Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Browsser redirect virus


  • This topic is locked This topic is locked
22 replies to this topic

#1 jilda

jilda

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:07:07 PM

Posted 24 August 2010 - 01:35 PM

Ok, so for the last 2 weeks I've been trying to make it through the prep guide and post my problems. When trying to use IE, Firefox or Google I'm redirected to other sites. I can get to your site by using the address bar. I get redirected then I arrow back and Avast pops up telling me it has blocked a trojan (3xs) I also have SuperAntiSpyWare and MalwareBytes. Avast won't update and the other two are missing something. When downloading DDS I lost my desktop until I rebooted (2xs), problems loading the backup programs, and if I minimize bleeping computer window to copy and paste the logs as told to do in the guide the computer freezes and I have to resort to the reset button (3xs) I finally tried opening the log files first, then going to your site using the link in removal guide I finally got everything right hit the post button and I get - Page has been reset- try again! Soooo, twice more I try to post, same thing. I'm now bypassing the link and hope this works. As you might have guessed, I'M JUST A LITTLE BIT UUUUPPPPSSSEEETTTT! LOL HAHAHAHAHAHAHAHAHAHAHAHA Please help soon

BC AdBot (Login to Remove)

 


#2 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,771 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:04:07 AM

Posted 30 August 2010 - 09:57 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

Please include a clear description of the problems you're having, along with any steps you may have performed so far.

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

Even if you have already provided information about your PC, we need a new log to see what has changed since you originally posted your problem.
We need to create an OTL Report
  1. Please download OTL from one of the following mirrors:
  2. Save it to your desktop.
  3. Double click on the icon on your desktop.
  4. Click the "Scan All Users" checkbox.
  5. In the custom scan box paste the following:
    CODE
    msconfig
    safebootminimal
    activex
    drivers32
    netsvcs
    %SYSTEMDRIVE%\*.exe
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    nvstor32.sys
    ahcix86s.sys
    nvrd32.sys
    symmpi.sys
    adp3132.sys
    mv61xx.sys
    nvraid.sys
    /md5stop
    %systemroot%\*. /mp /s
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\system32\drivers\*.sys /lockedfiles
    %systemroot%\System32\config\*.sav
    %systemroot%\system32\drivers\*.sys /90
  6. Push the button.
  7. Two reports will open, copy and paste them in a reply here:
    • OTL.txt <-- Will be opened
    • Extra.txt<--Will be minimized

In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. I suggest you do this and select Immediate E-Mail notification and click on Proceed. This way you will be advised when we respond to your topic and facilitate the cleaning of your machine.

After 5 days if a topic is not replied to we assume it has been abandoned and it is closed.

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+


#3 jilda

jilda
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:07:07 PM

Posted 30 August 2010 - 07:13 PM

OK so I've been trying to post the logs and keep getting a window saying that the connection has been reset while the page was loading. Maybe this time, uh no. So I just now cut the logs out of the post to see if I can post.



#4 jilda

jilda
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:07:07 PM

Posted 30 August 2010 - 07:22 PM

I tried to post the logs again and got the same message. Help!!

#5 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,771 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:04:07 AM

Posted 31 August 2010 - 02:36 AM

Hi,

ok, let's try something with a shorter log then.

Please download MBRCheck.exe to your desktop.
  1. Double click to run it
  2. It will prompt you with some text
  3. Left click on title bar (where program name and path is written)
  4. From menu chose Edit -> Select All
  5. Now just click Enter key on keyboard to copy selected text
  6. Now paste that text here for me.

If you can't post the complete log, just let me know what mbr code it detected.

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+


#6 jilda

jilda
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:07:07 PM

Posted 31 August 2010 - 10:49 AM

MBRCheck, version 1.2.3
© 2010, AD

Command-line:
Windows Version: Windows XP Professional
Windows Information: Service Pack 2 (build 2600)
Logical Drives Mask: 0x0000003c

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)
\\.\F: --> \\.\PhysicalDrive1 at offset 0x00000000`00007e00 (NTFS)

Size Device Name MBR Status
--------------------------------------------
74 GB \\.\PhysicalDrive0 Windows XP MBR code detected
SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A
74 GB \\.\PhysicalDrive1 Windows XP MBR code detected
SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A


Done!
Press ENTER to exit...


#7 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,771 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:04:07 AM

Posted 01 September 2010 - 04:20 AM

Hi,
  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.
  • Go to Start > Run (Or you can hold down your Windows key and press R) and copy and paste the following into the text field. (make sure you include the quote marks) Then press OK.

    "%userprofile%\Desktop\TDSSKiller.exe" -l C:\TDSSKiller.txt

  • If it says "Hidden service detected" DO NOT type anything in. Just press Enter on your keyboard to not do anything to the file.
  • When it is done, a log file should be created on your C: drive called "TDSSKiller.txt" please copy and paste the contents of that file here.

If things go well you should be able to post long logs after that.

