
Missing or hidden Windows components.


3 replies to this topic

#1 RJGallagher


Posted 02 July 2010 - 02:31 AM

Here it goes.

I'm running Windows XP Professional
any versions or service packs are unknown because they are not accessible.

Also not accessible are the following:
Control Panel (no longer listed anywhere)
Folder Options (no longer listed anywhere)
screen options (includes wallpaper, screen savers, resolutions and the works)

Any access tried is met with a message stating about lack of Administrator privileges.
Of course it's the same if I'm in the Administrator profile (in or out of safe mode)

While browsing the internet there are constant redirects no matter what browser I may be using.

When going after windows updates the browser won't even bring up the Microsoft web site.

Multiple programs have been run including:
AVAST anti virus (currently running in the background)
HijackThis
UnHackMe
Malwarebytes Anti-Malware
AVG anti-Spyware
RegRun Reanimator
(The machine would not let me install McAfee because of the same admin privileges problem.)

Each was able to find and remove some things but not all (This machine is jacked up!)

The AVAST still will pop up with a blocked Trojan Horse it lists as winlogon.exe which is located in C:\WINDOWS\system32\winlogon.exe

I tried downloading the dds program to create a log but I get an error and it shuts down whenever I try to run it.

I'm including the latest GMER and HijackThis logs and hope with someone's help I can get this resolved.

Please let me know if there is anything else I may be able to provide to help.

Thank you
RJ


GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-07-02 03:11:43
Windows 5.1.2600
Running: gmer.exe; Driver: C:\DOCUME~1\Frenchei\LOCALS~1\Temp\pwtyypog.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwClose [0x9E2CBCD2]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateKey [0x9E2CBB8E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteKey [0x9E2CC142]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteValueKey [0x9E2CC06C]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDuplicateObject [0x9E2CB764]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenKey [0x9E2CBC68]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenProcess [0x9E2CB6A4]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenThread [0x9E2CB708]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwQueryValueKey [0x9E2CBD88]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRenameKey [0x9E2CC210]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRestoreKey [0x9E2CBD48]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwSetValueKey [0x9E2CBEC8]
SSDT \??\C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys ZwTerminateProcess [0xB0D1D812]

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateProcessEx [0x9E2D8B9C]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateSection [0x9E2D89C0]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwLoadDriver [0x9E2D8AFA]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) NtCreateSection
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ObInsertObject
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ObMakeTemporaryObject

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!KeInitializeInterrupt + A60 804D4E75 13 Bytes [0E, 90, 83, EC, 04, C7, 04, ...] {PUSH CS; NOP ; SUB ESP, 0x4; MOV DWORD [ESP], 0x82ad4ce0; RETF }
.text ntoskrnl.exe!KeInitializeInterrupt + B79 804D4F8E 1 Byte [06]
.text ntoskrnl.exe!KeI386Call16BitCStyleFunction + 170 804FC688 4 Bytes [D2, BC, 2C, 9E]
.text ntoskrnl.exe!KeI386Call16BitCStyleFunction + 1B0 804FC6C8 4 Bytes [8E, BB, 2C, 9E]
.text ntoskrnl.exe!KeI386Call16BitCStyleFunction + 208 804FC720 4 Bytes [42, C1, 2C, 9E]
.text ntoskrnl.exe!KeI386Call16BitCStyleFunction + 210 804FC728 4 Bytes [6C, C0, 2C, 9E]
.text ntoskrnl.exe!KeI386Call16BitCStyleFunction + 21C 804FC734 4 Bytes [64, B7, 2C, 9E]
.text ...
PAGE ntoskrnl.exe!ObInsertObject 80570F3E 5 Bytes JMP 9E2D5F6C \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
PAGE ntoskrnl.exe!NtCreateSection 805711D5 7 Bytes JMP 9E2D89C4 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
PAGE ntoskrnl.exe!ZwCreateProcessEx 80580346 7 Bytes JMP 9E2D8BA0 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
PAGE ntoskrnl.exe!ZwLoadDriver 805A74A9 7 Bytes JMP 9E2D8AFE \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
PAGE ntoskrnl.exe!ObMakeTemporaryObject 805B6C56 5 Bytes JMP 9E2D45B4 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
? mruid.sys The system cannot find the file specified. !
.text MountMgr.sys F76A9200 4 Bytes [C1, 01, 00, 00]
.text MountMgr.sys F76A9205 13 Bytes [08, 00, 00, 00, 02, 00, 00, ...]
.text MountMgr.sys F76A9213 249 Bytes [00, 00, 00, 00, 00, 00, 00, ...]
.text MountMgr.sys F76A930D 34 Bytes [00, 5C, 00, 56, 00, 6F, 00, ...]
.text MountMgr.sys F76A9330 5 Bytes [69, 00, 74, 00, 65]
.text ...
.text C:\WINDOWS\system32\drivers\MountMgr.sys section is writeable [0xF76A9200, 0x22AA4, 0xE8000020]
.data C:\WINDOWS\system32\drivers\MountMgr.sys unknown last section [0xF76CBCE0, 0xD0A0, 0xC8000040]
.text Ntfs.sys F758F687 13 Bytes [0E, 90, 83, EC, 04, C7, 04, ...] {PUSH CS; NOP ; SUB ESP, 0x4; MOV DWORD [ESP], 0x82ae76d4; RETF }
.text Ntfs.sys F7590428 13 Bytes [0E, 90, 83, EC, 04, C7, 04, ...] {PUSH CS; NOP ; SUB ESP, 0x4; MOV DWORD [ESP], 0x82aea1b4; RETF }
.text Ntfs.sys F75910B1 13 Bytes [0E, 90, 83, EC, 04, C7, 04, ...] {PUSH CS; NOP ; SUB ESP, 0x4; MOV DWORD [ESP], 0x82ade0dd; RETF }
PAGE Ntfs.sys F75A9200 13 Bytes [0E, 90, 83, EC, 04, C7, 04, ...] {PUSH CS; NOP ; SUB ESP, 0x4; MOV DWORD [ESP], 0x82ad1025; RETF }
PAGE Ntfs.sys F75A9DA5 13 Bytes [0E, 90, 83, EC, 04, C7, 04, ...] {PUSH CS; NOP ; SUB ESP, 0x4; MOV DWORD [ESP], 0x82adebcd; RETF }
PAGE ...
.text tcpip.sys!IPRegisterARP + FFFD9B88 9E3B2380 13 Bytes [0E, 90, 83, EC, 04, C7, 04, ...] {PUSH CS; NOP ; SUB ESP, 0x4; MOV DWORD [ESP], 0x82ace155; RETF }
.text tcpip.sys!IPTransmit + 1881 9E3B56AF 13 Bytes [0E, 90, 83, EC, 04, C7, 04, ...] {PUSH CS; NOP ; SUB ESP, 0x4; MOV DWORD [ESP], 0x82accf9a; RETF }
.text tcpip.sys!IPTransmit + 77E7 9E3BB615 13 Bytes [0E, 90, 83, EC, 04, C7, 04, ...] {PUSH CS; NOP ; SUB ESP, 0x4; MOV DWORD [ESP], 0x82ae8f72; RETF }
.text tcpip.sys!IPRegisterARP + 6879 9E3DF071 4 Bytes [F4, 04, 40, 82]
.text tcpip.sys!IPRegisterARP + 6CE8 9E3DF4E0 4 Bytes [5C, 12, 69, 82] {POP ESP; ADC CH, [ECX-0x7e]}
.text tcpip.sys!IPRegisterARP + 870B 9E3E0F03 4 Bytes [4C, F3, 67, 82]
PAGELK tcpip.sys!IPRegisterARP + 2020A 9E3F8A02 4 Bytes [1C, 54, 69, 82]
? C:\WINDOWS\System32\affc.sys The process cannot access the file because it is being used by another process.
.text wanarp.sys B110C0C1 13 Bytes [0E, 90, 83, EC, 04, C7, 04, ...] {PUSH CS; NOP ; SUB ESP, 0x4; MOV DWORD [ESP], 0x82ad1718; RETF }

---- User code sections - GMER 1.0.15 ----

.rsrc C:\WINDOWS\system32\winlogon.exe[712] C:\WINDOWS\system32\winlogon.exe section is executable [0x01064000, 0xA000, 0xE0000060]
.rsrc C:\WINDOWS\system32\winlogon.exe[712] C:\WINDOWS\system32\winlogon.exe entry point in ".rsrc" section [0x0106D200]
.text C:\Program Files\Mozilla Firefox\firefox.exe[3200] ntdll.dll!LdrLoadDll 77F569D2 5 Bytes JMP 004013F0 C:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs aswSP.SYS (avast! self protection module/ALWIL Software)

AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Tcp affc.sys
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet002\Control\Session Manager@PendingFileRenameOperations ???6?>?????6????PCI\VEN_10DE&DEV_02F9&REV_A2?PCI\VEN_10DE&DEV_02F9?PCI\VEN_10DE&CC_050000?PCI\VEN_10DE&CC_0500?PCI\VEN_10DE?PCI\CC_050000?PCI\CC_0500???????{4D36E97D-E325-11CE-BFC1-08002BE10318}??????? ???6????????????????N??6???I????Dge????????5???????e??? ???6???S??????s1???????5??????s????????+???????????????6???????e?????????????????????6????Telephony???PCI standard PCI-to-PCI bridge?????????????????????s?? ?????????????????? ???????6???????????????????????????????f??? ???????5?????6????????????????????(???????????????????????? ???????6?????6?? ???????????&??????????????1??PCI\VEN_10DE&DEV_02FA&SUBSYS_60061509&REV_A2?PCI\VEN_10DE&DEV_02FA&SUBSYS_60061509?PCI\VEN_10DE&DEV_02FA&CC_050000?PCI\VEN_10DE&DEV_02FA&CC_0500??????X??6???????????????????????????????????+??? ???e????N??8????????D???????????????????????????N??6????????D??????? ??6?????????????n?????????+???????e?????6????PCI\VEN_10DE&DEV_02FA&REV_A2?PCI\VEN_10DE&DEV_02FA?PCI\VEN_10DE&CC_050000?PCI\VEN_10DE&CC_0500?PCI\VEN_10DE?PCI\CC_050000?PCI\CC_05
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@AppInit_DLLs C:\WINDOWS\system32\wowfx.dll
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DeviceNotSelectedTimeout 15
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@GDIProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler yes
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@swapdisk
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@TransmissionRetryTimeout 90
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@UserData 0x04 0x00 0x00 0x00

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\mountmgr.sys (size mismatch) 195968/37504 bytes executable

---- EOF - GMER 1.0.15 ----

*************************************************************************

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 3:27:12 AM, on 7/2/2010
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\McAfee\Common Framework\udaterui.exe
C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe
C:\WINDOWS\System32\msiexec.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\retadpu1000106.exe 61A847B5BBF72813329B385772FF01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310
O4 - HKLM\..\Run: [oeedspeu] C:\Program Files\Wcvfrxyc\oeedspeu.exe
O4 - HKLM\..\Run: [clcl16] C:\WINDOWS\System32\clcl16.exe
O4 - HKLM\..\Run: [avp] C:\WINDOWS\TEMP\win29D3.exe
O4 - HKLM\..\Run: [ntcnycmd] KB69262074.exe
O4 - HKLM\..\Run: [trdmens] C:\WINDOWS\System32\plstsme.exe
O4 - HKLM\..\Run: [shdned] C:\WINDOWS\System32\bcdheeld.exe
O4 - HKLM\..\Run: [ygmnuing] C:\Program Files\Vfnvhcld\ygmnuing.exe
O4 - HKLM\..\Run: [fmcwioxm] C:\Program Files\Rnxafhnh\fmcwioxm.exe
O4 - HKLM\..\Run: [_] c:\windows\system32\drivers\wmq.exe
O4 - HKLM\..\Run: [lscwkbxq] C:\Program Files\Pdbxviaz\lscwkbxq.exe
O4 - HKLM\..\Run: [dmjev.exe] C:\WINDOWS\System32\dmjev.exe
O4 - HKLM\..\Run: [dmlgn.exe] C:\WINDOWS\System32\dmlgn.exe
O4 - HKLM\..\Run: [svpsbnnc] C:\Program Files\Zdbzqlnv\svpsbnnc.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [{1D-DF-F2-2C-ZN}] c:\windows\system32\dsrng.exe CHD001
O4 - HKLM\..\Run: [ShareSearcher] c:\winlprc.exe
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\udaterui.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [avast5] C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe /nogui
O4 - HKCU\..\Run: [ISMModule4] "C:\Program Files\ISM\ISMModule4.exe"
O4 - HKCU\..\Run: [Iza] C:\WINDOWS\system32\??crosoft.NET\?hkntfs.exe
O4 - HKCU\..\Run: [WinAble] C:\Program Files\WinAble\winable.exe
O4 - HKCU\..\Run: [WinAVX] C:\WINDOWS\System32\WinAvXX.exe
O4 - HKCU\..\Run: [Insider] C:\Program Files\Insider\Insider.exe
O4 - HKCU\..\Run: [Words] C:\Program Files\Words\Words.exe
O4 - HKCU\..\Run: [WinTouch] c:\docume~1\frenchei\applic~1\wintouch\wintouch.exe
O4 - HKCU\..\Run: [ntcnycmd] KB69262074.exe
O4 - HKCU\..\Run: [trdmens] C:\WINDOWS\System32\plstsme.exe
O4 - HKCU\..\Run: [shdned] C:\WINDOWS\System32\bcdheeld.exe
O4 - HKCU\..\Run: [ISMPack5] "C:\Program Files\ISM2\ISMPack5.exe"
O4 - HKCU\..\Run: [DoNotDelete] C:\WINDOWS\System32\explore.exe
O4 - HKCU\..\Run: [Regscan] C:\WINDOWS\System32\regscan.exe
O4 - HKCU\..\Run: [main] C:\WINDOWS\System32\drivers\system.exe
O4 - HKCU\..\Run: [default] C:\Documents and Settings\Frenchei\winmain.exe
O4 - HKCU\..\RunOnce: [sysinit] C:\WINDOWS\System32\drivers\system.exe
O4 - HKCU\..\RunOnce: [winmz] C:\Documents and Settings\Frenchei\winmain.exe
O4 - HKUS\S-1-5-18\..\Run: [WinAVX] C:\WINDOWS\System32\WinAvXX.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [WinAVX] C:\WINDOWS\System32\WinAvXX.exe (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1278041948249
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Mail Scanner - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: avast! Web Scanner - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Apache Software Foundation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: Routing and Remote Access RemoteAccessNla (RemoteAccessNla) - Unknown owner - C:\WINDOWS\System32\A1z.exe (file missing)
O23 - Service: Remote Procedure Call (RPC) RpcSsProtectedStorage (RpcSsProtectedStorage) - Unknown owner - C:\WINDOWS\System32\file.exe (file missing)
O23 - Service: Performance Logs and Alerts SysmonLogNtLmSsp (SysmonLogNtLmSsp) - Unknown owner - C:\WINDOWS\System32\1033n.exe (file missing)
O23 - Service: Universal Plug and Play Device Host upnphostTermService (upnphostTermService) - Unknown owner - C:\WINDOWS\System32\A1n.exe (file missing)
O24 - Desktop Component 0: (no name) - C:\Program Files\Windows NT\profsywuypr.html

--
End of file - 8335 bytes
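Added example, not part of RJGallagher's post and not code from HijackThis or any other tool named in this thread: a small Python triage pass over O4 (autostart) and O23 (service) lines in the format of the log above, flagging the things a log reviewer looks for first. The sample lines are copied from the posted log with two benign entries added for contrast; the flag names and heuristics are this example's own.

```python
"""Triage of HijackThis O4 (autostart) and O23 (service) lines.

Added example, not from the thread and not from Trend Micro's HijackThis.
The heuristics are the ones a log reviewer applies by eye: they mark
entries worth a second look, they do not prove anything is malicious.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: lines copied from the log posted above, plus two
# benign entries (jusched.exe, the avast! service) for contrast.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [avp] C:\WINDOWS\TEMP\win29D3.exe
O4 - HKLM\..\Run: [ntcnycmd] KB69262074.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKCU\..\Run: [default] C:\Documents and Settings\Frenchei\winmain.exe
O4 - HKCU\..\Run: [Iza] C:\WINDOWS\system32\??crosoft.NET\?hkntfs.exe
O4 - HKCU\..\Run: [main] C:\WINDOWS\System32\drivers\system.exe
O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: Routing and Remote Access RemoteAccessNla (RemoteAccessNla) - Unknown owner - C:\WINDOWS\System32\A1z.exe (file missing)
"""

O4_RE = re.compile(r"^O4 - (?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<display>.+?) - (?P<owner>.+?) - (?P<cmd>.+)$")
EXE_RE = re.compile(r'^"?(?P<exe>[^"]+?\.exe)"?', re.IGNORECASE)
PROFILE_ROOT_RE = re.compile(r"^[A-Z]:\\Documents and Settings\\[^\\]+\\[^\\]+\.exe$",
                             re.IGNORECASE)


@dataclass
class Finding:
    line_no: int
    kind: str          # "O4" or "O23"
    name: str          # Run-key value name or service display name
    exe: str           # executable path as written in the log
    flags: list = field(default_factory=list)


def executable_of(cmd):
    """Return the executable at the head of a command line, quotes stripped."""
    m = EXE_RE.match(cmd.strip())
    return m.group("exe") if m else cmd.strip()


def flags_for(exe, line, owner=None):
    """Apply the reviewer's eyeball heuristics to one entry."""
    flags = []
    if "(file missing)" in line:
        flags.append("FILE_MISSING")        # dead entry, or loader not yet dropped
    if owner == "Unknown owner":
        flags.append("UNKNOWN_OWNER")       # no vendor on a Windows-sounding service
    if re.search(r"\\temp\\", exe, re.IGNORECASE):
        flags.append("RUNS_FROM_TEMP")      # legitimate autostarts do not live in TEMP
    if "\\" not in exe:
        flags.append("BARE_FILENAME")       # resolved by PATH search at logon
    if PROFILE_ROOT_RE.match(exe):
        flags.append("USER_PROFILE_ROOT")   # .exe dropped straight into the profile
    if re.search(r"\\drivers\\[^\\]+\.exe$", exe, re.IGNORECASE):
        flags.append("EXE_IN_DRIVERS")      # drivers\ holds .sys files, not programs
    if "?" in exe or any(ord(c) < 32 for c in exe):
        flags.append("NONPRINTABLE_PATH")   # characters the tool could not render
    return flags


def triage(text):
    """Parse O4/O23 lines and return only the entries that raised a flag."""
    findings = []
    for line_no, line in enumerate(text.strip().splitlines(), 1):
        if m := O4_RE.match(line):
            exe = executable_of(m.group("cmd"))
            f = Finding(line_no, "O4", m.group("name"), exe, flags_for(exe, line))
        elif m := O23_RE.match(line):
            exe = executable_of(m.group("cmd"))
            f = Finding(line_no, "O23", m.group("display"), exe,
                        flags_for(exe, line, m.group("owner")))
        else:
            continue
        if f.flags:
            findings.append(f)
    return findings


def summarize(findings):
    """Count how often each flag fired, for a quick read of the whole log."""
    counts = {}
    for f in findings:
        for flag in f.flags:
            counts[flag] = counts.get(flag, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"line {f.line_no:>2} {f.kind:<3} [{f.name}] {f.exe} -> {', '.join(f.flags)}")
    print(summarize(triage(SAMPLE_LOG)))
```

Run against the full posted log, the same pass would also pick up the other `drivers\*.exe` entries and the three remaining "Unknown owner ... (file missing)" services.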





#2 kahdah

  • Security Colleague

Posted 06 July 2010 - 07:00 AM

Hello RJGallagher

Welcome to BleepingComputer
==========================
You are seriously infected.


Looking at your system now, one or more of the identified infections is a backdoor Trojan\Rootkit.

If this computer is ever used for on-line banking, I suggest you do the following immediately:

1. Call all of your banks, credit card companies, financial institutions and inform them that you may be a victim of identity theft and to put a watch on your accounts or change all your account numbers.

2. From a clean computer, change ALL your on-line passwords for email, for banks, financial accounts, PayPal, eBay, on-line companies, any on-line forums or groups you belong to.

Do NOT change passwords or do any transactions while using the infected computer because the attacker will get the new passwords and transaction information.
=======
Download TDSSKiller and save it to your Desktop.
  • Right click on the file and choose Extract All, extract the file to your desktop, then run it.
  • If prompted to restart the computer type in Y then it will restart.
  • Or if you are prompted with a hidden service warning do go ahead and delete it.
  • Once completed it will create a log in your C:\ drive
  • Please post the contents of that log
========

Download ComboFix from one of these locations:

Link 1
Link 2


* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.


**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here.

#3 RJGallagher

  • Topic Starter

Posted 06 July 2010 - 11:44 AM

Thank you so much for your quick response.

Fortunately the previous owners of this machine only used it for music, games and pix and nothing really personal or financial.

I followed your instructions and the tdsskiller log follows.

My problem occurred when running ComboFix.

I was able to download the file to my desktop without incident but when I tried to run it I only got the little ComboFix box with the status bar. It completed then finished without any prompt or any log being posted to the C: drive.

I performed this with all my anti-virus, anti-spyware and anti-malware programs disabled and with my firewall turned off. I also tried it in safe mode, which also produced no log. I tried both links that you provided just in case one was having a problem but received the same result from both.

Here goes the tdss log and thanks again for your assistance. Hope to hear from you soon.

12:02:05:577 3672 TDSS rootkit removing tool 2.3.2.2 Jun 30 2010 17:23:49
12:02:05:577 3672 ================================================================================
12:02:05:577 3672 SystemInfo:

12:02:05:577 3672 OS Version: 5.1.2600 ServicePack: 0.0
12:02:05:577 3672 Product type: Workstation
12:02:05:577 3672 ComputerName: FRENCHIE
12:02:05:593 3672 UserName: Frenchei
12:02:05:593 3672 Windows directory: C:\WINDOWS
12:02:05:593 3672 System windows directory: C:\WINDOWS
12:02:05:593 3672 Processor architecture: Intel x86
12:02:05:593 3672 Number of processors: 1
12:02:05:593 3672 Page size: 0x1000
12:02:05:655 3672 Boot type: Normal boot
12:02:05:655 3672 ================================================================================
12:02:05:999 3672 Initialize success
12:02:05:999 3672
12:02:05:999 3672 Scanning Services ...
12:02:06:468 3672 Raw services enum returned 288 services
12:02:06:468 3672
12:02:06:468 3672 Scanning Drivers ...
12:02:06:921 3672 Aavmker4 (467f062f76e07512ecc1f5f60aab2988) C:\WINDOWS\System32\drivers\Aavmker4.sys
12:02:07:358 3672 ACPI (45e0d94158ca0ec71ff12dbb81b39ed3) C:\WINDOWS\System32\DRIVERS\ACPI.sys
12:02:07:765 3672 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\System32\drivers\ACPIEC.sys
12:02:08:374 3672 aec (b45a744ca0a15a59d8b0307ce9741e92) C:\WINDOWS\System32\drivers\aec.sys
12:02:08:655 3672 AFD (560dce566000fed5bbfcbca321dbb84b) C:\WINDOWS\System32\drivers\afd.sys
12:02:08:874 3672 affc (927512d65c9164f8e1a7e8f3701f6b3a) C:\WINDOWS\System32\affc.sys
12:02:08:890 3672 Suspicious file (NoAccess): C:\WINDOWS\System32\affc.sys. md5: 927512d65c9164f8e1a7e8f3701f6b3a
12:02:09:343 3672 AgereSoftModem (34f27c7d71f1c49c7d3857f28b42f544) C:\WINDOWS\System32\DRIVERS\AGRSM.sys
12:02:11:202 3672 ALCXWDM (706aa8374b4fc02d8a42493f16d5c3a4) C:\WINDOWS\System32\drivers\ALCXWDM.SYS
12:02:12:093 3672 aswMon2 (aa504fa592c9ed79174cb06b8ae340aa) C:\WINDOWS\System32\drivers\aswMon2.sys
12:02:12:249 3672 aswRdr (f385ffd39165453fda96736aa3edfd9d) C:\WINDOWS\System32\drivers\aswRdr.sys
12:02:12:515 3672 aswSP (45adea26bf613a54fed64ecdd12e58a7) C:\WINDOWS\System32\drivers\aswSP.sys
12:02:12:702 3672 aswTdi (c4ee975c87176f1900662d2874233c7f) C:\WINDOWS\System32\drivers\aswTdi.sys
12:02:12:905 3672 AsyncMac (03f403b07a884fc2aa54a0916c410931) C:\WINDOWS\System32\DRIVERS\asyncmac.sys
12:02:13:093 3672 atapi (a64013e98426e1877cb653685c5c0009) C:\WINDOWS\System32\DRIVERS\atapi.sys
12:02:13:530 3672 Atmarpc (8d735ca1cbdb0081b0e3b9ff0eb222d0) C:\WINDOWS\System32\DRIVERS\atmarpc.sys
12:02:13:765 3672 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\System32\DRIVERS\audstub.sys
12:02:13:843 3672 AVG Anti-Spyware Driver (d6f4c1450699901048818b0c3aaf7a17) C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys
12:02:14:046 3672 AvgAsCln (856b0cee009946bf2d327e6b24fe7e3f) C:\WINDOWS\System32\DRIVERS\AvgAsCln.sys
12:02:14:187 3672 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\System32\drivers\Beep.sys
12:02:14:358 3672 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\System32\drivers\cbidf2k.sys
12:02:14:655 3672 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\System32\drivers\Cdaudio.sys
12:02:14:858 3672 Cdfs (bab95bbefd0676eab2dc02cf88c99fc5) C:\WINDOWS\System32\drivers\Cdfs.sys
12:02:15:108 3672 Cdrom (cb762e814f602229a574f4d78d3d6a30) C:\WINDOWS\System32\DRIVERS\cdrom.sys
12:02:15:280 3672 Changer (f9ecf83eb508fa050bb5cbf75dcc117f) C:\WINDOWS\System32\drivers\Changer.sys
12:02:15:890 3672 Disk (43a10cd19d648e57ed039a6caa667a56) C:\WINDOWS\System32\DRIVERS\disk.sys
12:02:16:233 3672 dmboot (e18132d39407aadca6b1d19adf408a8a) C:\WINDOWS\System32\drivers\dmboot.sys
12:02:16:608 3672 dmio (aca44e9a8e2ff7c833664263c8478629) C:\WINDOWS\System32\drivers\dmio.sys
12:02:16:749 3672 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\System32\drivers\dmload.sys
12:02:16:890 3672 DMusic (ef05974d47d56fa8387f170f05bae5e7) C:\WINDOWS\System32\drivers\DMusic.sys
12:02:17:187 3672 drmkaud (aa94e0cbd79db63100d0eae061eb69bc) C:\WINDOWS\System32\drivers\drmkaud.sys
12:02:17:343 3672 Fastfat (998bbf32a142910b5e539df4225df892) C:\WINDOWS\System32\drivers\Fastfat.sys
12:02:17:546 3672 Fdc (19c5c7eac0190a42522290bf002f64ea) C:\WINDOWS\System32\drivers\Fdc.sys
12:02:17:812 3672 Fips (e153ab8a11de5452bcf5ac7652dbf3ed) C:\WINDOWS\System32\drivers\Fips.sys
12:02:17:999 3672 Flpydisk (21e41e89b9b191b685f99b7a8885310b) C:\WINDOWS\System32\drivers\Flpydisk.sys
12:02:18:140 3672 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\System32\drivers\Fs_Rec.sys
12:02:18:343 3672 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\System32\DRIVERS\ftdisk.sys
12:02:18:499 3672 gameenum (90d951a8876631e617ed64a9ddf0bafc) C:\WINDOWS\System32\DRIVERS\gameenum.sys
12:02:18:687 3672 Gpc (13591e0a02e85de2a388f3ec4bd206df) C:\WINDOWS\System32\DRIVERS\msgpc.sys
12:02:19:296 3672 i8042prt (54ae656490b33f84b4417194aa127b25) C:\WINDOWS\System32\DRIVERS\i8042prt.sys
12:02:19:483 3672 Imapi (ec8846f604b96b0a74b8c26a2bd3dc22) C:\WINDOWS\System32\drivers\Imapi.sys
12:02:19:874 3672 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\System32\DRIVERS\ipfltdrv.sys
12:02:20:030 3672 IpInIp (f56dd863ba732a4e8ee58d486c31250f) C:\WINDOWS\System32\DRIVERS\ipinip.sys
12:02:20:187 3672 IpNat (561e2aede82cae972d572c60d4e090bf) C:\WINDOWS\System32\DRIVERS\ipnat.sys
12:02:20:343 3672 IPSec (87ad207bc4437f215508024559d72f30) C:\WINDOWS\System32\DRIVERS\ipsec.sys
12:02:20:515 3672 IRENUM (b43201394646b7e98c89056edda686b5) C:\WINDOWS\System32\DRIVERS\irenum.sys
12:02:20:655 3672 isapnp (e504f706ccb699c2596e9a3da1596e87) C:\WINDOWS\System32\DRIVERS\isapnp.sys
12:02:20:827 3672 Kbdclass (9c30cd464d87102497fd7c32910e6253) C:\WINDOWS\System32\DRIVERS\kbdclass.sys
12:02:20:968 3672 klmd23 (316353165feba3d0538eaa9c2f60c5b7) C:\WINDOWS\System32\drivers\klmd.sys
12:02:21:155 3672 kmixer (ecd42891ecc1ca80fcb849511d3df186) C:\WINDOWS\System32\drivers\kmixer.sys
12:02:21:374 3672 KSecDD (abc70e8b89cce44731a346deb764bf95) C:\WINDOWS\System32\drivers\KSecDD.sys
12:02:21:655 3672 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\System32\drivers\mnmdd.sys
12:02:21:858 3672 Modem (7760873e4ec17f288e61f00044dea000) C:\WINDOWS\System32\drivers\Modem.sys
12:02:22:015 3672 Mouclass (e534ccba5714e8bfff4fb97d6453898f) C:\WINDOWS\System32\DRIVERS\mouclass.sys
12:02:22:249 3672 MountMgr (490e5679a9d664582b4df7d346258481) C:\WINDOWS\System32\drivers\MountMgr.sys
12:02:22:249 3672 Suspicious file (Forged): C:\WINDOWS\System32\drivers\MountMgr.sys. Real md5: 490e5679a9d664582b4df7d346258481, Fake md5: d4face53a1c48cf8419b4cf494d2ee2e
12:02:37:452 3672
12:02:37:452 3672 Completed
12:02:37:452 3672
12:02:37:452 3672 Results:
12:02:37:452 3672 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
12:02:37:452 3672 File objects infected / cured / cured on reboot: 0 / 0 / 0
12:02:37:468 3672
12:02:37:468 3672 KLMD(ARK) unloaded successfully


#4 kahdah

kahdah

  • Security Colleague
  • 11,138 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:12:53 AM

Posted 06 July 2010 - 12:35 PM

OK, please delete ComboFix from the desktop and do the following:

Download ComboFix from any of the links below. You must rename it before saving it. Rename it to kahdah.com, then save it to your desktop.
Link 1
Link 2
--------------------------------------------------------------------

Double-click on kahdah.com and follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt



Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free; however, if you would like to make a donation to me for the help I have provided, please click here.



