Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Extremely Slow Computer/High CPU/BSoDs/Can you help?


  • This topic is locked This topic is locked
15 replies to this topic

#1 wrmerkel

wrmerkel

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:07:11 PM

Posted 11 November 2010 - 11:00 PM

Hi All - this is a plea for help that I hoped I wouldn't have to make, so many thanks for advance for reading even this far. I have a recently built (and clean) Athlon BE-2400 system, 2GB RAM, XP Pro SP3/Avira AV that until recently was running like the wind. I generally run what I think is a pretty tight ship, defragging drives and registry, scanning with MBAM/SpybotS&D/Adaware regularly. But in the past two weeks the machine has just been dragging in a serious way. CPU usage is WAAAY up almost all the time, with no apparent apps accessing it (system idle processes show the highest usage by far). I haven't been able to run MBAM except for in safe mode, but it hasn't been finding anything. SuperAntiSpyware running fine, not finding anything ever. Spybot found a few things that looked fairly innocuous so I deleted them, but nothing has improved. I've tried a rootkit detector and came up empty. I've read and followed the instructions you've posted prior to posting in this forum, but none of those actions helped. So that brings me to this posting. Please let me know what info you'd like me to provide prior to going any further and I'll respond asap.

Best regards,
Bill
Arlington, VA

Edited by wrmerkel, 11 November 2010 - 11:00 PM.


BC AdBot (Login to Remove)

 


#2 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:07:11 PM

Posted 11 November 2010 - 11:24 PM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine.

If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.
Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explaination about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE

We also need a new log from the GMER anti-rootkit scanner. Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


  userbar_eis_500.gif

If I have helped you, consider making a donation to help me continue the fight against Malware! Just click btn_donate_LG.gif


#3 wrmerkel

wrmerkel
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:07:11 PM

Posted 12 November 2010 - 06:45 AM

I am posting the DDS output below. GMER starts but hangs every time so I don't have the output from that. GMER will show the initial screen and a few lines, but when I check the proper boxes and execute, it gets a few files into the scan and hangs for good. Please let me know if there's anything I can do to get GMER to run to completion.

Thanks!
Bill

>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

DDS (Ver_10-11-10.01) - NTFSx86 NETWORK
Run by Administrator at 23:50:14.92 on Thu 11/11/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_20
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1609 [GMT -5:00]

AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Administrator\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = my.yahoo.com
BHO: Octh Class: {000123b4-9b42-4900-b3f7-f4b073efc214} - c:\program files\orbitdownloader\orbitcth.dll
BHO: SnagIt Toolbar Loader: {00c6482d-c502-44c8-8409-fce54ad9c208} - c:\program files\techsmith\snagit 8\SnagItBHO.dll
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~2\office14\GROOVEEX.DLL
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - c:\progra~1\micros~2\office14\URLREDIR.DLL
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: SnagIt: {8ff5e183-abde-46eb-b09e-d2aab95cabe3} - c:\program files\techsmith\snagit 8\SnagItIEAddin.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
TB: Grab Pro: {c55bbcd6-41ad-48ad-9953-3609c48eacc7} - c:\program files\orbitdownloader\GrabPro.dll
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
IE: {8FCCDD73-C9F3-443a-AB53-7A25FD925808} - c:\program files\bitbuddy\BitBuddy.EXE
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~2\office14\GROOVEEX.DLL
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\admini~1\applic~1\mozilla\firefox\profiles\eg2dc83v.default\
FF - plugin: c:\progra~1\micros~2\office14\NPAUTHZ.DLL
FF - plugin: c:\progra~1\micros~2\office14\NPSPWRAP.DLL
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); // Traditional
c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); // Simplified

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-10-14 64160]
S1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2010-10-16 11608]
S1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
S1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
S2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2010-10-16 60936]
S3 Cap713x;Cap713x Video Capture;c:\windows\system32\drivers\Cap713x.sys [2004-6-9 502784]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-3-9 1029456]
S3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\microsoft office\office14\GROOVE.EXE [2010-3-25 30969208]
S3 ONJIAUUOYUF;ONJIAUUOYUF;c:\docume~1\bill\locals~1\temp\onjiauuoyuf.exe --> c:\docume~1\bill\locals~1\temp\ONJIAUUOYUF.exe [?]
S3 osppsvc;Office Software Protection Platform;c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\OSPPSVC.EXE [2010-1-9 4640000]
S3 RLRPDN;RLRPDN;c:\docume~1\bill\locals~1\temp\rlrpdn.exe --> c:\docume~1\bill\locals~1\temp\RLRPDN.exe [?]
S3 uvnc_service;uvnc_service;c:\program files\ultravnc\winvnc.exe [2009-5-4 1693128]
S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2005-1-26 280344]
S4 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2010-10-16 135336]
S4 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2010-10-16 267944]