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+


#8 jilda

jilda
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:07:07 PM

Posted 01 September 2010 - 02:00 PM

Salutations
I'm not sure if this is what you wanted. I've never extracted from a zip folder so it took me awhile. My friends keep telling me to just reformat and reload XP but after fighting 3 months just to get here I'm determined to WIN!
2010/09/01 11:40:47.0594 TDSS rootkit removing tool 2.4.1.4 Aug 31 2010 16:55:25
2010/09/01 11:40:47.0594 ================================================================================
2010/09/01 11:40:47.0594 SystemInfo:
2010/09/01 11:40:47.0594
2010/09/01 11:40:47.0594 OS Version: 5.1.2600 ServicePack: 2.0
2010/09/01 11:40:47.0594 Product type: Workstation
2010/09/01 11:40:47.0594 ComputerName: THEGOBLINSBLADE
2010/09/01 11:40:47.0594 UserName: Administrator
2010/09/01 11:40:47.0594 Windows directory: C:\WINDOWS
2010/09/01 11:40:47.0594 System windows directory: C:\WINDOWS
2010/09/01 11:40:47.0594 Processor architecture: Intel x86
2010/09/01 11:40:47.0594 Number of processors: 1
2010/09/01 11:40:47.0594 Page size: 0x1000
2010/09/01 11:40:47.0594 Boot type: Normal boot
2010/09/01 11:40:47.0594 ================================================================================
2010/09/01 11:40:47.0859 Initialize success
2010/09/01 11:40:56.0626 ================================================================================
2010/09/01 11:40:56.0626 Scan started
2010/09/01 11:40:56.0626 Mode: Manual;
2010/09/01 11:40:56.0626 ================================================================================
2010/09/01 11:40:57.0282 Aavmker4 (467f062f76e07512ecc1f5f60aab2988) C:\WINDOWS\system32\drivers\Aavmker4.sys
2010/09/01 11:40:57.0469 ACPI (a10c7534f7223f4a73a948967d00e69b) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2010/09/01 11:40:57.0548 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
2010/09/01 11:40:57.0657 aeaudio (11c04b17ed2abbb4833694bcd644ac90) C:\WINDOWS\system32\drivers\aeaudio.sys
2010/09/01 11:40:57.0751 aec (1ee7b434ba961ef845de136224c30fec) C:\WINDOWS\system32\drivers\aec.sys
2010/09/01 11:40:57.0829 AFD (5ac495f4cb807b2b98ad2ad591e6d92e) C:\WINDOWS\System32\drivers\afd.sys
2010/09/01 11:40:58.0251 aswFsBlk (0c0b08847f2f24baa7bd43d8f2c6c8b0) C:\WINDOWS\system32\drivers\aswFsBlk.sys
2010/09/01 11:40:58.0313 aswMon2 (aa504fa592c9ed79174cb06b8ae340aa) C:\WINDOWS\system32\drivers\aswMon2.sys
2010/09/01 11:40:58.0345 aswRdr (f385ffd39165453fda96736aa3edfd9d) C:\WINDOWS\system32\drivers\aswRdr.sys
2010/09/01 11:40:58.0438 aswSP (45adea26bf613a54fed64ecdd12e58a7) C:\WINDOWS\system32\drivers\aswSP.sys
2010/09/01 11:40:58.0485 aswTdi (c4ee975c87176f1900662d2874233c7f) C:\WINDOWS\system32\drivers\aswTdi.sys
2010/09/01 11:40:58.0563 AsyncMac (02000abf34af4c218c35d257024807d6) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2010/09/01 11:40:58.0595 atapi (b4cd4dcc2f5746912932a841464a66c5) C:\WINDOWS\system32\DRIVERS\atapi.sys
2010/09/01 11:40:58.0595 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\atapi.sys. Real md5: b4cd4dcc2f5746912932a841464a66c5, Fake md5: cdfe4411a69c224bd1d11b2da92dac51
2010/09/01 11:40:58.0610 atapi - detected Rootkit.Win32.TDSS.tdl3 (0)
2010/09/01 11:40:58.0688 Atmarpc (ec88da854ab7d7752ec8be11a741bb7f) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2010/09/01 11:40:58.0751 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2010/09/01 11:40:58.0829 bcm4sbxp (068523d2cd260069b19ad68adea0d739) C:\WINDOWS\system32\DRIVERS\bcm4sbxp.sys
2010/09/01 11:40:58.0970 BCMModem (41347688046d49cde0f6d138a534f73d) C:\WINDOWS\system32\DRIVERS\BCMSM.sys
2010/09/01 11:40:59.0126 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2010/09/01 11:40:59.0220 cbcb (86d1aace75ca954f0ac2d935b8930e40) C:\WINDOWS\system32\cbcb.sys
2010/09/01 11:40:59.0235 Suspicious file (NoAccess): C:\WINDOWS\system32\cbcb.sys. md5: 86d1aace75ca954f0ac2d935b8930e40
2010/09/01 11:40:59.0235 cbcb - detected Locked file (1)
2010/09/01 11:40:59.0313 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2010/09/01 11:40:59.0376 CCDECODE (6163ed60b684bab19d3352ab22fc48b2) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
2010/09/01 11:40:59.0470 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2010/09/01 11:40:59.0516 Cdfs (cd7d5152df32b47f4e36f710b35aae02) C:\WINDOWS\system32\drivers\Cdfs.sys
2010/09/01 11:40:59.0610 Cdrom (af9c19b3100fe010496b1a27181fbf72) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2010/09/01 11:40:59.0923 Disk (00ca44e4534865f8a3b64f7c0984bff0) C:\WINDOWS\system32\DRIVERS\disk.sys
2010/09/01 11:41:00.0017 dmboot (c0fbb516e06e243f0cf31f597e7ebf7d) C:\WINDOWS\system32\drivers\dmboot.sys
2010/09/01 11:41:00.0110 dmio (f5e7b358a732d09f4bcf2824b88b9e28) C:\WINDOWS\system32\drivers\dmio.sys
2010/09/01 11:41:00.0188 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2010/09/01 11:41:00.0267 DMusic (a6f881284ac1150e37d9ae47ff601267) C:\WINDOWS\system32\drivers\DMusic.sys
2010/09/01 11:41:00.0360 dot4 (ad7fc1963b152b3728e3c4f83554a576) C:\WINDOWS\system32\DRIVERS\Dot4.sys
2010/09/01 11:41:00.0423 Dot4Print (77ce63a8a34ae23d9fe4c7896d1debe7) C:\WINDOWS\system32\DRIVERS\Dot4Prt.sys
2010/09/01 11:41:00.0454 Dot4Scan (bd05306428da63369692477ddc0f6f5f) C:\WINDOWS\system32\DRIVERS\Dot4Scan.sys
2010/09/01 11:41:00.0501 dot4usb (6ec3af6bb5b30e488a0c559921f012e1) C:\WINDOWS\system32\DRIVERS\dot4usb.sys
2010/09/01 11:41:00.0626 drmkaud (1ed4dbbae9f5d558dbba4cc450e3eb2e) C:\WINDOWS\system32\drivers\drmkaud.sys
2010/09/01 11:41:00.0704 Fastfat (3117f595e9615e04f05a54fc15a03b20) C:\WINDOWS\system32\drivers\Fastfat.sys
2010/09/01 11:41:00.0782 Fdc (ced2e8396a8838e59d8fd529c680e02c) C:\WINDOWS\system32\DRIVERS\fdc.sys
2010/09/01 11:41:00.0860 Fips (e153ab8a11de5452bcf5ac7652dbf3ed) C:\WINDOWS\system32\drivers\Fips.sys
2010/09/01 11:41:00.0923 Flpydisk (0dd1de43115b93f4d85e889d7a86f548) C:\WINDOWS\system32\drivers\Flpydisk.sys
