hotfix for Windows XP (KB918997)
Hotfix for Windows XP (KB924867)
Hotfix for Windows XP (KB924941)
Hotfix for Windows XP (KB926239)
Hotfix for Windows XP (KB927544)
Hotfix for Windows XP (KB935448)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
HP Deskjet All-In-One Software 9.0
HP Imaging Device Functions 9.0
HP OCR Software 9.0
HP Solution Center & Imaging Support Tools 5.0
HP Update
HPProductAssistant
HPSSupply
IBM Lotus Sametime Connect 7.5.1
Integrated Camera
Intel® Graphics Media Accelerator Driver
InterActual Player
iPowerHour 2.5
iTunes
Java™ 6 Update 3
Java™ 6 Update 5
Java™ 6 Update 7
Java™ SE Runtime Environment 6 Update 1
KODAK All-in-One Printer Software
ksdip
LG USB Modem driver
LiveUpdate 3.1 (Symantec Corporation)
Macromedia Authorware Web Player
Malwarebytes' Anti-Malware
MediaShow 3.0
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB925168)
Microsoft .NET Framework 1.1 Security Update (KB953297)
Microsoft .NET Framework 2.0
Microsoft .NET Framework 3.0
Microsoft Base Smart Card Cryptographic Service Provider Package
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel 2007 Get Started Tab
Microsoft Office Excel MUI (English) 2007
Microsoft Office FrontPage 2003
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint 2007 Get Started Tab
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word 2007 Get Started Tab
Microsoft Office Word MUI (English) 2007
Microsoft Software Update for Web Folders (English) 12
Microsoft User-Mode Driver Framework Feature Pack 1.0
MixPad Audio Mixer
MKV Splitter
Mozilla Firefox (3.6.3)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 6 Service Pack 2 (KB973686)
NICI (Shared) U.S./Worldwide (128 bit) (2.7.0-2)
NMAS Challenge Response Method
NMAS Client
Novell Client for Windows
ObjectDock
OpenOffice.org Installer 1.0
Power2Go 5.0
PowerBackup 2.5
PowerDVD
QuickTime
RealPlayer
REALTEK GbE & FE Ethernet PCI-E NIC Driver
Realtek High Definition Audio Driver
Rhapsody Player Engine
Safari
Scan
Security Update for 2007 Microsoft Office System (KB951550)
Security Update for 2007 Microsoft Office System (KB951944)
Security Update for 2007 Microsoft Office System (KB960003)
Security Update for CAPICOM (KB931906)
Security Update for Microsoft .NET Framework 2.0 (KB928365)
Security Update for Microsoft Office Excel 2007 (KB959997)
Security Update for Microsoft Office OneNote 2007 (KB950130)
Security Update for Microsoft Office PowerPoint 2007 (KB951338)
Security Update for Microsoft Office Publisher 2007 (KB950114)
Security Update for Microsoft Office system 2007 (KB954326)
Security Update for Microsoft Office system 2007 (KB956828)
Security Update for Microsoft Office Word 2007 (KB956358)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Visio 2007 (KB947590)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB972260)
Security Update for Windows Internet Explorer 7 (KB974455)
Security Update for Windows Internet Explorer 7 (KB976325)
Security Update for Windows Internet Explorer 7 (KB978207)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899589)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901190)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917537)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928090)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB937894)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB941644)
Security Update for Windows XP (KB941693)
Security Update for Windows XP (KB943055)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB945553)
Security Update for Windows XP (KB946026)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB948590)
Security Update for Windows XP (KB948881)
Security Update for Windows XP (KB950749)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371-v2)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971032)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165-v2)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB981349)
SFR
Shop for HP Supplies
Sidewalker
Skype™ 4.2
Software Update for Web Folders
SolutionCenter
Status
SUPERAntiSpyware Free Edition
Switch Sound File Converter
Symantec AntiVirus
Synaptics Pointing Device Driver
Toolbox
TrayApp
UnloadSupport
Update for 2007 Microsoft Office System (KB967642)
Update for Microsoft .NET Framework 3.0 (KB932394)
Update for Microsoft Office 2007 Help for Common Features (KB963673)
Update for Microsoft Office Access 2007 Help (KB963663)
Update for Microsoft Office Excel 2007 Help (KB963678)
Update for Microsoft Office Infopath 2007 Help (KB963662)
Update for Microsoft Office OneNote 2007 Help (KB963670)
Update for Microsoft Office Outlook 2007 (KB952142)
Update for Microsoft Office Outlook 2007 Help (KB963677)
Update for Microsoft Office Powerpoint 2007 Help (KB963669)
Update for Microsoft Office Publisher 2007 Help (KB963667)
Update for Microsoft Office Script Editor Help (KB963671)
Update for Microsoft Office Word 2007 Help (KB963665)
Update for Office 2007 (KB932080)
Update for Office 2007 (KB934391)
Update for Outlook 2007 Junk Email Filter (kb981433)
Update for Windows Internet Explorer 7 (KB976749)
Update for Windows Internet Explorer 7 (KB980182)
Update for Windows XP (KB896256)
Update for Windows XP (KB897663)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB907265)
Update for Windows XP (KB908521)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB916846)
Update for Windows XP (KB920342)
Update for Windows XP (KB920872)
Update for Windows XP (KB922120)
Update for Windows XP (KB922582)
Update for Windows XP (KB925720)
Update for Windows XP (KB925876)
Update for Windows XP (KB927891)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
Update for Windows XP (KB932823-v3)
Update for Windows XP (KB933360)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951618-v2)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
VC80CRTRedist - 8.0.50727.762
WavePad Sound Editor
WebFldrs XP
WebReg
Webroot® Client
Western Australian Time Zone Update
Windows Communication Foundation
Windows Driver Package - Intel (w29n51) net (04/05/2006 9.0.4.13)
Windows Driver Package - Intel (w39n51) net (04/04/2006 10.1.1.3)
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Imaging Component
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Media Format 11 runtime
Windows Media Player 11
Windows Presentation Foundation
Windows Rights Management Client Backwards Compatibility SP2
Windows Rights Management Client with Service Pack 2
Windows Workflow Foundation
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB884020
Windows XP Hotfix - KB884883
Windows XP Hotfix - KB885222
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB886677
Windows XP Hotfix - KB886716
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB889673
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB894395
Windows XP Hotfix - KB896626
Wireless Select Switch
Write-N-Cite
XML Paper Specification Shared Components Pack 1.0
ZENworks Desktop Management Agent


Here is the Malwarebytes report/log:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4170

Windows 5.1.2600 Service Pack 2
Internet Explorer 7.0.5730.11

6/5/2010 2:20:25 AM
mbam-log-2010-06-05 (02-20-25).txt

Scan type: Quick scan
Objects scanned: 131082
Time elapsed: 7 minute(s), 30 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


#12 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico
  • Local time:01:30 PM

Posted 05 June 2010 - 01:33 AM

Hello

That's great.

These logs are looking a lot better. But we still have some work to do.

Please print out these instructions, or copy them to a Notepad file. It will make it easier for you to follow the instructions and complete all of the necessary steps.

uninstall some programs
    1. click on start
    2. then go to settings
    3. after that you need control panel
    4. look for the icon add/remove programs
    click on the following programs

    Adobe Reader 8.1.2
    Java™ 6 Update 3
    Java™ 6 Update 5
    Java™ 6 Update 7
    Java™ SE Runtime Environment 6 Update 1


    and click on remove

Update Adobe Reader
    Recently there have been vulnerabilities detected in older versions of Adobe Reader. It is strongly suggested that you update to the current version.

    You can download it from http://www.adobe.com/products/acrobat/readstep2.html
    After installing the latest Adobe Reader, uninstall all previous versions.
    If you already have Adobe Photoshop® Album Starter Edition installed or do not wish to have it installed UNcheck the box which says Also Download Adobe Photoshop® Album Starter Edition.
      If you don't like Adobe Reader (33.5 MB), you can download Foxit PDF Reader(3.5MB) from here. It's a much smaller file to download and uses a lot less resources than Adobe Reader.

      Note: When installing FoxitReader, be careful not to install anything to do with AskBar.

Your Java is out of date.

Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.
  • Download the latest version of Java Runtime Environment (JRE) 20 and save it to your desktop.
  • Scroll down to where it says JDK 6 Update 20 (JDK or JRE)
  • Click the Download JRE button to the right
  • Select the Windows platform from the dropdown menu.
  • Read the License Agreement and then check the box that says: "I agree to the Java SE Runtime Environment 6u20 with JavaFX 1 License Agreement". Click on Continue. The page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add or Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE or Java™ 6) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u20-windows-i586.exe to install the newest version.
  • After the install is complete, go into the Control Panel (using Classic View) and double-click the Java Icon. (looks like a coffee cup)
    • On the General tab, under Temporary Internet Files, click the Settings button.
    • Next, click on the Delete Files button
    • There are two options in the window to clear the cache - Leave BOTH Checked
        Applications and Applets
        Trace and Log Files
    • Click OK on Delete Temporary Files Window
      Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
    • Click OK to leave the Temporary Files Window
    • Click OK to leave the Java Control Panel.

TFC(Temp File Cleaner):
  • Please download TFC to your desktop,
  • Save any unsaved work. TFC will close all open application windows.
  • Double-click TFC.exe to run the program.
  • If prompted, click "Yes" to reboot.
Note: Save your work. TFC will automatically close any open programs; let it run uninterrupted. It shouldn't take longer than a couple of minutes, and may only take a few seconds. Only if needed will you be prompted to reboot.

Eset Online Scanner

**Note** You will need to use Internet Explorer for this scan

Go to the Eset web page to run an online scanner from ESET.
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • click on the ESET Online Scanner button
  • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
  • When asked, allow the ActiveX control to install
    • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options
      Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • Use notepad to open the logfile located at C:\Program Files\Eset\Eset Online Scanner\log.txt
Copy and paste that log as a reply to this topic

"information and logs"
    In your next post I need the following
    1. Log From ESET Online Scanner
    2. let me know of any problems you may have had
    3. How is the computer doing now?

Gringo


I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University
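The Java cleanup above has the user pick the stale entries out of Add/Remove Programs by eye. As an added example, not part of gringo_pr's instructions and not a tool used in this thread, the PowerShell script below reads the same Add/Remove Programs data straight from the Uninstall registry key and lists every Java entry with its version, so leftover runtimes are easy to spot before the new installer is run. The name pattern and the "more than one entry" warning are my own assumptions, chosen to match the entry names that appear in the program list posted above.

```powershell
# Added example, not from the thread: list Java entries in Add/Remove Programs.
# Add/Remove Programs is populated from the Uninstall registry key, so reading
# it directly shows every leftover runtime, including ones far down the list.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    # Only present on 64-bit Windows; skipped below when it does not exist.
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
)

# Assumed pattern covering the names seen in this thread
# (Java(TM) 6 Update N, Java(TM) SE Runtime Environment 6 Update N) plus J2SE/JRE.
$javaPattern = 'Java|J2SE|JRE'

$javaEntries = foreach ($key in $uninstallKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($subKey in Get-ChildItem -Path $key) {
        $props = Get-ItemProperty -Path $subKey.PSPath
        if ($props.DisplayName -and $props.DisplayName -match $javaPattern) {
            New-Object PSObject -Property @{
                Name            = $props.DisplayName
                Version         = $props.DisplayVersion
                UninstallString = $props.UninstallString
            }
        }
    }
}

# Force an array so .Count is valid even when zero or one entry matched.
$javaEntries = @($javaEntries)

if ($javaEntries.Count -eq 0) {
    Write-Host 'No Java entries found in Add/Remove Programs.'
} else {
    $javaEntries | Sort-Object Name | Format-Table Name, Version, UninstallString -AutoSize
    if ($javaEntries.Count -gt 1) {
        # Every runtime except the newest is an unpatched copy that malicious
        # web content can still reach, which is why the post says remove them all.
        Write-Warning ("{0} Java entries installed; remove every one except the newest." -f $javaEntries.Count)
    }
}
```

Run it from a PowerShell prompt before the uninstall step and again after the reboot: the second run should show either nothing or only the single new runtime. The UninstallString column is the command Add/Remove Programs itself runs, which is handy when an entry's Remove button is missing.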

#13 nflskins12

nflskins12
  • Topic Starter

  • Members
  • 33 posts
  • Local time:01:30 PM

Posted 05 June 2010 - 02:43 AM

ESET Scanner only scanned 23% of my files before it stopped there every time (tried it 3 times). I updated everything else and removed what you asked. Everything is running really well now. Thank you so much for all of your help!!

#14 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico
  • Local time:01:30 PM

Posted 05 June 2010 - 02:52 AM

Very well done!! This is my general post for when your logs show no more signs of malware ;)- Please let me know if you still are having problems with your computer and what these problems are.

The following procedure will implement some cleanup procedures. It will also reset your System Restore by flushing out previous restore points and create a new restore point.

:DeFogger:
    To re-enable your Emulation drivers, double click DeFogger to run the tool.
    • The application window will appear
    • Click the Re-enable button to re-enable your CD Emulation drivers
    • Click Yes to continue
    • A 'Finished!' message will appear
    • Click OK
    • DeFogger will now ask to reboot the machine - click OK
    Your Emulation drivers are now re-enabled.

:Uninstall ComboFix:
  • push the "windows key" + "R" (between the "Ctrl" button and "Alt" Button)
  • please copy and paste the following into the box ComboFix /Uninstall and click OK.
  • Note the space between the X and the /Uninstall, it needs to be there.

:remove tools:

Please download OTCleanIt and save it to desktop. This tool will remove all the tools we used to clean your pc.
  • Double-click OTCleanIt.exe.
  • Click the CleanUp! button.
  • Select Yes when the "Begin cleanup Process?" prompt appears.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes, if not delete it by yourself.
Note: If you receive a warning from your firewall or other security programs regarding OTCleanIt attempting to contact the internet, please allow it to do so.

:clear system restore points:

This is a good time to clear your existing system restore points and establish a new clean restore point:
  • Go to Start > All Programs > Accessories > System Tools > System Restore
  • Select Create a restore point, and Ok it.
  • Next, go to Start > Run and type in cleanmgr
  • choose your root drive (normally C:)
  • after it calculates how much space you will save it will open up a new window
  • Select the More options tab at the top of the window
  • Choose the option to clean up system restore and OK it.
  • go back to the disk clean up tab
  • put a checkmark in all - except compress old files (leave this unchecked)
  • click Ok then click yes
This will remove all restore points except the new one you just created and clean unneeded files

:Make your Internet Explorer more secure:
  • From within Internet Explorer click on the Tools menu and then click on Options.
  • Click once on the Security tab
  • Click once on the Internet icon so it becomes highlighted.
  • Click once on the Custom Level button.
  • Change the Download signed ActiveX controls to Prompt
  • Change the Download unsigned ActiveX controls to Disable
  • Change the Initialise and script ActiveX controls not marked as safe to Disable
  • Change the Installation of desktop items to Prompt
  • Change the Launching programs and files in an IFRAME to Prompt
  • When all these settings have been made, click on the OK button.
  • If it prompts you as to whether or not you want to save the settings, press the Yes button.
    Next press the Apply button and then the OK to exit the Internet Properties page.

:Turn On Automatic Updates:
    Turn On Automatic Updates
    1. Click Start, click Run, type sysdm.cpl, and then press ENTER.
    2. Click the Automatic Updates tab, and then click to select one of the following options. We recommend that you select the Automatic (recommended) Automatically download recommended updates for my computer and install them

    If you click this setting, click to select the day and time for scheduled updates to occur. You can schedule Automatic Updates for any time of day. Remember, your computer must be on at the scheduled time for updates to be installed. After you set this option, Windows recognizes when you are online and uses your Internet connection to find updates on the Windows Update Web site or on the Microsoft Update Web site that apply to your computer. Updates are downloaded automatically in the background, and you are not notified or interrupted during this process. An icon appears in the notification area of your taskbar when the updates are being downloaded. You can point to the icon to view the download status. To pause or to resume the download, right-click the icon, and then click Pause or Resume. When the download is completed, another message appears in the notification area so that you can review the updates that are scheduled for installation. If you choose not to install at that time, Windows starts the installation on your set schedule.

    or visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

:antispyware programs:

I would recommend the download and installation of some or all of the following programs (all free), and the updating of them regularly:
  • WinPatrol As a robust security monitor, WinPatrol will alert you to hijackings, malware attacks and critical changes made to your computer without your permission. WinPatrol takes snapshot of your critical system resources and alerts you to any changes that may occur without your knowledge.
  • Spyware Blaster - By altering your registry, this program stops harmful sites from installing things like ActiveX Controls on your machines.
  • Malwarebytes' Anti-Malware - Malwarebytes' Anti-Malware is a new and powerful anti-malware tool. It is totally free but for real-time protection you will have to pay a small one-time fee. We used this to help clean your computer and recommend keeping it and using it often.

please read this great article by miekiemoes How to prevent Malware:
and
this great article by Tony Klein So How Did I Get Infected In First Place

I'd be grateful if you could reply to this post so that I know you have read it and, if you've no other questions, the thread can then be closed.

My help is free, however, if you wish to make a small donation to show appreciation and to help me continue the fight against Malware, then click here:

Gringo

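The Internet Explorer hardening and Automatic Updates steps above are done by clicking through dialogs, which makes them hard to verify later. As an added example, not from the post and not a BleepingComputer tool, the PowerShell script below checks the same five Internet-zone settings in the registry and the Automatic Updates mode, reports which ones differ from what the post recommends, and changes the zone settings only when run with -Apply. The zone action IDs (1001, 1004, 1201, 1800, 1804) and their values (0 = Enable, 1 = Prompt, 3 = Disable) and the AUOptions meanings are Microsoft's documented registry layout; the script structure, the -Apply switch and the output format are my own.

```powershell
# Added example, not from the thread: audit (and with -Apply, set) the Internet
# zone ActiveX settings the post recommends, then report the Automatic Updates mode.
# Zone 3 is the Internet zone. Each setting is a DWORD action value:
#   0 = Enable, 1 = Prompt, 3 = Disable.
param([switch]$Apply)

$zoneKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

# Recommended values from the post, keyed by the zone action ID.
$recommended = @{
    '1001' = 1   # Download signed ActiveX controls                         -> Prompt
    '1004' = 3   # Download unsigned ActiveX controls                       -> Disable
    '1201' = 3   # Initialize and script ActiveX controls not marked as safe -> Disable
    '1800' = 1   # Installation of desktop items                            -> Prompt
    '1804' = 1   # Launching programs and files in an IFRAME                -> Prompt
}
$labels = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

function Describe($value) {
    if ($value -eq $null) { return 'not set (inherits default)' }
    if ($labels.ContainsKey([int]$value)) { return $labels[[int]$value] }
    return "unknown ($value)"
}

$zone  = Get-ItemProperty -Path $zoneKey
$drift = 0
foreach ($id in ($recommended.Keys | Sort-Object)) {
    $current = $zone.$id          # $null when the value has never been set
    $target  = $recommended[$id]
    if ($current -eq $target) {
        Write-Host ("OK    {0}: {1}" -f $id, (Describe $current))
    } else {
        $drift++
        Write-Host ("DRIFT {0}: {1}, should be {2}" -f $id, (Describe $current), $labels[$target])
        if ($Apply) {
            Set-ItemProperty -Path $zoneKey -Name $id -Value $target -Type DWord
            Write-Host ("      set {0} to {1}" -f $id, $labels[$target])
        }
    }
}
if ($drift -gt 0 -and -not $Apply) {
    Write-Host "$drift setting(s) differ; rerun with -Apply to change them."
}

# Automatic Updates mode. AUOptions: 1 = disabled, 2 = notify before download,
# 3 = download then notify before install, 4 = download and install on schedule.
$auKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update'
$au = (Get-ItemProperty -Path $auKey -ErrorAction SilentlyContinue).AUOptions
if ($au -eq 4) {
    Write-Host 'Automatic Updates: Automatic (download and install), as recommended.'
} else {
    Write-Host ("Automatic Updates: AUOptions = {0}; the post recommends 4 (Automatic)." -f $au)
}
```

Run it without arguments first to see the drift report; the ActiveX values it writes are exactly what the Custom Level dialog writes when you choose Prompt or Disable, so Internet Explorer's dialog will show the change on the next open. Two caveats: the HKCU key only covers the current user's profile, and a matching value under HKLM\...\Zones\3 set by Group Policy takes precedence, so on a managed machine check that location too before trusting the report.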

#15 nflskins12

nflskins12
  • Topic Starter

  • Members
  • 33 posts
  • Local time:01:30 PM

Posted 05 June 2010 - 03:01 AM

I've read through everything and I don't have any other questions at this time. I can't thank you enough!



