
Yes, another browser redirect


11 replies to this topic

#1 KJA (Members, 7 posts, Ohio)

Posted 26 October 2010 - 06:20 PM

After downloading some PDF files from the Ohio government D.O.T. web site, one of our company computers has caught the bug that redirects search results. Along with the redirect problem, the infected computer also has error messages relating to svchost.exe (5.1.2600.5512 in Flash10cx 10) and Generic Host Process for Win32 Services (SZApp Name: svhost.exe, SZApp Ver: 5.1.2600.5512, SZModName: ntdll.dll, SZModVer: 5.1.2600.5755). Sorry if these clues are vague; I was not here when the messages appeared, only going by the user's notes.

I have run some antivirus scans using AVG, Malwarebytes and SUPERAntiSpyware. Some cookies were removed but no malware was found. I have removed the infected computer from the company network as I fear this could spread. I will be back in the office in the morning to continue, but have notification email on if any follow-up questions are required that do not involve being at the computer.

Regards,

Ken Alesi

Requesting help info as follows:



DDS (Ver_10-10-21.02) - NTFSx86
Run by valerieg at 18:19:14.53 on Tue 10/26/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1918.1008 [GMT -4:00]


============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\Program Files\Acroprint\Attendance Rx\arxsvc.exe
C:\Program Files\Acroprint\Attendance Rx\ARXTQ100N.exe
C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\UPS\WSTD\MSSQL$UPSWSDBSERVER\Binn\sqlservr.exe
C:\Program Files\Panasonic\Panasonic-DMS\Panasonic NUS\PamService.exe
C:\Program Files\Panasonic\TrapMonitor\Trapmnnt.exe
C:\Program Files\PDF Complete\pdfsvc.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Acroprint\Attendance Rx\AttendanceRx.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\valerieg\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
mSearch Bar =
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_01\bin\ssv.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
uRun: [TomTomHOME.exe] "c:\program files\tomtom home 2\HOMERunner.exe"
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRunOnce: [<NO NAME>] c:\program files\internet explorer\iexplore.exe http://www.symantec.com/techsupp/servlet/ProductMessages?module=2007&error=0&language=en&product=SymNRT&version=2008.0.3.16&build=Symantec&a=00000082.00000001.00000001&b=00000082.0000000f.0000001b&c=00000082.0000001e.0000004a&d=00000082.00000046.000000b5
mRun: [amd_dc_opt] c:\program files\amd\dual-core optimizer\amd_dc_opt.exe
mRun: [PDF Complete] "c:\program files\pdf complete\pdfsty.exe"
mRun: [SetRefresh] c:\program files\compaq\setrefresh\SetRefresh.exe
mRun: [Recguard] c:\windows\sminst\Recguard.exe
mRun: [Reminder] c:\windows\creator\Remind_XP.exe
mRun: [Scheduler] c:\windows\sminst\Scheduler.exe
mRun: [JobHisInit] c:\program files\rmclient\JobHisInit.exe
mRun: [MplSetUp] c:\program files\rmclient\MplSetUp.exe
mRun: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [AVG9_TRAY] c:\progra~1\avg\avg9\avgtray.exe
mRun: [Panasonic Application Manager Agent] c:\program files\panasonic\panasonic-dms\panasonic nus\PamDlg.exe
mRun: [NA1Messenger] c:\ups\wstd\UPSNA1Msgr.exe
mRun: [Adobe Acrobat Speed Launcher] "c:\program files\adobe\acrobat 9.0\acrobat\Acrobat_sl.exe"
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 9.0\acrobat\Acrotray.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [itype] "c:\program files\microsoft intellitype pro\itype.exe"
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
StartupFolder: c:\docume~1\valerieg\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office97\office\MSOFFICE.EXE
StartupFolder: c:\documents and settings\valerieg\start menu\programs\startup\PowerReg Scheduler.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\attend~1.lnk - c:\program files\acroprint\attendance rx\AttendanceRx.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\panaso~1.lnk - c:\program files\panasonic\panasonic-dms\port controller\Mfpscdl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\servic~1.lnk - c:\program files\microsoft sql server\80\tools\binn\sqlmangr.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\upswor~2.lnk - c:\ups\wstd\WSTDMessaging.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\upswor~1.lnk - c:\ups\wstd\wstdPldReminder.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
uPolicies-explorer: DisablePersonalDirChange = 1 (0x1)
mPolicies-explorer: NoWelcomeScreen = 1 (0x1)
IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_01\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
Trusted Zone: microsoft.com\*.update
Trusted Zone: ups.com\www
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {33564D57-9980-0010-8000-00AA00389B71} - hxxp://codecs.microsoft.com/codecs/i386/wmv9dmo.cab
DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc3.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1150565249750
DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} - file:///C:/Program%20Files/Acadm%206/AcDcToday.ocx
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} - file://c:\program files\acadm 6\InstBanr.ocx
DPF: {C6637286-300D-11D4-AE0A-0010830243BD} - file://c:\program files\acadm 6\InstFred.ocx
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {CAFEEFAC-0013-0001-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/1.3.1/jinstall-131-win.cab
DPF: {CAFEEFAC-0013-0001-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/1.3.1/jinstall-131_02-win.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/swflash.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://globalshopsolutions.webex.com/client/T25L/webex/ieatgpc.cab
DPF: {F281A59C-7B65-11D3-8617-0010830243BD} - file://c:\program files\acadm 6\AcPreview.ocx
DPF: {FFFFFFFF-CAFE-BABE-BABE-00AA0055595A} - hxxp://www.networksolutionsemailpopwizard.com/TrueSwitchEC.exe
TCP: {A1F830F7-3F5F-4C15-A0F1-9D6BD88B4FDC} = 192.168.0.2,74.218.99.70
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg9\avgpp.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: AtiExtEvent - Ati2evxx.dll
Notify: avgrsstarter - avgrsstx.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\valerieg\applic~1\mozilla\firefox\profiles\jzt5gcsj.default\
FF - prefs.js: browser.startup.homepage - about:blank
FF - prefs.js: network.proxy.type - 0
FF - component: c:\program files\real\realplayer\browserrecord\firefox\ext\components\nprpffbrowserrecordext.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); // Traditional
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); // Simplified

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-11-28 216400]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-11-28 29584]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-4-30 243024]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
R2 avg9wd;AVG Free WatchDog;c:\program files\avg\avg9\avgwdsvc.exe [2010-7-16 308136]
R2 MSSQL$UPSWSDBSERVER;MSSQL$UPSWSDBSERVER;c:\ups\wstd\mssql$upswsdbserver\binn\sqlservr.exe -supswsdbserver --> c:\ups\wstd\mssql$upswsdbserver\binn\sqlservr.exe -sUPSWSDBSERVER [?]
R2 Panasonic Application Manager Service;Panasonic Application Manager Service;c:\program files\panasonic\panasonic-dms\panasonic nus\PamService.exe [2008-10-15 20480]
R2 pdfcDispatcher;PDF Document Manager;c:\program files\pdf complete\pdfsvc.exe [2008-3-5 540184]
S2 arxservice;arxservice;c:\program files\acroprint\attendance rx\arxservice.exe [2008-4-15 61440]
S3 LLUSBFLT;LLUSBFLT;c:\windows\system32\drivers\llusbflt.sys [2005-8-3 4736]
S3 PLUsbbc2;High-Speed USB Bridge Cable Driver;c:\windows\system32\drivers\usbbc2.sys [2005-8-3 8960]
S3 SQLAgent$UPSWSDBSERVER;SQLAgent$UPSWSDBSERVER;c:\ups\wstd\mssql$upswsdbserver\binn\sqlagent.exe -i upswsdbserver --> c:\ups\wstd\mssql$upswsdbserver\binn\sqlagent.EXE -i UPSWSDBSERVER [?]

=============== Created Last 30 ================

2010-10-26 18:57:31 -------- d-sha-r- C:\cmdcons
2010-10-26 18:34:07 98816 ----a-w- c:\windows\sed.exe
2010-10-26 18:34:07 79872 ----a-w- c:\windows\MBR.exe
2010-10-26 18:34:07 256512 ----a-w- c:\windows\PEV.exe
2010-10-26 18:34:07 161792 ----a-w- c:\windows\SWREG.exe
2010-10-25 22:17:13 714752 -c--a-w- c:\windows\system32\dllcache\ntdll.dll
2010-10-25 22:17:13 714752 ----a-w- c:\windows\system32\ntdll.dll
2010-10-23 16:10:58 -------- d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-10-23 15:28:51 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-10-23 15:28:51 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-10-23 15:28:49 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-10-22 18:40:42 -------- d-----w- c:\windows\system32\wbem\repository\FS
2010-10-22 18:40:42 -------- d-----w- c:\windows\system32\wbem\Repository
2010-10-22 14:26:26 -------- d-----w- c:\docume~1\valerieg\applic~1\SUPERAntiSpyware.com
2010-10-22 13:58:42 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-10-22 13:22:13 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware(2)
2010-10-21 20:49:40 -------- d-----w- c:\docume~1\valerieg\applic~1\Malwarebytes
2010-10-21 20:49:36 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-10-13 11:32:43 953856 -c----w- c:\windows\system32\dllcache\mfc40u.dll
2010-10-13 11:32:42 974848 -c----w- c:\windows\system32\dllcache\mfc42.dll
2010-10-13 11:32:31 617472 -c----w- c:\windows\system32\dllcache\comctl32.dll
2010-10-13 11:17:16 -------- d-----w- C:\_AcroTemp

==================== Find3M ====================

2010-09-18 16:23:26 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53:25 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53:25 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53:25 953856 ----a-w- c:\windows\system32\mfc40u.dll
2010-09-10 05:58:08 916480 ----a-w- c:\windows\system32\wininet.dll
2010-09-10 05:58:06 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-09-10 05:58:06 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-09-01 11:51:14 285824 ----a-w- c:\windows\system32\atmfd.dll
2010-08-31 13:42:52 1852800 ----a-w- c:\windows\system32\win32k.sys
2010-08-27 08:02:29 119808 ----a-w- c:\windows\system32\t2embed.dll
2010-08-27 05:57:43 99840 ----a-w- c:\windows\system32\srvsvc.dll
2010-08-26 12:52:45 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2010-08-23 16:12:04 617472 ----a-w- c:\windows\system32\comctl32.dll
2010-08-17 13:17:06 58880 ----a-w- c:\windows\system32\spoolsv.exe
2010-08-16 08:45:00 590848 ----a-w- c:\windows\system32\rpcrt4.dll
2002-08-15 16:54:38 3198976 ----a-w- c:\program files\ViewSonicregistration.exe

============= FINISH: 18:20:31.34 ===============
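An added example, not part of KJA's post and not part of the DDS tool: a small Python triage script for the "Pseudo HJT Report" section of a DDS log like the one above. It pulls out the items a responder checks first on a search-redirect complaint: the per-interface DNS servers on the TCP: line (here 192.168.0.2 and the public address 74.218.99.70; whether that second resolver belongs to the company's ISP is for the network owner to confirm, the script only flags anything outside private address space), toolbar/BHO registrations that point at "No File", RunOnce entries, and DPF (ActiveX download) entries whose host is outside a vendor allow-list. The log excerpt embedded in the script is copied from the post above; the allow-list of vendor domains is an assumption made for the example.

```python
import ipaddress
import re

# Constructed excerpt of the "Pseudo HJT Report" section of the DDS log
# posted above; a few representative lines are enough to exercise each check.
SAMPLE_DDS = r"""
uStart Page = about:blank
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
uRunOnce: [<NO NAME>] c:\program files\internet explorer\iexplore.exe http://www.symantec.com/techsupp/servlet/ProductMessages?module=2007
Trusted Zone: microsoft.com\*.update
Trusted Zone: ups.com\www
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://globalshopsolutions.webex.com/client/T25L/webex/ieatgpc.cab
DPF: {FFFFFFFF-CAFE-BABE-BABE-00AA0055595A} - hxxp://www.networksolutionsemailpopwizard.com/TrueSwitchEC.exe
TCP: {A1F830F7-3F5F-4C15-A0F1-9D6BD88B4FDC} = 192.168.0.2,74.218.99.70
FF - prefs.js: network.proxy.type - 0
"""

# Assumed allow-list of download hosts for DPF entries. This is an assumption
# made for the example; DDS itself ships no such list.
EXPECTED_DPF_DOMAINS = ("microsoft.com", "macromedia.com", "java.sun.com", "webex.com")

TCP_RE = re.compile(r"^TCP: \{([0-9A-Fa-f-]+)\} = (.+)$")
# DDS defangs URLs as hxxp:// ; accept both the defanged and the plain scheme.
URL_HOST_RE = re.compile(r"(?:h[xt]{2}ps?)://([^/\s]+)")


def dns_servers(text):
    """Per-interface DNS servers from the 'TCP: {GUID} = a.b.c.d,...' lines."""
    found = {}
    for line in text.splitlines():
        m = TCP_RE.match(line.strip())
        if m:
            found[m.group(1)] = [ip.strip() for ip in m.group(2).split(",") if ip.strip()]
    return found


def external_dns(text):
    """DNS servers outside private/loopback space.

    DNS tampering is a common search-redirect mechanism, so a LAN workstation
    resolving through a public address is the first thing to verify with the
    network owner. This only flags; it does not decide."""
    public = []
    for ips in dns_servers(text).values():
        for ip in ips:
            addr = ipaddress.ip_address(ip)
            if not (addr.is_private or addr.is_loopback):
                public.append(ip)
    return public


def orphaned_entries(text):
    """BHO/toolbar registrations whose file no longer exists ('No File')."""
    return [l for l in text.splitlines() if l.rstrip().endswith("- No File")]


def dpf_outside_allowlist(text, allowed=EXPECTED_DPF_DOMAINS):
    """Hosts of DPF (ActiveX download) entries not under an expected vendor domain."""
    hits = []
    for line in text.splitlines():
        if not line.startswith("DPF:"):
            continue
        m = URL_HOST_RE.search(line)
        if not m:
            continue  # file:// entries carry no host to check
        host = m.group(1).lower()
        if not any(host == d or host.endswith("." + d) for d in allowed):
            hits.append(host)
    return hits


def run_once_entries(text):
    """RunOnce autostarts: one-shot entries that are easy to overlook."""
    return [l for l in text.splitlines() if l.startswith(("uRunOnce:", "mRunOnce:"))]


def triage(text):
    """Everything worth a second look, grouped by check."""
    return {
        "external_dns": external_dns(text),
        "no_file": orphaned_entries(text),
        "dpf_unexpected": dpf_outside_allowlist(text),
        "run_once": run_once_entries(text),
    }


if __name__ == "__main__":
    for key, items in triage(SAMPLE_DDS).items():
        print(f"{key}:")
        for item in items:
            print("   ", item)
```

Run it against a full DDS log by replacing SAMPLE_DDS with the file contents; the output is a review list, not a verdict. Confirm the resolver addresses with whoever runs the network before treating them as evidence.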


#2 JSntgRvr, Master Surgeon General (Malware Response Team, 11,635 posts, Puerto Rico)

Posted 26 October 2010 - 06:37 PM

Hi, KJA :)


You may be infected with a backdoor trojan. I would suggest you backup your important documents before proceeding.

Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop.
  • Once extracted, open the TDSSKiller folder and double-click on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory (usually the C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

No request for help through private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!
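TDSSKiller's report (the log file named in the last step above) lists every loaded driver on one line as timestamp, service name, MD5 in parentheses, and path; the report KJA pastes later in this thread shows that format. What follows is an added example, not part of JSntgRvr's instructions and not Kaspersky's code: it locates the newest log by the filename pattern given above, parses the driver lines, compares each hash with a baseline of the same driver set taken from a known-clean machine of the same Windows build, and lists drivers whose hash differs, drivers absent from the baseline, and drivers loading from outside the Windows directory. All three are "verify" lists rather than verdicts; TDSSKiller's own detection lines remain the primary result, this is a second opinion on the same data. The BASELINE dictionary and the final "exampledrv" log line are constructed for the example; the other log lines are copied from KJA's report.

```python
import re
from pathlib import Path

# Constructed excerpt in the format of the TDSSKiller report posted later in
# this thread. The last line ("exampledrv") is invented for the example so a
# changed hash and a non-Windows path are visible; the rest is copied from it.
SAMPLE_LOG = r"""
2010/10/27 10:35:11.0605 TDSS rootkit removing tool 2.4.5.1 Oct 26 2010 11:28:49
2010/10/27 10:35:11.0605 Windows directory: C:\WINDOWS
2010/10/27 10:35:17.0840 Scan started
2010/10/27 10:35:17.0840 Mode: Manual;
2010/10/27 10:35:18.0496 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2010/10/27 10:35:19.0621 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
2010/10/27 10:35:20.0043 AvgTdiX (22e3b793c3e61720f03d3a22351af410) C:\WINDOWS\System32\Drivers\avgtdix.sys
2010/10/27 10:35:21.0653 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
2010/10/27 10:35:27.0000 exampledrv (00000000000000000000000000000000) C:\Program Files\Example\exampledrv.sys
"""

# Constructed baseline: MD5s you would record from a known-clean XP SP3 machine
# of the same build. The exampledrv hash is deliberately different from the log.
BASELINE = {
    "ACPI": "8fd99680a539792a30e97944fdaecf17",
    "atapi": "9f3a2f5aa6875c72bf062c712cfa2674",
    "Fastfat": "38d332a6d56af32635675f132548343e",
    "exampledrv": "11111111111111111111111111111111",
}

# "<date> <time> <service name> (<md5>) <path>"; the name is non-greedy so
# names containing spaces still parse, the 32 hex chars anchor the split.
DRIVER_RE = re.compile(r"^\S+ \S+ (.+?) \(([0-9a-f]{32})\) (.+)$")
WINDIR_RE = re.compile(r"Windows directory: (.+)$")


def parse_report(text):
    """Return (windows_dir, {service_name: (md5, path)}) from a TDSSKiller log."""
    windir, drivers = None, {}
    for line in text.splitlines():
        m = WINDIR_RE.search(line)
        if m:
            windir = m.group(1).strip()
            continue
        m = DRIVER_RE.match(line)
        if m:
            drivers[m.group(1)] = (m.group(2), m.group(3).strip())
    return windir, drivers


def compare_to_baseline(drivers, baseline):
    """Split drivers into (hash differs from baseline, not present in baseline).

    MD5 is what TDSSKiller records; matching it against a trusted baseline is an
    identification check, not proof of integrity against a deliberate collision."""
    changed, unknown = [], []
    for name, (md5, _path) in drivers.items():
        if name not in baseline:
            unknown.append(name)
        elif baseline[name] != md5:
            changed.append(name)
    return sorted(changed), sorted(unknown)


def outside_windows_dir(windir, drivers):
    """Drivers whose image loads from outside the Windows directory.

    Security products legitimately do this (the DDS log above shows SUPERAntiSpyware
    drivers under Program Files), so treat the list as 'confirm the vendor'."""
    prefix = windir.lower().rstrip("\\") + "\\"
    return sorted(n for n, (_m, p) in drivers.items() if not p.lower().startswith(prefix))


def latest_report(directory):
    """Newest TDSSKiller.[Version]_[Date]_[Time]_log.txt in directory, or None."""
    logs = sorted(Path(directory).glob("TDSSKiller.*_log.txt"), key=lambda p: p.stat().st_mtime)
    return logs[-1] if logs else None


if __name__ == "__main__":
    windir, drivers = parse_report(SAMPLE_LOG)
    changed, unknown = compare_to_baseline(drivers, BASELINE)
    print("hash differs from baseline:", changed)
    print("not in baseline (confirm vendor/signature):", unknown)
    print("loaded from outside", windir + ":", outside_windows_dir(windir, drivers))
```

To use it on a real report, call latest_report(r"C:\") and pass the file's text to parse_report; the baseline has to come from a machine you trust with the same service pack and patch level, otherwise every patched driver shows up as "changed".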


#3 KJA, Topic Starter (Members, 7 posts, Ohio)

Posted 26 October 2010 - 08:15 PM

Hello JSntgRvr!

Wow! Had I known that a response would be that quick, I would have stayed at the office and tried to clear the computer of its troubles this evening. I appreciate the rapid response. I will follow your instructions as soon as I get into the office. One question I do have is what is safe to back up? Is there any data that should not be backed up?

#4 JSntgRvr, Master Surgeon General (Malware Response Team, 11,635 posts, Puerto Rico)

Posted 26 October 2010 - 09:23 PM

Anything other than applications or system files should always be backed up. A document that isn't backed up is a document you won't miss if lost.



#5 KJA, Topic Starter (Members, 7 posts, Ohio)

Posted 27 October 2010 - 09:50 AM

After running TDSSKiller the following report was created. It asked for a reboot so I did. Computer rebooted. Will not continue until I hear back from you.

Ken



2010/10/27 10:35:11.0605 TDSS rootkit removing tool 2.4.5.1 Oct 26 2010 11:28:49
2010/10/27 10:35:11.0605 ================================================================================
2010/10/27 10:35:11.0605 SystemInfo:
2010/10/27 10:35:11.0605
2010/10/27 10:35:11.0605 OS Version: 5.1.2600 ServicePack: 3.0
2010/10/27 10:35:11.0605 Product type: Workstation
2010/10/27 10:35:11.0605 ComputerName: VALERIE
2010/10/27 10:35:11.0605 UserName: valerieg
2010/10/27 10:35:11.0605 Windows directory: C:\WINDOWS
2010/10/27 10:35:11.0605 System windows directory: C:\WINDOWS
2010/10/27 10:35:11.0605 Processor architecture: Intel x86
2010/10/27 10:35:11.0605 Number of processors: 1
2010/10/27 10:35:11.0605 Page size: 0x1000
2010/10/27 10:35:11.0605 Boot type: Normal boot
2010/10/27 10:35:11.0605 ================================================================================
2010/10/27 10:35:11.0824 Initialize success
2010/10/27 10:35:17.0840 ================================================================================
2010/10/27 10:35:17.0840 Scan started
2010/10/27 10:35:17.0840 Mode: Manual;
2010/10/27 10:35:17.0840 ================================================================================
2010/10/27 10:35:18.0418 ac97intc (0f2d66d5f08ebe2f77bb904288dcf6f0) C:\WINDOWS\system32\drivers\ac97intc.sys
2010/10/27 10:35:18.0496 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2010/10/27 10:35:18.0543 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
2010/10/27 10:35:18.0590 adpu160m (9a11864873da202c996558b2106b0bbc) C:\WINDOWS\system32\DRIVERS\adpu160m.sys
2010/10/27 10:35:18.0653 adpu320 (0ea9b1f0c6c90a509c8603775366adb7) C:\WINDOWS\system32\DRIVERS\adpu320.sys
2010/10/27 10:35:18.0731 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
2010/10/27 10:35:18.0918 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys
2010/10/27 10:35:18.0996 aic78u2 (19dd0fb48b0c18892f70e2e7d61a1529) C:\WINDOWS\system32\DRIVERS\aic78u2.sys
2010/10/27 10:35:19.0043 aic78xx (b7fe594a7468aa0132deb03fb8e34326) C:\WINDOWS\system32\DRIVERS\aic78xx.sys
2010/10/27 10:35:19.0153 AmdK8 (efbb0956baed786e137351b5ca272aef) C:\WINDOWS\system32\DRIVERS\AmdK8.sys
2010/10/27 10:35:19.0246 AmdLLD (e7314d43cd2be981d8bc4826b50eaf05) C:\WINDOWS\system32\DRIVERS\AmdLLD.sys
2010/10/27 10:35:19.0465 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2010/10/27 10:35:19.0621 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
2010/10/27 10:35:19.0746 ati2mtag (c702e0c01a24d45662af91f43397d72c) C:\WINDOWS\system32\DRIVERS\ati2mtag.sys
2010/10/27 10:35:19.0809 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2010/10/27 10:35:19.0856 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2010/10/27 10:35:19.0918 AvgLdx86 (b8c187439d27aba430dd69fdcf1fa657) C:\WINDOWS\System32\Drivers\avgldx86.sys
2010/10/27 10:35:19.0996 AvgMfx86 (53b3f979930a786a614d29cafe99f645) C:\WINDOWS\System32\Drivers\avgmfx86.sys
2010/10/27 10:35:20.0043 AvgTdiX (22e3b793c3e61720f03d3a22351af410) C:\WINDOWS\System32\Drivers\avgtdix.sys
2010/10/27 10:35:20.0215 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2010/10/27 10:35:20.0481 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2010/10/27 10:35:20.0543 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2010/10/27 10:35:20.0606 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
2010/10/27 10:35:20.0700 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2010/10/27 10:35:21.0059 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
2010/10/27 10:35:21.0153 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
2010/10/27 10:35:21.0247 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\DRIVERS\dmio.sys
2010/10/27 10:35:21.0293 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2010/10/27 10:35:21.0340 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
2010/10/27 10:35:21.0387 dpti2o (40f3b93b4e5b0126f2f5c0a7a5e22660) C:\WINDOWS\system32\DRIVERS\dpti2o.sys
2010/10/27 10:35:21.0481 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
2010/10/27 10:35:21.0512 E100B (3fca03cbca11269f973b70fa483c88ef) C:\WINDOWS\system32\DRIVERS\e100b325.sys
2010/10/27 10:35:21.0653 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
2010/10/27 10:35:21.0762 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
2010/10/27 10:35:21.0825 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
2010/10/27 10:35:21.0872 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
2010/10/27 10:35:21.0950 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
2010/10/27 10:35:22.0028 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2010/10/27 10:35:22.0090 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2010/10/27 10:35:22.0262 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2010/10/27 10:35:22.0340 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
2010/10/27 10:35:22.0387 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
2010/10/27 10:35:22.0512 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
2010/10/27 10:35:22.0653 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2010/10/27 10:35:22.0731 i81x (06b7ef73ba5f302eecc294cdf7e19702) C:\WINDOWS\system32\DRIVERS\i81xnt5.sys
2010/10/27 10:35:22.0887 iAimFP0 (7b5b44efe5eb9dadfb8ee29700885d23) C:\WINDOWS\system32\DRIVERS\wADV01nt.sys
2010/10/27 10:35:22.0934 iAimFP1 (eb1f6bab6c22ede0ba551b527475f7e9) C:\WINDOWS\system32\DRIVERS\wADV02NT.sys
2010/10/27 10:35:22.0965 iAimFP2 (03ce989d846c1aa81145cb22fcb86d06) C:\WINDOWS\system32\DRIVERS\wADV05NT.sys
2010/10/27 10:35:22.0997 iAimFP3 (525849b4469de021d5d61b4db9be3a9d) C:\WINDOWS\system32\DRIVERS\wSiINTxx.sys
2010/10/27 10:35:23.0044 iAimFP4 (589c2bcdb5bd602bf7b63d210407ef8c) C:\WINDOWS\system32\DRIVERS\wVchNTxx.sys
2010/10/27 10:35:23.0075 iAimFP5 (0308aef61941e4af478fa1a0f83812f5) C:\WINDOWS\system32\DRIVERS\wADV07nt.sys
2010/10/27 10:35:23.0106 iAimFP6 (714038a8aa5de08e12062202cd7eaeb5) C:\WINDOWS\system32\DRIVERS\wADV08nt.sys
2010/10/27 10:35:23.0137 iAimFP7 (7bb3aa595e4507a788de1cdc63f4c8c4) C:\WINDOWS\system32\DRIVERS\wADV09nt.sys
2010/10/27 10:35:23.0153 iAimTV0 (d83bdd5c059667a2f647a6be5703a4d2) C:\WINDOWS\system32\DRIVERS\wATV01nt.sys
2010/10/27 10:35:23.0169 iAimTV1 (ed968d23354daa0d7c621580c012a1f6) C:\WINDOWS\system32\DRIVERS\wATV02NT.sys
2010/10/27 10:35:23.0200 iAimTV3 (d738273f218a224c1ddac04203f27a84) C:\WINDOWS\system32\DRIVERS\wATV04nt.sys
2010/10/27 10:35:23.0215 iAimTV4 (0052d118995cbab152daabe6106d1442) C:\WINDOWS\system32\DRIVERS\wCh7xxNT.sys
2010/10/27 10:35:23.0262 iAimTV5 (791cc45de6e50445be72e8ad6401ff45) C:\WINDOWS\system32\DRIVERS\wATV10nt.sys
2010/10/27 10:35:23.0278 iAimTV6 (352fa0e98bc461ce1ce5d41f64db558d) C:\WINDOWS\system32\DRIVERS\wATV06nt.sys
2010/10/27 10:35:23.0340 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
2010/10/27 10:35:23.0637 IntcAzAudAddService (58b079ba8c4a53406a02d66069451ce5) C:\WINDOWS\system32\drivers\RtkHDAud.sys
2010/10/27 10:35:23.0715 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys
2010/10/27 10:35:23.0747 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
2010/10/27 10:35:23.0794 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2010/10/27 10:35:23.0840 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2010/10/27 10:35:23.0887 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2010/10/27 10:35:23.0934 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2010/10/27 10:35:24.0090 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
2010/10/27 10:35:24.0122 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2010/10/27 10:35:24.0169 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2010/10/27 10:35:24.0200 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
2010/10/27 10:35:24.0294 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
2010/10/27 10:35:24.0372 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
2010/10/27 10:35:24.0450 LLUSBFLT (4ed28529be6266bc3c1eb18be925314a) C:\WINDOWS\system32\drivers\llusbflt.sys
2010/10/27 10:35:24.0497 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2010/10/27 10:35:24.0528 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
2010/10/27 10:35:24.0731 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2010/10/27 10:35:24.0825 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
2010/10/27 10:35:24.0887 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
2010/10/27 10:35:24.0950 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2010/10/27 10:35:25.0028 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2010/10/27 10:35:25.0075 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
2010/10/27 10:35:25.0137 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2010/10/27 10:35:25.0184 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2010/10/27 10:35:25.0231 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
2010/10/27 10:35:25.0434 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2010/10/27 10:35:25.0528 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
2010/10/27 10:35:25.0591 MXOPSWD (216ac775320f64de28cfeb7c179c4ff9) C:\WINDOWS\system32\DRIVERS\mxopswd.sys
2010/10/27 10:35:25.0669 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
2010/10/27 10:35:25.0747 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2010/10/27 10:35:25.0778 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2010/10/27 10:35:25.0841 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2010/10/27 10:35:25.0887 NDProxy (6215023940cfd3702b46abc304e1d45a) C:\WINDOWS\system32\drivers\NDProxy.sys
2010/10/27 10:35:25.0950 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
2010/10/27 10:35:26.0122 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
2010/10/27 10:35:26.0216 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
2010/10/27 10:35:26.0278 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
2010/10/27 10:35:26.0419 NuidFltr (cf7e041663119e09d2e118521ada9300) C:\WINDOWS\system32\DRIVERS\NuidFltr.sys
2010/10/27 10:35:26.0466 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2010/10/27 10:35:26.0512 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2010/10/27 10:35:26.0559 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2010/10/27 10:35:26.0763 P3 (c90018bafdc7098619a4a95b046b30f3) C:\WINDOWS\system32\DRIVERS\p3.sys
2010/10/27 10:35:26.0825 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
2010/10/27 10:35:26.0888 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
2010/10/27 10:35:26.0950 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2010/10/27 10:35:26.0997 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
2010/10/27 10:35:27.0075 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
2010/10/27 10:35:27.0122 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
2010/10/27 10:35:27.0294 PLUsbbc2 (deb5a23f8625d7d84daff899478a4893) C:\WINDOWS\system32\Drivers\usbbc2.sys
2010/10/27 10:35:27.0450 Point32 (e552d6598670b1e7655cb73d562e0cd9) C:\WINDOWS\system32\DRIVERS\point32.sys
2010/10/27 10:35:27.0497 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2010/10/27 10:35:27.0559 Processor (a32bebaf723557681bfc6bd93e98bd26) C:\WINDOWS\system32\DRIVERS\processr.sys
2010/10/27 10:35:27.0606 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
2010/10/27 10:35:27.0669 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2010/10/27 10:35:27.0794 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2010/10/27 10:35:27.0841 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2010/10/27 10:35:27.0856 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2010/10/27 10:35:27.0888 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2010/10/27 10:35:27.0950 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2010/10/27 10:35:27.0997 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2010/10/27 10:35:28.0044 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
2010/10/27 10:35:28.0091 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
2010/10/27 10:35:28.0231 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
2010/10/27 10:35:28.0341 RTL8023xp (3529828ec571fb2f64f6b142f9109993) C:\WINDOWS\system32\DRIVERS\Rtnicxp.sys
2010/10/27 10:35:28.0466 SASDIFSV (a3281aec37e0720a2bc28034c2df2a56) C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
2010/10/27 10:35:28.0481 SASKUTIL (61db0d0756a99506207fd724e3692b25) C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS
2010/10/27 10:35:28.0544 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2010/10/27 10:35:28.0606 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
2010/10/27 10:35:28.0685 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
2010/10/27 10:35:28.0841 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
2010/10/27 10:35:28.0981 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
2010/10/27 10:35:29.0075 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
2010/10/27 10:35:29.0169 Srv (0f6aefad3641a657e18081f52d0c15af) C:\WINDOWS\system32\DRIVERS\srv.sys
2010/10/27 10:35:29.0216 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
2010/10/27 10:35:29.0247 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
2010/10/27 10:35:29.0278 symc810 (1ff3217614018630d0a6758630fc698c) C:\WINDOWS\system32\DRIVERS\symc810.sys
2010/10/27 10:35:29.0325 symc8xx (070e001d95cf725186ef8b20335f933c) C:\WINDOWS\system32\DRIVERS\symc8xx.sys
2010/10/27 10:35:29.0356 Symmpi (f2b7e8416f508368ac6730e2ae1c614f) C:\WINDOWS\system32\DRIVERS\symmpi.sys
2010/10/27 10:35:29.0403 sym_hi (80ac1c4abbe2df3b738bf15517a51f2c) C:\WINDOWS\system32\DRIVERS\sym_hi.sys
2010/10/27 10:35:29.0513 sym_u3 (bf4fab949a382a8e105f46ebb4937058) C:\WINDOWS\system32\DRIVERS\sym_u3.sys
2010/10/27 10:35:29.0575 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
2010/10/27 10:35:29.0700 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2010/10/27 10:35:29.0747 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
2010/10/27 10:35:29.0794 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
2010/10/27 10:35:29.0856 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
2010/10/27 10:35:29.0966 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
2010/10/27 10:35:30.0075 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\drivers\Update.sys
2010/10/27 10:35:30.0231 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
2010/10/27 10:35:30.0341 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2010/10/27 10:35:30.0403 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2010/10/27 10:35:30.0466 usbohci (0daecce65366ea32b162f85f07c6753b) C:\WINDOWS\system32\DRIVERS\usbohci.sys
2010/10/27 10:35:30.0528 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2010/10/27 10:35:30.0560 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
2010/10/27 10:35:30.0606 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
2010/10/27 10:35:30.0669 ViaIde (3b3efcda263b8ac14fdf9cbdd0791b2e) C:\WINDOWS\system32\DRIVERS\viaide.sys
2010/10/27 10:35:30.0716 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
2010/10/27 10:35:30.0857 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2010/10/27 10:35:30.0966 Wdf01000 (fd47474bd21794508af449d9d91af6e6) C:\WINDOWS\system32\DRIVERS\Wdf01000.sys
2010/10/27 10:35:31.0044 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
2010/10/27 10:35:31.0169 \HardDisk0\MBR - detected Rootkit.Win32.TDSS.tdl4 (0)
2010/10/27 10:35:31.0169 ================================================================================
2010/10/27 10:35:31.0169 Scan finished
2010/10/27 10:35:31.0169 ================================================================================
2010/10/27 10:35:31.0185 Detected object count: 1
2010/10/27 10:36:10.0467 \HardDisk0\MBR - will be cured after reboot
2010/10/27 10:36:10.0467 Rootkit.Win32.TDSS.tdl4(\HardDisk0\MBR) - User select action: Cure
2010/10/27 10:37:43.0923 Deinitialize success

#6 JSntgRvr

    Master Surgeon General

  • Malware Response Team
  • 11,635 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 27 October 2010 - 10:37 AM

Please download MBRCheck.exe to your Desktop. Run the application.

If no infection is found, it will produce a report on the desktop. Post that report in your next reply.

If an infection is found, you will be presented with the following dialog:

Enter 'Y' and hit ENTER for more options, or 'N' to exit:


Type N and press Enter. A report will be produced on the desktop. Post that report in your next reply.


Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  • Please, never rename Combofix unless instructed.
  • Close any open browsers.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      -----------------------------------------------------------

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts.
    • Please do not attempt to re-connect your machine to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore your connection.

    -----------------------------------------------------------

  • Double click on combofix.exe & follow the prompts.
  • Install the Recovery Console if prompted.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt".
**Note: Do not mouse-click combofix's window while it's running. That may cause it to stall**

Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security.

Please do not install any new programs or update anything (always allow your antivirus/antispyware to update) unless told to do so while we are fixing your problem. If combofix alerts to a new version and offers to update, please let it. It is essential we always use the latest version.

No requests for help through private messaging will be attended to.

If I have helped you, consider making a donation to help me continue the fight against Malware!


#7 KJA
  • Topic Starter

  • Members
  • 7 posts
  • Gender:Male
  • Location:Ohio

Posted 27 October 2010 - 11:18 AM

After running MBRCheck, no infection was found. A report was produced on the desktop.

MBRCheck, version 1.2.3
© 2010, AD

Command-line:
Windows Version: Windows XP Professional
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x0000003c

Kernel Drivers (total 120):
0x804D7000 \WINDOWS\system32\ntkrnlpa.exe
0x806D0000 \WINDOWS\system32\hal.dll
0xBA5A8000 \WINDOWS\system32\KDCOM.DLL
0xBA4B8000 \WINDOWS\system32\BOOTVID.dll
0xB9F79000 ACPI.sys
0xBA5AA000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
0xB9F68000 pci.sys
0xBA0A8000 isapnp.sys
0xBA670000 pciide.sys
0xBA328000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
0xBA0B8000 MountMgr.sys
0xB9F49000 ftdisk.sys
0xBA5AC000 dmload.sys
0xB9F23000 dmio.sys
0xBA330000 PartMgr.sys
0xBA0C8000 VolSnap.sys
0xB9F0B000 atapi.sys
0xBA0D8000 disk.sys
0xBA0E8000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
0xB9EEB000 fltmgr.sys
0xB9ED9000 sr.sys
0xB9EC2000 KSecDD.sys
0xB9E35000 Ntfs.sys
0xB9E08000 NDIS.sys
0xB9DEE000 Mup.sys
0xB9887000 \SystemRoot\system32\DRIVERS\AmdK8.sys
0xB938E000 \SystemRoot\system32\DRIVERS\ati2mtag.sys
0xB937A000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
0xB95DD000 \SystemRoot\system32\DRIVERS\cdrom.sys
0xB95CD000 \SystemRoot\system32\DRIVERS\redbook.sys
0xB9357000 \SystemRoot\system32\DRIVERS\ks.sys
0xBA3D8000 \SystemRoot\system32\DRIVERS\usbohci.sys
0xB9333000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0xBA3E0000 \SystemRoot\system32\DRIVERS\usbehci.sys
0xB930B000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
0xB92F1000 \SystemRoot\system32\DRIVERS\Rtnicxp.sys
0xB95BD000 \SystemRoot\system32\DRIVERS\serial.sys
0xBA580000 \SystemRoot\system32\DRIVERS\serenum.sys
0xB92DD000 \SystemRoot\system32\DRIVERS\parport.sys
0xBA6B5000 \SystemRoot\system32\DRIVERS\audstub.sys
0xB95AD000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0xBA584000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0xB92C6000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0xB959D000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0xB958D000 \SystemRoot\system32\DRIVERS\raspptp.sys
0xBA3E8000 \SystemRoot\system32\DRIVERS\TDI.SYS
0xB92B5000 \SystemRoot\system32\DRIVERS\psched.sys
0xB957D000 \SystemRoot\system32\DRIVERS\msgpc.sys
0xBA3F0000 \SystemRoot\system32\DRIVERS\ptilink.sys
0xBA3F8000 \SystemRoot\system32\DRIVERS\raspti.sys
0xB9285000 \SystemRoot\system32\DRIVERS\rdpdr.sys
0xB956D000 \SystemRoot\system32\DRIVERS\termdd.sys
0xBA400000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0xBA408000 \SystemRoot\system32\DRIVERS\mouclass.sys
0xBA5CE000 \SystemRoot\system32\DRIVERS\swenum.sys
0xBA5A0000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0xB955D000 \SystemRoot\system32\DRIVERS\AmdLLD.sys
0xBA128000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xBA138000 \SystemRoot\system32\DRIVERS\usbhub.sys
0xBA5D0000 \SystemRoot\system32\DRIVERS\USBD.SYS
0xB0DBB000 \SystemRoot\system32\drivers\RtkHDAud.sys
0xB0D97000 \SystemRoot\system32\drivers\portcls.sys
0xBA148000 \SystemRoot\system32\drivers\drmk.sys
0xBA5D6000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xBA78D000 \SystemRoot\System32\Drivers\Null.SYS
0xBA5D8000 \SystemRoot\System32\Drivers\Beep.SYS
0xBA418000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
0xBA420000 \SystemRoot\System32\drivers\vga.sys
0xBA5DA000 \SystemRoot\System32\Drivers\mnmdd.SYS
0xBA5DC000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0xBA428000 \SystemRoot\System32\Drivers\Msfs.SYS
0xBA430000 \SystemRoot\System32\Drivers\Npfs.SYS
0xBA574000 \SystemRoot\system32\DRIVERS\rasacd.sys
0xB0D3C000 \SystemRoot\system32\DRIVERS\ipsec.sys
0xB0CE3000 \SystemRoot\system32\DRIVERS\tcpip.sys
0xB0CA9000 \SystemRoot\System32\Drivers\avgtdix.sys
0xB0C83000 \SystemRoot\system32\DRIVERS\ipnat.sys
0xBA168000 \SystemRoot\system32\DRIVERS\wanarp.sys
0xBA438000 \SystemRoot\system32\DRIVERS\usbccgp.sys
0xB0C5B000 \SystemRoot\system32\DRIVERS\netbt.sys
0xB0C39000 \SystemRoot\System32\drivers\afd.sys
0xBA178000 \SystemRoot\system32\DRIVERS\netbios.sys
0xB0C17000 \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS
0xBA440000 \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
0xB0BEC000 \SystemRoot\system32\DRIVERS\rdbss.sys
0xB0B7C000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0xBA1B8000 \SystemRoot\System32\Drivers\Fips.SYS
0xB9271000 \SystemRoot\system32\DRIVERS\hidusb.sys
0xBA1C8000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
0xB9269000 \SystemRoot\system32\DRIVERS\kbdhid.sys
0xBA448000 \SystemRoot\System32\Drivers\avgmfx86.sys
0xB0B20000 \SystemRoot\System32\Drivers\avgldx86.sys
0xBA450000 \SystemRoot\system32\DRIVERS\NuidFltr.sys
0xBA1D8000 \SystemRoot\system32\DRIVERS\WDFLDR.SYS
0xB0AA5000 \SystemRoot\system32\DRIVERS\Wdf01000.sys
0xB9261000 \SystemRoot\system32\DRIVERS\mouhid.sys
0xBA458000 \SystemRoot\system32\DRIVERS\point32.sys
0xBA208000 \SystemRoot\System32\Drivers\Cdfs.SYS
0xB0A8D000 \SystemRoot\System32\Drivers\dump_atapi.sys
0xBA5E8000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
0xBF800000 \SystemRoot\System32\win32k.sys
0xB0D8F000 \SystemRoot\System32\drivers\Dxapi.sys
0xBA460000 \SystemRoot\System32\watchdog.sys
0xBF000000 \SystemRoot\System32\drivers\dxg.sys
0xBA6B8000 \SystemRoot\System32\drivers\dxgthk.sys
0xBF012000 \SystemRoot\System32\ati2dvag.dll
0xBF055000 \SystemRoot\System32\ati2cqag.dll
0xBF09D000 \SystemRoot\System32\atikvmag.dll
0xBF0E3000 \SystemRoot\System32\ati3duag.dll
0xBF330000 \SystemRoot\System32\ativvaxx.dll
0xBFFA0000 \SystemRoot\System32\ATMFD.DLL
0xAE785000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0xAE510000 \SystemRoot\system32\DRIVERS\mrxdav.sys
0xAE300000 \SystemRoot\system32\DRIVERS\srv.sys
0xADCFB000 \SystemRoot\system32\drivers\wdmaud.sys
0xAE0C0000 \SystemRoot\system32\drivers\sysaudio.sys
0xAD8D2000 \SystemRoot\System32\Drivers\HTTP.sys
0xAD230000 \SystemRoot\System32\Drivers\Fastfat.SYS
0xBA380000 \SystemRoot\system32\DRIVERS\USBSTOR.SYS
0x7C900000 \WINDOWS\system32\ntdll.dll

Processes (total 60):
0 System Idle Process
4 System
640 C:\WINDOWS\system32\smss.exe
704 csrss.exe
732 C:\WINDOWS\system32\winlogon.exe
776 C:\WINDOWS\system32\services.exe
788 C:\WINDOWS\system32\lsass.exe
948 C:\WINDOWS\system32\ati2evxx.exe
964 C:\WINDOWS\system32\svchost.exe
1064 svchost.exe
1152 C:\WINDOWS\system32\svchost.exe
1204 svchost.exe
1308 svchost.exe
1412 C:\WINDOWS\system32\BRSVC01A.EXE
1444 C:\WINDOWS\system32\BRSS01A.EXE
1436 C:\WINDOWS\system32\spoolsv.exe
1524 svchost.exe
1568 C:\Program Files\Acroprint\Attendance Rx\arxservice.exe
1752 C:\Program Files\AVG\AVG9\avgwdsvc.exe
1764 C:\Program Files\Acroprint\Attendance Rx\arxsvc.exe
1792 C:\Program Files\Acroprint\Attendance Rx\ARXTQ100N.exe
1832 C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
1868 C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
1888 C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
212 C:\UPS\WSTD\MSSQL$UPSWSDBSERVER\Binn\sqlservr.exe
280 C:\Program Files\Panasonic\Panasonic-DMS\Panasonic NUS\PamService.exe
372 C:\Program Files\AVG\AVG9\avgnsx.exe
476 C:\Program Files\Panasonic\TrapMonitor\Trapmnnt.exe
572 C:\Program Files\PDF Complete\pdfsvc.exe
1184 sqlbrowser.exe
1928 C:\WINDOWS\system32\searchindexer.exe
2740 alg.exe
2800 C:\WINDOWS\system32\ati2evxx.exe
2808 C:\Program Files\AVG\AVG9\avgchsvx.exe
2816 C:\Program Files\AVG\AVG9\avgrsx.exe
2944 C:\Program Files\AVG\AVG9\avgcsrvx.exe
3636 C:\WINDOWS\explorer.exe
4004 C:\Program Files\PDF Complete\pdfsty.exe
596 C:\WINDOWS\SMINST\Scheduler.exe
1320 C:\Program Files\QuickTime\qttask.exe
2084 C:\Program Files\Common Files\Real\Update_OB\realsched.exe
580 C:\PROGRA~1\AVG\AVG9\avgtray.exe
2152 C:\Program Files\Panasonic\Panasonic-DMS\Panasonic NUS\PamDlg.exe
2280 C:\UPS\WSTD\UPSNA1Msgr.exe
2340 C:\Program Files\Adobe\Acrobat 9.0\Acrobat\acrotray.exe
2240 C:\Program Files\Microsoft IntelliType Pro\itype.exe
2528 C:\Program Files\Microsoft IntelliPoint\ipoint.exe
508 C:\Program Files\TomTom HOME 2\HOMERunner.exe
2284 C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
2696 C:\WINDOWS\system32\ctfmon.exe
2920 C:\Program Files\Acroprint\Attendance Rx\AttendanceRx.exe
3100 C:\Program Files\Panasonic\Panasonic-DMS\Port Controller\Mfpscdl.exe
3092 C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
3128 C:\UPS\WSTD\WSTDMessaging.exe
932 C:\Program Files\Windows Desktop Search\WindowsSearch.exe
3376 C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
3996 C:\Program Files\Microsoft Office97\Office\MSOFFICE.EXE
3620 C:\WINDOWS\system32\searchprotocolhost.exe
3344 searchfilterhost.exe
3684 C:\Documents and Settings\valerieg\Desktop\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)
\\.\D: --> \\.\PhysicalDrive0 at offset 0x00000010`2102cc00 (NTFS)

PhysicalDrive0 Model Number: WDCWD800JD-60LSA5, Rev: 10.01E03

Size Device Name MBR Status
--------------------------------------------
74 GB \\.\PhysicalDrive0 Hewlett-Packard MBR code detected
SHA1: 6DE5B7C1EEAFBE901B2807597A84F9F19604E031


Done!




ComboFix scanned and did not ask for a reboot. The following report was created:


ComboFix report:

ComboFix 10-10-26.02 - valerieg 10/27/2010 12:04:01.3.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1918.1241 [GMT -4:00]
Running from: c:\documents and settings\valerieg\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2010-09-27 to 2010-10-27 )))))))))))))))))))))))))))))))
.

2010-10-25 23:40 . 2010-10-25 23:40 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-10-25 22:47 . 2010-10-25 22:47 -------- d-----w- c:\documents and settings\valerieg\Local Settings\Application Data\Mozilla
2010-10-25 22:17 . 2010-10-25 22:09 714752 -c--a-w- c:\windows\system32\dllcache\ntdll.dll
2010-10-25 22:17 . 2010-10-25 22:09 714752 ----a-w- c:\windows\system32\ntdll.dll
2010-10-23 16:10 . 2010-10-23 16:10 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-10-23 15:28 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-10-23 15:28 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-10-23 15:28 . 2010-10-23 15:34 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-10-22 18:40 . 2010-10-22 18:40 -------- d-----w- c:\windows\system32\wbem\Repository
2010-10-22 17:56 . 2010-10-22 17:56 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2010-10-22 17:55 . 2010-10-22 17:55 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2010-10-22 14:26 . 2010-10-22 14:26 -------- d-----w- c:\documents and settings\valerieg\Application Data\SUPERAntiSpyware.com
2010-10-22 13:59 . 2010-10-22 13:59 -------- d-----w- c:\documents and settings\administrator.HAISSFABRIPART\Application Data\SUPERAntiSpyware.com
2010-10-22 13:58 . 2010-10-23 16:11 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-10-22 13:55 . 2010-10-22 13:55 -------- d-----w- c:\documents and settings\administrator.HAISSFABRIPART\PrivacIE
2010-10-22 13:53 . 2010-10-22 13:53 -------- d-----w- c:\documents and settings\administrator.HAISSFABRIPART\Local Settings\Application Data\Identities
2010-10-22 13:53 . 2010-10-22 13:53 -------- d-----w- c:\documents and settings\administrator.HAISSFABRIPART\Local Settings\Application Data\Adobe
2010-10-22 13:51 . 2010-10-22 13:51 -------- d-----w- c:\documents and settings\administrator.HAISSFABRIPART\IETldCache
2010-10-21 20:53 . 2010-10-21 20:53 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2010-10-21 20:49 . 2010-10-21 20:49 -------- d-----w- c:\documents and settings\valerieg\Application Data\Malwarebytes
2010-10-21 20:49 . 2010-10-21 20:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-10-13 11:32 . 2010-09-18 06:53 953856 -c----w- c:\windows\system32\dllcache\mfc40u.dll
2010-10-13 11:32 . 2010-09-18 06:53 974848 -c----w- c:\windows\system32\dllcache\mfc42.dll
2010-10-13 11:32 . 2010-08-23 16:12 617472 -c----w- c:\windows\system32\dllcache\comctl32.dll
2010-10-13 11:17 . 2010-10-13 11:22 -------- d-----w- C:\_AcroTemp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-18 16:23 . 2004-08-04 12:00 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53 . 2004-08-04 12:00 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53 . 2004-08-04 12:00 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53 . 2004-08-04 12:00 953856 ----a-w- c:\windows\system32\mfc40u.dll
2010-09-10 05:58 . 2004-08-04 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-09-10 05:58 . 2004-08-04 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-09-10 05:58 . 2004-08-04 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-09-01 11:51 . 2004-08-04 12:00 285824 ----a-w- c:\windows\system32\atmfd.dll
2010-08-31 13:42 . 2004-08-04 12:00 1852800 ----a-w- c:\windows\system32\win32k.sys
2010-08-27 08:02 . 2004-08-04 12:00 119808 ----a-w- c:\windows\system32\t2embed.dll
2010-08-27 05:57 . 2004-08-04 12:00 99840 ----a-w- c:\windows\system32\srvsvc.dll
2010-08-26 13:39 . 2004-08-04 12:00 357248 ----a-w- c:\windows\system32\drivers\srv.sys
2010-08-26 12:52 . 2009-08-19 23:23 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2010-08-23 16:12 . 2004-08-04 12:00 617472 ----a-w- c:\windows\system32\comctl32.dll
2010-08-17 13:17 . 2004-08-04 12:00 58880 ----a-w- c:\windows\system32\spoolsv.exe
2010-08-16 08:45 . 2004-08-04 12:00 590848 ----a-w- c:\windows\system32\rpcrt4.dll
2002-08-15 16:54 . 2006-07-07 15:27 3198976 ----a-w- c:\program files\ViewSonicregistration.exe
.

((((((((((((((((((((((((((((( SnapShot@2010-10-26_19.41.16 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-10-27 14:39 . 2010-10-27 14:39 16384 c:\windows\temp\Perflib_Perfdata_d4.dat
+ 2010-10-27 14:39 . 2010-10-27 14:39 16384 c:\windows\temp\Perflib_Perfdata_760.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TomTomHOME.exe"="c:\program files\TomTom HOME 2\HOMERunner.exe" [2008-09-26 206184]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-09-28 2424560]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"<NO NAME>"="c:\program files\Internet Explorer\iexplore.exe" [2009-03-08 638816]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"amd_dc_opt"="c:\program files\AMD\Dual-Core Optimizer\amd_dc_opt.exe" [2007-03-14 77824]
"PDF Complete"="c:\program files\PDF Complete\pdfsty.exe" [2007-08-07 331288]
"SetRefresh"="c:\program files\Compaq\SetRefresh\SetRefresh.exe" [2003-11-20 525824]
"Recguard"="c:\windows\Sminst\Recguard.exe" [2006-05-12 1138688]
"Reminder"="c:\windows\Creator\Remind_XP.exe" [2006-03-31 761856]
"Scheduler"="c:\windows\SMINST\Scheduler.exe" [2006-07-10 872448]
"JobHisInit"="c:\program files\RMClient\JobHisInit.exe" [2003-05-30 135168]
"MplSetUp"="c:\program files\RMClient\MplSetUp.exe" [2000-11-05 40960]
"Synchronization Manager"="c:\windows\system32\mobsync.exe" [2008-04-14 143360]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2004-12-28 98304]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-09-21 198160]
"AVG9_TRAY"="c:\progra~1\AVG\AVG9\avgtray.exe" [2010-10-05 2067808]
"Panasonic Application Manager Agent"="c:\program files\Panasonic\Panasonic-DMS\Panasonic NUS\PamDlg.exe" [2008-12-16 49152]
"NA1Messenger"="c:\ups\WSTD\UPSNA1Msgr.exe" [2009-12-02 24576]
"Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2010-09-23 38840]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2010-09-22 640440]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2009-01-07 1496968]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2009-01-07 1468296]

c:\documents and settings\valerieg\Start Menu\Programs\Startup\
Microsoft Office Shortcut Bar.Lnk - c:\program files\Microsoft Office97\Office\MSOFFICE.EXE [1996-11-17 333824]
PowerReg Scheduler.exe [2008-8-8 225280]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Attendance Rx.lnk - c:\program files\Acroprint\Attendance Rx\AttendanceRx.exe [2008-4-15 5947392]
Panasonic Communications Utility.lnk - c:\program files\Panasonic\Panasonic-DMS\Port Controller\Mfpscdl.exe [2010-1-12 176128]
Service Manager.lnk - c:\program files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2005-5-3 81920]
UPS WorldShip Messaging Utility.lnk - c:\ups\WSTD\WSTDMessaging.exe [2009-12-1 61440]
UPS WorldShip PLD Reminder Utility.lnk - c:\ups\WSTD\wstdPldReminder.exe [2009-12-1 40960]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"DisablePersonalDirChange"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-07-16 13:06 12536 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\SMINST\\Scheduler.exe"=
"c:\\Program Files\\Laplink\\PCmover\\PCmover.exe"=
"c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Panasonic\\Panasonic-DMS\\Port Controller\\Mfpscdl.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1434:TCP"= 1434:TCP:UPS WorldShip MSDE Port

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [11/28/2008 3:10 PM 216400]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [4/30/2009 10:31 AM 243024]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 2:25 PM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 2:41 PM 67656]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [7/16/2010 9:06 AM 308136]
R2 MSSQL$UPSWSDBSERVER;MSSQL$UPSWSDBSERVER;c:\ups\WSTD\MSSQL$UPSWSDBSERVER\Binn\sqlservr.exe -sUPSWSDBSERVER --> c:\ups\WSTD\MSSQL$UPSWSDBSERVER\Binn\sqlservr.exe -sUPSWSDBSERVER [?]
R2 Panasonic Application Manager Service;Panasonic Application Manager Service;c:\program files\Panasonic\Panasonic-DMS\Panasonic NUS\PamService.exe [10/15/2008 12:08 PM 20480]
R2 pdfcDispatcher;PDF Document Manager;c:\program files\PDF Complete\pdfsvc.exe [3/5/2008 6:29 PM 540184]
S2 arxservice;arxservice;c:\program files\Acroprint\Attendance Rx\arxservice.exe [4/15/2008 4:32 PM 61440]
S3 LLUSBFLT;LLUSBFLT;c:\windows\system32\drivers\llusbflt.sys [8/3/2005 3:59 PM 4736]
S3 PLUsbbc2;High-Speed USB Bridge Cable Driver;c:\windows\system32\drivers\usbbc2.sys [8/3/2005 3:59 PM 8960]
S3 SQLAgent$UPSWSDBSERVER;SQLAgent$UPSWSDBSERVER;c:\ups\WSTD\MSSQL$UPSWSDBSERVER\Binn\sqlagent.EXE -i UPSWSDBSERVER --> c:\ups\WSTD\MSSQL$UPSWSDBSERVER\Binn\sqlagent.EXE -i UPSWSDBSERVER [?]
.
Contents of the 'Scheduled Tasks' folder

2010-10-01 c:\windows\Tasks\C Drive Defrag.job
- c:\windows\system32\defrag.exe [2004-08-04 00:12]

2010-06-16 c:\windows\Tasks\Microsoft_Hardware_Launch_IPoint_exe.job
- c:\program files\Microsoft IntelliPoint\ipoint.exe [2009-01-07 19:46]

2010-06-16 c:\windows\Tasks\Microsoft_Hardware_Launch_IType_exe.job
- c:\program files\Microsoft IntelliType Pro\itype.exe [2009-01-07 19:23]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
mSearch Bar =
IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Trusted Zone: microsoft.com\*.update
Trusted Zone: ups.com\www
TCP: {A1F830F7-3F5F-4C15-A0F1-9D6BD88B4FDC} = 192.168.0.2,74.218.99.70
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {FFFFFFFF-CAFE-BABE-BABE-00AA0055595A} - hxxp://www.networksolutionsemailpopwizard.com/TrueSwitchEC.exe
FF - ProfilePath - c:\documents and settings\valerieg\Application Data\Mozilla\Firefox\Profiles\jzt5gcsj.default\
FF - prefs.js: browser.startup.homepage - about:blank
FF - prefs.js: network.proxy.type - 0
FF - component: c:\program files\real\realplayer\browserrecord\firefox\ext\components\nprpffbrowserrecordext.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); // Traditional
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); // Simplified
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-10-27 12:09
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\pdfcDispatcher]
"ImagePath"="c:\program files\PDF Complete\pdfsvc.exe /startedbyscm:66B66708-40E2BE4D-pdfcService"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(732)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(1296)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
Completion time: 2010-10-27 12:12:08
ComboFix-quarantined-files.txt 2010-10-27 16:11
ComboFix2.txt 2010-10-26 20:59
ComboFix3.txt 2010-10-26 19:45

Pre-Run: 37,660,291,072 bytes free
Post-Run: 37,742,276,608 bytes free

- - End Of File - - 540B65204A53A1A40AA56A0E58850BDE




Thank you so much for your help.

Ken

#8 JSntgRvr (Master Surgeon General, Malware Response Team)

Posted 27 October 2010 - 12:30 PM

How is the computer doing?

No request for help through private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!


#9 KJA (Topic Starter)

Posted 27 October 2010 - 12:47 PM

Computer seems to be running fine. No redirects when a search result is clicked. No error messages since last scan (Combofix, about 1 hour and 45 minutes ago).

#10 JSntgRvr (Master Surgeon General, Malware Response Team)

Posted 27 October 2010 - 01:35 PM

Congratulations.

Reset and Re-enable your System Restore to remove bad files that have been backed up by Windows. The files in System Restore are protected to prevent any programmes changing them. This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected.)

To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.

(Windows XP)

1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.

Since the tools we used to scan the computer, as well as tools to delete files and folders, are no longer needed, they should be removed, as well as the folders created by these tools.

Follow these steps to uninstall Combofix.
  • Rename Combofix to Uninstall and click on it. It will launch and remove itself.

Manually remove any tool left.

Create a Restore point:
  • Click Start, point to All Programs, point to Accessories, point to System Tools, and then click System Restore.
  • In the System Restore dialog box, click Create a restore point, and then click Next.
  • Type a description for your restore point, such as "After Cleanup", then click Create.

The following is a list of tools and utilities that I like to suggest to people. This list is full of great tools and utilities to help you understand how you got infected and how to keep from getting infected again.
  • Spybot Search & Destroy - A powerful tool which can search and annihilate nasties that make it onto your system. Now with an Immunize section that will help prevent future infections.
  • AdAware - Another very powerful tool which searches and kills nasties that infect your system. AdAware and Spybot Search & Destroy complement each other very well.
  • Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.
  • Google Toolbar - Free google toolbar that allows you to use the powerful Google search engine from the bar, but also blocks pop up windows.
  • Trillian or Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)
  • ERUNT (Emergency Recovery Utility NT) allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed.
To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Miekiemoes.

Best wishes!

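The System Restore reset and "After Cleanup" checkpoint described in the post above, as an added scripted example that is not part of the original thread or of any tool it mentions. It uses the Windows PowerShell SystemRestore cmdlets (Disable-ComputerRestore, Enable-ComputerRestore, Checkpoint-Computer, Get-ComputerRestorePoint), which exist in Windows PowerShell 2.0 and later on client editions of Windows and must run from an elevated prompt; that the XP machine in this thread has Windows PowerShell 2.0 installed, and that its system drive is C:, are assumptions. The function names and the registry tweak for newer Windows versions are the example's own.

```powershell
# Added example (not from the original post). Assumes Windows PowerShell 2.0+
# on a client Windows, an elevated prompt, and C: as the system drive.

# Stage 1: turn System Restore off. This discards every existing restore
# point, including any that have backed up infected files.
function Reset-SystemRestorePoints {
    param([string]$Drive = 'C:\')
    $before = @(Get-ComputerRestorePoint -ErrorAction SilentlyContinue).Count
    Disable-ComputerRestore -Drive $Drive
    Write-Host "Restore points before reset: $before."
    Write-Host "System Restore is now off on $Drive. Reboot, then run New-CleanRestorePoint."
}

# Stage 2 (after the reboot): turn System Restore back on and take a clean
# baseline so there is a known-good point to roll back to.
function New-CleanRestorePoint {
    param([string]$Drive = 'C:\', [string]$Description = 'After Cleanup')
    Enable-ComputerRestore -Drive $Drive

    # Windows 8 and later silently skip a checkpoint taken within 24 hours of
    # the previous one unless this value is 0; the key is ignored on older
    # versions. Assumption: key name as documented by Microsoft.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore'
    if (Test-Path $key) {
        Set-ItemProperty -Path $key -Name SystemRestorePointCreationFrequency -Value 0 -Type DWord
    }

    Checkpoint-Computer -Description $Description -RestorePointType MODIFY_SETTINGS

    # Return the point just created so the caller can confirm it exists.
    Get-ComputerRestorePoint | Where-Object { $_.Description -eq $Description }
}
```

Run Reset-SystemRestorePoints, reboot, then run New-CleanRestorePoint; the second function returns the new restore point object (sequence number, description, creation time), and an empty result means the checkpoint was not created and the prompt should be checked for elevation.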


#11 KJA (Topic Starter)

Posted 27 October 2010 - 02:15 PM

Yes, I think you have cured the computer of its problems. I will clean up the programs and files as you suggest and clear all restore points / create a new clean restore point. I think I will also gather the employees and have a talk about safe internet / computer practices. I thank you for all the help you have provided. Should the symptoms return within a few hours, will you see a post here if I reply? Should I just start a new topic?

#12 JSntgRvr (Master Surgeon General, Malware Response Team)

Posted 27 October 2010 - 03:48 PM

I will keep the topic opened for a couple of days.