2010/09/01 11:41:01.0001 FltMgr (3d234fb6d6ee875eb009864a299bea29) C:\WINDOWS\system32\DRIVERS\fltMgr.sys
2010/09/01 11:41:01.0079 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2010/09/01 11:41:01.0126 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2010/09/01 11:41:01.0204 GEARAspiWDM (4ac51459805264affd5f6fdfb9d9235f) C:\WINDOWS\system32\Drivers\GEARAspiWDM.sys
2010/09/01 11:41:01.0282 Gpc (c0f1d4a21de5a415df8170616703debf) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2010/09/01 11:41:01.0376 hidusb (1de6783b918f540149aa69943bdfeba8) C:\WINDOWS\system32\DRIVERS\hidusb.sys
2010/09/01 11:41:01.0517 HTTP (cb77bb47e67e84deb17ba29632501730) C:\WINDOWS\system32\Drivers\HTTP.sys
2010/09/01 11:41:01.0689 i8042prt (5502b58eef7486ee6f93f3f164dcb808) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2010/09/01 11:41:01.0798 ialm (44b7d5a4f2bd9fe21aea0bb0bace38c4) C:\WINDOWS\system32\DRIVERS\ialmnt5.sys
2010/09/01 11:41:01.0892 Imapi (f8aa320c6a0409c0380e5d8a99d76ec6) C:\WINDOWS\system32\DRIVERS\imapi.sys
2010/09/01 11:41:02.0032 IntelIde (2d722b2b54ab55b2fa475eb58d7b2aad) C:\WINDOWS\system32\DRIVERS\intelide.sys
2010/09/01 11:41:02.0157 intelppm (279fb78702454dff2bb445f238c048d2) C:\WINDOWS\system32\DRIVERS\intelppm.sys
2010/09/01 11:41:02.0220 Ip6Fw (4448006b6bc60e6c027932cfc38d6855) C:\WINDOWS\system32\DRIVERS\Ip6Fw.sys
2010/09/01 11:41:02.0282 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2010/09/01 11:41:02.0329 IpInIp (e1ec7f5da720b640cd8fb8424f1b14bb) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2010/09/01 11:41:02.0407 IpNat (e2168cbc7098ffe963c6f23f472a3593) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2010/09/01 11:41:02.0470 IPSec (64537aa5c003a6afeee1df819062d0d1) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2010/09/01 11:41:02.0548 IRENUM (50708daa1b1cbb7d6ac1cf8f56a24410) C:\WINDOWS\system32\DRIVERS\irenum.sys
2010/09/01 11:41:02.0626 isapnp (e504f706ccb699c2596e9a3da1596e87) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2010/09/01 11:41:02.0720 Kbdclass (ebdee8a2ee5393890a1acee971c4c246) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2010/09/01 11:41:02.0798 kbdhid (e182fa8e49e8ee41b4adc53093f3c7e6) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
2010/09/01 11:41:02.0876 kmixer (ba5deda4d934e6288c2f66caf58d2562) C:\WINDOWS\system32\drivers\kmixer.sys
2010/09/01 11:41:02.0939 KSecDD (eb7ffe87fd367ea8fca0506f74a87fbb) C:\WINDOWS\system32\drivers\KSecDD.sys
2010/09/01 11:41:03.0095 MDFSYSNT (5ee26d656edab11eecc5e1de6a378fd2) C:\WINDOWS\system32\drivers\MDFSYSNT.sys
2010/09/01 11:41:03.0142 MDPMGRNT (54d441f64ce6da15820ef49cd705376f) C:\WINDOWS\system32\drivers\MDPMGRNT.sys
2010/09/01 11:41:03.0220 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2010/09/01 11:41:03.0282 Modem (6fc6f9d7acc36dca9b914565a3aeda05) C:\WINDOWS\system32\drivers\Modem.sys
2010/09/01 11:41:03.0345 MODEMCSA (1992e0d143b09653ab0f9c5e04b0fd65) C:\WINDOWS\system32\drivers\MODEMCSA.sys
2010/09/01 11:41:03.0392 Mouclass (34e1f0031153e491910e12551400192c) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2010/09/01 11:41:03.0454 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
2010/09/01 11:41:03.0501 MountMgr (65653f3b4477f3c63e68a9659f85ee2e) C:\WINDOWS\system32\drivers\MountMgr.sys
2010/09/01 11:41:03.0595 MRxDAV (46edcc8f2db2f322c24f48785cb46366) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2010/09/01 11:41:03.0751 MRxSmb (025af03ce51645c62f3b6907a7e2be5e) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2010/09/01 11:41:03.0829 Msfs (561b3a4333ca2dbdba28b5b956822519) C:\WINDOWS\system32\drivers\Msfs.sys
2010/09/01 11:41:03.0907 MSKSSRV (ae431a8dd3c1d0d0610cdbac16057ad0) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2010/09/01 11:41:03.0970 MSPCLOCK (13e75fef9dfeb08eeded9d0246e1f448) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2010/09/01 11:41:04.0001 MSPQM (1988a33ff19242576c3d0ef9ce785da7) C:\WINDOWS\system32\drivers\MSPQM.sys
2010/09/01 11:41:04.0079 mssmbios (469541f8bfd2b32659d5d463a6714bce) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2010/09/01 11:41:04.0142 MSTEE (bf13612142995096ab084f2db7f40f77) C:\WINDOWS\system32\drivers\MSTEE.sys
2010/09/01 11:41:04.0189 Mup (82035e0f41c2dd05ae41d27fe6cf7de1) C:\WINDOWS\system32\drivers\Mup.sys
2010/09/01 11:41:04.0267 N100 (c7eb926899ff4575b630087ea4c7af61) C:\WINDOWS\system32\DRIVERS\n100325.sys
2010/09/01 11:41:04.0345 NABTSFEC (5c8dc6429c43dc6177c1fa5b76290d1a) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
2010/09/01 11:41:04.0423 NDIS (558635d3af1c7546d26067d5d9b6959e) C:\WINDOWS\system32\drivers\NDIS.sys
2010/09/01 11:41:04.0486 NdisIP (520ce427a8b298f54112857bcf6bde15) C:\WINDOWS\system32\DRIVERS\NdisIP.sys
2010/09/01 11:41:04.0548 NdisTapi (08d43bbdacdf23f34d79e44ed35c1b4c) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2010/09/01 11:41:04.0626 Ndisuio (34d6cd56409da9a7ed573e1c90a308bf) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2010/09/01 11:41:04.0720 NdisWan (0b90e255a9490166ab368cd55a529893) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2010/09/01 11:41:04.0767 NDProxy (59fc3fb44d2669bc144fd87826bb571f) C:\WINDOWS\system32\drivers\NDProxy.sys
2010/09/01 11:41:04.0829 NetBIOS (3a2aca8fc1d7786902ca434998d7ceb4) C:\WINDOWS\system32\DRIVERS\netbios.sys
2010/09/01 11:41:04.0892 NetBT (0c80e410cd2f47134407ee7dd19cc86b) C:\WINDOWS\system32\DRIVERS\netbt.sys
2010/09/01 11:41:04.0970 Npfs (4f601bcb8f64ea3ac0994f98fed03f8e) C:\WINDOWS\system32\drivers\Npfs.sys
2010/09/01 11:41:05.0064 Ntfs (19a811ef5f1ed5c926a028ce107ff1af) C:\WINDOWS\system32\drivers\Ntfs.sys
2010/09/01 11:41:05.0158 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2010/09/01 11:41:05.0204 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2010/09/01 11:41:05.0283 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2010/09/01 11:41:05.0345 Parport (29744eb4ce659dfe3b4122deb45bc478) C:\WINDOWS\system32\DRIVERS\parport.sys
