
Antispyware Soft, Alureon, Pop Ups, Internet not working


  • This topic is locked
32 replies to this topic

#1 Gil Milet

Gil Milet

  • Members
  • 17 posts
  • OFFLINE
  • Local time:06:20 AM

Posted 06 June 2010 - 12:58 AM

Hello to you all kind souls. Please be patient with me, this is my first posting and I am not a computer pro, just a regular end user.

I have issues with my Sony Vaio laptop. It is running on Microsoft Windows XP, Media Center Edition, Version 2002 Service Pack 3. Since my internet totally stopped working two nights ago, I am using another computer to write this.

My issues started back in early April this year when we upgraded our wireless Verizon internet from 1.5/384 to FIOS 15/5. All the other computers in the house worked fine except for mine. We were advised by the Verizon technical people to turn off the firewall through my Windows Live Onecare settings, then remove the automatic 7IH56 network (Control Panel, Network Connections, Wireless Network tab), then add the same network name (7IH56) and then unclick the automatic key and input the password they provided. Once I am connected, I turn the firewall on again. Thus each time I want to go to the internet, I had to do these procedures. I have been doing this since then.

Two weeks ago, I got a message about virus win antispyware soft. I was besieged with so many pop ups that I could not use the computer at all. It was either throwing me out of the internet or not letting me do anything. I tried to restore my computer to an earlier date and I tried this approach several times but each time I get message that the restore has failed.

I read the various postings you had in your forum, downloaded the Malwarebytes Anti-Malware software through another computer into a USB, installed it and did a full scan in safe mode. (By the way, I used msconfig to get into safe mode since my F8 does not work at all after innumerable tries.) MBAM eliminated all those pop ups, but afterwards, I was getting warnings mostly from Windows Live OneCare about the presence of different names of viruses. One message that always appears is the Virus: Alurion.H. I was also getting a message that there is unauthorized access to my computer.

In addition, the websites I want to visit are being redirected to different websites which advertise all sorts of products. Only MSN and Yahoo websites were working. Typing the website address like bleepingcomputer.com initially was working but after a few minutes is redirected again. Before my internet explorer completely stopped working, this typing of website address did not even work.

I downloaded rkill, Superantispyware, atf cleaner into a USB and followed all procedures suggested in your forum. I have made countless full and quick scans, restarts, safe mode boots, but I still have the same issues, plus my internet has completely stopped working. Also, the wireless network tab in the Wireless Network Connection in Control Panel is not showing half the time, so I had to constantly restart to get the computer to show that tab so I can do my remove and add procedures noted above to open my browser. Later, even this does not work anymore.

In between these scans but before my internet stopped working, I upgraded my internet explorer to Version 8. I have also used Microsoft Windows Malicious Software, Microsoft Full Install Package and did full and quick scans. All the last scans I did using these programs indicated that there are no malicious viruses found.

My browser is not working as of this time, the reboot is taking a while and my computer is really really slow. It is like watching slow motion on tv.

I really need your help guys. Can you please be detailed in your responses since I am not a computer pro.

I have attached the dds attach file as you have instructed. Below is the dds text log. I did the gmer scan overnight last night (Friday) but found my computer screen just black this morning (Saturday). I had to turn off my computer the hard way and rerun the scan. It was running for 15 hours and it looked like it stopped working, so I cannot save anything.

Thank you in advance for your valuable time and help.

Sincerely,
Gil Milet

DDS (Ver_10-03-17.01) - NTFSx86
Run by Emelita Sumague at 23:13:28.31 on Fri 06/04/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.401 [GMT -7:00]

AV: Windows Live OneCare *On-access scanning enabled* (Updated) {427ADFC3-B354-4A51-BE34-A9D4218E45C4}
FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
FW: Windows Live OneCare Firewall *enabled* {A3899D22-27E6-4A7E-AE4E-2C106646DAAB}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
svchost.exe
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe
C:\Program Files\Microsoft Windows OneCare Live\OcHealthMon.exe
C:\WINDOWS\system32\srvany.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\pvsw\bin\w3dbsmgr.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files\Common Files\Sony Shared\WMPlugIn\SonicStageMonitoring.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Sony\VAIO Event Service\VESMgr.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
C:\Program Files\Microsoft Windows OneCare Live\winss.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
C:\Program Files\Sony\VAIO Power Management\SPMgr.exe
C:\Program Files\Sony\ISB Utility\ISBMgr.exe
C:\Program Files\Sony\VAIO Update 2\VAIOUpdt.exe
C:\Program Files\Sony\Wireless Switch Setting Utility\Switcher.exe
C:\Program Files\DISC\DISCover.exe
C:\Program Files\DISC\DiscUpdateMgr.exe
C:\Program Files\Sony\VAIO Camera Utility\VCUServe.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\Microsoft Windows OneCare Live\WinSSUI.exe
F:\dds.scr

============== Pseudo HJT Report ===============

uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uStart Page = hxxp://www.msn.com
uWindow Title = Internet Explorer, optimized for Bing and MSN
uDefault_Page_URL = hxxp://www.msn.com
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: AOLSearchHook Class: {54eb34ea-e6be-4cfd-9f4f-c4a0c2eafa22} - c:\program files\aol\aol search enhancement\AOLSearch.dll
BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\program files\yahoo!\common\yiesrvc.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar1.dll
BHO: Skype add-on for Internet Explorer: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Bing Bar BHO: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn toolbar\platform\5.0.1449.0\npwinext.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
TB: @c:\program files\msn toolbar\platform\5.0.1449.0\npwinext.dll,-100: {8dcb7100-df86-4384-8842-8fa844297b3f} - c:\program files\msn toolbar\platform\5.0.1449.0\npwinext.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [Apoint] c:\program files\apoint\Apoint.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [VAIO Recovery] c:\windows\sonysys\vaio recovery\PartSeal.exe
mRun: [SunJavaUpdateSched] c:\program files\java\jre1.5.0_05\bin\jusched.exe
mRun: [SonyPowerCfg] c:\program files\sony\vaio power management\SPMgr.exe
mRun: [ISBMgr.exe] c:\program files\sony\isb utility\ISBMgr.exe
mRun: [VAIO Update 2] "c:\program files\sony\vaio update 2\VAIOUpdt.exe" /Stationary
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [Switcher.exe] c:\program files\sony\wireless switch setting utility\Switcher.exe
mRun: [DISCover] c:\program files\disc\DISCover.exe
mRun: [DiscUpdateManager] c:\program files\disc\DiscUpdateMgr.exe
mRun: [<NO NAME>]
mRun: [VAIOCameraUtility] "c:\program files\sony\vaio camera utility\VCUServe.exe"
mRun: [PartSeal] c:\windows\sonysys\vaio recovery\PartSeal.exe
mRun: [PeachtreePrefetcher.exe] "c:\progra~1\sageso~1\peacht~1\PeachtreePrefetcher.exe" /configfile:peachtreeprefetcher.winstart.config
mRun: [OneCareUI] "c:\program files\microsoft windows onecare live\winssnotify.exe"
mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Microsoft Default Manager] "c:\program files\microsoft\search enhancement pack\default manager\DefMgr.exe" -resume
StartupFolder: c:\docume~1\emelit~1\startm~1\programs\startup\cyber-~1.lnk - c:\program files\sony\sony picture utility\volumewatcher\SPUVolumeWatcher.exe
StartupFolder: c:\docume~1\emelit~1\startm~1\programs\startup\epsona~1.lnk - e:\titles\ereg\EPSONREG.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - c:\program files\yahoo!\messenger\YahooMessenger.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mif269~1\office11\REFIEBAR.DLL
IE: {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - {552781AF-37E4-4FEE-920A-CED9E648EADD} - c:\program files\common files\microsoft shared\encarta search bar\ENCSBAR.DLL
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\yinsthelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_05-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_05-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: igfxcui - igfxdev.dll
Notify: VESWinlogon - VESWinlogon.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

============= SERVICES / DRIVERS ===============

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
R2 faproct;Circuit City Firedog Advisor ProcessTriggerDriver;c:\windows\system32\drivers\faproct.sys [2007-6-17 4864]
R2 faunidrv;UniDriver for Firedog Advisor;c:\windows\system32\drivers\faunidrv.sys [2007-3-21 5376]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 MSSQL$VAIO_VEDB;MSSQL$VAIO_VEDB;c:\program files\microsoft sql server\mssql$vaio_vedb\binn\sqlservr.exe -svaio_vedb --> c:\program files\microsoft sql server\mssql$vaio_vedb\binn\sqlservr.exe -sVAIO_VEDB [?]
R2 OcHealthMon;Windows Live OneCare Health Monitor;c:\program files\microsoft windows onecare live\OcHealthMon.exe [2010-2-5 26120]
R2 Pervasive.SQL Workgroup Engine;Pervasive.SQL Workgroup Engine;c:\windows\system32\srvany.exe [2008-1-30 13608]
R3 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2008-8-19 53168]
R3 SonyImgF;Sony Image Conversion Filter Driver;c:\windows\system32\drivers\SonyImgF.sys [2005-12-15 28800]
R3 ti21sony;ti21sony;c:\windows\system32\drivers\ti21sony.sys [2005-12-15 217472]
S3 SQLAgent$VAIO_VEDB;SQLAgent$VAIO_VEDB;c:\program files\microsoft sql server\mssql$vaio_vedb\binn\sqlagent.exe -i vaio_vedb --> c:\program files\microsoft sql server\mssql$vaio_vedb\binn\sqlagent.EXE -i VAIO_VEDB [?]

=============== Created Last 30 ================

2010-06-04 13:44:43 10240 ----a-w- c:\windows\system32\drivers\ngjvnwbe.sys
2010-06-04 05:02:17 0 d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-06-04 05:00:54 0 d-----w- c:\program files\SUPERAntiSpyware
2010-06-04 03:35:02 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-06-04 03:34:59 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-06-03 14:42:24 10240 ----a-w- c:\windows\system32\drivers\uorvifeo.sys
2010-06-03 04:37:44 0 d-----w- c:\docume~1\emelit~1\applic~1\SUPERAntiSpyware.com
2010-06-03 01:46:55 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-02 05:59:51 10240 ----a-w- c:\windows\system32\drivers\vgxyyvaa.sys
2010-06-01 06:49:18 10240 ----a-w- c:\windows\system32\drivers\wvysnqok.sys
2010-06-01 04:09:27 0 d-sh--w- c:\documents and settings\emelita sumague\PrivacIE
2010-06-01 02:35:21 0 d-sh--w- c:\documents and settings\emelita sumague\IECompatCache
2010-06-01 02:26:43 0 d-sh--w- c:\documents and settings\emelita sumague\IETldCache
2010-06-01 02:18:35 0 d-----w- c:\windows\ie8updates
2010-06-01 02:13:22 0 dc-h--w- c:\windows\ie8
2010-06-01 02:12:30 0 d-----w- c:\program files\Microsoft
2010-06-01 02:12:27 0 d-----w- c:\program files\MSN Toolbar
2010-06-01 02:11:25 0 d-----w- c:\program files\Bing Bar Installer
2010-06-01 02:08:49 0 d--h--w- c:\windows\msdownld.tmp
2010-06-01 02:04:34 41984 -c----w- c:\windows\system32\dllcache\iecompat.dll
2010-06-01 02:04:20 247808 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2010-06-01 02:04:20 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2010-06-01 01:44:38 10240 ----a-w- c:\windows\system32\drivers\olhorhek.sys
2010-05-31 14:57:20 10240 ----a-w- c:\windows\system32\drivers\nhezbzkq.sys
2010-05-29 12:48:04 10240 ----a-w- c:\windows\system32\drivers\yxlhawjp.sys
2010-05-29 03:41:27 0 d-----w- c:\docume~1\emelit~1\applic~1\Malwarebytes
2010-05-29 03:41:09 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-05-29 01:59:58 767952 ----a-w- c:\windows\BDTSupport.dll.old
2010-05-29 01:59:54 1640400 ----a-w- c:\windows\PCTBDCore.dll.old
2010-05-29 01:58:31 0 d-----w- c:\program files\Spyware Doctor
2010-05-28 04:44:07 0 d-----w- c:\program files\common files\Wise Installation Wizard
2010-05-28 04:34:43 0 d-----w- c:\windows\system32\en
2010-05-27 14:07:13 0 d-----w- c:\windows\pss

==================== Find3M ====================


============= FINISH: 23:15:07.29 ===============



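A small triage pass over a DDS log, added here as an example (it is not part of this thread, nor of the DDS tool itself): it pulls out the loopback proxy setting and the burst of same-size, random-named drivers for analyst review. The sample lines are copied from the log posted above; the heuristics, the `MIN_CLUSTER` threshold and the eight-letter name pattern are assumptions of this example.

```python
"""Triage heuristics for a DDS log.

Added example; it is not part of this thread or of the DDS tool.  It assumes
the two line shapes seen in the posted log: "key = value" lines in the Pseudo
HJT section and "date time size attrs path" lines in "Created Last 30".
"""
import re
from collections import defaultdict
from ipaddress import ip_address

# Constructed sample: lines copied from the DDS log posted in this thread.
SAMPLE_DDS = """\
uStart Page = hxxp://www.msn.com
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:5555
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
2010-06-04 13:44:43 10240 ----a-w- c:\\windows\\system32\\drivers\\ngjvnwbe.sys
2010-06-04 03:35:02 38224 ----a-w- c:\\windows\\system32\\drivers\\mbamswissarmy.sys
2010-06-03 14:42:24 10240 ----a-w- c:\\windows\\system32\\drivers\\uorvifeo.sys
2010-06-02 05:59:51 10240 ----a-w- c:\\windows\\system32\\drivers\\vgxyyvaa.sys
2010-06-01 06:49:18 10240 ----a-w- c:\\windows\\system32\\drivers\\wvysnqok.sys
2010-06-01 01:44:38 10240 ----a-w- c:\\windows\\system32\\drivers\\olhorhek.sys
"""

PROXY_RE = re.compile(r"ProxyServer\s*=\s*(?P<value>\S+)")
CREATED_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<size>\d+) (?P<attrs>\S+) (?P<path>.+)$"
)
# Eight lowercase letters and nothing else: the shape of the driver names above.
RANDOM_NAME_RE = re.compile(r"^[a-z]{8}\.sys$")
MIN_CLUSTER = 3  # heuristic threshold (assumption) for same-size random-named drivers


def proxy_endpoints(value):
    """Split a ProxyServer value into (host, port) pairs.

    Handles both the plain "host:port" form and the per-scheme form
    "http=host:port;https=host:port".
    """
    endpoints = []
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" in part:  # strip the "http=" / "https=" scheme prefix
            part = part.split("=", 1)[1]
        host, _, port = part.rpartition(":")
        if not host:  # no port was given
            host, port = part, ""
        endpoints.append((host, port))
    return endpoints


def is_loopback(host):
    """True for 127.0.0.0/8, ::1 or the name localhost."""
    try:
        return ip_address(host).is_loopback
    except ValueError:
        return host.lower() == "localhost"


def triage(log_text):
    """Return human-readable findings for analyst review, not verdicts."""
    findings = []
    clusters = defaultdict(list)  # driver size in bytes -> random-looking names
    for line in log_text.splitlines():
        m = PROXY_RE.search(line)
        if m:
            for host, port in proxy_endpoints(m.group("value")):
                if is_loopback(host):
                    findings.append(
                        f"IE proxy set to loopback {host}:{port}: browser traffic "
                        "is relayed through a local process; identify the listener"
                    )
            continue
        if line.startswith("TB:") and line.rstrip().endswith("- No File"):
            findings.append(f"Orphaned toolbar entry: {line.strip()}")
            continue
        m = CREATED_RE.match(line)
        if m:
            path = m.group("path").lower()
            name = path.rsplit("\\", 1)[-1]
            if "\\drivers\\" in path and RANDOM_NAME_RE.match(name):
                clusters[int(m.group("size"))].append(name)
    for size, names in sorted(clusters.items()):
        if len(names) >= MIN_CLUSTER:
            findings.append(
                f"{len(names)} drivers of {size} bytes with random-looking names "
                f"({', '.join(sorted(names))}); rootkit scanners also drop such "
                "drivers, so match each against the tools that were run"
            )
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_DDS):
        print("-", finding)
```

Each finding is a prompt for the analyst to verify, not a verdict: a loopback proxy and a run of random-named drivers both have benign explanations that the thread's own tool history can confirm or rule out.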



#2 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto rico
  • Local time:09:20 AM

Posted 06 June 2010 - 01:06 AM

Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems. HijackThis logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that it happens.

Some things to remember while we are working together.
    1. Please do not run any other tool until instructed to do so!
    2. Please reply to this thread, do not start another!
    3. Please tell me about any problems that have occurred during the fix.
    4. Please tell me of any other symptoms you may be having as these can help also.
    5. Please try as much as possible not to run anything while executing a fix.
If you follow these instructions, everything should go smoothly.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Gmer is the best, but it can be hard to get a log. Let's try this and see what we get.

Scan With RKUnHooker
  • Please Download Rootkit Unhooker Save it to your desktop.
  • Now double-click on RKUnhookerLE.exe to run it.
  • Click the Report tab, then click Scan.
  • Check (Tick) Drivers, Stealth, Files, Code Hooks. Uncheck the rest, then click OK.
  • Wait till the scanner has finished and then click File, Save Report.
  • Save the report somewhere where you can find it. Click Close.
Copy the entire contents of the report and paste it in a reply here.

Note: you may get this warning; it is OK, just ignore it.

"Rootkit Unhooker has detected a parasite inside itself!
It is recommended to remove parasite, okay?"



Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#3 Gil Milet

Gil Milet
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  • Local time:06:20 AM

Posted 06 June 2010 - 01:08 PM

Good morning Gringo. Thank you in advance for taking time to help me. I downloaded the Rootkit Unhooker into a USB using another laptop and put the shortcut into the desktop of my infected computer. I did not install the program in that infected computer. Would this make a difference?

The scanning is running. I will post log once finished. Let me know if I am doing this right.

Thanks again,
Gil Milet

#4 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • OFFLINE
  • Gender:Male
  • Location:Puerto rico
  • Local time:09:20 AM

Posted 06 June 2010 - 02:07 PM

I am not sure; let me have the log and we will see.


gringo

#5 Gil Milet

Gil Milet
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  • Local time:06:20 AM

Posted 06 June 2010 - 04:41 PM

Hi Gringo. Here is my Rootkit Unhooker log.

Thanks,
Gil Milet


RkU Version: 3.8.388.590, Type LE (SR2)
==============================================
OS Name: Windows XP
Version 5.1.2600 (Service Pack 3)
Number of processors #2
==============================================
>Drivers
==============================================
0x804D7000 C:\WINDOWS\system32\ntkrnlpa.exe 2150400 bytes (Microsoft Corporation, NT Kernel & System)
0x804D7000 PnpManager 2150400 bytes
0x804D7000 RAW 2150400 bytes
0x804D7000 WMIxWDM 2150400 bytes
0xBF800000 Win32k 1851392 bytes
0xBF800000 C:\WINDOWS\System32\win32k.sys 1851392 bytes (Microsoft Corporation, Multi-User Win32 Driver)
0xF5B28000 C:\WINDOWS\system32\DRIVERS\w39n51.sys 1429504 bytes (Intel® Corporation, Intel® Wireless LAN Driver)
0xF5CC1000 C:\WINDOWS\system32\DRIVERS\ialmnt5.sys 1355776 bytes (Intel Corporation, Intel Graphics Miniport Driver)
0xAA946000 C:\WINDOWS\system32\drivers\sthda.sys 1040384 bytes (SigmaTel, Inc., NDRC)
0xAA7FC000 C:\WINDOWS\system32\DRIVERS\HSF_DPV.sys 999424 bytes (Conexant Systems, Inc., HSF_DP driver)
0xBFA3B000 C:\WINDOWS\System32\ialmdd5.DLL 925696 bytes (Intel Corporation, DirectDraw® Driver for Intel® Graphics Technology)
0xAA74B000 C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys 724992 bytes (Conexant Systems, Inc., HSF_CNXT driver)
0xF722A000 Ntfs.sys 577536 bytes (Microsoft Corporation, NT File System Driver)
0xA76C2000 C:\WINDOWS\system32\DRIVERS\mrxsmb.sys 458752 bytes (Microsoft Corporation, Windows NT SMB Minirdr)
0xF59B3000 C:\WINDOWS\system32\DRIVERS\update.sys 385024 bytes (Microsoft Corporation, Update Driver)
0xA78B7000 C:\WINDOWS\system32\DRIVERS\tcpip.sys 364544 bytes (Microsoft Corporation, TCP/IP Protocol Driver)
0x9E186000 C:\WINDOWS\system32\DRIVERS\srv.sys 356352 bytes (Microsoft Corporation, Server driver)
0xBFFA0000 C:\WINDOWS\System32\ATMFD.DLL 286720 bytes (Adobe Systems Incorporated, Windows NT OpenType/Type 1 Font Driver)
0x9E205000 C:\WINDOWS\System32\Drivers\HTTP.sys 266240 bytes (Microsoft Corporation, HTTP Protocol Stack)
0xA44DE000 C:\WINDOWS\System32\Drivers\usbvm321.sys 249856 bytes (Vimicro Corporation, VM321 Video Driver)
0x9E111000 C:\WINDOWS\system32\DRIVERS\tcpip6.sys 229376 bytes (Microsoft Corporation, IPv6 driver)
0xF5ACE000 C:\WINDOWS\system32\drivers\ti21sony.sys 221184 bytes (Texas Instruments, ti21sony.sys)
0xBFA06000 C:\WINDOWS\System32\ialmdev5.DLL 217088 bytes (Intel Corporation, Component GHAL Driver)
0xAA8F0000 C:\WINDOWS\system32\DRIVERS\HSFHWAZL.sys 204800 bytes (Conexant Systems, Inc., HSF_HWAZL WDM driver)
0xF5A11000 C:\WINDOWS\system32\DRIVERS\rdpdr.sys 196608 bytes (Microsoft Corporation, Microsoft RDP Device redirector)
0xF738F000 ACPI.sys 188416 bytes (Microsoft Corporation, ACPI Driver for NT)
0x9E2BE000 C:\WINDOWS\system32\DRIVERS\mrxdav.sys 184320 bytes (Microsoft Corporation, Windows NT WebDav Minirdr)
0xF71FD000 NDIS.sys 184320 bytes (Microsoft Corporation, NDIS 5.1 wrapper driver)
0x9D6AB000 C:\WINDOWS\system32\drivers\kmixer.sys 176128 bytes (Microsoft Corporation, Kernel Mode Audio Mixer)
0xA7732000 C:\WINDOWS\system32\DRIVERS\rdbss.sys 176128 bytes (Microsoft Corporation, Redirected Drive Buffering SubSystem Driver)
0xF5AA6000 C:\WINDOWS\system32\DRIVERS\e100b325.sys 163840 bytes (Intel Corporation, Intel® PRO/100 Adapter NDIS 5.1 driver)
0xF5C85000 C:\WINDOWS\system32\DRIVERS\HDAudBus.sys 163840 bytes (Windows ® Server 2003 DDK provider, High Definition Audio Bus Driver v1.0a)
0xA7867000 C:\WINDOWS\system32\DRIVERS\netbt.sys 163840 bytes (Microsoft Corporation, MBT Transport driver)
0xA7841000 C:\WINDOWS\system32\DRIVERS\ipnat.sys 155648 bytes (Microsoft Corporation, IP Network Address Translator)
0x9E363000 C:\WINDOWS\System32\Drivers\Fastfat.SYS 147456 bytes (Microsoft Corporation, Fast FAT File System Driver)
0xAA922000 C:\WINDOWS\system32\drivers\portcls.sys 147456 bytes (Microsoft Corporation, Port Class (Class Driver for Port/Miniport Devices))
0xF5B04000 C:\WINDOWS\system32\DRIVERS\USBPORT.SYS 147456 bytes (Microsoft Corporation, USB 1.1 & 2.0 Port Driver)
0xF5A69000 C:\WINDOWS\system32\DRIVERS\ks.sys 143360 bytes (Microsoft Corporation, Kernel CSA Library)
0xA781F000 C:\WINDOWS\System32\drivers\afd.sys 139264 bytes (Microsoft Corporation, Ancillary Function Driver for WinSock)
0xBF9E4000 C:\WINDOWS\System32\ialmdnt5.dll 139264 bytes (Intel Corporation, Controller Hub for Intel Graphics Driver)
0xA77FD000 C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS 139264 bytes (SUPERAdBlocker.com and SUPERAntiSpyware.com, SASKUTIL.SYS)
0x806E4000 ACPI_HAL 134400 bytes
0x806E4000 C:\WINDOWS\system32\hal.dll 134400 bytes (Microsoft Corporation, Hardware Abstraction Layer DLL)
0xF72E0000 fltmgr.sys 131072 bytes (Microsoft Corporation, Microsoft Filesystem Filter Manager)
0xF7341000 ftdisk.sys 126976 bytes (Microsoft Corporation, FT Disk Driver)
0xF7360000 pcmcia.sys 122880 bytes (Microsoft Corporation, PCMCIA Bus Driver)
0xA7923000 C:\WINDOWS\system32\DRIVERS\msfwhlpr.sys 110592 bytes (Microsoft Corporation, OneCare Firewall Helper Driver)
0xF5A8C000 C:\WINDOWS\system32\DRIVERS\Apfiltr.sys 106496 bytes (Alps Electric Co., Ltd., Alps Touch Pad Driver)
0xF71E3000 Mup.sys 106496 bytes (Microsoft Corporation, Multiple UNC Provider driver)
0xF7329000 atapi.sys 98304 bytes (Microsoft Corporation, IDE/ATAPI Port Driver)
0xF7300000 C:\WINDOWS\system32\DRIVERS\SCSIPORT.SYS 98304 bytes (Microsoft Corporation, SCSI Port Driver)
0xF72B7000 KSecDD.sys 94208 bytes (Microsoft Corporation, Kernel Security Support Provider Interface)
0xF5A52000 C:\WINDOWS\system32\DRIVERS\ndiswan.sys 94208 bytes (Microsoft Corporation, MS PPP Framing Driver (Strong Encryption))
0x9E149000 C:\WINDOWS\system32\DRIVERS\msfwdrv.sys 86016 bytes (Microsoft Corporation, OneCare Firewall Driver)
0x9DCC4000 C:\WINDOWS\system32\drivers\wdmaud.sys 86016 bytes (Microsoft Corporation, MMSYSTEM Wave/Midi API mapper)
0xF5CAD000 C:\WINDOWS\system32\DRIVERS\VIDEOPRT.SYS 81920 bytes (Microsoft Corporation, Video Port Driver)
0xA7910000 C:\WINDOWS\system32\DRIVERS\ipsec.sys 77824 bytes (Microsoft Corporation, IPSec Driver)
0xBF9C4000 C:\WINDOWS\System32\drivers\dxg.sys 73728 bytes (Microsoft Corporation, DirectX Graphics Driver)
0xF72CE000 sr.sys 73728 bytes (Microsoft Corporation, System Restore Filesystem Filter Driver)
0xF737E000 pci.sys 69632 bytes (Microsoft Corporation, NT Plug and Play PCI Enumerator)
0xF5A41000 C:\WINDOWS\system32\DRIVERS\psched.sys 69632 bytes (Microsoft Corporation, MS QoS Packet Scheduler)
0xF7318000 SI3132.sys 69632 bytes (Silicon Image, Inc., Serial ATA miniport driver)
0x9D43A000 C:\WINDOWS\System32\Drivers\Cdfs.SYS 65536 bytes (Microsoft Corporation, CD-ROM File System Driver)
0xF6471000 C:\WINDOWS\system32\DRIVERS\cdrom.sys 65536 bytes (Microsoft Corporation, SCSI CD-ROM Driver)
0xF76FE000 C:\WINDOWS\system32\DRIVERS\nic1394.sys 65536 bytes (Microsoft Corporation, IEEE1394 Ndis Miniport and Call Manager)
0xF74CE000 ohci1394.sys 65536 bytes (Microsoft Corporation, 1394 OpenHCI Port Driver)
0xF6451000 C:\WINDOWS\System32\Drivers\tosrfcom.sys 65536 bytes (TOSHIBA Corporation, Bluetooth RFCOMM Driver)
0xAA1C2000 C:\WINDOWS\system32\DRIVERS\arp1394.sys 61440 bytes (Microsoft Corporation, IP/1394 Arp Client)
0xF5E2C000 C:\WINDOWS\system32\drivers\drmk.sys 61440 bytes (Microsoft Corporation, Microsoft Kernel DRM Descrambler Filter)
0xF6461000 C:\WINDOWS\system32\DRIVERS\redbook.sys 61440 bytes (Microsoft Corporation, Redbook Audio Filter Driver)
0xF772E000 C:\WINDOWS\system32\drivers\sysaudio.sys 61440 bytes (Microsoft Corporation, System Audio WDM Filter)
0xF764E000 C:\WINDOWS\system32\DRIVERS\usbhub.sys 61440 bytes (Microsoft Corporation, Default Hub Driver for USB)
0xF74DE000 C:\WINDOWS\system32\DRIVERS\1394BUS.SYS 57344 bytes (Microsoft Corporation, 1394 Bus Device Driver)
0xBF9D6000 C:\WINDOWS\System32\ialmrnt5.dll 57344 bytes (Intel Corporation, Controller Hub for Intel Graphics Driver)
0xF751E000 C:\WINDOWS\system32\DRIVERS\CLASSPNP.SYS 53248 bytes (Microsoft Corporation, SCSI Class System Dll)
0xF770E000 C:\WINDOWS\system32\DRIVERS\i8042prt.sys 53248 bytes (Microsoft Corporation, i8042 Port Driver)
0xF6441000 C:\WINDOWS\system32\DRIVERS\rasl2tp.sys 53248 bytes (Microsoft Corporation, RAS L2TP mini-port/call-manager driver)
0xA4F50000 C:\WINDOWS\System32\Drivers\STREAM.SYS 53248 bytes (Microsoft Corporation, WDM CODEC Class Device Driver 2.0)
0xF74FE000 VolSnap.sys 53248 bytes (Microsoft Corporation, Volume Shadow Copy Driver)
0xF6421000 C:\WINDOWS\system32\DRIVERS\raspptp.sys 49152 bytes (Microsoft Corporation, Peer-to-Peer Tunneling Protocol)
0xF63F1000 C:\WINDOWS\system32\DRIVERS\tosporte.sys 49152 bytes (TOSHIBA Corporation, TOSHIBA Bluetooth Port Emulation Driver)
0xAA1B2000 C:\WINDOWS\System32\Drivers\Fips.SYS 45056 bytes (Microsoft Corporation, FIPS Crypto Driver)
0xF771E000 C:\WINDOWS\system32\DRIVERS\imapi.sys 45056 bytes (Microsoft Corporation, IMAPI Kernel Driver)
0xF74EE000 MountMgr.sys 45056 bytes (Microsoft Corporation, Mount Manager)
0x9DA36000 C:\WINDOWS\system32\DRIVERS\MpFilter.sys 45056 bytes (Microsoft Corporation, Minifilter)
0xF6431000 C:\WINDOWS\system32\DRIVERS\raspppoe.sys 45056 bytes (Microsoft Corporation, RAS PPPoE mini-port/call-manager driver)
0xF74BE000 isapnp.sys 40960 bytes (Microsoft Corporation, PNP ISA Bus Driver)
0xF63E1000 C:\WINDOWS\System32\Drivers\NDProxy.SYS 40960 bytes (Microsoft Corporation, NDIS Proxy)
0x9E031000 C:\WINDOWS\system32\DRIVERS\secdrv.sys 40960 bytes (Macrovision Corporation, Macrovision Europe Limited, and Macrovision Japan and Asia K.K., Macrovision SECURITY Driver)
0xF6401000 C:\WINDOWS\system32\DRIVERS\termdd.sys 40960 bytes (Microsoft Corporation, Terminal Server Driver)
0xF750E000 disk.sys 36864 bytes (Microsoft Corporation, PnP Disk Driver)
0x9F183000 C:\WINDOWS\system32\DRIVERS\HIDCLASS.SYS 36864 bytes (Microsoft Corporation, Hid Class Library)
0xF76EE000 C:\WINDOWS\system32\DRIVERS\intelppm.sys 36864 bytes (Microsoft Corporation, Processor Device Driver)
0xA4595000 C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys 36864 bytes (Microsoft Corporation, IP FILTER DRIVER)
0xF6411000 C:\WINDOWS\system32\DRIVERS\msgpc.sys 36864 bytes (Microsoft Corporation, MS General Packet Classifier)
0xF76DE000 C:\WINDOWS\system32\DRIVERS\netbios.sys 36864 bytes (Microsoft Corporation, NetBIOS interface driver)
0xA4555000 C:\WINDOWS\System32\Drivers\Normandy.SYS 36864 bytes (RKU Driver)
0xF752E000 PxHelp20.sys 36864 bytes (Sonic Solutions, Px Engine Device Driver for Windows 2000/XP)
0xAA1D2000 C:\WINDOWS\system32\DRIVERS\wanarp.sys 36864 bytes (Microsoft Corporation, MS Remote Access and Routing ARP Driver)
0xF77B6000 C:\WINDOWS\System32\Drivers\Modem.SYS 32768 bytes (Microsoft Corporation, Modem Device Driver)
0xAA47B000 C:\WINDOWS\System32\Drivers\Npfs.SYS 32768 bytes (Microsoft Corporation, NPFS Driver)
0xA4763000 C:\WINDOWS\system32\DRIVERS\SonyImgF.sys 32768 bytes (Sony Corporation, Sony Image Filter Driver)
0xF78C6000 C:\WINDOWS\system32\DRIVERS\usbehci.sys 32768 bytes (Microsoft Corporation, EHCI eUSB Miniport Driver)
0xF78B6000 C:\WINDOWS\system32\DRIVERS\HIDPARSE.SYS 28672 bytes (Microsoft Corporation, Hid Parsing Library)
0xF773E000 C:\WINDOWS\system32\DRIVERS\PCIIDEX.SYS 28672 bytes (Microsoft Corporation, PCI IDE Bus Driver Extension)
0xA476B000 C:\WINDOWS\System32\Drivers\USBCAMD2.SYS 28672 bytes (Microsoft Corporation, Universal Serial Bus Camera Driver)
0xF788E000 C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS 28672 bytes (Microsoft Corporation, USB Mass Storage Class Driver)
0xF777E000 C:\WINDOWS\system32\DRIVERS\kbdclass.sys 24576 bytes (Microsoft Corporation, Keyboard Class Driver)
0xF7786000 C:\WINDOWS\system32\DRIVERS\mouclass.sys 24576 bytes (Microsoft Corporation, Mouse Class Driver)
0xF778E000 C:\WINDOWS\system32\drivers\pfc.sys 24576 bytes (Padus, Inc., Padus® ASPI Shell)
0xAA473000 C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS 24576 bytes (SUPERAdBlocker.com and SUPERAntiSpyware.com, SASDIFSV.SYS)
0xF7756000 C:\WINDOWS\System32\Drivers\SonyNC.sys 24576 bytes (Sony Corporation, Sony Notebook Control driver)
0xF78BE000 C:\WINDOWS\system32\DRIVERS\usbuhci.sys 24576 bytes (Microsoft Corporation, UHCI USB Miniport Driver)
0xF77BE000 C:\WINDOWS\System32\drivers\vga.sys 24576 bytes (Microsoft Corporation, VGA/Super VGA Video Driver)
0x9EC31000 C:\WINDOWS\system32\DRIVERS\AegisP.sys 20480 bytes (Meetinghouse Data Communications, IEEE 802.1X Protocol Driver)
0xF7796000 C:\WINDOWS\System32\Drivers\GEARAspiWDM.sys 20480 bytes (GEAR Software Inc., CD DVD Filter)
0xF7806000 C:\WINDOWS\System32\Drivers\Msfs.SYS 20480 bytes (Microsoft Corporation, Mailslot driver)
0xF7746000 PartMgr.sys 20480 bytes (Microsoft Corporation, Partition Manager)
0xF77A6000 C:\WINDOWS\system32\DRIVERS\ptilink.sys 20480 bytes (Parallel Technologies, Inc., Parallel Technologies DirectParallel IO Library)
0xF77AE000 C:\WINDOWS\system32\DRIVERS\raspti.sys 20480 bytes (Microsoft Corporation, PTI DirectParallel® mini-port/call-manager driver)
0xF779E000 C:\WINDOWS\system32\DRIVERS\TDI.SYS 20480 bytes (Microsoft Corporation, TDI Wrapper)
0x9EC21000 C:\WINDOWS\System32\watchdog.sys 20480 bytes (Microsoft Corporation, Watchdog Driver)
0xF78D6000 C:\WINDOWS\system32\DRIVERS\BATTC.SYS 16384 bytes (Microsoft Corporation, Battery Class Driver)
0xF796A000 C:\WINDOWS\system32\DRIVERS\CmBatt.sys 16384 bytes (Microsoft Corporation, Control Method Battery Driver)
0x9E26E000 C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys 16384 bytes (Conexant, Diagnostic Interface DRIVER)
0xF6851000 C:\WINDOWS\system32\DRIVERS\mssmbios.sys 16384 bytes (Microsoft Corporation, System Management BIOS Driver)
0xA206E000 C:\WINDOWS\system32\DRIVERS\ndisuio.sys 16384 bytes (Microsoft Corporation, NDIS User mode I/O Driver)
0xA204A000 C:\WINDOWS\system32\DRIVERS\s24trans.sys 16384 bytes (Intel Corporation, Intel WLAN Packet Driver)
0xF78DA000 ACPIEC.sys 12288 bytes (Microsoft Corporation, ACPI Embedded Controller Driver)
0xF78CE000 C:\WINDOWS\system32\BOOTVID.dll 12288 bytes (Microsoft Corporation, VGA Boot Driver)
0xF78D2000 compbatt.sys 12288 bytes (Microsoft Corporation, Composite Battery Driver)
0x9EB96000 C:\WINDOWS\System32\drivers\Dxapi.sys 12288 bytes (Microsoft Corporation, DirectX API Driver)
0x9F2C5000 C:\WINDOWS\system32\DRIVERS\hidusb.sys 12288 bytes (Microsoft Corporation, USB Miniport Driver for Input Devices)
0x9F2C1000 C:\WINDOWS\system32\DRIVERS\mouhid.sys 12288 bytes (Microsoft Corporation, HID Mouse Filter Driver)
0xF686D000 C:\WINDOWS\system32\DRIVERS\ndistapi.sys 12288 bytes (Microsoft Corporation, NDIS 3.0 connection wrapper driver)
0xF7966000 C:\WINDOWS\system32\DRIVERS\rasacd.sys 12288 bytes (Microsoft Corporation, RAS Automatic Connection Driver)
0xF78DE000 SiWinAcc.sys 12288 bytes (Silicon Image, Inc., Windows Accelerator Driver)
0xF7A52000 C:\WINDOWS\System32\Drivers\Beep.SYS 8192 bytes (Microsoft Corporation, BEEP Driver)
0xA46A3000 C:\WINDOWS\system32\DRIVERS\faproct.sys 8192 bytes (Gteko Ltd., Process Trigger Driver)
0xA46A1000 C:\WINDOWS\system32\DRIVERS\faunidrv.sys 8192 bytes (Gteko Ltd., GUniDriver)
0xF7A50000 C:\WINDOWS\System32\Drivers\Fs_Rec.SYS 8192 bytes (Microsoft Corporation, File System Recognizer Driver)
0xF79BE000 C:\WINDOWS\system32\KDCOM.DLL 8192 bytes (Microsoft Corporation, Kernel Debugger HW Extension DLL)
0xF7A54000 C:\WINDOWS\System32\Drivers\mnmdd.SYS 8192 bytes (Microsoft Corporation, Frame buffer simulator)
0xF7A58000 C:\WINDOWS\System32\DRIVERS\RDPCDD.sys 8192 bytes (Microsoft Corporation, RDP Miniport)
0xF7A10000 C:\WINDOWS\System32\Drivers\RootMdm.sys 8192 bytes (Microsoft Corporation, Legacy Non-Pnp Modem Device Driver)
0xF79C2000 SiRemFil.sys 8192 bytes (Silicon Image, Inc., Filter driver for Silicon Image SATALink controllers.)
0xF7A12000 C:\WINDOWS\system32\DRIVERS\swenum.sys 8192 bytes (Microsoft Corporation, Plug and Play Software Device Enumerator)
0xF7A46000 C:\WINDOWS\system32\DRIVERS\USBD.SYS 8192 bytes (Microsoft Corporation, Universal Serial Bus Driver)
0xF79C0000 C:\WINDOWS\system32\DRIVERS\WMILIB.SYS 8192 bytes (Microsoft Corporation, WMILIB WMI support library Dll)
0xF7B84000 C:\WINDOWS\system32\DRIVERS\audstub.sys 4096 bytes (Microsoft Corporation, AudStub Driver)
0xA50B5000 C:\WINDOWS\system32\DRIVERS\DMICall.sys 4096 bytes (Sony Corporation, Windows 2000 DMI Call Kernel Driver)
0xF7ADB000 C:\WINDOWS\System32\drivers\dxgthk.sys 4096 bytes (Microsoft Corporation, DirectX Graphics Driver Thunk)
0xF7AFE000 C:\WINDOWS\System32\Drivers\Null.SYS 4096 bytes (Microsoft Corporation, NULL Driver)
0xF7A87000 C:\WINDOWS\system32\DRIVERS\OPRGHDLR.SYS 4096 bytes (Microsoft Corporation, ACPI Operation Registration Driver)
0xF7A86000 pciide.sys 4096 bytes (Microsoft Corporation, Generic PCI IDE Bus Driver)
!!!!!!!!!!!Hidden driver: 0x86EA7AEA ?_empty_? 1302 bytes
0x86EA7D01 unknown_irp_handler 767 bytes
!!!!!!!!!!!Hidden driver: 0x86D5C488 ?_empty_? 0 bytes
==============================================
>Stealth
==============================================
0xF7329000 WARNING: suspicious driver modification [atapi.sys::0x86EA7AEA]
0xF78D2000 WARNING: Virus alike driver modification [compbatt.sys], 12288 bytes
==============================================
>Files
==============================================
!-->[Hidden] C:\Documents and Settings\All Users\Application Data\Microsoft\OneCare Protection\Scans\History\Results\System\{F3051B16-AE43-4A8F-864B-A2290DE02A1E}
!-->[Hidden] C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\FXXWLGP8\desktop.ini
!-->[Hidden] C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\HSTPF5NJ\desktop.ini
!-->[Hidden] C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\JE8KA1Z1\desktop.ini
!-->[Hidden] C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\L9MVZX9S\desktop.ini
!-->[Hidden] C:\Program Files\DISC\Logs\FTP.20100606.LOG
!-->[Hidden] C:\Program Files\DISC\Logs\useragent.20100606.log
!-->[Hidden] C:\Program Files\Microsoft Windows OneCare Live\Database\edb00079.log
!-->[Hidden] C:\Program Files\Microsoft Windows OneCare Live\Database\edbtmp.log
!-->[Hidden] C:\System Volume Information\_restore{FAA3F5BE-A238-4FAB-91BF-59480E951B96}\RP599\A0111927.ini
!-->[Hidden] C:\System Volume Information\_restore{FAA3F5BE-A238-4FAB-91BF-59480E951B96}\RP599\A0111928.ini
!-->[Hidden] C:\System Volume Information\_restore{FAA3F5BE-A238-4FAB-91BF-59480E951B96}\RP599\change.log.1
!-->[Hidden] C:\System Volume Information\_restore{FAA3F5BE-A238-4FAB-91BF-59480E951B96}\RP599\drivetable.txt
!-->[Hidden] C:\System Volume Information\_restore{FAA3F5BE-A238-4FAB-91BF-59480E951B96}\RP599\RestorePointSize
!-->[Hidden] C:\System Volume Information\_restore{FAA3F5BE-A238-4FAB-91BF-59480E951B96}\RP599\rp.log
!-->[Hidden] C:\System Volume Information\_restore{FAA3F5BE-A238-4FAB-91BF-59480E951B96}\RP599\snapshot\ComDb.Dat
!-->[Hidden] C:\System Volume Information\_restore{FAA3F5BE-A238-4FAB-91BF-59480E951B96}\RP599\snapshot\domain.txt
!-->[Hidden] C:\System Volume Information\_restore{FAA3F5BE-A238-4FAB-91BF-59480E951B96}\RP599\snapshot\Repository\$WinMgmt.CFG
!-->[Hidden] C:\System Volume Information\_restore{FAA3F5BE-A238-4FAB-91BF-59480E951B96}\RP599\snapshot\Repository\FS\INDEX.BTR
!-->[Hidden] C:\System Volume Information\_restore{FAA3F5BE-A238-4FAB-91BF-59480E951B96}\RP599\snapshot\Repository\FS\INDEX.MAP
!-->[Hidden] C:\System Volume Information\_restore{FAA3F5BE-A238-4FAB-91BF-59480E951B96}\RP599\snapshot\Repository\FS\MAPPING.VER
!-->[Hidden] C:\System Volume Information\_restore{FAA3F5BE-A238-4FAB-91BF-59480E951B96}\RP599\snapshot\Repository\FS\MAPPING1.MAP
!-->[Hidden] C:\System Volume Information\_restore{FAA3F5BE-A238-4FAB-91BF-59480E951B96}\RP599\snapshot\Repository\FS\MAPPING2.MAP
!-->[Hidden] C:\System Volume Information\_restore{FAA3F5BE-A238-4FAB-91BF-59480E951B96}\RP599\snapshot\Repository\FS\OBJECTS.DATA
!-->[Hidden] C:\System Volume Information\_restore{FAA3F5BE-A238-4FAB-91BF-59480E951B96}\RP599\snapshot\Repository\FS\OBJECTS.MAP
!-->[Hidden] C:\System Volume Information\_restore{FAA3F5BE-A238-4FAB-91BF-59480E951B96}\RP599\snapshot\_REGISTRY_MACHINE_SAM
!-->[Hidden] C:\System Volume Information\_restore{FAA3F5BE-A238-4FAB-91BF-59480E951B96}\RP599\snapshot\_REGISTRY_MACHINE_SECURITY
!-->[Hidden] C:\System Volume Information\_restore{FAA3F5BE-A238-4FAB-91BF-59480E951B96}\RP599\snapshot\_REGISTRY_MACHINE_SOFTWARE
!-->[Hidden] C:\System Volume Information\_restore{FAA3F5BE-A238-4FAB-91BF-59480E951B96}\RP599\snapshot\_REGISTRY_MACHINE_SYSTEM
!-->[Hidden] C:\System Volume Information\_restore{FAA3F5BE-A238-4FAB-91BF-59480E951B96}\RP599\snapshot\_REGISTRY_USER_.DEFAULT
!-->[Hidden] C:\System Volume Information\_restore{FAA3F5BE-A238-4FAB-91BF-59480E951B96}\RP599\snapshot\_REGISTRY_USER_NTUSER_S-1-5-18
!-->[Hidden] C:\System Volume Information\_restore{FAA3F5BE-A238-4FAB-91BF-59480E951B96}\RP599\snapshot\_REGISTRY_USER_NTUSER_S-1-5-19
!-->[Hidden] C:\System Volume Information\_restore{FAA3F5BE-A238-4FAB-91BF-59480E951B96}\RP599\snapshot\_REGISTRY_USER_NTUSER_S-1-5-20
!-->[Hidden] C:\System Volume Information\_restore{FAA3F5BE-A238-4FAB-91BF-59480E951B96}\RP599\snapshot\_REGISTRY_USER_NTUSER_S-1-5-21-4084652254-2402551355-2118190209-1005
!-->[Hidden] C:\System Volume Information\_restore{FAA3F5BE-A238-4FAB-91BF-59480E951B96}\RP599\snapshot\_REGISTRY_USER_NTUSER_S-1-5-21-4084652254-2402551355-2118190209-1007
!-->[Hidden] C:\System Volume Information\_restore{FAA3F5BE-A238-4FAB-91BF-59480E951B96}\RP599\snapshot\_REGISTRY_USER_NTUSER_S-1-5-21-4084652254-2402551355-2118190209-1008
!-->[Hidden] C:\System Volume Information\_restore{FAA3F5BE-A238-4FAB-91BF-59480E951B96}\RP599\snapshot\_REGISTRY_USER_NTUSER_S-1-5-21-4084652254-2402551355-2118190209-1009
!-->[Hidden] C:\System Volume Information\_restore{FAA3F5BE-A238-4FAB-91BF-59480E951B96}\RP599\snapshot\_REGISTRY_USER_NTUSER_S-1-5-21-4084652254-2402551355-2118190209-1010
!-->[Hidden] C:\System Volume Information\_restore{FAA3F5BE-A238-4FAB-91BF-59480E951B96}\RP599\snapshot\_REGISTRY_USER_NTUSER_S-1-5-21-4084652254-2402551355-2118190209-500
!-->[Hidden] C:\System Volume Information\_restore{FAA3F5BE-A238-4FAB-91BF-59480E951B96}\RP599\snapshot\_REGISTRY_USER_USRCLASS_S-1-5-18
!-->[Hidden] C:\System Volume Information\_restore{FAA3F5BE-A238-4FAB-91BF-59480E951B96}\RP599\snapshot\_REGISTRY_USER_USRCLASS_S-1-5-19
!-->[Hidden] C:\System Volume Information\_restore{FAA3F5BE-A238-4FAB-91BF-59480E951B96}\RP599\snapshot\_REGISTRY_USER_USRCLASS_S-1-5-20
!-->[Hidden] C:\System Volume Information\_restore{FAA3F5BE-A238-4FAB-91BF-59480E951B96}\RP599\snapshot\_REGISTRY_USER_USRCLASS_S-1-5-21-4084652254-2402551355-2118190209-1005
!-->[Hidden] C:\System Volume Information\_restore{FAA3F5BE-A238-4FAB-91BF-59480E951B96}\RP599\snapshot\_REGISTRY_USER_USRCLASS_S-1-5-21-4084652254-2402551355-2118190209-1007
!-->[Hidden] C:\System Volume Information\_restore{FAA3F5BE-A238-4FAB-91BF-59480E951B96}\RP599\snapshot\_REGISTRY_USER_USRCLASS_S-1-5-21-4084652254-2402551355-2118190209-1008
!-->[Hidden] C:\System Volume Information\_restore{FAA3F5BE-A238-4FAB-91BF-59480E951B96}\RP599\snapshot\_REGISTRY_USER_USRCLASS_S-1-5-21-4084652254-2402551355-2118190209-1009
!-->[Hidden] C:\System Volume Information\_restore{FAA3F5BE-A238-4FAB-91BF-59480E951B96}\RP599\snapshot\_REGISTRY_USER_USRCLASS_S-1-5-21-4084652254-2402551355-2118190209-1010
!-->[Hidden] C:\System Volume Information\_restore{FAA3F5BE-A238-4FAB-91BF-59480E951B96}\RP599\snapshot\_REGISTRY_USER_USRCLASS_S-1-5-21-4084652254-2402551355-2118190209-500
!-->[Hidden] C:\System Volume Information\_restore{FAA3F5BE-A238-4FAB-91BF-59480E951B96}\RP600\A0111929.pbk
!-->[Hidden] C:\System Volume Information\_restore{FAA3F5BE-A238-4FAB-91BF-59480E951B96}\RP600\A0111930.ini
!-->[Hidden] C:\System Volume Information\_restore{FAA3F5BE-A238-4FAB-91BF-59480E951B96}\RP600\A0111931.ini
!-->[Hidden] C:\System Volume Information\_restore{FAA3F5BE-A238-4FAB-91BF-59480E951B96}\RP600\change.log
!-->[Hidden] C:\System Volume Information\_restore{FAA3F5BE-A238-4FAB-91BF-59480E951B96}\RP600\RestorePointSize
!-->[Hidden] C:\System Volume Information\_restore{FAA3F5BE-A238-4FAB-91BF-59480E951B96}\RP600\rp.log
!-->[Hidden] C:\System Volume Information\_restore{FAA3F5BE-A238-4FAB-91BF-59480E951B96}\RP600\snapshot\ComDb.Dat
!-->[Hidden] C:\System Volume Information\_restore{FAA3F5BE-A238-4FAB-91BF-59480E951B96}\RP600\snapshot\domain.txt
!-->[Hidden] C:\System Volume Information\_restore{FAA3F5BE-A238-4FAB-91BF-59480E951B96}\RP600\snapshot\Repository\$WinMgmt.CFG
!-->[Hidden] C:\System Volume Information\_restore{FAA3F5BE-A238-4FAB-91BF-59480E951B96}\RP600\snapshot\Repository\FS\INDEX.BTR
!-->[Hidden] C:\System Volume Information\_restore{FAA3F5BE-A238-4FAB-91BF-59480E951B96}\RP600\snapshot\Repository\FS\INDEX.MAP
!-->[Hidden] C:\System Volume Information\_restore{FAA3F5BE-A238-4FAB-91BF-59480E951B96}\RP600\snapshot\Repository\FS\MAPPING.VER
!-->[Hidden] C:\System Volume Information\_restore{FAA3F5BE-A238-4FAB-91BF-59480E951B96}\RP600\snapshot\Repository\FS\MAPPING1.MAP
!-->[Hidden] C:\System Volume Information\_restore{FAA3F5BE-A238-4FAB-91BF-59480E951B96}\RP600\snapshot\Repository\FS\MAPPING2.MAP
!-->[Hidden] C:\System Volume Information\_restore{FAA3F5BE-A238-4FAB-91BF-59480E951B96}\RP600\snapshot\Repository\FS\OBJECTS.DATA
!-->[Hidden] C:\System Volume Information\_restore{FAA3F5BE-A238-4FAB-91BF-59480E951B96}\RP600\snapshot\Repository\FS\OBJECTS.MAP
!-->[Hidden] C:\System Volume Information\_restore{FAA3F5BE-A238-4FAB-91BF-59480E951B96}\RP600\snapshot\_REGISTRY_MACHINE_SAM
!-->[Hidden] C:\System Volume Information\_restore{FAA3F5BE-A238-4FAB-91BF-59480E951B96}\RP600\snapshot\_REGISTRY_MACHINE_SECURITY
!-->[Hidden] C:\System Volume Information\_restore{FAA3F5BE-A238-4FAB-91BF-59480E951B96}\RP600\snapshot\_REGISTRY_MACHINE_SOFTWARE
!-->[Hidden] C:\System Volume Information\_restore{FAA3F5BE-A238-4FAB-91BF-59480E951B96}\RP600\snapshot\_REGISTRY_MACHINE_SYSTEM
!-->[Hidden] C:\System Volume Information\_restore{FAA3F5BE-A238-4FAB-91BF-59480E951B96}\RP600\snapshot\_REGISTRY_USER_.DEFAULT
!-->[Hidden] C:\System Volume Information\_restore{FAA3F5BE-A238-4FAB-91BF-59480E951B96}\RP600\snapshot\_REGISTRY_USER_NTUSER_S-1-5-18
!-->[Hidden] C:\System Volume Information\_restore{FAA3F5BE-A238-4FAB-91BF-59480E951B96}\RP600\snapshot\_REGISTRY_USER_NTUSER_S-1-5-19
!-->[Hidden] C:\System Volume Information\_restore{FAA3F5BE-A238-4FAB-91BF-59480E951B96}\RP600\snapshot\_REGISTRY_USER_NTUSER_S-1-5-20
!-->[Hidden] C:\System Volume Information\_restore{FAA3F5BE-A238-4FAB-91BF-59480E951B96}\RP600\snapshot\_REGISTRY_USER_NTUSER_S-1-5-21-4084652254-2402551355-2118190209-1005
!-->[Hidden] C:\System Volume Information\_restore{FAA3F5BE-A238-4FAB-91BF-59480E951B96}\RP600\snapshot\_REGISTRY_USER_NTUSER_S-1-5-21-4084652254-2402551355-2118190209-1007
!-->[Hidden] C:\System Volume Information\_restore{FAA3F5BE-A238-4FAB-91BF-59480E951B96}\RP600\snapshot\_REGISTRY_USER_NTUSER_S-1-5-21-4084652254-2402551355-2118190209-1008
!-->[Hidden] C:\System Volume Information\_restore{FAA3F5BE-A238-4FAB-91BF-59480E951B96}\RP600\snapshot\_REGISTRY_USER_NTUSER_S-1-5-21-4084652254-2402551355-2118190209-1009
!-->[Hidden] C:\System Volume Information\_restore{FAA3F5BE-A238-4FAB-91BF-59480E951B96}\RP600\snapshot\_REGISTRY_USER_NTUSER_S-1-5-21-4084652254-2402551355-2118190209-1010
!-->[Hidden] C:\System Volume Information\_restore{FAA3F5BE-A238-4FAB-91BF-59480E951B96}\RP600\snapshot\_REGISTRY_USER_NTUSER_S-1-5-21-4084652254-2402551355-2118190209-500
!-->[Hidden] C:\System Volume Information\_restore{FAA3F5BE-A238-4FAB-91BF-59480E951B96}\RP600\snapshot\_REGISTRY_USER_USRCLASS_S-1-5-18
!-->[Hidden] C:\System Volume Information\_restore{FAA3F5BE-A238-4FAB-91BF-59480E951B96}\RP600\snapshot\_REGISTRY_USER_USRCLASS_S-1-5-19
!-->[Hidden] C:\System Volume Information\_restore{FAA3F5BE-A238-4FAB-91BF-59480E951B96}\RP600\snapshot\_REGISTRY_USER_USRCLASS_S-1-5-20
!-->[Hidden] C:\System Volume Information\_restore{FAA3F5BE-A238-4FAB-91BF-59480E951B96}\RP600\snapshot\_REGISTRY_USER_USRCLASS_S-1-5-21-4084652254-2402551355-2118190209-1005
!-->[Hidden] C:\System Volume Information\_restore{FAA3F5BE-A238-4FAB-91BF-59480E951B96}\RP600\snapshot\_REGISTRY_USER_USRCLASS_S-1-5-21-4084652254-2402551355-2118190209-1007
!-->[Hidden] C:\System Volume Information\_restore{FAA3F5BE-A238-4FAB-91BF-59480E951B96}\RP600\snapshot\_REGISTRY_USER_USRCLASS_S-1-5-21-4084652254-2402551355-2118190209-1008
!-->[Hidden] C:\System Volume Information\_restore{FAA3F5BE-A238-4FAB-91BF-59480E951B96}\RP600\snapshot\_REGISTRY_USER_USRCLASS_S-1-5-21-4084652254-2402551355-2118190209-1009
!-->[Hidden] C:\System Volume Information\_restore{FAA3F5BE-A238-4FAB-91BF-59480E951B96}\RP600\snapshot\_REGISTRY_USER_USRCLASS_S-1-5-21-4084652254-2402551355-2118190209-1010
!-->[Hidden] C:\System Volume Information\_restore{FAA3F5BE-A238-4FAB-91BF-59480E951B96}\RP600\snapshot\_REGISTRY_USER_USRCLASS_S-1-5-21-4084652254-2402551355-2118190209-500
!-->[Hidden] C:\WINDOWS\system32\drivers\ivugsiwk.sys
==============================================
>Hooks
==============================================
ntkrnlpa.exe+0x0006ECAE, Type: Inline - RelativeJump 0x80545CAE-->80545CB5 [ntkrnlpa.exe]
[1372]svchost.exe-->mswsock.dll+0x00004057, Type: Inline - RelativeJump 0x71A54057-->00000000 [unknown_code_page]
[1372]svchost.exe-->mswsock.dll+0x0000433A, Type: Inline - RelativeJump 0x71A5433A-->00000000 [unknown_code_page]
[1372]svchost.exe-->mswsock.dll+0x00005847, Type: Inline - RelativeJump 0x71A55847-->00000000 [unknown_code_page]
[1372]svchost.exe-->ntdll.dll-->KiUserExceptionDispatcher, Type: Inline - RelativeJump 0x7C90E47C-->00000000 [unknown_code_page]
[1372]svchost.exe-->ntdll.dll-->NtProtectVirtualMemory, Type: Inline - RelativeJump 0x7C90D6EE-->00000000 [unknown_code_page]
[1372]svchost.exe-->ntdll.dll-->NtWriteVirtualMemory, Type: Inline - RelativeJump 0x7C90DFAE-->00000000 [unknown_code_page]
[1372]svchost.exe-->user32.dll-->GetCursorPos, Type: Inline - RelativeJump 0x7E42974E-->00000000 [unknown_code_page]
[3300]explorer.exe-->advapi32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77DD1218-->00000000 [shimeng.dll]
[3300]explorer.exe-->gdi32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77F110B4-->00000000 [shimeng.dll]
[3300]explorer.exe-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x01001268-->00000000 [shimeng.dll]
[3300]explorer.exe-->mswsock.dll+0x00004057, Type: Inline - RelativeJump 0x71A54057-->00000000 [unknown_code_page]
[3300]explorer.exe-->mswsock.dll+0x0000433A, Type: Inline - RelativeJump 0x71A5433A-->00000000 [unknown_code_page]
[3300]explorer.exe-->mswsock.dll+0x00005847, Type: Inline - RelativeJump 0x71A55847-->00000000 [unknown_code_page]
[3300]explorer.exe-->ntdll.dll-->KiUserExceptionDispatcher, Type: Inline - RelativeJump 0x7C90E47C-->00000000 [unknown_code_page]
[3300]explorer.exe-->ntdll.dll-->NtProtectVirtualMemory, Type: Inline - RelativeJump 0x7C90D6EE-->00000000 [unknown_code_page]
[3300]explorer.exe-->ntdll.dll-->NtWriteVirtualMemory, Type: Inline - RelativeJump 0x7C90DFAE-->00000000 [unknown_code_page]
[3300]explorer.exe-->shell32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x7C9C15A4-->00000000 [shimeng.dll]
[3300]explorer.exe-->user32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x7E41133C-->00000000 [shimeng.dll]


!!POSSIBLE ROOTKIT ACTIVITY DETECTED!! =)
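The RKU output above ends with a rootkit verdict, but it mixes the findings that matter (a hidden driver, the modified atapi.sys and compbatt.sys images, inline hooks that jump into a code page belonging to no module) with routine noise (hidden desktop.ini files in the IE cache and System Volume Information, IAT patches of GetProcAddress by the application-compatibility shim engine shimeng.dll). The Python below is an added example, not part of this thread and not RKU's own code: it parses a handful of lines constructed in the same format as the log above and rates each one the way a helper triages such a log before deciding what to clean. The severity rules and the benign-module list are my assumptions, not RKU's.

```python
"""Severity triage for RKUnhooker-style scan output (added example)."""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: a few lines in the same format as the RKU log posted
# above (hidden driver, driver-modification warnings, hidden files, hooks).
SAMPLE_LOG = r"""
0xF78D2000 compbatt.sys 12288 bytes (Microsoft Corporation, Composite Battery Driver)
!!!!!!!!!!!Hidden driver: 0x86EA7AEA ?_empty_? 1302 bytes
0x86EA7D01 unknown_irp_handler 767 bytes
0xF7329000 WARNING: suspicious driver modification [atapi.sys::0x86EA7AEA]
0xF78D2000 WARNING: Virus alike driver modification [compbatt.sys], 12288 bytes
!-->[Hidden] C:\WINDOWS\system32\drivers\ivugsiwk.sys
!-->[Hidden] C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\FXXWLGP8\desktop.ini
ntkrnlpa.exe+0x0006ECAE, Type: Inline - RelativeJump 0x80545CAE-->80545CB5 [ntkrnlpa.exe]
[1372]svchost.exe-->ntdll.dll-->NtWriteVirtualMemory, Type: Inline - RelativeJump 0x7C90DFAE-->00000000 [unknown_code_page]
[3300]explorer.exe-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x01001268-->00000000 [shimeng.dll]
"""

# Assumption: modules whose hooks are routinely benign. shimeng.dll is the
# Windows application-compatibility shim engine; its IAT patches of
# GetProcAddress in explorer.exe are expected on a clean XP box.
KNOWN_BENIGN_HOOK_MODULES = {"shimeng.dll"}

HIDDEN_DRIVER_RE = re.compile(
    r"^!+Hidden driver: (?P<addr>0x[0-9A-Fa-f]+) (?P<name>\S+) (?P<size>\d+) bytes$")
WARNING_RE = re.compile(r"^0x[0-9A-Fa-f]+ WARNING: (?P<text>.+)$")
HIDDEN_FILE_RE = re.compile(r"^!-->\[Hidden\] (?P<path>.+)$")
HOOK_RE = re.compile(
    r"^(?:\[(?P<pid>\d+)\])?(?P<chain>.+?), Type: (?P<kind>Inline - RelativeJump|IAT modification) "
    r"0x(?P<src>[0-9A-Fa-f]+)-->(?P<dst>[0-9A-Fa-f]+) \[(?P<module>[^\]]+)\]$"
)


@dataclass
class Finding:
    severity: str   # "high", "medium" or "low"
    kind: str
    detail: str


def triage_line(line: str) -> Optional[Finding]:
    """Rate one log line; returns None for lines that carry no finding."""
    line = line.strip()
    if m := HIDDEN_DRIVER_RE.match(line):
        # A driver that is running but absent from the loaded-module list.
        return Finding("high", "hidden-driver",
                       f"{m['name']} at {m['addr']} ({m['size']} bytes) is not in the module list")
    if m := WARNING_RE.match(line):
        # The scanner found a loaded driver whose code differs from its file on disk.
        return Finding("high", "driver-modification", m["text"])
    if "unknown_irp_handler" in line:
        # An IRP dispatch pointer that resolves into no known driver image.
        return Finding("medium", "irp-handler", line)
    if m := HIDDEN_FILE_RE.match(line):
        name = m["path"].rsplit("\\", 1)[-1].lower()
        if name.endswith((".sys", ".exe", ".dll")):
            return Finding("high", "hidden-file", f"hidden executable {m['path']}")
        # Files under System Volume Information or the IE cache are normally
        # unreadable to the scanner and show up as hidden without being malicious.
        return Finding("low", "hidden-file", f"hidden non-executable {m['path']}")
    if m := HOOK_RE.match(line):
        module = m["module"].lower()
        where = f"{m['chain']} ({m['kind']})"
        if module in KNOWN_BENIGN_HOOK_MODULES:
            return Finding("low", "hook", f"{where} patched by {m['module']}, commonly benign")
        if module == "unknown_code_page":
            return Finding("high", "hook", f"{where} redirected into code belonging to no module")
        return Finding("medium", "hook", f"{where} -> {m['module']}; compare with a clean system")
    return None  # ordinary loaded-module line or section header


def triage(text: str) -> list:
    """Run triage_line over every line of a log and keep the findings."""
    return [f for f in (triage_line(l) for l in text.strip().splitlines()) if f]


def severity_counts(findings: list) -> dict:
    counts = {"high": 0, "medium": 0, "low": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    order = ("high", "medium", "low")
    for f in sorted(results, key=lambda f: order.index(f.severity)):
        print(f"{f.severity:6} {f.kind:20} {f.detail}")
    print(severity_counts(results))
```

On the constructed sample this yields five high findings (the hidden driver, both driver-modification warnings, the hidden ivugsiwk.sys, and the svchost.exe hook into an unknown code page), two medium ones to review by hand, and two low ones that a clean machine would also show. The point is the ordering: the hidden driver and the modified disk-stack driver are what make the helper's "backdoor" assessment in the next post reasonable, while the shimeng.dll entries would be a false lead if treated as evidence.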

#6 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 06 June 2010 - 04:55 PM

Greetings

One or more of the identified infections is a Backdoor Trojan.

This could allow hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC could be compromised and there is no way to be sure that your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. "If you would like to continue, then follow the steps below, otherwise please let me know"

I Would like you to do the following.

Please print out or make a copy in notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:
    Please visit this webpage for download links, and instructions for running the tool:

    http://www.bleepingcomputer.com/combofix/how-to-use-combofix

    Please ensure you read this guide carefully and install the Recovery Console first.

    The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode.
    This allows us to more easily help you should your computer have a problem after an attempted removal of malware.
    It is a simple procedure that will only take a few moments of your time.


    Once installed, you should see a blue screen prompt that says:
      The Recovery Console was successfully installed.
    Please continue as follows:
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Click Yes to allow ComboFix to continue scanning for malware.

    When the tool is finished, it will produce a report for you.

    Please include the report in your next post:

    C:\ComboFix.txt

"information and logs"
    In your next post I need the following
    1. Log from Combofix
    2. let me know of any problems you may have had
    3. How is the computer doing now?

Gringo


I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#7 Gil Milet

Gil Milet
  • Topic Starter

  • Members
  • 17 posts

Posted 06 June 2010 - 08:22 PM

Hi Gringo. That was fast. Thank you. Anyway, after going through the suggested readings, I think I will go with the hard drive reformat. I am tired of all the scannings without satisfactory results. In the last several days, it seems like the fixes solve the problem only to be replaced by another problem. I do not think I can take the risk of compromising the security of my financial transactions. In addition, will this reformat improve the speed of my computer?

I was trying to search for my HDD recovery; I found from that big user guide poster that came with the laptop that the system and or application CDs are not delivered with my computer. It says that the computer is equipped with VAIO Recovery.

I have made backups of some of my files. The rest I do not need to back up.

In regards to my issues of turning off the firewall first and removing then adding the current network internet provider, can you please help me with this one too. I guess this would be later after you help me with the drive reformat.

Please let me know how to go about these reformat procedures. Meanwhile, the slide button for wireless LAN is still off.

Kind regards,
Gil Milet

#8 gringo_pr

gringo_pr


Posted 06 June 2010 - 09:36 PM

Greetings

QUOTE
I am tired of all the scannings without satisfactory results.
I wanted to address this: all the scans so far have been getting the needed information (which we now have); the ComboFix scan is the first scan to do any cleaning.

At this time I still would like you to run this scan to take out the rootkit, so if you still want to format it would not create any problems.

Let me have the ComboFix report; then we will move on to what you decide.


gringo

#9 Gil Milet

Gil Milet
  • Topic Starter


Posted 06 June 2010 - 11:20 PM

Good evening Gringo.

I downloaded the combofix to my USB still using another laptop. Then, I ran it in the infected computer after I disabled firewall and antivirus in Windows Live OneCare. It said that my machine does not have the Microsoft Windows Recovery Console installed. It asked me if I wanted combofix to download same. I answered NO since I cannot connect to the internet. It still ran combofix autoscan. After a few minutes, it asked to restart the computer since combofix found rootkit activity.

As soon as the computer restarted, it asked me the same question if I want combofix to download Microsoft Windows Recovery Console. I answered NO again. It again ran autoscan. After a little more than ten minutes, it produced the log below.

I have not tried turning the wireless LAN on to try to see if internet is working. Is it safe to do this? Also, should I manually install the Microsoft Windows Recovery Console and then run combofix again?

Kind regards,
Gil Milet

ComboFix 10-06-06.01 - Emelita Sumague 06/06/2010 20:24:15.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.512 [GMT -7:00]
Running from: F:\ComboFix.exe
AV: Windows Live OneCare *On-access scanning disabled* (Updated) {427ADFC3-B354-4A51-BE34-A9D4218E45C4}
FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
FW: Windows Live OneCare Firewall *disabled* {A3899D22-27E6-4A7E-AE4E-2C106646DAAB}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\setup.exe
c:\windows\Sonysys\VAIO Recovery\PartSeal.exe
c:\windows\system32\Thumbs.db

Infected copy of c:\windows\system32\drivers\compbatt.sys was found and disinfected
Restored copy from - Kitty had a snack :p
.
((((((((((((((((((((((((( Files Created from 2010-05-07 to 2010-06-07 )))))))))))))))))))))))))))))))
.

2010-06-06 19:44 . 2010-06-06 19:44 10240 ----a-w- c:\windows\system32\drivers\ivugsiwk.sys
2010-06-04 13:44 . 2010-06-04 13:44 10240 ----a-w- c:\windows\system32\drivers\ngjvnwbe.sys
2010-06-04 13:12 . 2010-06-04 13:12 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2010-06-04 05:02 . 2010-06-04 05:02 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-06-04 05:00 . 2010-06-04 05:00 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-06-02 05:59 . 2010-06-02 05:59 10240 ----a-w- c:\windows\system32\drivers\vgxyyvaa.sys
2010-06-01 13:19 . 2010-06-01 13:19 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2010-06-01 06:49 . 2010-06-01 06:49 10240 ----a-w- c:\windows\system32\drivers\wvysnqok.sys
2010-06-01 04:09 . 2010-06-01 04:09 -------- d-sh--w- c:\documents and settings\Emelita Sumague\PrivacIE
2010-06-01 02:35 . 2010-06-01 02:35 -------- d-sh--w- c:\documents and settings\Emelita Sumague\IECompatCache
2010-06-01 02:26 . 2010-06-01 02:26 -------- d-sh--w- c:\documents and settings\Emelita Sumague\IETldCache
2010-06-01 02:26 . 2010-06-01 02:26 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-06-01 02:18 . 2010-06-01 02:18 -------- d-----w- c:\windows\ie8updates
2010-06-01 02:13 . 2010-06-01 02:15 -------- dc-h--w- c:\windows\ie8
2010-06-01 02:12 . 2010-06-01 02:12 -------- d-----w- c:\program files\Microsoft
2010-06-01 02:12 . 2010-06-01 02:12 -------- d-----w- c:\program files\MSN Toolbar
2010-06-01 02:11 . 2010-06-01 02:12 -------- d-----w- c:\program files\Bing Bar Installer
2010-06-01 02:08 . 2010-06-01 02:19 -------- d--h--w- c:\windows\msdownld.tmp
2010-06-01 02:04 . 2010-04-16 11:43 41984 -c----w- c:\windows\system32\dllcache\iecompat.dll
2010-06-01 02:04 . 2010-02-25 06:24 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2010-06-01 02:04 . 2010-02-25 06:24 247808 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2010-06-01 01:59 . 2010-06-01 04:05 -------- d-----w- c:\documents and settings\Emelita Sumague\Local Settings\Application Data\hwraphrvm
2010-06-01 01:44 . 2010-06-01 01:44 10240 ----a-w- c:\windows\system32\drivers\olhorhek.sys
2010-05-31 23:54 . 2010-05-31 23:54 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-05-31 14:57 . 2010-05-31 14:57 10240 ----a-w- c:\windows\system32\drivers\nhezbzkq.sys
2010-05-31 14:57 . 2010-05-31 14:57 300800 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\OneCare Protection\LocalCopy\{FF18C548-57F8-9D62-2D27-416E65FFC9A1}-ywknbhotssd.exe
2010-05-29 18:06 . 2010-06-01 00:07 -------- d-----w- c:\documents and settings\Emelita Sumague\Local Settings\Application Data\rltfdnyvb
2010-05-29 14:20 . 2010-05-29 17:13 -------- d-----w- c:\documents and settings\Emelita Sumague\Local Settings\Application Data\ifkixwkfh
2010-05-29 12:48 . 2010-05-29 12:48 10240 ----a-w- c:\windows\system32\drivers\yxlhawjp.sys
2010-05-29 03:41 . 2010-05-29 03:41 -------- d-----w- c:\documents and settings\Emelita Sumague\Application Data\Malwarebytes
2010-05-29 03:41 . 2010-05-29 03:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-05-29 03:10 . 2010-05-29 03:10 -------- d-----w- c:\documents and settings\Emelita Sumague\Local Settings\Application Data\Threat Expert
2010-05-29 01:58 . 2010-05-29 17:52 -------- d-----w- c:\program files\Spyware Doctor
2010-05-29 01:57 . 2010-05-29 17:50 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-05-28 04:44 . 2010-05-29 12:03 -------- d-----w- c:\documents and settings\Emelita Sumague\Local Settings\Application Data\uxhxcjxxc
2010-05-28 04:44 . 2010-05-28 04:44 -------- d-----w- c:\program files\Common Files\Wise Installation Wizard
2010-05-28 04:34 . 2010-05-28 04:34 -------- d-----w- c:\windows\system32\en

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-07 03:18 . 2010-03-26 19:52 -------- d-----w- c:\documents and settings\Emelita Sumague\Application Data\Skype
2010-06-06 17:51 . 2010-03-26 19:55 -------- d-----w- c:\documents and settings\Emelita Sumague\Application Data\skypePM
2010-06-04 03:35 . 2010-06-03 01:46 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-06-04 03:15 . 2008-08-19 06:22 -------- d-----w- c:\program files\Microsoft Windows OneCare Live
2010-06-03 14:42 . 2010-06-03 14:42 10240 ----a-w- c:\windows\system32\drivers\uorvifeo.sys
2010-06-03 04:52 . 2010-06-03 04:52 63488 ----a-w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
2010-06-03 04:52 . 2010-06-03 04:52 52224 ----a-w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-06-03 04:52 . 2010-06-03 04:52 117760 ----a-w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-06-03 04:51 . 2010-06-03 04:51 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2010-06-03 04:38 . 2010-06-03 04:38 63488 ----a-w- c:\documents and settings\Emelita Sumague\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
2010-06-03 04:38 . 2010-06-03 04:38 52224 ----a-w- c:\documents and settings\Emelita Sumague\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-06-03 04:38 . 2010-06-03 04:38 117760 ----a-w- c:\documents and settings\Emelita Sumague\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-06-03 04:37 . 2010-06-03 04:37 -------- d-----w- c:\documents and settings\Emelita Sumague\Application Data\SUPERAntiSpyware.com
2010-05-29 17:45 . 2006-02-25 08:03 -------- d-----w- c:\documents and settings\All Users\Application Data\AOL
2010-05-29 17:44 . 2006-02-25 08:03 -------- d-----w- c:\program files\Common Files\AOL
2010-05-02 21:31 . 2008-01-28 00:24 77880 ----a-w- c:\documents and settings\Millie's Pink IPOD\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-05-02 21:05 . 2009-04-03 00:30 77880 ----a-w- c:\documents and settings\Mellie's Yellow Ipod\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-05-02 20:21 . 2009-07-12 04:39 77880 ----a-w- c:\documents and settings\Mellie itouch\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-05-02 19:44 . 2008-01-14 16:07 77880 ----a-w- c:\documents and settings\Mellie Green ipod\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-05-02 16:03 . 2005-12-16 06:28 77880 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-05-02 03:55 . 2005-12-16 04:12 86811 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2010-04-29 22:39 . 2010-06-04 03:35 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 22:39 . 2010-06-04 03:34 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-03-26 19:55 . 2010-03-26 19:55 56 ---ha-w- c:\windows\system32\ezsidmv.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-31 313472]
"Skype"="c:\program files\Skype\Phone\Skype.exe" [2010-03-09 26100520]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-05-18 2397424]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-11-25 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-11-25 118784]
"Apoint"="c:\program files\Apoint\Apoint.exe" [2004-11-18 118784]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_05\bin\jusched.exe" [2005-08-27 36975]
"SonyPowerCfg"="c:\program files\Sony\VAIO Power Management\SPMgr.exe" [2005-11-29 217088]
"ISBMgr.exe"="c:\program files\Sony\ISB Utility\ISBMgr.exe" [2004-02-20 32768]
"VAIO Update 2"="c:\program files\Sony\VAIO Update 2\VAIOUpdt.exe" [2005-10-12 151552]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-11-30 7335936]
"Switcher.exe"="c:\program files\Sony\Wireless Switch Setting Utility\Switcher.exe" [2005-11-24 167936]
"DISCover"="c:\program files\DISC\DISCover.exe" [2005-12-02 1064960]
"DiscUpdateManager"="c:\program files\DISC\DiscUpdateMgr.exe" [2005-12-02 61440]
"VAIOCameraUtility"="c:\program files\Sony\VAIO Camera Utility\VCUServe.exe" [2005-12-01 69632]
"PeachtreePrefetcher.exe"="c:\progra~1\SAGESO~1\PEACHT~1\PeachtreePrefetcher.exe" [2007-08-29 32768]
"OneCareUI"="c:\program files\Microsoft Windows OneCare Live\winssnotify.exe" [2010-02-06 65256]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-03-13 342312]
"Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2009-11-12 288088]

c:\documents and settings\Emelita Sumague\Start Menu\Programs\Startup\
Cyber-shot Viewer Media Check Tool.lnk - c:\program files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe [2006-9-9 155648]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\VESWinlogon]
2005-05-21 01:42 73728 ----a-w- c:\windows\system32\VESWinlogon.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\OneCareMP]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\DISC\\DISCover.exe"=
"c:\\Program Files\\DISC\\DiscStreamHub.exe"=
"c:\\Program Files\\DISC\\myFTP.exe"=
"c:\\Program Files\\Sony\\VAIO Media 5.0\\Vc.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 11:25 AM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 11:41 AM 67656]
R2 faproct;Circuit City Firedog Advisor ProcessTriggerDriver;c:\windows\system32\drivers\faproct.sys [6/17/2007 9:35 AM 4864]
R2 faunidrv;UniDriver for Firedog Advisor;c:\windows\system32\drivers\faunidrv.sys [3/21/2007 3:55 PM 5376]
R2 MSSQL$VAIO_VEDB;MSSQL$VAIO_VEDB;c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe -sVAIO_VEDB --> c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe -sVAIO_VEDB [?]
R2 OcHealthMon;Windows Live OneCare Health Monitor;c:\program files\Microsoft Windows OneCare Live\OcHealthMon.exe [2/5/2010 5:19 PM 26120]
R2 Pervasive.SQL Workgroup Engine;Pervasive.SQL Workgroup Engine;c:\windows\system32\srvany.exe [1/30/2008 9:37 PM 13608]
R3 SonyImgF;Sony Image Conversion Filter Driver;c:\windows\system32\drivers\SonyImgF.sys [12/15/2005 7:52 PM 28800]
R3 ti21sony;ti21sony;c:\windows\system32\drivers\ti21sony.sys [12/15/2005 7:52 PM 217472]
S3 SQLAgent$VAIO_VEDB;SQLAgent$VAIO_VEDB;c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlagent.EXE -i VAIO_VEDB --> c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlagent.EXE -i VAIO_VEDB [?]
.
Contents of the 'Scheduled Tasks' folder

2010-03-17 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 19:34]

2007-06-06 c:\windows\Tasks\MP Scheduled Quick Scan.job
- c:\program files\Microsoft Windows OneCare Live\Antivirus\MpCmdRun.exe [2008-07-10 00:05]

2010-06-07 c:\windows\Tasks\User_Feed_Synchronization-{B9F00EA6-5259-4F6F-BFF8-A7F28BB23CF8}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 11:31]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
uStart Page = hxxp://www.msn.com
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:5555
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
IE: {{898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-VAIO Recovery - c:\windows\Sonysys\VAIO Recovery\PartSeal.exe
HKLM-Run-PartSeal - c:\windows\Sonysys\VAIO Recovery\PartSeal.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-06 20:36
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x86EE1D01]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf7522f28
\Driver\ACPI -> ACPI.sys @ 0xf7395cb8
\Driver\atapi -> atapi.sys @ 0xf732f852
IoDeviceObjectType -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntkrnlpa.exe @ 0x805836a8
ParseProcedure -> ntkrnlpa.exe @ 0x805827e8
NDIS: Intel® PRO/Wireless 3945ABG Network Connection -> SendCompleteHandler -> NDIS.sys @ 0xf7212bb0
PacketIndicateHandler -> NDIS.sys @ 0xf7201a0d
SendHandler -> NDIS.sys @ 0xf7215b40
user & kernel MBR OK

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
@DACL=(02 0000)
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
@DACL=(02 0000)
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
@DACL=(02 0000)
"Installed"="1"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(940)
c:\windows\system32\WININET.dll
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\VESWinlogon.dll

- - - - - - - > 'lsass.exe'(1000)
c:\windows\system32\WININET.dll
.
Completion time: 2010-06-06 20:42:35
ComboFix-quarantined-files.txt 2010-06-07 03:42

Pre-Run: 53,003,419,648 bytes free
Post-Run: 53,041,491,968 bytes free

- - End Of File - - CD1679AD59D984770E255DED3BDF45AE





#10 gringo_pr
    Bleepin Gringo
  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 06 June 2010 - 11:26 PM

good evening

I have not tried turning the wireless LAN on to try to see if internet is working. Is it safe to do this? Also, should I manually install the Microsoft Windows Recovery Console and then run combofix again?



try to go online, we will deal with the recovery console next - don't run combofix until I tell you.


be back soon with more instructions - test internet and let me know


gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#11 gringo_pr

Posted 06 June 2010 - 11:34 PM

greetings

looking thru your logs I need you to do the following.

TDSSKiller:
  • Please Download TDSSKiller.zip and save it on your desktop.
  • extract (unzip) its contents to your Desktop.
  • double-click the TDSSKiller Folder on your desktop.
  • right-click on TDSSKiller.exe and click Copy then Paste it directly on to your Desktop.
  • Highlight and copy the text in the codebox below.
CODE
"%userprofile%\desktop\tdsskiller.exe" -l "%userprofile%\desktop\tdsskiller.txt"
  • Click Start, click Run... and paste the text above into the Open: line and click OK.
  • If malicious services or files have been detected, the utility will prompt to reboot the PC in order to complete the disinfection procedure. Please reboot when prompted.
  • After reboot, the driver will delete malicious registry keys and files as well as remove itself from the services list.
  • a log file should be created on your C: drive named something like TDSSKiller 2.1.1 Dec 20 2009 02:40:02
  • To find the log click Start then Computer then Vista (C:).
  • Please post the contents of that log in your next reply


gringo

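The log that the -l switch writes is what the helper asks for next. The parser below is an added example (not part of the thread and not TDSSKiller's own code) that pulls the "Suspicious file (Forged)" findings, with their real and fake MD5 hashes and cure status, out of such a log; the sample log is constructed from a few lines in the format the tool writes.

```python
"""Triage of a TDSSKiller log written with the -l switch.

Added example, not part of the thread or of TDSSKiller itself. It keeps
only the lines an analyst acts on: each "Suspicious file (Forged)"
finding with its real and fake MD5, and whether an "infected by TDSS
rootkit" / "will be cured on next reboot" line followed it. The sample
log is constructed from a few lines in the format shown in the thread.
"""
import re
from dataclasses import dataclass, field

# Every TDSSKiller log line is "HH:MM:SS:mmm <pid> <message>".
LINE_RE = re.compile(r"^(\d{2}:\d{2}:\d{2}:\d{3})\s+(\d+)\s*(.*)$")
# Driver enumeration line: "<service> (<md5>) <path>"
DRIVER_RE = re.compile(r"^(\S+) \(([0-9a-f]{32})\) (.+)$")
# Forged-file finding: the hash read from disk and the one presented
# through the file system do not agree.
FORGED_RE = re.compile(
    r"^Suspicious file \(Forged\): (.+?)\. Real md5: ([0-9a-f]{32}), Fake md5: ([0-9a-f]{32})"
)
INFECTED_RE = re.compile(r'^File "(.+?)" infected by TDSS rootkit')


@dataclass
class Finding:
    path: str
    real_md5: str
    fake_md5: str
    infected: bool = False        # an "infected by TDSS rootkit" line followed
    cure_scheduled: bool = False  # a "will be cured on next reboot" line followed


@dataclass
class Report:
    version: str = ""
    drivers: dict = field(default_factory=dict)   # service name -> (md5, path)
    findings: list = field(default_factory=list)


def parse_tdsskiller_log(text: str) -> Report:
    """Walk the log once; a forged finding stays 'open' until its cure line."""
    report = Report()
    current = None
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        msg = m.group(3)
        if msg.startswith("TDSS rootkit removing tool"):
            report.version = msg.split()[4]
            continue
        d = DRIVER_RE.match(msg)
        if d:
            report.drivers[d.group(1)] = (d.group(2), d.group(3))
            continue
        f = FORGED_RE.match(msg)
        if f:
            current = Finding(path=f.group(1), real_md5=f.group(2), fake_md5=f.group(3))
            report.findings.append(current)
            continue
        if current is not None:
            if INFECTED_RE.match(msg):
                current.infected = True
            elif msg.startswith("will be cured"):
                current.cure_scheduled = True
                current = None
    return report


def summarize(report: Report) -> list[str]:
    """One line per forged file, tied back to its driver enumeration entry."""
    by_path = {path.lower(): (name, md5) for name, (md5, path) in report.drivers.items()}
    lines = []
    for f in report.findings:
        name, md5 = by_path.get(f.path.lower(), ("?", ""))
        state = "infected" if f.infected else "suspicious"
        if f.cure_scheduled:
            state += ", cure scheduled on reboot"
        enum_note = ("enumeration hash = real md5" if md5 == f.real_md5
                     else "enumeration hash differs from real md5")
        lines.append(f"{name} {f.path}: forged ({state}); "
                     f"real {f.real_md5} fake {f.fake_md5}; {enum_note}")
    return lines


# Constructed sample, modelled on the log posted in the thread (not a full log).
SAMPLE_LOG = r"""
19:58:08:828 3980 TDSS rootkit removing tool 2.3.2.0 May 31 2010 10:39:48
19:58:09:250 3980
19:58:12:484 3980 CmBatt (0f6c187d38d98f8df904589a5f94d411) C:\WINDOWS\system32\DRIVERS\CmBatt.sys
19:58:12:515 3980 Compbatt (999c1a10ce2b1cea5f12a1dd89e4996c) C:\WINDOWS\system32\DRIVERS\compbatt.sys
19:58:12:515 3980 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\compbatt.sys. Real md5: 999c1a10ce2b1cea5f12a1dd89e4996c, Fake md5: 6e4c9f21f0fae8940661144f41b13203
19:58:12:515 3980 File "C:\WINDOWS\system32\DRIVERS\compbatt.sys" infected by TDSS rootkit ...
19:58:12:812 3980 Backup copy found, using it..
19:58:12:875 3980 will be cured on next reboot
19:58:12:937 3980 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
"""

if __name__ == "__main__":
    for line in summarize(parse_tdsskiller_log(SAMPLE_LOG)):
        print(line)
```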

#12 Gil Milet
  • Topic Starter

Posted 07 June 2010 - 09:47 PM

Good evening gringo, yes my internet is working using the same procedure (i.e. turning off the firewall temporarily and manually typing in my network key and password in network connection properties). Should I proceed with the next steps (i.e. TDSSKiller)?

kind regards,

gil milet

#13 gringo_pr

Posted 07 June 2010 - 09:48 PM

yes please do


gringo

#14 Gil Milet
  • Topic Starter

Posted 07 June 2010 - 10:09 PM

Hi again Gringo!

Here is my tdss log. Hope I did it correctly! By the way, I am using the "infected" computer writing this reply.

Kind regards,

Gil Milet

19:58:08:828 3980 TDSS rootkit removing tool 2.3.2.0 May 31 2010 10:39:48
19:58:08:828 3980 ================================================================================
19:58:08:828 3980 SystemInfo:

19:58:08:828 3980 OS Version: 5.1.2600 ServicePack: 3.0
19:58:08:828 3980 Product type: Workstation
19:58:08:828 3980 ComputerName: MILLIE
19:58:08:828 3980 UserName: Emelita Sumague
19:58:08:828 3980 Windows directory: C:\WINDOWS
19:58:08:828 3980 Processor architecture: Intel x86
19:58:08:828 3980 Number of processors: 2
19:58:08:828 3980 Page size: 0x1000
19:58:08:828 3980 Boot type: Normal boot
19:58:08:828 3980 ================================================================================
19:58:09:250 3980 Initialize success
19:58:09:250 3980
19:58:09:250 3980 Scanning Services ...
19:58:09:859 3980 Raw services enum returned 395 services
19:58:09:875 3980
19:58:09:875 3980 Scanning Drivers ...
19:58:10:890 3980 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
19:58:10:937 3980 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\DRIVERS\ACPIEC.sys
19:58:11:015 3980 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
19:58:11:093 3980 AegisP (12dafd934641dcf61e446313bc261ec2) C:\WINDOWS\system32\DRIVERS\AegisP.sys
19:58:11:171 3980 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys
19:58:11:312 3980 ApfiltrService (b21fcbc58cb13bac70f74b5ac5da7409) C:\WINDOWS\system32\DRIVERS\Apfiltr.sys
19:58:11:343 3980 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys
19:58:11:406 3980 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
19:58:11:625 3980 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
19:58:11:671 3980 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
19:58:11:750 3980 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
19:58:11:796 3980 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
19:58:12:046 3980 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
19:58:12:093 3980 CCDECODE (0be5aef125be881c4f854c554f2b025c) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
19:58:12:265 3980 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
19:58:12:312 3980 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
19:58:12:390 3980 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
19:58:12:484 3980 CmBatt (0f6c187d38d98f8df904589a5f94d411) C:\WINDOWS\system32\DRIVERS\CmBatt.sys
19:58:12:515 3980 Compbatt (999c1a10ce2b1cea5f12a1dd89e4996c) C:\WINDOWS\system32\DRIVERS\compbatt.sys
19:58:12:515 3980 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\compbatt.sys. Real md5: 999c1a10ce2b1cea5f12a1dd89e4996c, Fake md5: 6e4c9f21f0fae8940661144f41b13203
19:58:12:515 3980 File "C:\WINDOWS\system32\DRIVERS\compbatt.sys" infected by TDSS rootkit ...
19:58:12:812 3980 Backup copy found, using it..
19:58:12:875 3980 will be cured on next reboot
19:58:12:937 3980 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
19:58:13:015 3980 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
19:58:13:218 3980 DMICall (526192bf7696f72e29777bf4a180513a) C:\WINDOWS\system32\DRIVERS\DMICall.sys
19:58:13:265 3980 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
19:58:13:343 3980 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
19:58:13:390 3980 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
19:58:13:421 3980 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
19:58:13:515 3980 E100B (d57a8fc800b501ac05b10d00f66d127a) C:\WINDOWS\system32\DRIVERS\e100b325.sys
19:58:13:562 3980 e1express (389cf2cded384be477c3b3f15747d495) C:\WINDOWS\system32\DRIVERS\e1e5132.sys
19:58:13:640 3980 faproct (dff07ff79089e1c6bd18aa52e76ed2a5) C:\WINDOWS\system32\DRIVERS\faproct.sys
19:58:13:687 3980 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
19:58:13:718 3980 faunidrv (dfeabb7cfffadea4a912ab95bdc3177a) C:\WINDOWS\system32\DRIVERS\faunidrv.sys
19:58:13:750 3980 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\drivers\Fdc.sys
19:58:13:781 3980 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
19:58:13:812 3980 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys
19:58:13:890 3980 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
19:58:14:046 3980 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
19:58:14:125 3980 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
19:58:14:203 3980 GEARAspiWDM (df6e37b27a9a1a498c6d9f29995b7a03) C:\WINDOWS\system32\Drivers\GEARAspiWDM.sys
19:58:14:265 3980 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
19:58:14:328 3980 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
19:58:14:375 3980 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
19:58:14:453 3980 HSFHWAZL (acc46dda7fece95a253ae88cea172e12) C:\WINDOWS\system32\DRIVERS\HSFHWAZL.sys
19:58:14:625 3980 HSF_DPV (c9f4e7da78a02623abf78a4a34ce79b1) C:\WINDOWS\system32\DRIVERS\HSF_DPV.sys
19:58:14:843 3980 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
19:58:14:984 3980 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
19:58:15:109 3980 ialm (81efe1c5542afb2570758f39ae3b1151) C:\WINDOWS\system32\DRIVERS\ialmnt5.sys
19:58:15:203 3980 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
19:58:15:265 3980 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
19:58:15:453 3980 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
19:58:15:531 3980 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
19:58:15:593 3980 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
19:58:15:640 3980 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
19:58:15:734 3980 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
19:58:15:781 3980 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
19:58:15:843 3980 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
19:58:15:875 3980 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
19:58:15:921 3980 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
19:58:15:984 3980 klmd23 (67e1faa88fb397b3d56909d7e04f4dd3) C:\WINDOWS\system32\drivers\klmd.sys
19:58:16:140 3980 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
19:58:16:187 3980 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
19:58:16:265 3980 mdmxsdk (e246a32c445056996074a397da56e815) C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys
19:58:16:328 3980 MHNDRV (7f2f1d2815a6449d346fcccbc569fbd6) C:\WINDOWS\system32\DRIVERS\mhndrv.sys
19:58:16:375 3980 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
19:58:16:406 3980 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
19:58:16:468 3980 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
19:58:16:531 3980 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
19:58:16:656 3980 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
19:58:16:734 3980 MpFilter (8bf5b8c88b83afa326ef090d8b5a77c6) C:\WINDOWS\system32\DRIVERS\MpFilter.sys
19:58:16:796 3980 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
19:58:16:906 3980 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
19:58:17:031 3980 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
19:58:17:109 3980 MSFWDrv (62ad99d69e1f92780e61ba71962cd9b0) C:\WINDOWS\system32\DRIVERS\msfwdrv.sys
19:58:17:203 3980 MSFWHLPR (e7578ca31182623c71b60a4cff54f53e) C:\WINDOWS\system32\DRIVERS\msfwhlpr.sys
19:58:17:281 3980 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
19:58:17:312 3980 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
19:58:17:406 3980 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
19:58:17:515 3980 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
19:58:17:593 3980 MSTEE (e53736a9e30c45fa9e7b5eac55056d1d) C:\WINDOWS\system32\drivers\MSTEE.sys
19:58:17:625 3980 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
19:58:17:671 3980 NABTSFEC (5b50f1b2a2ed47d560577b221da734db) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
19:58:17:718 3980 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
19:58:17:765 3980 NdisIP (7ff1f1fd8609c149aa432f95a8163d97) C:\WINDOWS\system32\DRIVERS\NdisIP.sys
19:58:17:859 3980 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
19:58:17:953 3980 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
19:58:18:203 3980 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
19:58:18:437 3980 NDProxy (6215023940cfd3702b46abc304e1d45a) C:\WINDOWS\system32\drivers\NDProxy.sys
19:58:18:875 3980 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
19:58:19:312 3980 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
19:58:19:406 3980 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys
19:58:19:453 3980 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
19:58:19:500 3980 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
19:58:19:718 3980 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
19:58:19:890 3980 nv (16ee81f89c97d15da2b0dadb594ffc62) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
19:58:20:171 3980 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
19:58:20:203 3980 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
19:58:20:281 3980 ohci1394 (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys
19:58:20:343 3980 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\drivers\Parport.sys
19:58:20:375 3980 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
19:58:20:421 3980 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
19:58:20:500 3980 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
19:58:20:546 3980 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
19:58:20:640 3980 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\DRIVERS\pcmcia.sys
19:58:20:921 3980 pfc (6c1618a07b49e3873582b6449e744088) C:\WINDOWS\system32\drivers\pfc.sys
19:58:20:953 3980 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
19:58:20:984 3980 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
19:58:21:031 3980 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
19:58:21:093 3980 PxHelp20 (d86b4a68565e444d76457f14172c875a) C:\WINDOWS\system32\Drivers\PxHelp20.sys
19:58:21:171 3980 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
19:58:21:250 3980 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
19:58:21:281 3980 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
19:58:21:328 3980 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
19:58:21:375 3980 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
19:58:21:437 3980 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
19:58:21:484 3980 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
19:58:21:718 3980 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
19:58:21:796 3980 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
19:58:21:828 3980 ROOTMODEM (d8b0b4ade32574b2d9c5cc34dc0dbbe7) C:\WINDOWS\system32\Drivers\RootMdm.sys
19:58:21:875 3980 s24trans (1cc074e0d48383d4e9bffc6a26c2a58a) C:\WINDOWS\system32\DRIVERS\s24trans.sys
19:58:22:046 3980 SASDIFSV (a3281aec37e0720a2bc28034c2df2a56) C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
19:58:22:093 3980 SASKUTIL (61db0d0756a99506207fd724e3692b25) C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS
19:58:22:187 3980 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
19:58:22:265 3980 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\drivers\Serial.sys
19:58:22:328 3980 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\DRIVERS\sfloppy.sys
19:58:22:390 3980 SI3132 (716a724a447c559f122ea140d636fa48) C:\WINDOWS\system32\DRIVERS\SI3132.sys
19:58:22:562 3980 SiFilter (72cf151fb410e544904dbc7d7f29b796) C:\WINDOWS\system32\DRIVERS\SiWinAcc.sys
19:58:22:609 3980 SiRemFil (62fd549acf2943f89612a8777295fa57) C:\WINDOWS\system32\DRIVERS\SiRemFil.sys
19:58:22:656 3980 SLIP (866d538ebe33709a5c9f5c62b73b7d14) C:\WINDOWS\system32\DRIVERS\SLIP.sys
19:58:22:703 3980 SNC (be6038e0a7d2e2fe69107e41a0265831) C:\WINDOWS\system32\Drivers\SonyNC.sys
19:58:22:796 3980 SonyImgF (b98be9c307a7f6695203a294276f9cd8) C:\WINDOWS\system32\DRIVERS\SonyImgF.sys
19:58:22:843 3980 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
19:58:22:906 3980 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
19:58:22:968 3980 Srv (89220b427890aa1dffd1a02648ae51c3) C:\WINDOWS\system32\DRIVERS\srv.sys
19:58:23:109 3980 STHDA (bbbc5bf9a5f1fb5d57e91b944d2e51a5) C:\WINDOWS\system32\drivers\sthda.sys
19:58:23:281 3980 streamip (77813007ba6265c4b6098187e6ed79d2) C:\WINDOWS\system32\DRIVERS\StreamIP.sys
19:58:23:328 3980 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
19:58:23:359 3980 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
19:58:23:437 3980 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
19:58:23:578 3980 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
19:58:23:656 3980 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
19:58:23:734 3980 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
19:58:23:828 3980 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
19:58:24:000 3980 ti21sony (403d3ed8b7f5e5a47e1e51fe5297c640) C:\WINDOWS\system32\drivers\ti21sony.sys
19:58:24:078 3980 tosporte (6a404454c6133e749be33892eb6ffa35) C:\WINDOWS\system32\DRIVERS\tosporte.sys
19:58:24:140 3980 Tosrfbd (e4901804c4d8d613fa3560de2c2e0261) C:\WINDOWS\system32\Drivers\tosrfbd.sys
19:58:24:171 3980 Tosrfbnp (613e09572f4c5b92ca6be8bdc4cc5b7d) C:\WINDOWS\system32\Drivers\tosrfbnp.sys
19:58:24:250 3980 Tosrfcom (5ba1ca3b3cddb1ddc67df473f05d1ec2) C:\WINDOWS\system32\Drivers\tosrfcom.sys
19:58:24:296 3980 Tosrfhid (7726332391d8fca1a491a17f592fd6b3) C:\WINDOWS\system32\DRIVERS\Tosrfhid.sys
19:58:24:328 3980 tosrfnds (c52fd27b9adf3a1f22cb90e6bcf9b0cb) C:\WINDOWS\system32\DRIVERS\tosrfnds.sys
19:58:24:375 3980 Tosrfusb (7414a6461bc83a22b0ae009ace3e375b) C:\WINDOWS\system32\Drivers\tosrfusb.sys
19:58:24:437 3980 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
19:58:24:640 3980 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
19:58:24:703 3980 USBAAPL (026f7f224f088ee11e383bca448fff81) C:\WINDOWS\system32\Drivers\usbaapl.sys
19:58:24:750 3980 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
19:58:24:828 3980 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
19:58:24:859 3980 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
19:58:24:906 3980 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
19:58:24:937 3980 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
19:58:25:000 3980 usbstor (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
19:58:25:171 3980 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
19:58:25:250 3980 usbvm321 (f9d550545afec1d581d2539f3488c4cd) C:\WINDOWS\system32\Drivers\usbvm321.sys
19:58:25:328 3980 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
19:58:25:390 3980 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
19:58:25:531 3980 w39n51 (73395a19fc86461a151d3c330604e8b3) C:\WINDOWS\system32\DRIVERS\w39n51.sys
19:58:25:765 3980 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
19:58:25:812 3980 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
19:58:25:921 3980 winachsf (c1d5cbd8aa0d674da1ba1bb189696396) C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys
19:58:25:984 3980 WSTCODEC (c98b39829c2bbd34e454150633c62c78) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
19:58:26:000 3980 Reboot required for cure complete..
19:58:26:437 3980 Cure on reboot scheduled successfully
19:58:26:437 3980
19:58:26:437 3980 Completed
19:58:26:437 3980
19:58:26:437 3980 Results:
19:58:26:437 3980 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
19:58:26:437 3980 File objects infected / cured / cured on reboot: 1 / 0 / 1
19:58:26:437 3980
19:58:26:437 3980 KLMD(ARK) unloaded successfully
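The TDSSKiller output above enumerates every loaded driver with its MD5 and path, then reports how many objects it found and whether the cure is deferred to reboot. Alureon/TDL3 infections of this era patched a legitimate system driver in place, so the infected file keeps its original name and path and only its hash gives it away. The parser below is an added example, not part of the original post or of TDSSKiller itself: it reads log lines in the format shown on this page, pulls out the driver hashes and the "Results:" counters, and compares the hashes against a known-good baseline. The sample log and the `KNOWN_GOOD` table are constructed for the example (the baseline's mismatching entry is a deliberate placeholder, not a real hash); a practitioner would fill the baseline from a clean install or from the vendor's file catalog.

```python
import re
from dataclasses import dataclass

# Driver enumeration line, as in the posted log:
#   HH:MM:SS:mmm <pid> <service> (<md5>) <path>
DRIVER_LINE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2}:\d{3})\s+(?P<pid>\d+)\s+"
    r"(?P<service>\S+)\s+\((?P<md5>[0-9a-f]{32})\)\s+(?P<path>.+?)\s*$"
)

# Summary counters, e.g. "File objects infected / cured / cured on reboot: 1 / 0 / 1"
RESULT_LINE = re.compile(
    r"^\d{2}:\d{2}:\d{2}:\d{3}\s+\d+\s+(?P<kind>Registry|File) objects infected / cured / "
    r"cured on reboot:\s*(?P<infected>\d+)\s*/\s*(?P<cured>\d+)\s*/\s*(?P<on_reboot>\d+)"
)


@dataclass
class DriverEntry:
    service: str
    md5: str
    path: str


def parse_log(text):
    """Return (drivers, results, reboot_pending) from TDSSKiller log text.

    results maps "registry"/"file" to (infected, cured, cured_on_reboot)."""
    drivers = []
    results = {}
    reboot_pending = False
    for line in text.splitlines():
        m = DRIVER_LINE.match(line)
        if m:
            drivers.append(DriverEntry(m["service"], m["md5"], m["path"]))
            continue
        m = RESULT_LINE.match(line)
        if m:
            results[m["kind"].lower()] = (
                int(m["infected"]), int(m["cured"]), int(m["on_reboot"]))
            continue
        if "Cure on reboot scheduled successfully" in line:
            reboot_pending = True
    return drivers, results, reboot_pending


def check_hashes(drivers, baseline):
    """Flag drivers whose MD5 differs from the baseline for the same (case-folded) path.

    Paths absent from the baseline are skipped rather than flagged, because a
    baseline is normally partial (OEM and third-party drivers vary per machine)."""
    findings = []
    for d in drivers:
        expected = baseline.get(d.path.lower())
        if expected is not None and expected != d.md5:
            findings.append((d.service, d.path, d.md5, expected))
    return findings


def summarize(text, baseline):
    """Combine hash findings with the tool's own counters into one dict."""
    drivers, results, reboot_pending = parse_log(text)
    infected, cured, on_reboot = results.get("file", (0, 0, 0))
    return {
        "drivers_enumerated": len(drivers),
        "hash_mismatches": check_hashes(drivers, baseline),
        "file_infected": infected,
        "file_pending_reboot": on_reboot,
        "reboot_pending": reboot_pending,
        # Objects the tool neither cured nor scheduled: these need follow-up.
        "uncured": infected - cured - on_reboot,
    }


# Constructed sample in the page's log format (hashes for the first three lines
# are the ones shown in the posted log).
SAMPLE_LOG = r"""
19:58:23:578 3980 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
19:58:24:640 3980 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
19:58:24:703 3980 USBAAPL (026f7f224f088ee11e383bca448fff81) C:\WINDOWS\system32\Drivers\usbaapl.sys
19:58:26:000 3980 Reboot required for cure complete..
19:58:26:437 3980 Cure on reboot scheduled successfully
19:58:26:437 3980 Completed
19:58:26:437 3980 Results:
19:58:26:437 3980 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
19:58:26:437 3980 File objects infected / cured / cured on reboot: 1 / 0 / 1
19:58:26:437 3980 KLMD(ARK) unloaded successfully
"""

# Hypothetical baseline keyed by lower-cased path. The usbaapl.sys entry is a
# placeholder chosen to differ from the log, so it shows up as a mismatch.
KNOWN_GOOD = {
    r"c:\windows\system32\drivers\tcpip.sys": "9aefa14bd6b182d61e3119fa5f436d3d",
    r"c:\windows\system32\drivers\update.sys": "402ddc88356b1bac0ee3dd1580c76a31",
    r"c:\windows\system32\drivers\usbaapl.sys": "00000000000000000000000000000000",
}

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG, KNOWN_GOOD).items():
        print(f"{key}: {value}")
```

A mismatch against a trusted baseline is the signal to act on; the tool's "cured on reboot" counter only tells you a fix is scheduled, so re-running the scan after the reboot and confirming `uncured` is zero and the mismatch list is empty is the check that the cure actually took.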


#15 Gil Milet

  • Topic Starter

  • Members
  • 17 posts

Posted 07 June 2010 - 10:26 PM

Hi Gringo!

After I sent the above log using my infected computer, I was thrown out of the BleepingComputer website. Also, I am still being redirected to other websites. Windows Live OneCare is also flashing the failure to remove the Alureon.H virus. There are also other messages that the firewall blocked sites like 'myftp', and others that I did not have a chance to write down. It looks like my computer still has a lot of issues.

Kind regards,