=============== Created Last 30 ================

2010-11-12 04:47:40 -------- d-----w- c:\docume~1\admini~1\locals~1\applic~1\Mozilla
2010-11-12 04:02:58 -------- d-----w- c:\docume~1\admini~1\applic~1\SUPERAntiSpyware.com
2010-11-12 03:29:43 -------- d-----w- c:\docume~1\admini~1\applic~1\Malwarebytes
2010-11-12 03:05:51 -------- d-sha-r- C:\cmdcons
2010-11-12 03:03:13 98816 ----a-w- c:\windows\sed.exe
2010-11-12 03:03:13 89088 ----a-w- c:\windows\MBR.exe
2010-11-12 03:03:13 256512 ----a-w- c:\windows\PEV.exe
2010-11-12 03:03:13 161792 ----a-w- c:\windows\SWREG.exe
2010-11-12 03:01:00 -------- d-----w- c:\docume~1\admini~1\applic~1\Avira
2010-11-12 02:23:54 -------- d-----w- c:\docume~1\admini~1\locals~1\applic~1\Adobe
2010-11-12 02:22:09 -------- d-sh--w- c:\documents and settings\administrator\PrivacIE
2010-11-12 01:43:51 -------- d-----w- c:\docume~1\admini~1\applic~1\TuneUp Software
2010-11-12 01:41:00 -------- d-sh--w- c:\documents and settings\administrator\IETldCache
2010-11-12 01:40:59 -------- d-----w- c:\docume~1\admini~1\locals~1\applic~1\Microsoft
2010-11-03 02:28:24 -------- d-----w- c:\program files\TagScanner
2010-10-31 02:32:39 -------- d-----w- c:\program files\CCleaner
2010-10-31 01:13:16 161296 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2010-10-28 04:22:15 26600 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2010-10-28 04:22:15 107368 ----a-w- c:\windows\system32\GEARAspi.dll
2010-10-28 04:16:54 -------- d-----w- c:\program files\iPod
2010-10-28 04:14:24 -------- d-----w- c:\docume~1\alluse~1\applic~1\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-10-28 04:14:23 -------- d-----w- c:\program files\iTunes
2010-10-28 04:04:28 41984 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2010-10-28 04:04:28 3062048 ----a-w- c:\windows\system32\usbaaplrc.dll
2010-10-28 04:02:17 -------- d-----w- c:\program files\Bonjour
2010-10-24 02:18:28 -------- d--h--w- c:\windows\system32\GroupPolicy
2010-10-19 13:10:47 -------- d-----w- c:\program files\Process Explorer
2010-10-19 01:48:51 57344 ------w- c:\windows\system32\ImageDrive.cpl
2010-10-19 01:48:50 89184 ------w- c:\windows\system32\drivers\imagedrv.sys
2010-10-19 01:46:03 38912 ----a-w- c:\windows\system32\picn20.dll
2010-10-19 01:45:25 544768 ----a-w- c:\windows\system32\imagx5.dll
2010-10-19 01:45:23 569344 ----a-w- c:\windows\system32\imagr5.dll
2010-10-19 01:45:22 283920 ----a-w- c:\windows\system32\ImagXpr5.dll
2010-10-19 01:45:15 155648 ----a-w- c:\windows\system32\NeroCheck.exe
2010-10-18 13:31:54 -------- d-----w- C:\downloads
2010-10-18 13:31:31 -------- d-----w- c:\program files\Orbitdownloader
2010-10-17 11:10:50 -------- d-----w- c:\windows\system32\NtmsData
2010-10-17 00:18:38 60936 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-10-17 00:18:31 -------- d-----w- c:\program files\Avira
2010-10-17 00:18:31 -------- d-----w- c:\docume~1\alluse~1\applic~1\Avira
2010-10-16 21:15:56 -------- d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2010-10-16 21:14:01 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-10-16 00:44:24 -------- d-----w- c:\windows\pss
2010-10-15 04:09:27 64160 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-10-14 04:37:56 455680 -c----w- c:\windows\system32\dllcache\mrxsmb.sys
2010-10-14 04:32:40 2146304 -c----w- c:\windows\system32\dllcache\ntkrnlmp.exe
2010-10-14 04:32:39 2189952 -c----w- c:\windows\system32\dllcache\ntoskrnl.exe
2010-10-14 04:32:37 2024448 -c----w- c:\windows\system32\dllcache\ntkrpamp.exe
2010-10-14 04:30:24 272128 -c----w- c:\windows\system32\dllcache\bthport.sys
2010-10-14 04:17:14 13312 -c----w- c:\windows\system32\dllcache\iecompat.dll
2010-10-14 04:17:02 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2010-10-14 04:17:01 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll
2010-10-14 04:17:01 602112 -c----w- c:\windows\system32\dllcache\msfeeds.dll
2010-10-14 04:17:01 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll
2010-10-14 04:17:01 247808 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2010-10-14 04:17:01 1986560 -c----w- c:\windows\system32\dllcache\iertutil.dll
2010-10-14 04:17:01 11080192 -c----w- c:\windows\system32\dllcache\ieframe.dll
2010-10-14 02:11:51 95672 ----a-w- c:\program files\mozilla firefox\plugins\nppdf32.dll