2010/09/01 11:41:05.0392 PartMgr (3334430c29dc338092f79c38ef7b4cd0) C:\WINDOWS\system32\drivers\PartMgr.sys
2010/09/01 11:41:05.0454 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2010/09/01 11:41:05.0533 PCI (8086d9979234b603ad5bc2f5d890b234) C:\WINDOWS\system32\DRIVERS\pci.sys
2010/09/01 11:41:05.0626 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\drivers\PCIIde.sys
2010/09/01 11:41:05.0689 Pcmcia (82a087207decec8456fbe8537947d579) C:\WINDOWS\system32\drivers\Pcmcia.sys
2010/09/01 11:41:06.0001 PptpMiniport (1c5cc65aac0783c344f16353e60b72ac) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2010/09/01 11:41:06.0064 PSched (48671f327553dcf1d27f6197f622a668) C:\WINDOWS\system32\DRIVERS\psched.sys
2010/09/01 11:41:06.0095 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2010/09/01 11:41:06.0361 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2010/09/01 11:41:06.0423 Rasl2tp (98faeb4a4dcf812ba1c6fca4aa3e115c) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2010/09/01 11:41:06.0470 RasPppoe (7306eeed8895454cbed4669be9f79faa) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2010/09/01 11:41:06.0517 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2010/09/01 11:41:06.0595 Rdbss (03b965b1ca47f6ef60eb5e51cb50e0af) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2010/09/01 11:41:06.0689 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2010/09/01 11:41:06.0814 rdpdr (a2cae2c60bc37e0751ef9dda7ceaf4ad) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
2010/09/01 11:41:06.0939 RDPWD (b54cd38a9ebfbf2b3561426e3fe26f62) C:\WINDOWS\system32\drivers\RDPWD.sys
2010/09/01 11:41:07.0033 redbook (b31b4588e4086d8d84adbf9845c2402b) C:\WINDOWS\system32\DRIVERS\redbook.sys
2010/09/01 11:41:07.0158 Secdrv (d26e26ea516450af9d072635c60387f4) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2010/09/01 11:41:07.0251 serenum (a2d868aeeff612e70e213c451a70cafb) C:\WINDOWS\system32\DRIVERS\serenum.sys
2010/09/01 11:41:07.0361 Serial (cd9404d115a00d249f70a371b46d5a26) C:\WINDOWS\system32\DRIVERS\serial.sys
2010/09/01 11:41:07.0408 Sfloppy (0d13b6df6e9e101013a7afb0ce629fe0) C:\WINDOWS\system32\drivers\Sfloppy.sys
2010/09/01 11:41:07.0533 SLIP (5caeed86821fa2c6139e32e9e05ccdc9) C:\WINDOWS\system32\DRIVERS\SLIP.sys
2010/09/01 11:41:07.0626 smwdm (31fd0707c7dbe715234f2823b27214fe) C:\WINDOWS\system32\drivers\smwdm.sys
2010/09/01 11:41:07.0798 splitter (0ce218578fff5f4f7e4201539c45c78f) C:\WINDOWS\system32\drivers\splitter.sys
2010/09/01 11:41:07.0892 sr (e41b6d037d6cd08461470af04500dc24) C:\WINDOWS\system32\DRIVERS\sr.sys
2010/09/01 11:41:07.0986 Srv (ea554a3ffc3f536fe8320eb38f5e4843) C:\WINDOWS\system32\DRIVERS\srv.sys
2010/09/01 11:41:08.0064 streamip (284c57df5dc7abca656bc2b96a667afb) C:\WINDOWS\system32\DRIVERS\StreamIP.sys
2010/09/01 11:41:08.0127 swenum (03c1bae4766e2450219d20b993d6e046) C:\WINDOWS\system32\DRIVERS\swenum.sys
2010/09/01 11:41:08.0189 swmidi (94abc808fc4b6d7d2bbf42b85e25bb4d) C:\WINDOWS\system32\drivers\swmidi.sys
2010/09/01 11:41:08.0392 sysaudio (650ad082d46bac0e64c9c0e0928492fd) C:\WINDOWS\system32\drivers\sysaudio.sys
2010/09/01 11:41:08.0517 Tcpip (1dbf125862891817f374f407626967f4) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2010/09/01 11:41:08.0595 TDPIPE (38d437cf2d98965f239b0abcd66dcb0f) C:\WINDOWS\system32\drivers\TDPIPE.sys
2010/09/01 11:41:08.0705 TDTCP (ed0580af02502d00ad8c4c066b156be9) C:\WINDOWS\system32\drivers\TDTCP.sys
2010/09/01 11:41:08.0767 TermDD (a540a99c281d933f3d69d55e48727f47) C:\WINDOWS\system32\DRIVERS\termdd.sys
2010/09/01 11:41:08.0908 Udfs (12f70256f140cd7d52c58c7048fde657) C:\WINDOWS\system32\drivers\Udfs.sys
2010/09/01 11:41:09.0048 Update (aff2e5045961bbc0a602bb6f95eb1345) C:\WINDOWS\system32\DRIVERS\update.sys
2010/09/01 11:41:09.0142 usbccgp (bffd9f120cc63bcbaa3d840f3eef9f79) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
2010/09/01 11:41:09.0205 usbehci (15e993ba2f6946b2bfbbfcd30398621e) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2010/09/01 11:41:09.0252 usbhub (c72f40947f92cea56a8fb532edf025f1) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2010/09/01 11:41:09.0314 usbprint (a42369b7cd8886cd7c70f33da6fcbcf5) C:\WINDOWS\system32\DRIVERS\usbprint.sys
2010/09/01 11:41:09.0361 usbscan (a6bc71402f4f7dd5b77fd7f4a8ddba85) C:\WINDOWS\system32\DRIVERS\usbscan.sys
2010/09/01 11:41:09.0423 usbstor (6cd7b22193718f1d17a47a1cd6d37e75) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2010/09/01 11:41:09.0486 usbuhci (f8fd1400092e23c8f2f31406ef06167b) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
2010/09/01 11:41:09.0564 V0230Vfx (a0c643d5f8c60f12faa6e3454dfe9c32) C:\WINDOWS\system32\DRIVERS\V0230Vfx.sys
2010/09/01 11:41:09.0658 V0230VID (4dda6f6d396cb34171aa36ad025fdc76) C:\WINDOWS\system32\DRIVERS\V0230VID.sys
2010/09/01 11:41:09.0799 VgaSave (8a60edd72b4ea5aea8202daf0e427925) C:\WINDOWS\System32\drivers\vga.sys
2010/09/01 11:41:09.0939 VolSnap (ee4660083deba849ff6c485d944b379b) C:\WINDOWS\system32\drivers\VolSnap.sys
2010/09/01 11:41:10.0017 Wanarp (984ef0b9788abf89974cfed4bfbaacbc) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2010/09/01 11:41:10.0095 wanatw (0a716c08cb13c3a8f4f51e882dbf7416) C:\WINDOWS\system32\DRIVERS\wanatw4.sys
2010/09/01 11:41:10.0236 wdmaud (efd235ca22b57c81118c1aeb4798f1c1) C:\WINDOWS\system32\drivers\wdmaud.sys
2010/09/01 11:41:10.0424 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys
2010/09/01 11:41:10.0502 WSTCODEC (d5842484f05e12121c511aa93f6439ec) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
2010/09/01 11:41:10.0627 ================================================================================
2010/09/01 11:41:10.0627 Scan finished
2010/09/01 11:41:10.0627 ================================================================================
2010/09/01 11:41:10.0627 Detected object count: 2


