
100% CPU usage after virus attack/removal


13 replies to this topic

#1 cubsfan518

cubsfan518

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:07:26 AM

Posted 28 July 2010 - 06:41 PM

Hello,

A little over a week ago, my laptop was infected with Antivirus System Pro. I followed the removal guide on this site, and the fake antivirus warnings went away. Everything seemed fine until random Internet Explorer windows would pop up when I was using Google Chrome and not even running IE. I ran Ad-Aware, Spybot S&D, and SUPERAntiSpyware, as well as my own Avast antivirus. The IE pop-ups eventually went away, but now my computer is running painfully slow. At startup, CPU usage stays at 100% for 10-15 minutes, during which I cannot use any programs. Before the infection, I was able to be surfing the internet from a restart in under 2 minutes. In the Task Manager, no processes show up as using any CPU percentage except for an occasional flicker of background processes that should be running, such as Avast, my touchpad and hotkey utility, etc., but the CPU usage is constantly 100% under the Performance tab with no processes showing any CPU usage 90% of the time. After 10-15 minutes, the CPU usage drops down and I'm able to open and use programs, but they are still unnaturally slow, and sometimes the CPU usage shoots back up to 100% for several minutes and I must wait for it to drop down again before continuing what I was doing. I ran Ad-Aware, Spybot S&D, SUPERAntiSpyware, and Malwarebytes again, but none of these programs found anything. I followed the prep guide and posted the requested logs below. Thanks for your help.



DDS (Ver_10-03-17.01) - NTFSx86
Run by Tyler R at 10:42:29.06 on Wed 07/28/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1918.1308 [GMT -5:00]

AV: avast! Antivirus *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
svchost.exe 4
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Toshiba\Windows Utilities\Hotkey.exe
C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\TPSMain.exe
C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\RAMASST.exe
svchost.exe 4
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\acs.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\WINDOWS\system32\TODDSrv.exe
C:\PROGRA~1\SPEEDB~1\VideoAcceleratorService.exe
C:\PROGRA~1\SPEEDB~1\VideoAcceleratorEngine.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\Documents and Settings\Tyler R\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearch Page = hxxp://www.google.com
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearch Bar = hxxp://www.google.com/ie
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyServer = http=127.0.0.1:5643
uInternet Settings,ProxyOverride = <local>
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar3.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar3.dll
TB: {F35CE83E-9EBF-40D5-AE87-53F982389740} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [TOSCDSPD] c:\program files\toshiba\toscdspd\toscdspd.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Google Update] "c:\documents and settings\tyler r\local settings\application data\google\update\GoogleUpdate.exe" /c
uRunOnce: [Shockwave Updater] c:\windows\system32\adobe\shockwave 11\SwHelper_1151601.exe -Update -1151601 -"Mozilla/5.0_(Windows;_U;_Windows_NT_5.1;_en-US)_AppleWebKit/532.5_(KHTML,_like_Gecko)_Chrome/4.1.249.1042_Safari/532.5" -"http://militantplatypus.com/games/gamepage.php?game=demolition%20race"
mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [Toshiba Hotkey Utility] "c:\program files\toshiba\windows utilities\Hotkey.exe" /lang en
mRun: [PadTouch] c:\program files\toshiba\touch and launch\PadExe.exe
mRun: [SmoothView] c:\program files\toshiba\toshiba zooming utility\SmoothView.exe
mRun: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [SkyTel] SkyTel.EXE
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [TPSMain] TPSMain.exe
mRun: [avast5] c:\progra~1\alwils~1\avast5\avastUI.exe /nogui
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
dRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil10b.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ramasst.lnk - c:\windows\system32\RAMASST.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {FB858B22-55E2-413f-87F5-30ADC5552151} - c:\program files\plotsoft\pdfill\DownloadPDF.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
LSP: c:\progra~1\speedb~1\sblsp.dll
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader5.cab
DPF: {1340C00E-B1FF-4117-B993-E58FF774A605} - hxxp://www.playrealbaseball.com/include/launchRBO_v1.1.0.0.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} - hxxp://rpma04ln.rush.edu/iNotes6W.cab
DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} - hxxp://www.eset.eu/buxus/docs/OnlineScanner.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1240694908218
DPF: {74C861A1-D548-4916-BC8A-FDE92EDFF62C} - hxxp://mediaplayer.walmart.com/installer/install.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} - hxxp://web1.shutterfly.com/downloads/Uploader.cab
DPF: {AE6C4705-0F11-4ACB-BDD4-37F138BEF289} - hxxp://dominicks.lifepics.com/net/Uploader/LPUploader45.cab
DPF: {C4577C19-00D1-4756-B4EF-01634E5064E0} - hxxp://www.playrealbaseball.com/include/launchRBO.cab
DPF: {C7DEDA04-2FFF-4B81-AE66-0A0E0EF4AD2F} - hxxp://www.ritzpix.com/net/Uploader/LPUploader57.cab
DPF: {CAFEEFAC-0015-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {D0C0F75C-683A-4390-A791-1ACFD5599AB8} - hxxp://bestbuy.oberon-media.com/Gameshell/GameHost/1.0/OberonGameHost.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A}
TCP: {7C0E9482-B25F-4CD8-9D26-2A09498A3E54} = 208.67.222.222,208.67.220.220
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: AtiExtEvent - Ati2evxx.dll
AppInit_DLLs: c:\progra~1\google\google~1\GOEC62~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
Hosts: 127.0.0.1 www.spywareinfo.com

============= SERVICES / DRIVERS ===============

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2008-4-7 165456]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-4-7 17744]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-1-30 40384]
R2 tdudf;TOSHIBA UDF File System Driver;c:\windows\system32\drivers\tdudf.sys [2006-6-28 98816]
R2 VideoAcceleratorService;VideoAcceleratorService;c:\progra~1\speedb~1\videoacceleratorservice.exe -start -scm --> c:\progra~1\speedb~1\VideoAcceleratorService.exe -start -scm [?]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-1-30 40384]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-1-30 40384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-5-7 136176]
S3 GoogleDesktopManager-110309-193829;Google Desktop Manager 5.9.911.3589;c:\program files\google\google desktop search\GoogleDesktop.exe [2006-8-21 30192]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-7-12 1352832]
S3 PEEK5;PEEK5 Protocol Driver;\??\c:\docume~1\alluse~1\docume~1\mypict~1\sample~1\runesc~1\aircra~1.1-w\aircra~1.1\bin\peek5.sys --> c:\docume~1\alluse~1\docume~1\mypict~1\sample~1\runesc~1\aircra~1.1-w\aircra~1.1\bin\PEEK5.SYS [?]
S3 TNET1130;802.11 WLAN;c:\windows\system32\drivers\TNET1130.sys [2004-12-1 438912]

=============== Created Last 30 ================

2010-07-28 15:30:32 0 ----a-w- c:\documents and settings\tyler r\defogger_reenable
2010-07-27 22:50:24 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-07-27 22:50:22 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-07-26 20:28:55 0 d-----w- c:\docume~1\alluse~1\applic~1\PlotSoft
2010-07-26 20:28:54 0 d-----w- c:\program files\PlotSoft
2010-07-26 19:35:05 32768 ----a-w- c:\windows\system32\DemoContextMenu.dll
2010-07-26 19:35:05 2063360 ----a-w- c:\windows\system32\QuickPDFAX0719.dll
2010-07-26 19:04:00 0 d-----w- c:\documents and settings\tyler r\Calibre Library
2010-07-26 19:03:51 0 d-----w- c:\docume~1\tylerr~1\applic~1\calibre
2010-07-26 19:01:58 0 d-----w- c:\program files\Calibre2
2010-07-23 19:24:46 0 d-----w- C:\ATI
2010-07-23 19:05:48 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-07-22 22:08:57 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-07-22 19:36:38 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-07-22 19:14:01 0 dc-h--w- c:\docume~1\alluse~1\applic~1\{BD986C1B-72EC-4B82-B47B-6CAC4E6F494E}
2010-07-20 22:36:45 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-07-20 22:17:39 0 d-----w- c:\docume~1\tylerr~1\applic~1\Malwarebytes
2010-07-20 22:17:24 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-07-20 22:17:23 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-13 22:09:08 744448 -c----w- c:\windows\system32\dllcache\helpsvc.exe
2010-07-13 21:42:26 38848 ----a-w- c:\windows\avastSS.scr

==================== Find3M ====================

2010-07-26 20:47:36 979764 ----a-w- c:\windows\fonts\CAMBRIA1.ttf
2010-07-26 20:47:36 946420 ----a-w- c:\windows\fonts\CAMBRIA0.ttf
2010-07-23 19:30:45 99 ----a-w- c:\documents and settings\tyler r\jagex_runescape_preferences2.dat
2010-07-23 19:29:19 46 ----a-w- c:\documents and settings\tyler r\jagex_runescape_preferences.dat
2010-05-18 21:35:16 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-05-18 21:35:16 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-05-06 10:41:53 916480 ----a-w- c:\windows\system32\wininet.dll
2010-05-02 05:22:50 1851264 ----a-w- c:\windows\system32\win32k.sys
2007-09-28 20:19:56 11368352 -c--a-w- c:\program files\FirstClass.exe
2008-08-23 17:53:31 32768 -csha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008082320080824\index.dat

============= FINISH: 10:43:37.51 ===============
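A small triage script, added here as an example and not part of this thread or of the DDS tool, that reads lines in the DDS pseudo-HJT and SERVICES / DRIVERS format shown above and flags the entries a helper would look at first: a browser proxy pointing at 127.0.0.1, hosts-file redirects, browser add-ons whose file is gone, AppInit_DLLs entries, and a kernel driver loaded from a user-profile folder. The sample lines are copied from the log posted above; the severity labels and the `USER_PROFILE_DIRS` list are the example's own assumptions, not DDS output.

```python
"""Triage helper for DDS 'Pseudo HJT Report' and 'SERVICES / DRIVERS' lines.

Added example, not part of the forum thread or of the DDS tool. It scans log
lines for a few indicators and returns findings with a short reason each.
"""
import re

# Sample lines copied from the DDS log posted in this thread (a constructed
# subset for this example; the full log has many more entries).
SAMPLE_LINES = [
    "uStart Page = hxxp://www.google.com/",
    "uInternet Settings,ProxyServer = http=127.0.0.1:5643",
    "uInternet Settings,ProxyOverride = <local>",
    "TB: {F35CE83E-9EBF-40D5-AE87-53F982389740} - No File",
    "AppInit_DLLs: c:\\progra~1\\google\\google~1\\GOEC62~1.DLL",
    "Hosts: 127.0.0.1 www.spywareinfo.com",
    "R1 aswSP;aswSP;c:\\windows\\system32\\drivers\\aswSP.sys [2008-4-7 165456]",
    "S3 PEEK5;PEEK5 Protocol Driver;\\??\\c:\\docume~1\\alluse~1\\docume~1\\mypict~1"
    "\\sample~1\\runesc~1\\aircra~1.1-w\\aircra~1.1\\bin\\peek5.sys --> c:\\docume~1"
    "\\alluse~1\\docume~1\\mypict~1\\sample~1\\runesc~1\\aircra~1.1-w\\aircra~1.1\\bin\\PEEK5.SYS [?]",
]

# A proxy on the loopback address means a process on this machine sits
# between the browser and the network.
LOOPBACK = re.compile(r"(?:127\.0\.0\.1|localhost)(?::\d+)?", re.IGNORECASE)

# Path segments from which a legitimate kernel driver is almost never loaded
# (assumed list for this example).
USER_PROFILE_DIRS = {"docume~1", "documents and settings", "users", "temp",
                     "appdata", "local settings"}

# DDS service/driver line: "<state> <name>;<display name>;<image path> [...]"
SERVICE_LINE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.*)$")


def check_line(line):
    """Return (severity, reason) for a line worth a second look, else None."""
    s = line.strip()
    if s.startswith(("uInternet Settings,ProxyServer",
                     "mInternet Settings,ProxyServer")):
        if LOOPBACK.search(s):
            return ("high", "browser proxy points at the local machine: "
                            "some local process is relaying HTTP")
        return ("info", "proxy server configured")
    if s.startswith("Hosts:"):
        parts = s.split()
        if len(parts) >= 3 and parts[1] in ("127.0.0.1", "0.0.0.0"):
            return ("high", f"hosts file redirects {parts[2]} to {parts[1]}")
        return ("info", "hosts file entry")
    if s.startswith(("BHO:", "TB:", "EB:")) and s.endswith("No File"):
        return ("low", "browser extension registered but its file is missing")
    if s.startswith("AppInit_DLLs:") and s[len("AppInit_DLLs:"):].strip():
        return ("info", "AppInit_DLLs injects a DLL into every user-mode process")
    m = SERVICE_LINE.match(s)
    if m:
        _state, name, _display, path = m.groups()
        segments = re.split(r"[\\/]", path.lower())
        if ".sys" in path.lower() and any(seg in USER_PROFILE_DIRS for seg in segments):
            return ("medium", f"driver {name} loads from a user-profile path")
    return None


def triage(lines):
    """Run check_line over every line; keep 1-based line numbers for reporting."""
    findings = []
    for n, line in enumerate(lines, 1):
        hit = check_line(line)
        if hit:
            findings.append({"line": n, "severity": hit[0],
                             "reason": hit[1], "text": line.strip()})
    return findings


def summarize(findings):
    """Count findings per severity, e.g. {'high': 2, 'medium': 1}."""
    counts = {}
    for f in findings:
        counts[f["severity"]] = counts.get(f["severity"], 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LINES):
        print(f"[{f['severity']:6}] line {f['line']}: {f['reason']}")
        print(f"         {f['text'][:100]}")
    print(summarize(triage(SAMPLE_LINES)))
```

Run against the posted log, the loopback proxy on port 5643 is the entry to chase first: with no legitimate local proxy installed, it means a resident process was relaying the browser's traffic, which fits the unexplained Internet Explorer windows described in the post. The hosts-file redirect of a security site and a `.sys` driver registered from a user-profile folder are the other two entries a helper would want explained before trusting the "scans found nothing" result.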


#2 kahdah

kahdah

  • Security Colleague
  • 11,138 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:09:26 AM

Posted 07 August 2010 - 12:06 PM

Hello cubsfan518

Welcome to BleepingComputer :)
==========================

Download ComboFix from one of these locations:

Link 1
Link 2


* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.


**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here.

#3 cubsfan518

cubsfan518
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:07:26 AM

Posted 07 August 2010 - 03:28 PM

Hello kahdah,

Thank you for helping me. ComboFix has been running for almost 2 hours now. It backed up the registry, but it seems to be stuck at the screen that says: "Scanning for infected files...This typically doesn't take more than 10 minutes. However, scan times for badly infected machines may easily double." I am writing this reply on another computer and have not touched the laptop since it started running ComboFix. Should I attempt to close the ComboFix window and reboot, or should I continue to wait? Also, between the time I started the topic and your reply, I ran a couple more virus scans in safe mode and they found a couple of things, but the original problem I described still persists, so the logs in my first post might be out of date. Thanks again for your help.

#4 kahdah

kahdah

  • Security Colleague
  • 11,138 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:09:26 AM

Posted 07 August 2010 - 04:46 PM

Hmm, ok, try to do this: hit Ctrl+Alt+Delete on the keyboard all at once.
This should bring up Task Manager.
Then, from within Task Manager, click on the Processes tab across the top.
Scroll through the process list and see which one is hanging up, then right click on it and choose kill process.

See then if that frees it up to run.

#5 cubsfan518

cubsfan518
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:07:26 AM

Posted 07 August 2010 - 06:02 PM

I opened Task Manager on my laptop like you said, but the CPU usage is 0%; no processes are using anything except System Idle Process using 99%, which I know is normal. So ComboFix is still open and still says the same thing from my previous post. What should I do now? Thanks.

#6 kahdah

kahdah

  • Security Colleague
  • 11,138 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Florida
  • Local time:09:26 AM

Posted 07 August 2010 - 06:10 PM

Ok, go ahead and close out of the blue command prompt window, then reboot, delete your version of ComboFix, and then re-download it and try it again.

#7 cubsfan518

cubsfan518
  • Topic Starter

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:07:26 AM

Posted 07 August 2010 - 09:27 PM

Hello again,

I hard shut down the laptop because the program wouldn't shut down, restarted the computer, deleted the ComboFix.exe, re-downloaded it, ran it again, and it worked. Just so you know, when the program started up there was a warning message: "Warning!! This machine is infected with the Whistler Bootkit!! Make sure your antivirus programs are disabled before clicking ok." And then there was another message: "Rootkit!! ComboFix has detected the presence of rootkit activity and needs to reboot the machine." I let it reboot and it ran the program when it started back up. The log is posted below. Thanks again.



ComboFix 10-08-07.01 - Tyler R 08/07/2010 20:41:37.3.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1918.1512 [GMT -5:00]
Running from: c:\documents and settings\Tyler R\Desktop\ComboFix.exe
AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Common
c:\windows\Downloaded Program Files\popcaploader.inf

Infected copy of c:\windows\system32\drivers\disk.sys was found and disinfected
Restored copy from - Kitty had a snack :p
.
\\.\PhysicalDrive0 - Bootkit Whistler was found and disinfected
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ZSDFG
-------\Legacy_ZXSDERFBUKJFYSHLHDFRSTDZHDFASHTG


((((((((((((((((((((((((( Files Created from 2010-07-08 to 2010-08-08 )))))))))))))))))))))))))))))))
.

2010-08-04 21:44 . 2010-08-04 21:44 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{BD986C1B-72EC-4B82-B47B-6CAC4E6F494E}
2010-08-04 20:33 . 2010-08-04 20:33 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2010-08-04 16:37 . 2010-08-04 16:37 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-08-04 16:21 . 2010-08-04 16:21 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2010-07-26 20:28 . 2010-07-26 20:28 -------- d-----w- c:\documents and settings\All Users\Application Data\PlotSoft
2010-07-26 20:28 . 2010-07-26 20:28 -------- d-----w- c:\program files\PlotSoft
2010-07-26 19:35 . 2010-05-03 23:44 2063360 ----a-w- c:\windows\system32\QuickPDFAX0719.dll
2010-07-26 19:35 . 2010-03-09 19:54 32768 ----a-w- c:\windows\system32\DemoContextMenu.dll
2010-07-26 19:04 . 2010-07-26 22:05 -------- d-----w- c:\documents and settings\Tyler R\Calibre Library
2010-07-26 19:03 . 2010-07-26 19:31 -------- d-----w- c:\documents and settings\Tyler R\Application Data\calibre
2010-07-26 19:01 . 2010-07-26 19:02 -------- d-----w- c:\program files\Calibre2
2010-07-23 19:24 . 2010-07-23 19:24 -------- d-----w- C:\ATI
2010-07-23 19:05 . 2010-06-22 09:36 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-07-22 19:36 . 2010-07-22 19:36 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-07-20 22:36 . 2010-07-20 22:36 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-07-20 22:30 . 2010-07-20 22:30 -------- d-sh--w- c:\documents and settings\LocalService\PrivacIE
2010-07-20 22:17 . 2010-07-20 22:17 -------- d-----w- c:\documents and settings\Tyler R\Application Data\Malwarebytes
2010-07-20 22:17 . 2010-07-20 22:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-07-20 22:17 . 2010-08-07 17:43 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-20 22:03 . 2010-07-20 22:03 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE
2010-07-20 22:03 . 2010-07-20 22:03 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2010-07-19 20:34 . 2010-07-19 20:34 -------- d-sh--w- c:\documents and settings\NetworkService\PrivacIE
2010-07-19 20:28 . 2010-07-20 23:42 -------- d-----w- c:\documents and settings\Tyler R\Local Settings\Application Data\mfmeskvht
2010-07-13 22:09 . 2010-06-14 14:31 744448 -c----w- c:\windows\system32\dllcache\helpsvc.exe
2010-07-13 21:42 . 2010-06-28 20:57 38848 ----a-w- c:\windows\avastSS.scr

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-07 17:48 . 2008-02-02 02:47 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-08-07 17:41 . 2008-11-16 03:22 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-08-07 17:41 . 2008-11-16 03:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-08-04 20:34 . 2010-08-04 20:34 63488 ----a-w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
2010-08-04 20:34 . 2010-08-04 20:34 52224 ----a-w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-08-04 20:34 . 2010-08-04 20:34 117760 ----a-w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-08-03 19:11 . 2008-11-16 00:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-08-03 18:29 . 2008-06-13 15:48 -------- d-----w- c:\program files\CCleaner
2010-07-23 19:30 . 2009-10-30 21:04 99 ----a-w- c:\documents and settings\Tyler R\jagex_runescape_preferences2.dat
2010-07-23 19:29 . 2008-07-01 14:43 46 ----a-w- c:\documents and settings\Tyler R\jagex_runescape_preferences.dat
2010-07-23 19:25 . 2006-08-21 18:20 -------- d-----w- c:\program files\ATI Technologies
2010-07-23 19:06 . 2006-08-21 18:37 -------- d-----w- c:\program files\Common Files\Java
2010-07-23 19:06 . 2010-07-23 19:06 503808 ----a-w- c:\documents and settings\Tyler R\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-6e07b095-n\msvcp71.dll
2010-07-23 19:06 . 2010-07-23 19:06 61440 ----a-w- c:\documents and settings\Tyler R\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-20709394-n\decora-sse.dll
2010-07-23 19:06 . 2010-07-23 19:06 499712 ----a-w- c:\documents and settings\Tyler R\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-6e07b095-n\jmc.dll
2010-07-23 19:06 . 2010-07-23 19:06 348160 ----a-w- c:\documents and settings\Tyler R\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-6e07b095-n\msvcr71.dll
2010-07-23 19:06 . 2010-07-23 19:06 12800 ----a-w- c:\documents and settings\Tyler R\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-20709394-n\decora-d3d.dll
2010-07-23 19:05 . 2006-08-21 18:37 -------- d-----w- c:\program files\Java
2010-06-30 20:21 . 2010-04-17 20:28 46 ----a-w- c:\windows\system32\config\systemprofile\jagex_runescape_preferences.dat
2010-06-30 20:17 . 2010-04-17 20:29 99 ----a-w- c:\windows\system32\config\systemprofile\jagex_runescape_preferences2.dat
2010-06-28 20:57 . 2008-03-08 18:28 165032 ----a-w- c:\windows\system32\aswBoot.exe
2010-06-28 20:37 . 2008-03-08 18:28 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-06-28 20:37 . 2008-04-08 02:10 165456 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-06-28 20:33 . 2008-03-08 18:28 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-06-28 20:32 . 2008-03-08 18:28 100176 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-06-28 20:32 . 2008-03-08 18:28 94544 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-06-28 20:32 . 2008-04-08 02:10 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-06-28 20:32 . 2008-03-08 18:28 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-06-27 23:26 . 2006-08-21 19:02 -------- d-----w- c:\program files\Picasa2
2010-06-21 21:16 . 2010-06-21 21:14 -------- d-----w- c:\program files\iTunes
2010-06-21 21:15 . 2010-06-21 21:15 -------- d-----w- c:\program files\iPod
2010-06-21 21:15 . 2009-12-26 23:32 -------- d-----w- c:\program files\Common Files\Apple
2010-06-21 21:08 . 2010-06-21 21:08 -------- d-----w- c:\program files\Bonjour
2010-06-21 21:04 . 2010-06-21 21:04 72504 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.2.0.61\SetupAdmin.exe
2010-06-14 14:31 . 2006-08-21 17:23 744448 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe
2010-05-18 21:35 . 2010-05-18 21:35 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-05-18 21:35 . 2010-05-18 21:35 107808 ----a-w- c:\windows\system32\dns-sd.exe
2007-09-28 20:19 . 2007-09-28 20:19 11368352 -c--a-w- c:\program files\FirstClass.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2004-12-30 65536]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-12-12 344064]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-04-07 761946]
"Toshiba Hotkey Utility"="c:\program files\Toshiba\Windows Utilities\Hotkey.exe" [2006-08-01 1773568]
"PadTouch"="c:\program files\TOSHIBA\Touch and Launch\PadExe.exe" [2005-12-06 1077322]
"SmoothView"="c:\program files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2005-04-26 122880]
"Pinger"="c:\toshiba\ivp\ism\pinger.exe" [2005-03-18 151552]
"RTHDCPL"="RTHDCPL.EXE" [2006-09-06 16262656]
"SkyTel"="SkyTel.EXE" [2006-05-17 2879488]
"AGRSMMSG"="AGRSMMSG.exe" [2006-03-18 89541]
"TPSMain"="TPSMain.exe" [2005-06-01 282624]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-06-28 2837864]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-06-15 141624]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\FlashUtil10b.exe" [2009-02-03 240544]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
RAMASST.lnk - c:\windows\system32\RAMASST.exe [2006-8-21 155648]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ WinCinema Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\ WinCinema Manager.lnk
backup=c:\windows\pss\ WinCinema Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^dlbcserv.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\dlbcserv.lnk
backup=c:\windows\pss\dlbcserv.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=c:\windows\pss\Kodak EasyShare software.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^KODAK Software Updater.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\KODAK Software Updater.lnk
backup=c:\windows\pss\KODAK Software Updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Tyler R^Start Menu^Programs^Startup^Microsoft Office OneNote 2003 Quick Launch.lnk]
path=c:\documents and settings\Tyler R\Start Menu\Programs\Startup\Microsoft Office OneNote 2003 Quick Launch.lnk
backup=c:\windows\pss\Microsoft Office OneNote 2003 Quick Launch.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Tyler R^Start Menu^Programs^Startup^PowerReg Scheduler.exe]
path=c:\documents and settings\Tyler R\Start Menu\Programs\Startup\PowerReg Scheduler.exe
backup=c:\windows\pss\PowerReg Scheduler.exeStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-06-09 08:06 976832 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-06-20 02:04 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
2010-05-08 01:15 30192 ----a-w- c:\program files\Google\Google Desktop Search\GoogleDesktop.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2008-09-04 20:12 133104 ----atw- c:\documents and settings\Tyler R\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
2002-11-22 19:49 188416 -c--a-w- c:\windows\system32\spool\drivers\w32x86\3\hpztsb07.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHmon04]
2002-11-22 19:48 348160 ----a-w- c:\windows\system32\hphmon04.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHUPD04]
2002-11-22 19:50 49152 -c--a-w- c:\program files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM]
2006-09-11 09:40 218032 -c--a-w- c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LtMoh]
2005-12-16 09:41 188416 -c--a-w- c:\program files\ltmoh\ltmoh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSConfig]
2008-04-14 00:12 169984 -c--a-w- c:\windows\pchealth\helpctr\binaries\msconfig.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-03-18 02:53 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Share-to-Web Namespace Daemon]
2002-04-17 16:42 69632 -c--a-w- c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Shockwave Updater]
2009-07-31 13:40 468408 ----a-w- c:\windows\system32\Adobe\Shockwave 11\SwHelper_1151601.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-05-14 16:44 248552 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TPSMain]
2005-06-01 03:00 282624 ----a-w- c:\windows\system32\TPSMain.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Universal Installer]
2008-03-18 19:50 984616 -c--a-w- c:\program files\ComcastUI\Universal Installer\uinstaller.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"MskService"=2 (0x2)
"MpfService"=2 (0x2)
"mcupdmgr.exe"=3 (0x3)
"McTskshd.exe"=2 (0x2)
"McShield"=2 (0x2)
"McDetect.exe"=2 (0x2)
"IDriverT"=3 (0x3)
"gusvc"=3 (0x3)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"=
"c:\\TOSHIBA\\Ivp\\ISM\\pinger.exe"= c:\\TOSHIBA\\IVP\\ISM\\pinger.exe
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Documents and Settings\\Tyler R\\My Documents\\My Games\\TmNationsForever\\TmForever.exe"=
"c:\\Documents and Settings\\Tyler R\\My Documents\\Warcraft III\\Warcraft III\\Warcraft III.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\LEXPPS.EXE"=

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [4/7/2008 9:10 PM 165456]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [4/7/2008 9:10 PM 17744]
R2 tdudf;TOSHIBA UDF File System Driver;c:\windows\system32\drivers\tdudf.sys [6/28/2006 1:50 PM 98816]
R2 VideoAcceleratorService;VideoAcceleratorService;c:\progra~1\SPEEDB~1\VideoAcceleratorService.exe -start -scm --> c:\progra~1\SPEEDB~1\VideoAcceleratorService.exe -start -scm [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [5/7/2010 5:04 PM 136176]
S3 GoogleDesktopManager-110309-193829;Google Desktop Manager 5.9.911.3589;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [8/21/2006 2:02 PM 30192]
S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
S3 PEEK5;PEEK5 Protocol Driver;\??\c:\docume~1\ALLUSE~1\DOCUME~1\MYPICT~1\SAMPLE~1\RUNESC~1\AIRCRA~1.1-W\AIRCRA~1.1\bin\PEEK5.SYS --> c:\docume~1\ALLUSE~1\DOCUME~1\MYPICT~1\SAMPLE~1\RUNESC~1\AIRCRA~1.1-W\AIRCRA~1.1\bin\PEEK5.SYS [?]
S3 TNET1130;802.11 WLAN;c:\windows\system32\drivers\TNET1130.sys [12/1/2004 6:35 PM 438912]
.
Contents of the 'Scheduled Tasks' folder

2010-06-05 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2010-08-08 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-05-07 20:24]

2010-08-04 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-05-07 20:24]

2010-07-17 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3878683979-652201305-810867215-1006Core.job
- c:\documents and settings\Tyler R\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-04 20:12]

2010-08-07 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3878683979-652201305-810867215-1006UA.job
- c:\documents and settings\Tyler R\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-04 20:12]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = <local>
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
LSP: c:\progra~1\SPEEDB~1\sblsp.dll
TCP: {7C0E9482-B25F-4CD8-9D26-2A09498A3E54} = 208.67.222.222,208.67.220.220
DPF: {1340C00E-B1FF-4117-B993-E58FF774A605} - hxxp://www.playrealbaseball.com/include/launchRBO_v1.1.0.0.cab
DPF: {C4577C19-00D1-4756-B4EF-01634E5064E0} - hxxp://www.playrealbaseball.com/include/launchRBO.cab
DPF: {C7DEDA04-2FFF-4B81-AE66-0A0E0EF4AD2F} - hxxp://www.ritzpix.com/net/Uploader/LPUploader57.cab
.
- - - - ORPHANS REMOVED - - - -

ShellExecuteHooks-{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - (no file)
MSConfigStartUp-Ad-Watch - c:\program files\Lavasoft\Ad-Aware\AAWTray.exe
MSConfigStartUp-MSKDetectorExe - c:\program files\McAfee\SpamKiller\MSKDetct.exe
MSConfigStartUp-SpybotSD TeaTimer - c:\program files\Spybot - Search & Destroy\TeaTimer.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-08-07 20:53
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,70,06,52,17,ca,b0,1d,48,96,31,6f,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,70,06,52,17,ca,b0,1d,48,96,31,6f,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(564)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'lsass.exe'(620)
c:\progra~1\SPEEDB~1\sblsp.dll
c:\program files\SpeedBit Video Accelerator\ConfigDB.dll
c:\program files\SpeedBit Video Accelerator\Accelerator.dll
c:\windows\system32\WININET.dll
c:\program files\SpeedBit Video Accelerator\Collector.dll

- - - - - - - > 'explorer.exe'(2692)
c:\windows\system32\WININET.dll
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\system32\TPwrCfg.DLL
c:\windows\system32\TPwrReg.dll
c:\windows\system32\TPSTrace.DLL
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Alwil Software\Avast5\AvastSvc.exe
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\windows\system32\acs.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\TOSHIBA\ConfigFree\CFSvcs.exe
c:\windows\system32\DVDRAMSV.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\toshiba\IVP\swupdate\swupdtmr.exe
c:\windows\system32\TODDSrv.exe
c:\progra~1\SPEEDB~1\VideoAcceleratorService.exe
c:\progra~1\SPEEDB~1\VideoAcceleratorEngine.exe
c:\windows\system32\wscntfy.exe
c:\windows\RTHDCPL.EXE
c:\windows\AGRSMMSG.exe
c:\windows\system32\TPSBattM.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2010-08-07 20:59:56 - machine was rebooted
ComboFix-quarantined-files.txt 2010-08-08 01:59
ComboFix2.txt 2008-12-19 16:51
ComboFix3.txt 2008-12-18 23:45

Pre-Run: 26,235,334,656 bytes free
Post-Run: 26,304,970,752 bytes free

- - End Of File - - 4315BBB8FD4BF43EA1EFA64D8494EEC7


#8 kahdah

  • Security Colleague
  • 11,138 posts
  • Gender:Male
  • Location:Florida

Posted 08 August 2010 - 08:32 AM

Just to inform you of the dangers of the type of infection that you had: we had removed both rootkits, but because data could have been compromised I feel the need to alert you to the dangers.

One or more of the identified infections is a backdoor trojan or rootkit.

This type of infection has the capability to allow a hacker to remotely control your computer, steal critical system information, and download and execute files.

If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and has been killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.

Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here

#9 cubsfan518

  • Topic Starter
  • Members
  • 17 posts
  • Gender:Male

Posted 08 August 2010 - 01:54 PM

Hello,

I've decided to not reformat/reinstall. I got this laptop my freshman year of high school, and now I'll be leaving for my first year of college in september, so the only files on it are school files. There aren't any files I wouldn't share with anyone, and I will be closely monitoring my various online accounts. The computer is already much faster. I will be waiting for your next instructions. Thanks.

#10 kahdah

  • Security Colleague
  • 11,138 posts
  • Gender:Male
  • Location:Florida

Posted 08 August 2010 - 02:19 PM

1. Please open Notepad
  • Click Start , then Run
  • type in notepad in the Run Box then hit ok.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

CODE
Folder::
c:\documents and settings\Tyler R\Local Settings\Application Data\mfmeskvht

File::
c:\documents and settings\Tyler R\Start Menu\Programs\Startup\PowerReg Scheduler.exe
c:\windows\pss\PowerReg Scheduler.exe

Registry::
[-HKLM\~\startupfolder\C:^Documents and Settings^Tyler R^Start Menu^Programs^Startup^PowerReg Scheduler.exe]

RegLock::
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]



3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.




5. After reboot, (in case it asks to reboot), please post the following report/log into your next reply:
  • Combofix.txt
==Update Run Malwarebytes

Please update\run Malwarebytes' Anti-Malware.

Double Click the Malwarebytes Anti-Malware icon to run the application.
  • Click on the update tab then click on Check for updates.
  • If an update is found, it will download and install the latest version.
  • Once the update has loaded, go to the Scanner tab and select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
=====
Please do a scan with Kaspersky Online Scanner

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

Click on the Accept button and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded on the left side of the page in the Scan section select My Computer
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

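
The CFScript above targets two things kahdah picked out of the ComboFix log by eye: a bare .exe sitting in a user's Startup folder (PowerReg Scheduler.exe) and a randomly named folder under Local Settings\Application Data. As an added example, not part of this thread and not ComboFix's own code, here is a small Python triage script that applies a few of the checks a helper runs over such a log: executables dropped directly into a Startup folder instead of a .lnk, kernel drivers registered from a user-profile path, service images ComboFix could not resolve (the trailing "[?]"), and non-Windows DLLs loaded inside lsass.exe or winlogon.exe (the way a Winsock LSP such as sblsp.dll ends up there). The sample input is constructed from lines in the logs posted in this thread; the rule names and severity labels are my own assumptions and are review prompts, not malware verdicts (MBAMSwissArmy is the Malwarebytes driver and the SpeedBit DLLs are third-party software, and both still trip the rules).

```python
"""Heuristic triage of ComboFix-style log lines (added example, not ComboFix code)."""
import re

# Processes where a non-Windows DLL deserves a second look (assumed list).
SENSITIVE_PROCS = {"lsass.exe", "winlogon.exe", "services.exe", "csrss.exe"}
# Extensions that should not appear as bare files in a Startup folder.
EXEC_EXT = (".exe", ".scr", ".com", ".bat", ".cmd", ".vbs", ".pif")
# Path fragments that mean "inside a user profile" on XP/Vista+ (short and long names).
PROFILE_MARKERS = ("documents and settings", "docume~1", "\\users\\")

SERVICE_RE = re.compile(r"^([RS])(\d)\s+([^;]+);([^;]*);(.*)$")   # R2 name;display;image [info]
PROC_HDR_RE = re.compile(r"^(?:- )+> '([^']+)'\((\d+)\)")          # - - - > 'lsass.exe'(620)
DRIVE_PATH_RE = re.compile(r"^[a-z]:\\")

# Constructed sample: lines copied from the ComboFix logs posted in this thread.
SAMPLE_LOG = r"""
[HKLM\~\startupfolder\C:^Documents and Settings^Tyler R^Start Menu^Programs^Startup^PowerReg Scheduler.exe]
path=c:\documents and settings\Tyler R\Start Menu\Programs\Startup\PowerReg Scheduler.exe
backup=c:\windows\pss\PowerReg Scheduler.exeStartup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [4/7/2008 9:10 PM 165456]
S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
S3 PEEK5;PEEK5 Protocol Driver;\??\c:\docume~1\ALLUSE~1\DOCUME~1\MYPICT~1\SAMPLE~1\RUNESC~1\AIRCRA~1.1-W\AIRCRA~1.1\bin\PEEK5.SYS --> c:\docume~1\ALLUSE~1\DOCUME~1\MYPICT~1\SAMPLE~1\RUNESC~1\AIRCRA~1.1-W\AIRCRA~1.1\bin\PEEK5.SYS [?]

- - - - - - - > 'lsass.exe'(620)
c:\progra~1\SPEEDB~1\sblsp.dll
c:\program files\SpeedBit Video Accelerator\ConfigDB.dll
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(2692)
c:\windows\system32\WININET.dll
c:\progra~1\WINDOW~2\wmpband.dll
"""


def _image_path(tail):
    """Reduce 'orig --> resolved [date size]' to the resolved path, lower-cased."""
    if " --> " in tail:
        tail = tail.split(" --> ", 1)[1]
    tail = re.sub(r"\s*\[[^\]]*\]\s*$", "", tail)   # drop trailing "[...]" info block
    return tail.strip().lower()


def triage(log_text):
    """Return a list of (severity, rule, detail) tuples for lines that match a heuristic."""
    findings = []
    current_proc = None   # set while inside a "DLLs Loaded Under Running Processes" block
    for raw in log_text.splitlines():
        s = raw.strip()
        if not s:
            current_proc = None          # a blank line ends the per-process DLL list
            continue
        m = PROC_HDR_RE.match(s)
        if m:
            current_proc = m.group(1).lower()
            continue
        m = SERVICE_RE.match(s)
        if m:
            name, tail = m.group(3), m.group(5)
            path = _image_path(tail)
            if path.endswith(".sys") and any(k in path for k in PROFILE_MARKERS):
                findings.append(("HIGH", "driver_in_profile", f"{name}: {path}"))
            if tail.rstrip().endswith("[?]"):
                findings.append(("LOW", "image_unresolved", f"{name}: {path}"))
            continue
        if s.lower().startswith("path="):
            path = s[5:].strip().lower()
            if "\\startup\\" in path and path.endswith(EXEC_EXT):
                findings.append(("HIGH", "startup_exe", path))
            continue
        if current_proc in SENSITIVE_PROCS and DRIVE_PATH_RE.match(s.lower()):
            if not s.lower().startswith("c:\\windows\\"):
                findings.append(("MEDIUM", "third_party_dll", f"{current_proc}: {s.lower()}"))
    return findings


if __name__ == "__main__":
    for severity, rule, detail in triage(SAMPLE_LOG):
        print(f"{severity:6} {rule:18} {detail}")
```

Run as-is it reports the PowerReg Scheduler.exe startup entry, the PEEK5 driver living under My Pictures, the two unresolved images and the two SpeedBit DLLs inside lsass.exe, and stays quiet about aswSP.sys, WININET.dll and the Explorer band DLL. Feed it a full ComboFix.txt instead of SAMPLE_LOG to get the same shortlist for your own log.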

#11 cubsfan518

  • Topic Starter
  • Members
  • 17 posts
  • Gender:Male

Posted 09 August 2010 - 09:31 PM

Hello,

I did all the scans. Malwarebytes didn't find anything, but Kaspersky did. The logs are posted below(ComboFix, Malwarebytes, and then Kaspersky). Thanks.



ComboFix 10-08-07.01 - Tyler R 08/09/2010 13:03:33.4.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1918.1379 [GMT -5:00]
Running from: c:\documents and settings\Tyler R\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Tyler R\Desktop\CFScript.txt
AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

FILE ::
"c:\documents and settings\Tyler R\Start Menu\Programs\Startup\PowerReg Scheduler.exe"
"c:\windows\pss\PowerReg Scheduler.exe"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Tyler R\Local Settings\Application Data\mfmeskvht

.
((((((((((((((((((((((((( Files Created from 2010-07-09 to 2010-08-09 )))))))))))))))))))))))))))))))
.

2010-08-08 18:31 . 2010-08-08 18:31 -------- d-----w- c:\windows\LastGood
2010-08-04 21:44 . 2010-08-04 21:44 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{BD986C1B-72EC-4B82-B47B-6CAC4E6F494E}
2010-08-04 20:34 . 2010-08-04 20:34 63488 ----a-w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
2010-08-04 20:34 . 2010-08-04 20:34 52224 ----a-w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-08-04 20:34 . 2010-08-04 20:34 117760 ----a-w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-08-04 20:33 . 2010-08-04 20:33 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2010-08-04 16:37 . 2010-08-04 16:37 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-08-04 16:21 . 2010-08-04 16:21 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2010-07-26 20:28 . 2010-07-26 20:28 -------- d-----w- c:\documents and settings\All Users\Application Data\PlotSoft
2010-07-26 20:28 . 2010-07-26 20:28 -------- d-----w- c:\program files\PlotSoft
2010-07-26 19:35 . 2010-05-03 23:44 2063360 ----a-w- c:\windows\system32\QuickPDFAX0719.dll
2010-07-26 19:35 . 2010-03-09 19:54 32768 ----a-w- c:\windows\system32\DemoContextMenu.dll
2010-07-26 19:04 . 2010-07-26 22:05 -------- d-----w- c:\documents and settings\Tyler R\Calibre Library
2010-07-26 19:03 . 2010-07-26 19:31 -------- d-----w- c:\documents and settings\Tyler R\Application Data\calibre
2010-07-26 19:01 . 2010-07-26 19:02 -------- d-----w- c:\program files\Calibre2
2010-07-23 19:24 . 2010-07-23 19:24 -------- d-----w- C:\ATI
2010-07-23 19:06 . 2010-07-23 19:06 503808 ----a-w- c:\documents and settings\Tyler R\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-6e07b095-n\msvcp71.dll
2010-07-23 19:06 . 2010-07-23 19:06 61440 ----a-w- c:\documents and settings\Tyler R\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-20709394-n\decora-sse.dll
2010-07-23 19:06 . 2010-07-23 19:06 499712 ----a-w- c:\documents and settings\Tyler R\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-6e07b095-n\jmc.dll
2010-07-23 19:06 . 2010-07-23 19:06 348160 ----a-w- c:\documents and settings\Tyler R\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-6e07b095-n\msvcr71.dll
2010-07-23 19:06 . 2010-07-23 19:06 12800 ----a-w- c:\documents and settings\Tyler R\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-20709394-n\decora-d3d.dll
2010-07-23 19:05 . 2010-06-22 09:36 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-07-22 19:36 . 2010-07-22 19:36 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-07-20 22:36 . 2010-07-20 22:36 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-07-20 22:30 . 2010-07-20 22:30 -------- d-sh--w- c:\documents and settings\LocalService\PrivacIE
2010-07-20 22:17 . 2010-07-20 22:17 -------- d-----w- c:\documents and settings\Tyler R\Application Data\Malwarebytes
2010-07-20 22:17 . 2010-07-20 22:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-07-20 22:17 . 2010-08-07 17:43 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-20 22:03 . 2010-07-20 22:03 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE
2010-07-20 22:03 . 2010-07-20 22:03 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2010-07-19 20:34 . 2010-07-19 20:34 -------- d-sh--w- c:\documents and settings\NetworkService\PrivacIE
2010-07-13 22:09 . 2010-06-14 14:31 744448 -c----w- c:\windows\system32\dllcache\helpsvc.exe
2010-07-13 21:42 . 2010-06-28 20:57 38848 ----a-w- c:\windows\avastSS.scr

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-08 18:52 . 2008-07-01 14:43 46 ----a-w- c:\documents and settings\Tyler R\jagex_runescape_preferences.dat
2010-08-08 18:51 . 2009-10-30 21:04 99 ----a-w- c:\documents and settings\Tyler R\jagex_runescape_preferences2.dat
2010-08-07 17:48 . 2008-02-02 02:47 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-08-07 17:41 . 2008-11-16 03:22 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-08-07 17:41 . 2008-11-16 03:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-08-03 19:11 . 2008-11-16 00:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-08-03 18:29 . 2008-06-13 15:48 -------- d-----w- c:\program files\CCleaner
2010-07-27 06:30 . 2010-07-27 06:30 8462336 ----a-w- c:\windows\system32\SET56.tmp
2010-07-23 19:25 . 2006-08-21 18:20 -------- d-----w- c:\program files\ATI Technologies
2010-07-23 19:06 . 2006-08-21 18:37 -------- d-----w- c:\program files\Common Files\Java
2010-07-23 19:05 . 2006-08-21 18:37 -------- d-----w- c:\program files\Java
2010-06-30 20:21 . 2010-04-17 20:28 46 ----a-w- c:\windows\system32\config\systemprofile\jagex_runescape_preferences.dat
2010-06-30 20:17 . 2010-04-17 20:29 99 ----a-w- c:\windows\system32\config\systemprofile\jagex_runescape_preferences2.dat
2010-06-28 20:57 . 2008-03-08 18:28 165032 ----a-w- c:\windows\system32\aswBoot.exe
2010-06-28 20:37 . 2008-03-08 18:28 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-06-28 20:37 . 2008-04-08 02:10 165456 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-06-28 20:33 . 2008-03-08 18:28 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-06-28 20:32 . 2008-03-08 18:28 100176 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-06-28 20:32 . 2008-03-08 18:28 94544 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-06-28 20:32 . 2008-04-08 02:10 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-06-28 20:32 . 2008-03-08 18:28 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2010-06-27 23:26 . 2006-08-21 19:02 -------- d-----w- c:\program files\Picasa2
2010-06-21 21:16 . 2010-06-21 21:14 -------- d-----w- c:\program files\iTunes
2010-06-21 21:15 . 2010-06-21 21:15 -------- d-----w- c:\program files\iPod
2010-06-21 21:15 . 2009-12-26 23:32 -------- d-----w- c:\program files\Common Files\Apple
2010-06-21 21:08 . 2010-06-21 21:08 -------- d-----w- c:\program files\Bonjour
2010-06-21 21:04 . 2010-06-21 21:04 72504 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.2.0.61\SetupAdmin.exe
2010-06-14 14:31 . 2006-08-21 17:23 744448 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe
2010-05-18 21:35 . 2010-05-18 21:35 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-05-18 21:35 . 2010-05-18 21:35 107808 ----a-w- c:\windows\system32\dns-sd.exe
2007-09-28 20:19 . 2007-09-28 20:19 11368352 -c--a-w- c:\program files\FirstClass.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2004-12-30 65536]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-12-12 344064]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-04-07 761946]
"Toshiba Hotkey Utility"="c:\program files\Toshiba\Windows Utilities\Hotkey.exe" [2006-08-01 1773568]
"PadTouch"="c:\program files\TOSHIBA\Touch and Launch\PadExe.exe" [2005-12-06 1077322]
"SmoothView"="c:\program files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2005-04-26 122880]
"Pinger"="c:\toshiba\ivp\ism\pinger.exe" [2005-03-18 151552]
"RTHDCPL"="RTHDCPL.EXE" [2006-09-06 16262656]
"SkyTel"="SkyTel.EXE" [2006-05-17 2879488]
"AGRSMMSG"="AGRSMMSG.exe" [2006-03-18 89541]
"TPSMain"="TPSMain.exe" [2005-06-01 282624]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-06-28 2837864]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-06-15 141624]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\FlashUtil10b.exe" [2009-02-03 240544]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
RAMASST.lnk - c:\windows\system32\RAMASST.exe [2006-8-21 155648]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ WinCinema Manager.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\ WinCinema Manager.lnk
backup=c:\windows\pss\ WinCinema Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^dlbcserv.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\dlbcserv.lnk
backup=c:\windows\pss\dlbcserv.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=c:\windows\pss\Kodak EasyShare software.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^KODAK Software Updater.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\KODAK Software Updater.lnk
backup=c:\windows\pss\KODAK Software Updater.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Tyler R^Start Menu^Programs^Startup^Microsoft Office OneNote 2003 Quick Launch.lnk]
path=c:\documents and settings\Tyler R\Start Menu\Programs\Startup\Microsoft Office OneNote 2003 Quick Launch.lnk
backup=c:\windows\pss\Microsoft Office OneNote 2003 Quick Launch.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-06-09 08:06 976832 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-06-20 02:04 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
2010-05-08 01:15 30192 ----a-w- c:\program files\Google\Google Desktop Search\GoogleDesktop.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2008-09-04 20:12 133104 ----atw- c:\documents and settings\Tyler R\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
2002-11-22 19:49 188416 -c--a-w- c:\windows\system32\spool\drivers\w32x86\3\hpztsb07.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHmon04]
2002-11-22 19:48 348160 ----a-w- c:\windows\system32\hphmon04.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHUPD04]
2002-11-22 19:50 49152 -c--a-w- c:\program files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM]
2006-09-11 09:40 218032 -c--a-w- c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LtMoh]
2005-12-16 09:41 188416 -c--a-w- c:\program files\ltmoh\ltmoh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSConfig]
2008-04-14 00:12 169984 -c--a-w- c:\windows\pchealth\helpctr\binaries\msconfig.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-03-18 02:53 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Share-to-Web Namespace Daemon]
2002-04-17 16:42 69632 -c--a-w- c:\program files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Shockwave Updater]
2009-07-31 13:40 468408 ----a-w- c:\windows\system32\Adobe\Shockwave 11\SwHelper_1151601.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-05-14 16:44 248552 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TPSMain]
2005-06-01 03:00 282624 ----a-w- c:\windows\system32\TPSMain.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Universal Installer]
2008-03-18 19:50 984616 -c--a-w- c:\program files\ComcastUI\Universal Installer\uinstaller.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WMPNetworkSvc"=3 (0x3)
"MskService"=2 (0x2)
"MpfService"=2 (0x2)
"mcupdmgr.exe"=3 (0x3)
"McTskshd.exe"=2 (0x2)
"McShield"=2 (0x2)
"McDetect.exe"=2 (0x2)
"IDriverT"=3 (0x3)
"gusvc"=3 (0x3)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"=
"c:\\TOSHIBA\\Ivp\\ISM\\pinger.exe"= c:\\TOSHIBA\\IVP\\ISM\\pinger.exe
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Documents and Settings\\Tyler R\\My Documents\\My Games\\TmNationsForever\\TmForever.exe"=
"c:\\Documents and Settings\\Tyler R\\My Documents\\Warcraft III\\Warcraft III\\Warcraft III.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\LEXPPS.EXE"=

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [4/7/2008 9:10 PM 165456]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [4/7/2008 9:10 PM 17744]
R2 tdudf;TOSHIBA UDF File System Driver;c:\windows\system32\drivers\tdudf.sys [6/28/2006 1:50 PM 98816]
R2 VideoAcceleratorService;VideoAcceleratorService;c:\progra~1\SPEEDB~1\VideoAcceleratorService.exe -start -scm --> c:\progra~1\SPEEDB~1\VideoAcceleratorService.exe -start -scm [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [5/7/2010 5:04 PM 136176]
S3 GoogleDesktopManager-110309-193829;Google Desktop Manager 5.9.911.3589;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [8/21/2006 2:02 PM 30192]
S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
S3 PEEK5;PEEK5 Protocol Driver;\??\c:\docume~1\ALLUSE~1\DOCUME~1\MYPICT~1\SAMPLE~1\RUNESC~1\AIRCRA~1.1-W\AIRCRA~1.1\bin\PEEK5.SYS --> c:\docume~1\ALLUSE~1\DOCUME~1\MYPICT~1\SAMPLE~1\RUNESC~1\AIRCRA~1.1-W\AIRCRA~1.1\bin\PEEK5.SYS [?]
S3 TNET1130;802.11 WLAN;c:\windows\system32\drivers\TNET1130.sys [12/1/2004 6:35 PM 438912]
.
Contents of the 'Scheduled Tasks' folder

2010-06-05 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 17:34]

2010-08-08 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-05-07 20:24]

2010-08-08 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-05-07 20:24]

2010-07-17 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3878683979-652201305-810867215-1006Core.job
- c:\documents and settings\Tyler R\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-04 20:12]

2010-08-08 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-3878683979-652201305-810867215-1006UA.job
- c:\documents and settings\Tyler R\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-09-04 20:12]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = <local>
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
LSP: c:\progra~1\SPEEDB~1\sblsp.dll
TCP: {7C0E9482-B25F-4CD8-9D26-2A09498A3E54} = 208.67.222.222,208.67.220.220
DPF: {1340C00E-B1FF-4117-B993-E58FF774A605} - hxxp://www.playrealbaseball.com/include/launchRBO_v1.1.0.0.cab
DPF: {C4577C19-00D1-4756-B4EF-01634E5064E0} - hxxp://www.playrealbaseball.com/include/launchRBO.cab
DPF: {C7DEDA04-2FFF-4B81-AE66-0A0E0EF4AD2F} - hxxp://www.ritzpix.com/net/Uploader/LPUploader57.cab
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-08-09 13:09
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(560)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'lsass.exe'(616)
c:\progra~1\SPEEDB~1\sblsp.dll
c:\program files\SpeedBit Video Accelerator\ConfigDB.dll
c:\program files\SpeedBit Video Accelerator\Accelerator.dll
c:\windows\system32\WININET.dll
c:\program files\SpeedBit Video Accelerator\Collector.dll

- - - - - - - > 'explorer.exe'(3316)
c:\windows\system32\WININET.dll
c:\progra~1\WINDOW~2\wmpband.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\system32\TPwrCfg.DLL
c:\windows\system32\TPwrReg.dll
c:\windows\system32\TPSTrace.DLL
.
Completion time: 2010-08-09 13:12:29
ComboFix-quarantined-files.txt 2010-08-09 18:12
ComboFix2.txt 2010-08-08 01:59
ComboFix3.txt 2008-12-19 16:51
ComboFix4.txt 2008-12-18 23:45

Pre-Run: 25,894,404,096 bytes free
Post-Run: 25,871,253,504 bytes free

- - End Of File - - 1351516911EBCF9C3285ECDEBABB1C54



Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4411

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

8/9/2010 1:47:49 PM
mbam-log-2010-08-09 (13-47-49).txt

Scan type: Quick scan
Objects scanned: 145852
Time elapsed: 6 minute(s), 9 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)



KASPERSKY ONLINE SCANNER 7.0: scan report
Monday, August 9, 2010
Operating system: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Monday, August 09, 2010 16:23:46
Records in database: 4132940
Scan settings
scan using the following database extended
Scan archives yes
Scan e-mail databases yes
Scan area My Computer
C:\
D:\
Scan statistics
Objects scanned 102951
Threats found 3
Infected objects found 4
Suspicious objects found 0
Scan duration 05:26:36

File name Threat Threats count
C:\Documents and Settings\Tyler R\Application Data\Sun\Java\Deployment\cache\6.0\16\62da3790-4334b9a0 Infected: Trojan-Clicker.Win32.Cycler.gen 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\disk.sys.vir Infected: Rootkit.Win32.TDSS.ap 1
C:\Qoobox\Quarantine\MBR_HardDisk0.mbr Infected: Trojan-Clicker.Win32.Wistler.a 1
C:\System Volume Information\_restore{D7EECCCB-504A-4B73-84FE-DF9426EF622E}\RP386\A0159033.sys Infected: Rootkit.Win32.TDSS.ap 1
Selected area has been scanned.

#12 kahdah


  • Security Colleague
  • 11,138 posts
  • Gender:Male
  • Location:Florida

Posted 10 August 2010 - 06:24 AM

Hi, looks good. The only file left on the machine is this one:
C:\Documents and Settings\Tyler R\Application Data\Sun\Java\Deployment\cache\6.0\16\62da3790-4334b9a0
Please go ahead and delete that file.
------------------------------------------
Also let me know how things are running and run DDS once more and post the dds.txt that opens up.
Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here.
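The Kaspersky report above lists four infected objects, yet the reply treats only the Java cache file as still live. That follows from where the other three sit: ComboFix quarantines a file by mirroring its original path under C:\Qoobox\Quarantine\<drive>\ and appending .vir, stores the boot-sector dump as MBR_HardDisk0.mbr, and the System Volume Information\_restore{...}\RPnnn path is a System Restore snapshot, not a running component. The Python script below is an added example, not part of the original thread and not code from Kaspersky, ComboFix or DDS: it parses report rows of the "File name Infected: Threat Count" shape, sorts them into live, quarantined and restore-point detections, and recovers the original location of each mirrored quarantine file. The sample rows are re-typed from the report above.

```python
import re
from dataclasses import dataclass

# Constructed sample: the four detection rows from the Kaspersky Online Scanner
# report in this thread, re-typed as test input.
SAMPLE_REPORT = """\
C:\\Documents and Settings\\Tyler R\\Application Data\\Sun\\Java\\Deployment\\cache\\6.0\\16\\62da3790-4334b9a0 Infected: Trojan-Clicker.Win32.Cycler.gen 1
C:\\Qoobox\\Quarantine\\C\\WINDOWS\\system32\\Drivers\\disk.sys.vir Infected: Rootkit.Win32.TDSS.ap 1
C:\\Qoobox\\Quarantine\\MBR_HardDisk0.mbr Infected: Trojan-Clicker.Win32.Wistler.a 1
C:\\System Volume Information\\_restore{D7EECCCB-504A-4B73-84FE-DF9426EF622E}\\RP386\\A0159033.sys Infected: Rootkit.Win32.TDSS.ap 1
"""

# One report row: "<path> Infected: <threat name> <count>"
LINE_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<threat>\S+) (?P<count>\d+)$")
# ComboFix mirrors a quarantined file as <drive>:\Qoobox\Quarantine\<drive>\<original path>.vir
QUARANTINE_RE = re.compile(r"^([A-Z]):\\Qoobox\\Quarantine\\([A-Z])\\(.+)\.vir$", re.IGNORECASE)
ANY_QUARANTINE_RE = re.compile(r"^[A-Z]:\\Qoobox\\Quarantine\\", re.IGNORECASE)
# System Restore snapshot: <drive>:\System Volume Information\_restore{GUID}\RPnnn\...
RESTORE_RE = re.compile(
    r"^[A-Z]:\\System Volume Information\\_restore\{[0-9A-F-]+\}\\(RP\d+)\\", re.IGNORECASE)


@dataclass
class Detection:
    path: str
    threat: str
    state: str   # "live", "quarantined" or "restore-point"
    note: str    # original location (quarantine), restore point id, or the path itself


def classify(path):
    """Decide whether a detected path is a live file or an inert copy."""
    m = QUARANTINE_RE.match(path)
    if m:
        # Rebuild the path the file had before ComboFix moved it.
        return "quarantined", f"{m.group(2).upper()}:\\{m.group(3)}"
    if ANY_QUARANTINE_RE.match(path):
        return "quarantined", "ComboFix quarantine item (not a mirrored file path)"
    m = RESTORE_RE.match(path)
    if m:
        return "restore-point", m.group(1)
    return "live", path


def parse_report(text):
    """Parse every well-formed detection row into a Detection."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        state, note = classify(m.group("path"))
        out.append(Detection(m.group("path"), m.group("threat"), state, note))
    return out


def live_detections(text):
    """Only the detections that still need action on the running system."""
    return [d for d in parse_report(text) if d.state == "live"]


if __name__ == "__main__":
    for d in parse_report(SAMPLE_REPORT):
        print(f"{d.state:14} {d.threat:34} {d.note}")
```

Run against the sample, the script reports three inert copies and a single live hit, the Java cache object that the reply asks the poster to delete by hand. Quarantine and restore-point copies still deserve cleanup (ComboFix /uninstall and a fresh restore point, as described later in the thread), but they are not what keeps a machine infected.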

#13 cubsfan518

  • Topic Starter

  • Members
  • 17 posts
  • Gender:Male

Posted 10 August 2010 - 10:20 AM

Hello,

I deleted the one file, and the DDS log is posted below. Everything seems to be back to normal. There is no 100% cpu usage at startup, and everything seems to be at the same speed as before the infection. My parents wanted me to bring the laptop into a repair shop, which would have cost well over $250, but I knew you guys would be able to help me. Thank you for all your help.



DDS (Ver_10-03-17.01) - NTFSx86
Run by Tyler R at 10:05:01.39 on Tue 08/10/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1918.1439 [GMT -5:00]

AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Toshiba\Windows Utilities\Hotkey.exe
C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\TPSMain.exe
C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\RAMASST.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\acs.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\WINDOWS\system32\TODDSrv.exe
C:\PROGRA~1\SPEEDB~1\VideoAcceleratorService.exe
C:\PROGRA~1\SPEEDB~1\VideoAcceleratorEngine.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\TPSBattM.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Tyler R\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = <local>
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar3.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar3.dll
TB: {F35CE83E-9EBF-40D5-AE87-53F982389740} - No File
uRun: [TOSCDSPD] c:\program files\toshiba\toscdspd\toscdspd.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [Toshiba Hotkey Utility] "c:\program files\toshiba\windows utilities\Hotkey.exe" /lang en
mRun: [PadTouch] c:\program files\toshiba\touch and launch\PadExe.exe
mRun: [SmoothView] c:\program files\toshiba\toshiba zooming utility\SmoothView.exe
mRun: [Pinger] c:\toshiba\ivp\ism\pinger.exe /run
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [SkyTel] SkyTel.EXE
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [TPSMain] TPSMain.exe
mRun: [avast5] c:\progra~1\alwils~1\avast5\avastUI.exe /nogui
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
dRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil10b.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ramasst.lnk - c:\windows\system32\RAMASST.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {FB858B22-55E2-413f-87F5-30ADC5552151} - c:\program files\plotsoft\pdfill\DownloadPDF.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
LSP: c:\progra~1\speedb~1\sblsp.dll
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader5.cab
DPF: {1340C00E-B1FF-4117-B993-E58FF774A605} - hxxp://www.playrealbaseball.com/include/launchRBO_v1.1.0.0.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} - hxxp://rpma04ln.rush.edu/iNotes6W.cab
DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} - hxxp://www.eset.eu/buxus/docs/OnlineScanner.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1240694908218
DPF: {74C861A1-D548-4916-BC8A-FDE92EDFF62C} - hxxp://mediaplayer.walmart.com/installer/install.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} - hxxp://web1.shutterfly.com/downloads/Uploader.cab
DPF: {AE6C4705-0F11-4ACB-BDD4-37F138BEF289} - hxxp://dominicks.lifepics.com/net/Uploader/LPUploader45.cab
DPF: {C4577C19-00D1-4756-B4EF-01634E5064E0} - hxxp://www.playrealbaseball.com/include/launchRBO.cab
DPF: {C7DEDA04-2FFF-4B81-AE66-0A0E0EF4AD2F} - hxxp://www.ritzpix.com/net/Uploader/LPUploader57.cab
DPF: {CAFEEFAC-0015-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {D0C0F75C-683A-4390-A791-1ACFD5599AB8} - hxxp://bestbuy.oberon-media.com/Gameshell/GameHost/1.0/OberonGameHost.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A}
TCP: {7C0E9482-B25F-4CD8-9D26-2A09498A3E54} = 208.67.222.222,208.67.220.220
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2008-4-7 165456]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-4-7 17744]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-1-30 40384]
R2 tdudf;TOSHIBA UDF File System Driver;c:\windows\system32\drivers\tdudf.sys [2006-6-28 98816]
R2 VideoAcceleratorService;VideoAcceleratorService;c:\progra~1\speedb~1\videoacceleratorservice.exe -start -scm --> c:\progra~1\speedb~1\VideoAcceleratorService.exe -start -scm [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-5-7 136176]
S3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-1-30 40384]
S3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-1-30 40384]
S3 GoogleDesktopManager-110309-193829;Google Desktop Manager 5.9.911.3589;c:\program files\google\google desktop search\GoogleDesktop.exe [2006-8-21 30192]
S3 PEEK5;PEEK5 Protocol Driver;\??\c:\docume~1\alluse~1\docume~1\mypict~1\sample~1\runesc~1\aircra~1.1-w\aircra~1.1\bin\peek5.sys --> c:\docume~1\alluse~1\docume~1\mypict~1\sample~1\runesc~1\aircra~1.1-w\aircra~1.1\bin\PEEK5.SYS [?]
S3 TNET1130;802.11 WLAN;c:\windows\system32\drivers\TNET1130.sys [2004-12-1 438912]

=============== Created Last 30 ================

2010-08-09 18:40:33 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-08-09 18:40:31 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-08-09 18:00:21 0 d-----w- C:\ComboFix
2010-08-07 18:10:01 77312 ----a-w- c:\windows\MBR.exe
2010-08-07 18:10:01 256512 ----a-w- c:\windows\PEV.exe
2010-08-04 21:44:32 0 dc-h--w- c:\docume~1\alluse~1\applic~1\{BD986C1B-72EC-4B82-B47B-6CAC4E6F494E}
2010-07-26 20:28:55 0 d-----w- c:\docume~1\alluse~1\applic~1\PlotSoft
2010-07-26 20:28:54 0 d-----w- c:\program files\PlotSoft
2010-07-26 19:35:05 32768 ----a-w- c:\windows\system32\DemoContextMenu.dll
2010-07-26 19:35:05 2063360 ----a-w- c:\windows\system32\QuickPDFAX0719.dll
2010-07-26 19:04:00 0 d-----w- c:\documents and settings\tyler r\Calibre Library
2010-07-26 19:03:51 0 d-----w- c:\docume~1\tylerr~1\applic~1\calibre
2010-07-26 19:01:58 0 d-----w- c:\program files\Calibre2
2010-07-23 19:24:46 0 d-----w- C:\ATI
2010-07-23 19:05:48 423656 ----a-w- c:\windows\system32\deployJava1.dll
2010-07-22 19:36:38 95024 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2010-07-20 22:36:45 664 ----a-w- c:\windows\system32\d3d9caps.dat
2010-07-20 22:17:39 0 d-----w- c:\docume~1\tylerr~1\applic~1\Malwarebytes
2010-07-20 22:17:24 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-07-20 22:17:23 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-07-13 22:09:08 744448 -c----w- c:\windows\system32\dllcache\helpsvc.exe
2010-07-13 21:42:26 38848 ----a-w- c:\windows\avastSS.scr

==================== Find3M ====================

2010-08-08 18:52:05 46 ----a-w- c:\documents and settings\tyler r\jagex_runescape_preferences.dat
2010-08-08 18:51:33 99 ----a-w- c:\documents and settings\tyler r\jagex_runescape_preferences2.dat
2010-07-26 20:47:36 979764 ----a-w- c:\windows\fonts\CAMBRIA1.ttf
2010-07-26 20:47:36 946420 ----a-w- c:\windows\fonts\CAMBRIA0.ttf
2010-05-18 21:35:16 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-05-18 21:35:16 107808 ----a-w- c:\windows\system32\dns-sd.exe
2007-09-28 20:19:56 11368352 -c--a-w- c:\program files\FirstClass.exe
2008-08-23 17:53:31 32768 -csha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008082320080824\index.dat

============= FINISH: 10:05:41.50 ===============


#14 kahdah


  • Security Colleague
  • 11,138 posts
  • Gender:Male
  • Location:Florida

Posted 10 August 2010 - 01:01 PM

You are very welcome.

=======Cleanup
  • Click START then RUN
  • Now type Combofix /uninstall in the run box and click OK. Note the space between the X and the /uninstall; it needs to be there.
===============Update Java

Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older-version Java components and update:
  • Download the latest version of Java SE Runtime Environment (JRE) and save it to your desktop.
  • Scroll down to where it says "(JRE)" and click on it.
  • Click the "Download" button to the right.
  • Select your Platform: "Windows".
  • Select your Language: "Multi-language".
  • Read the License Agreement, and then check the box that says: "Accept License Agreement".
  • Click Continue and the page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u21-windows-i586.exe to install the newest version.

Delete/uninstall anything else that we have used that is left over.


After that you're all set.


===The following are some articles and a Windows Update link that I like to suggest to people to prevent malware and general PC maintenance===

Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.

Prevention article: some great guidelines to follow to prevent future infections; please read the Prevention article by Miekiemoes.

"How did I get infected in the first place?": also this one, by Tony Klein.

If your computer is slow: a tutorial on what you can do if your computer is slow.

File sharing program dangers: reasons to stay away from file sharing programs, for example BitTorrent, Limewire, Kazaa, eMule, uTorrent etc.



===Free antimalware tools used for on-demand scanning and cleaning (no real-time protection unless purchased)===

Malwarebytes Antimalware
superantispyware

===Free antivirus links===

This is antivirus and antispyware.
Microsoft Security Essentials
This is free antispyware protection and Antivirus protection.
AVG free 9.0
This is just antivirus protection.
Antivir
This is antivirus and antispyware protection.
Avast


Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here.
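The "update Java" advice in this post can be checked against the DDS log the poster submitted: the Downloaded Program Files (DPF:) lines carry one Java plug-in CLSID per installed JRE, in the form {CAFEEFAC-00<major><minor>-<micro>-<update>-ABCDEFFEDCBA}, so {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} is 1.6.0_21, and the cab filename (jinstall-1_6_0_21-...) repeats the same version. The {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} entry is the "latest installed" alias rather than a separate install. The Python script below is an added example, not part of the original thread and not code from DDS or from Sun: it extracts every static JRE version from such lines, cross-checks each CLSID against its cab name, and reports everything but the newest as a candidate for removal in Add/Remove Programs. Treat the output as a triage hint only: a CLSID registration can outlive an uninstall, so Add/Remove Programs stays the authority, exactly as the steps above describe. The sample lines are re-typed from the DDS log in this thread, plus one non-Java DPF line to show it is ignored.

```python
import re

# Constructed sample: Java-related "DPF:" lines from the DDS log posted in this
# thread, re-typed as test input, plus the Flash line as a non-Java control.
SAMPLE_DDS = """\
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
"""

# Static per-version Java plug-in CLSID: CAFEEFAC-00<major><minor>-<micro>-<update>-ABCDEFFEDCBA.
# The digits are decimal (0021 is update 21). The FFFF alias does not match \d and is skipped.
STATIC_CLSID_RE = re.compile(
    r"^DPF: \{CAFEEFAC-00(?P<major>\d)(?P<minor>\d)-(?P<micro>\d{4})-(?P<update>\d{4})-ABCDEFFEDCBA\}",
    re.IGNORECASE)
# The installer cab name carries the same version: jinstall-1_6_0_21-windows-i586.cab
CAB_RE = re.compile(r"jinstall-(?P<major>\d+)_(?P<minor>\d+)_(?P<micro>\d+)_(?P<update>\d+)-",
                    re.IGNORECASE)


def java_versions(dds_text):
    """Sorted list of distinct (major, minor, micro, update) tuples for static JRE plug-in CLSIDs."""
    found = set()
    for raw in dds_text.splitlines():
        line = raw.strip()
        m = STATIC_CLSID_RE.match(line)
        if not m:
            continue
        version = tuple(int(m.group(k)) for k in ("major", "minor", "micro", "update"))
        cab = CAB_RE.search(line)
        if cab:
            cab_version = tuple(int(cab.group(k)) for k in ("major", "minor", "micro", "update"))
            if cab_version != version:
                # A CLSID pointing at a different installer is worth a human look.
                raise ValueError(f"CLSID/cab version mismatch: {line}")
        found.add(version)
    return sorted(found)


def stale_versions(dds_text):
    """Every registered JRE version except the newest one."""
    versions = java_versions(dds_text)
    return versions[:-1] if versions else []


def fmt(version):
    """Render (1, 6, 0, 21) the way Sun named it: 1.6.0_21."""
    major, minor, micro, update = version
    return f"{major}.{minor}.{micro}_{update:02d}"


def report(dds_text):
    """Human-readable summary lines for the triage result."""
    versions = java_versions(dds_text)
    if not versions:
        return ["no static Java plug-in CLSIDs found"]
    lines = [f"newest registered JRE: {fmt(versions[-1])}"]
    lines += [f"stale JRE still registered: {fmt(v)}" for v in stale_versions(dds_text)]
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_DDS)))
```

On the sample, the newest registered plug-in is 1.6.0_21 (the version this post tells the poster to install) and four older ones, 1.5.0_07 through 1.6.0_05, are still registered; each of those is a copy of the plug-in that a malicious page could pick with the matching static CLSID, which is why the post asks for every older JRE to be removed rather than only the newest to be installed.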