#9 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,771 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:04:07 AM

Posted 03 September 2010 - 02:53 AM

Hi,

please run ComboFix next:
Please download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Temporarily disable isable your AntiVirus and AntiSpyware applications. They may otherwise interfere with our tools
    Usually this can be done via a right click on the System Tray icon, check this tutorial for disabling the most common security programs: Link

  • Double click on ComboFix.exe & follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply.

This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


If you need help, see this link:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+


#10 jilda

jilda
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:07:07 PM

Posted 03 September 2010 - 03:52 AM

Hi I waited up for you.
ComboFix 10-09-02.01 - Administrator 09/03/2010 1:21.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1527.1229 [GMT -7:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Downloaded Program Files\popcaploader.dll
c:\windows\Downloaded Program Files\popcaploader.inf

Infected copy of c:\windows\system32\drivers\atapi.sys was found and disinfected
Restored copy from - Kitty had a snack tongue.gif
.
((((((((((((((((((((((((( Files Created from 2010-08-03 to 2010-09-03 )))))))))))))))))))))))))))))))
.

2010-08-22 02:35 . 2010-08-22 02:35 -------- d-s---w- c:\documents and settings\NetworkService\UserData
2010-08-13 06:37 . 2010-08-13 06:37 -------- d-----w- c:\windows\system32\LogFiles
2010-08-13 04:26 . 2010-08-13 04:26 -------- d-----w- c:\documents and settings\NetworkService\Application Data\AdobeUM
2010-08-13 04:25 . 2010-08-13 04:25 -------- d-----w- c:\program files\Trend Micro
2010-08-13 04:25 . 2010-08-13 04:25 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-08-11 21:44 . 2010-08-11 21:44 503808 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-13c7af9e-n\msvcp71.dll
2010-08-11 21:44 . 2010-08-11 21:44 499712 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-13c7af9e-n\jmc.dll
2010-08-11 21:44 . 2010-08-11 21:44 348160 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-13c7af9e-n\msvcr71.dll
2010-08-11 21:44 . 2010-08-11 21:44 61440 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-691c82ee-n\decora-sse.dll
2010-08-11 21:44 . 2010-08-11 21:44 12800 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-691c82ee-n\decora-d3d.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-15 21:41 . 2008-01-13 03:34 -------- d-----w- c:\program files\O2M
2010-07-31 04:06 . 2010-05-24 02:47 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-07-31 04:03 . 2006-02-03 18:13 -------- d-----w- c:\documents and settings\All Users\Application Data\AOL
2010-07-31 04:03 . 2006-02-03 17:56 -------- d-----w- c:\program files\Common Files\AOL
2010-07-31 04:01 . 2006-02-03 18:13 -------- d-----w- c:\program files\Common Files\aolshare
2010-07-16 22:14 . 2010-07-16 22:14 -------- d-----w- c:\program files\Cobian Backup 8
2010-06-28 20:57 . 2010-07-19 18:02 38848 ----a-w- c:\windows\avastSS.scr
2010-06-28 20:57 . 2007-02-10 18:19 165032 ----a-w- c:\windows\system32\aswBoot.exe
2010-06-28 20:37 . 2007-02-10 18:19 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-06-28 20:37 . 2010-05-20 06:02 165456 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-06-28 20:33 . 2007-02-10 18:19 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-06-28 20:32 . 2007-02-10 18:19 100176 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-06-28 20:32 . 2007-02-10 18:19 94544 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-06-28 20:32 . 2010-05-20 06:02 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-06-28 20:32 . 2007-02-10 18:19 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-08 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-06-28 2837864]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 122880]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoStartMenuEjectPC"= 1 (0x1)

[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^AOL OpenRide.lnk]
path=c:\documents and settings\Administrator\Start Menu\Programs\Startup\AOL OpenRide.lnk
backup=c:\windows\pss\AOL OpenRide.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 7.0]
2004-12-14 10:12 483328 ----a-w- c:\program files\Adobe\Acrobat 7.0\Distillr\acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVFX Engine]
2006-06-09 09:11 24576 ------w- c:\program files\Creative\Creative Live! Cam\VideoFX\StartFX.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BCMSMMSG]
2003-08-29 12:59 122880 ----a-w- c:\windows\BCMSMMSG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Creative Live! Cam Manager]
2006-06-01 00:00 143360 ------w- c:\program files\Creative\Creative Live! Cam\Live! Cam Manager\CTLCMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell AIO Printer A960]
2003-09-21 15:21 270336 ----a-w- c:\program files\Dell AIO Printer A960\dlbfbmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
2006-09-26 00:52 50736 ----a-w- c:\program files\Common Files\AOL\1165530467\ee\aolsoftware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2005-10-19 16:59 126976 ----a-w- c:\windows\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2005-10-19 16:59 155648 ----a-w- c:\windows\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2007-03-15 02:05 257088 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\itype]
2005-12-05 00:38 437008 ----a-w- c:\program files\Microsoft IntelliType Pro\itype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MDDiskProtect.exe]
2005-04-15 20:54 106496 ----a-r- c:\program files\Mediafour\MacDrive\MDDiskProtect.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Mediafour Mac Volume Notifications]
2002-12-17 20:43 61440 ----a-r- c:\program files\Common Files\Mediafour\MACVNTFY.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2004-10-13 16:24 1694208 ------w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2006-01-13 00:40 155648 ----a-w- c:\program files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2007-06-29 13:24 286720 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
2004-11-03 04:24 32768 ----a-w- c:\program files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2007-03-14 10:43 83608 ----a-w- c:\program files\Java\jre1.6.0_01\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2007-07-08 19:40 68856 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tgcmd]
2002-04-25 01:37 1544192 ----a-w- c:\program files\support.com\bin\tgcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\V0230Mon.exe]
2006-09-07 09:01 32768 ----a-w- c:\windows\V0230Mon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"gusvc"=3 (0x3)
"avast! Web Scanner"=3 (0x3)
"avast! Mail Scanner"=3 (0x3)
"avast! Antivirus"=2 (0x2)
"aswUpdSv"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\support.com\\bin\\tgcmd.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\1165530467\\ee\\aolsoftware.exe"=
"c:\\Program Files\\Nero\\Nero 7\\Nero Home\\NeroHome.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\SightSpeed\\SightSpeed.exe"=

R0 MDPMGRNT;MDPMGRNT;c:\windows\system32\drivers\MDPMGRNT.SYS [4/30/2006 7:57 AM 16640]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [5/19/2010 11:02 PM 165456]
R1 cbcb;cbcb;c:\windows\system32\cbcb.sys [5/19/2010 10:49 PM 74752]
R1 MDFSYSNT;MDFSYSNT;c:\windows\system32\drivers\MDFSYSNT.SYS [9/13/2006 11:53 AM 213888]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [5/19/2010 11:02 PM 17744]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [5/17/2010 4:44 PM 135664]
S3 N100;Compaq Ethernet or Fast Ethernet NIC Driver;c:\windows\system32\drivers\n100325.sys [5/28/2005 2:41 PM 128000]
S3 V0230Vfx;V0230Vfx;c:\windows\system32\drivers\V0230Vfx.sys [3/24/2006 2:00 AM 6272]
S3 V0230VID;Live! Cam Video IM Pro;c:\windows\system32\drivers\V0230VID.sys [9/29/2006 2:01 AM 500480]
.
Contents of the 'Scheduled Tasks' folder

2010-08-14 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-07-25 20:15]

2010-09-03 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-05-17 23:44]

2010-09-01 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-05-17 23:44]
.
.
------- Supplementary Scan -------
.
mStart Page = hxxp://www.comcast.net/
mWindow Title = Microsoft Internet Explorer presented by Comcast
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\la54h14t.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://en-us.start.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -

ShellIconOverlayIdentifiers-Mediafour Mac Volume Icons - (no file)
MSConfigStartUp-avast! - c:\progra~1\ALWILS~1\Avast4\ashDisp.exe
MSConfigStartUp-F-StopW - c:\program files\FSI\F-Prot\F-StopW.EXE
MSConfigStartUp-FRISK FP-Scheduler - c:\program files\FSI\F-Prot\F-Sched.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-09-03 01:26
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1614895754-1450960922-682003330-500\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\System*]
"OODEFRAG04.00.00.01SERVER"="7E667CAEEE52FC057BBC54E23B555D3C17CEF358CF6535BE08C901A8BB48E0ED4E3C809F891A4D4431BE71EBA1343C117DA3B3EDF2A9534F1B3ABF86F0D176FBF2A0AF04DEE40588A12819946C9F4C5A7E4533CDA38662D46D14CFC125AA437C846AA729B107BD2381776C188BE63BA60DFCB7C11FE5C940CC8ABCD37F767EE0D05358D9B8FC2924BA1263B262FDCF49CDF7DC9B95D201C4BE32E6C021F7785FD6FA07699F6688E2E93D45294AFCDF581D45FEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74C8EDD5E5BE2F6E6678EDD5E5BE2F6E667A6171C11EC38DE3DA6A0AC4980AC79331F388C2030E6734E410821749AFBF51FCEB773873A379315E209170C25475C1404C0305892C7B4D944D5CAD22179172CA6408FEB5B962C9F534B3527272DA9E6AA7BD53867108BB711888AAB885397BA235F509FC9DC3010A43DD0126000F8E1CFD26239E72F4F8668FAEC70A2B989322C0215AB09190DB600FE340D2C4F36E083342B75E3D6084BE08AF833D220B25E7B16AC3E33A0684BE62E9EFE777103202B90FB2B3F7C73EC631B25AE92BC8E712210DDA7740B19E42CF041F146FE31447FDD923DEF5A03362D925FBCEC8A4AFE0068605C90B42902F66F41122DD5CBD18D1724B28370DCD6D0DB855C03C94B80CD19E2F5D93E5A844557B9B357168FB435375637177DD9E334656C34887DA4D0952284B0BB8A20AF64D7B8CB03266ABA2DC245985E0B09D191225C8AC6EBA330B6875B6E33429F2FFA27407381AE83167C3DFD4AA1E1A97DF58991CB1921C4C3E3D16FB2D053368FFDFBC669BA1C325C00310564BB0FB2264294BA076FEA3B15228B3F27BA6A73423A15358FA7208389692CD11F9A66CCEFAE43FCF0CE5EEE8E4EC4BA98A87F9A9C4F32E96B57B0B7FB3CC0CE5BC2FD56E0C21770614F52780217914778694823D732173628EB05C2F4D203D91CCCAE60E55D97A0D41D6027227E88BEDADDC0B891A80D62119B1D4D1BD88D4786E018B0CC2FCE0E6979E8FD89DB45EC79FA2AB94B5061A61A303735F94FFC5EE7419AC0CA404CACE3B68EB2B258689231CA09BB6A1864325889D9897F0B7459ADBF5E3D76E7A1642D3E39307FF595660169A38438446AA407974E107C359867E943CB0ACA556691CF8C9295B304F39090888790E2EACC9602E1A1BF29C993AB55C792B9260A3503FCB18B34F7AB2F2D27EE858FF9FAE7124D83A4469F99933DCA5CA4184E5BABFD8652D592D7E5F6CD32F2B06474319B138DA8EC845DCBC827C7A4B6A1E974ED3AE6A5E9EBC4037FF84284E0A7ABA2CC0D0C95538DC6D569697058C48804D021E3B8F982AF9225FEA58CA433A2DC37E4E5389FF42B1F0530758AC00B318BC3F09ABB2D9D7EF943B2C2E9668657282A50F72331B2"
.
Completion time: 2010-09-03 01:28:26
ComboFix-quarantined-files.txt 2010-09-03 08:28

Pre-Run: 39,019,560,960 bytes free
Post-Run: 39,036,944,384 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 6607A236182AA5676A6E89878C9B2C46


#11 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,771 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:04:07 AM

Posted 03 September 2010 - 04:29 AM

Hi,

I hope you'll still be able to get up in the morning though! smile.gif

This looks like a good start, please run the following script to remove some leftovers:

Open notepad and copy/paste the text in the quotebox below into it:

CODE
http://www.bleepingcomputer.com/forums/topic342507.html
Driver::
cbcb
Collect::
c:\windows\system32\cbcb.sys


Save this as CFScript.txt





Refering to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you. Post that log in your next reply.

**Note**

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
  • Ensure you are connected to the internet and click OK on the message box.
How is the PC doing now?
regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+


#12 jilda

jilda
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:07:07 PM

Posted 04 September 2010 - 02:07 AM

Whoops! I woke up this morning face forward on my desk my glasses mashing into my face. My computer is still redirecting.
Here's the log
ComboFix 10-09-03.01 - Administrator 09/03/2010 22:31:40.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1527.1082 [GMT -7:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Administrator\Desktop\CFScript.txt
AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

file zipped: c:\windows\system32\cbcb.sys
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\cbcb.sys

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_CBCB
-------\Service_cbcb


((((((((((((((((((((((((( Files Created from 2010-08-04 to 2010-09-04 )))))))))))))))))))))))))))))))
.

2010-08-22 02:35 . 2010-08-22 02:35 -------- d-s---w- c:\documents and settings\NetworkService\UserData
2010-08-13 06:37 . 2010-08-13 06:37 -------- d-----w- c:\windows\system32\LogFiles
2010-08-13 04:26 . 2010-08-13 04:26 -------- d-----w- c:\documents and settings\NetworkService\Application Data\AdobeUM
2010-08-13 04:25 . 2010-08-13 04:25 -------- d-----w- c:\program files\Trend Micro
2010-08-13 04:25 . 2010-08-13 04:25 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-08-11 21:44 . 2010-08-11 21:44 503808 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-13c7af9e-n\msvcp71.dll
2010-08-11 21:44 . 2010-08-11 21:44 499712 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-13c7af9e-n\jmc.dll
2010-08-11 21:44 . 2010-08-11 21:44 348160 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-13c7af9e-n\msvcr71.dll
2010-08-11 21:44 . 2010-08-11 21:44 61440 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-691c82ee-n\decora-sse.dll
2010-08-11 21:44 . 2010-08-11 21:44 12800 ----a-w- c:\documents and settings\Administrator\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-691c82ee-n\decora-d3d.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-15 21:41 . 2008-01-13 03:34 -------- d-----w- c:\program files\O2M
2010-07-31 04:06 . 2010-05-24 02:47 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-07-31 04:03 . 2006-02-03 18:13 -------- d-----w- c:\documents and settings\All Users\Application Data\AOL
2010-07-31 04:03 . 2006-02-03 17:56 -------- d-----w- c:\program files\Common Files\AOL
2010-07-31 04:01 . 2006-02-03 18:13 -------- d-----w- c:\program files\Common Files\aolshare
2010-07-16 22:14 . 2010-07-16 22:14 -------- d-----w- c:\program files\Cobian Backup 8
2010-06-28 20:57 . 2010-07-19 18:02 38848 ----a-w- c:\windows\avastSS.scr
2010-06-28 20:57 . 2007-02-10 18:19 165032 ----a-w- c:\windows\system32\aswBoot.exe
2010-06-28 20:37 . 2007-02-10 18:19 46672 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2010-06-28 20:37 . 2010-05-20 06:02 165456 ----a-w- c:\windows\system32\drivers\aswSP.sys
2010-06-28 20:33 . 2007-02-10 18:19 23376 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2010-06-28 20:32 . 2007-02-10 18:19 100176 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2010-06-28 20:32 . 2007-02-10 18:19 94544 ----a-w- c:\windows\system32\drivers\aswmon.sys
2010-06-28 20:32 . 2010-05-20 06:02 17744 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2010-06-28 20:32 . 2007-02-10 18:19 28880 ----a-w- c:\windows\system32\drivers\aavmker4.sys
.

((((((((((((((((((((((((((((( SnapShot@2010-09-03_08.26.32 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-09-04 05:36 . 2010-09-04 05:36 16384 c:\windows\temp\Perflib_Perfdata_d4.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-08 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-06-28 2837864]
"BCMSMMSG"="BCMSMMSG.exe" [2003-08-29 122880]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoStartMenuEjectPC"= 1 (0x1)

[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^AOL OpenRide.lnk]
path=c:\documents and settings\Administrator\Start Menu\Programs\Startup\AOL OpenRide.lnk
backup=c:\windows\pss\AOL OpenRide.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 7.0]
2004-12-14 10:12 483328 ----a-w- c:\program files\Adobe\Acrobat 7.0\Distillr\acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVFX Engine]
2006-06-09 09:11 24576 ------w- c:\program files\Creative\Creative Live! Cam\VideoFX\StartFX.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BCMSMMSG]
2003-08-29 12:59 122880 ----a-w- c:\windows\BCMSMMSG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Creative Live! Cam Manager]
2006-06-01 00:00 143360 ------w- c:\program files\Creative\Creative Live! Cam\Live! Cam Manager\CTLCMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell AIO Printer A960]
2003-09-21 15:21 270336 ----a-w- c:\program files\Dell AIO Printer A960\dlbfbmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
2006-09-26 00:52 50736 ----a-w- c:\program files\Common Files\AOL\1165530467\ee\aolsoftware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2005-10-19 16:59 126976 ----a-w- c:\windows\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2005-10-19 16:59 155648 ----a-w- c:\windows\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2007-03-15 02:05 257088 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\itype]
2005-12-05 00:38 437008 ----a-w- c:\program files\Microsoft IntelliType Pro\itype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MDDiskProtect.exe]
2005-04-15 20:54 106496 ----a-r- c:\program files\Mediafour\MacDrive\MDDiskProtect.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Mediafour Mac Volume Notifications]
2002-12-17 20:43 61440 ----a-r- c:\program files\Common Files\Mediafour\MACVNTFY.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2004-10-13 16:24 1694208 ------w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2006-01-13 00:40 155648 ----a-w- c:\program files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2007-06-29 13:24 286720 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
2004-11-03 04:24 32768 ----a-w- c:\program files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2007-03-14 10:43 83608 ----a-w- c:\program files\Java\jre1.6.0_01\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2007-07-08 19:40 68856 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tgcmd]
2002-04-25 01:37 1544192 ----a-w- c:\program files\support.com\bin\tgcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\V0230Mon.exe]
2006-09-07 09:01 32768 ----a-w- c:\windows\V0230Mon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"gusvc"=3 (0x3)
"avast! Web Scanner"=3 (0x3)
"avast! Mail Scanner"=3 (0x3)
"avast! Antivirus"=2 (0x2)
"aswUpdSv"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\support.com\\bin\\tgcmd.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\1165530467\\ee\\aolsoftware.exe"=
"c:\\Program Files\\Nero\\Nero 7\\Nero Home\\NeroHome.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\SightSpeed\\SightSpeed.exe"=

R0 MDPMGRNT;MDPMGRNT;c:\windows\system32\drivers\MDPMGRNT.SYS [4/30/2006 7:57 AM 16640]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [5/19/2010 11:02 PM 165456]
R1 MDFSYSNT;MDFSYSNT;c:\windows\system32\drivers\MDFSYSNT.SYS [9/13/2006 11:53 AM 213888]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [5/19/2010 11:02 PM 17744]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [5/17/2010 4:44 PM 135664]
S3 N100;Compaq Ethernet or Fast Ethernet NIC Driver;c:\windows\system32\drivers\n100325.sys [5/28/2005 2:41 PM 128000]
S3 V0230Vfx;V0230Vfx;c:\windows\system32\drivers\V0230Vfx.sys [3/24/2006 2:00 AM 6272]
S3 V0230VID;Live! Cam Video IM Pro;c:\windows\system32\drivers\V0230VID.sys [9/29/2006 2:01 AM 500480]
.
Contents of the 'Scheduled Tasks' folder

2010-08-14 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-07-25 20:15]

2010-09-04 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-05-17 23:44]

2010-09-03 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-05-17 23:44]
.
.
------- Supplementary Scan -------
.
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
mStart Page = hxxp://www.comcast.net/
mWindow Title = Microsoft Internet Explorer presented by Comcast
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_89D8574934B26AC4.dll/cmsidewiki.html
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\la54h14t.default\
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://en-us.start.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-US:official
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-09-03 22:37
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1614895754-1450960922-682003330-500\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\System*]
"OODEFRAG04.00.00.01SERVER"="7E667CAEEE52FC057BBC54E23B555D3C17CEF358CF6535BE08C901A8BB48E0ED4E3C809F891A4D4431BE71EBA1343C117DA3B3EDF2A9534F1B3ABF86F0D176FBF2A0AF04DEE40588A12819946C9F4C5A7E4533CDA38662D46D14CFC125AA437C846AA729B107BD2381776C188BE63BA60DFCB7C11FE5C940CC8ABCD37F767EE0D05358D9B8FC2924BA1263B262FDCF49CDF7DC9B95D201C4BE32E6C021F7785FD6FA07699F6688E2E93D45294AFCDF581D45FEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74C8EDD5E5BE2F6E6678EDD5E5BE2F6E667A6171C11EC38DE3DA6A0AC4980AC79331F388C2030E6734E410821749AFBF51FCEB773873A379315E209170C25475C1404C0305892C7B4D944D5CAD22179172CA6408FEB5B962C9F534B3527272DA9E6AA7BD53867108BB711888AAB885397BA235F509FC9DC3010A43DD0126000F8E1CFD26239E72F4F8668FAEC70A2B989322C0215AB09190DB600FE340D2C4F36E083342B75E3D6084BE08AF833D220B25E7B16AC3E33A0684BE62E9EFE777103202B90FB2B3F7C73EC631B25AE92BC8E712210DDA7740B19E42CF041F146FE31447FDD923DEF5A03362D925FBCEC8A4AFE0068605C90B42902F66F41122DD5CBD18D1724B28370DCD6D0DB855C03C94B80CD19E2F5D93E5A844557B9B357168FB435375637177DD9E334656C34887DA4D0952284B0BB8A20AF64D7B8CB03266ABA2DC245985E0B09D191225C8AC6EBA330B6875B6E33429F2FFA27407381AE83167C3DFD4AA1E1A97DF58991CB1921C4C3E3D16FB2D053368FFDFBC669BA1C325C00310564BB0FB2264294BA076FEA3B15228B3F27BA6A73423A15358FA7208389692CD11F9A66CCEFAE43FCF0CE5EEE8E4EC4BA98A87F9A9C4F32E96B57B0B7FB3CC0CE5BC2FD56E0C21770614F52780217914778694823D732173628EB05C2F4D203D91CCCAE60E55D97A0D41D6027227E88BEDADDC0B891A80D62119B1D4D1BD88D4786E018B0CC2FCE0E6979E8FD89DB45EC79FA2AB94B5061A61A303735F94FFC5EE7419AC0CA404CACE3B68EB2B258689231CA09BB6A1864325889D9897F0B7459ADBF5E3D76E7A1642D3E39307FF595660169A38438446AA407974E107C359867E943CB0ACA556691CF8C9295B304F39090888790E2EACC9602E1A1BF29C993AB55C792B9260A3503FCB18B34F7AB2F2D27EE858FF9FAE7124D83A4469F99933DCA5CA4184E5BABFD8652D592D7E5F6CD32F2B06474319B138DA8EC845DCBC827C7A4B6A1E974ED3AE6A5E9EBC4037FF84284E0A7ABA2CC0D0C95538DC6D569697058C48804D021E3B8F982AF9225FEA58CA433A2DC37E4E5389FF42B1F0530758AC00B318BC3F09ABB2D9D7EF943B2C2E9668657282A50F72331B2"
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Alwil Software\Avast5\AvastSvc.exe
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\wdfmgr.exe
c:\windows\wanmpsvc.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2010-09-03 22:40:22 - machine was rebooted
ComboFix-quarantined-files.txt 2010-09-04 05:40
ComboFix2.txt 2010-09-03 08:28

Pre-Run: 38,937,976,832 bytes free
Post-Run: 38,850,256,896 bytes free

- - End Of File - - F13ADBE9E349A52F0595FEE1FDEAB30D


#13 jilda

jilda
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:07:07 PM

Posted 04 September 2010 - 09:43 PM

Hi myrti! Computer is purring like a happy kitten and so am I. Now what?

#14 myrti

myrti

    Sillyberry


  • Malware Study Hall Admin
  • 33,771 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:At home
  • Local time:04:07 AM

Posted 05 September 2010 - 07:56 AM

Hi,

it seems the upload failed, could you please do it manually:

Please go to C:\qoobox\quarantine and locate the file [4]Submit_<date and time>.zip, where date and time are the date and time when you ran ComboFix.Afterwards please visit this site and follow the instructions for uploading the file.

Afterwards please run a scan with Eset to check for leftovers:
  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  2. Click the button.
  3. For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    1. Click on to download the ESET Smart Installer. Save it to your desktop.
    2. Double click on the icon on your desktop.
  4. Check
  5. Click the button.
  6. Accept any security warnings from your browser.
  7. Check
  8. Push the Start button.
  9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  10. When the scan completes, push
  11. Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  12. Push the button.
  13. Push

regards myrti

is that a bird?  a plane? nooo it's the flying blueberry!

If I have been helping you and haven't replied in 2 days, feel free to shoot me a PM! Please don't send help request via PM, unless I am already helping you. Use the forums!

 

Follow BleepingComputer on: Facebook | Twitter | Google+


#15 jilda

jilda
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:07:07 PM

Posted 06 September 2010 - 01:42 PM

myrti,
Please excuse my ignorance but I don't understand what to do at "submit malware sample" link. There aren't any instructions and "Help" didn't. I forgot to mention that my computer doesn't want to shut down. I have to do it manually. Thanks for your patience

Edited by jilda, 06 September 2010 - 01:46 PM.





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users