==================== Find3M ====================

2010-10-15 04:02:58 15688 ----a-w- c:\windows\system32\lsdelete.exe
2010-09-18 16:23:26 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53:25 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53:25 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53:25 953856 ----a-w- c:\windows\system32\mfc40u.dll
2010-09-10 05:58:08 916480 ----a-w- c:\windows\system32\wininet.dll
2010-09-10 05:58:06 43520 ------w- c:\windows\system32\licmgr10.dll
2010-09-10 05:58:06 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-09-08 15:17:46 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-09-08 15:17:46 69632 ----a-w- c:\windows\system32\QuickTime.qts
2010-09-01 11:51:14 285824 ----a-w- c:\windows\system32\atmfd.dll
2010-08-31 13:42:52 1852800 ----a-w- c:\windows\system32\win32k.sys
2010-08-27 08:02:29 119808 ----a-w- c:\windows\system32\t2embed.dll
2010-08-27 05:57:43 99840 ----a-w- c:\windows\system32\srvsvc.dll
2010-08-26 12:52:45 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2010-08-26 02:53:21 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-08-26 02:53:20 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-08-26 02:39:33 604416 ----a-w- c:\windows\system32\TUProgSt.exe
2010-08-26 02:39:28 361216 ----a-w- c:\windows\system32\TuneUpDefragService.exe
2010-08-23 16:12:04 617472 ----a-w- c:\windows\system32\comctl32.dll
2010-08-17 13:17:06 58880 ----a-w- c:\windows\system32\spoolsv.exe
2010-08-16 08:45:00 590848 ----a-w- c:\windows\system32\rpcrt4.dll

============= FINISH: 23:50:28.15 ===============

#4 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:07:11 PM

Posted 12 November 2010 - 07:36 AM

Hello,

Let's try a couple other scanners.

1.
Scan With RKUnHooker

  • Please Download Rootkit Unhooker Save it to your desktop.

    Note** it is zipped up in a .rar file - If you do not have a program to unzip this type of file -
    you can get a free one from here - http://www.7-zip.org/
  • Now double-click on RKUnhookerLE.exe to run it.
  • Click the Report tab, then click Scan.
  • Check (Tick) Drivers, Stealth. Uncheck the rest. then Click OK.
  • Wait till the scanner has finished and then click File, Save Report.
  • Save the report somewhere where you can find it. Click Close.
Copy the entire contents of the report and paste it in a reply here.

Note** you may get this warning it is ok, just ignore

"Rootkit Unhooker has detected a parasite inside itself!
It is recommended to remove parasite, okay?"



2.
Download Bootkit remover to your desktop

1. Extract the file to your desktop.
2. Double click Remover.exe to run it (Right click and run as Administrator for Vista).
3. It will show a Black screen with some data on it.
4. Right click on the screen and choose Select All.
5. Press Control+C (to copy the data).
6. Open a notepad, Click on Edit tab > paste.
7. Exit the Remover.exe window.
8. Please post the contents of the notepad when you reply.


3.
Please download MBRCheck to your desktop.

1. Double click MBRCheck.exe to run it (Right click and run as Administrator for Vista).
2. It will open a black window, please do not fix anything (if it gives you an option).
3. Exit that window and it will produce a log (MBRCheck_date_time).
4. Please post that log when you reply.

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


  userbar_eis_500.gif

If I have helped you, consider making a donation to help me continue the fight against Malware! Just click btn_donate_LG.gif


#5 wrmerkel

wrmerkel
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:07:11 PM

Posted 12 November 2010 - 07:49 PM

OK, here are the logs.

1. Rootkit Unhooker Log

RkU Version: 3.8.388.590, Type LE (SR2)
==============================================
OS Name: Windows XP
Version 5.1.2600 (Service Pack 3)
Number of processors #2
==============================================
>Drivers
==============================================
0xB7061000 C:\WINDOWS\system32\DRIVERS\nv4_mini.sys 6307840 bytes (NVIDIA Corporation, NVIDIA Compatible Windows 2000 Miniport Driver, Version 182.06 )
0xBF012000 C:\WINDOWS\System32\nv4_disp.dll 6189056 bytes (NVIDIA Corporation, NVIDIA Compatible Windows 2000 Display driver, Version 182.06 )
0xB0792000 C:\WINDOWS\system32\drivers\RtkHDAud.sys 4874240 bytes (Realtek Semiconductor Corp., Realtek® High Definition Audio Function Driver)
0x804D7000 C:\WINDOWS\system32\ntkrnlpa.exe 2150400 bytes (Microsoft Corporation, NT Kernel & System)
0x804D7000 PnpManager 2150400 bytes
0x804D7000 RAW 2150400 bytes
0x804D7000 WMIxWDM 2150400 bytes
0xBF800000 Win32k 1855488 bytes
0xBF800000 C:\WINDOWS\System32\win32k.sys 1855488 bytes (Microsoft Corporation, Multi-User Win32 Driver)
0xAFF93000 C:\WINDOWS\system32\Drivers\CVPNDRVA.sys 589824 bytes (Cisco Systems, Inc., Cisco Systems VPN Client IPSec Driver)
0xB9E35000 Ntfs.sys 577536 bytes (Microsoft Corporation, NT File System Driver)
0xB6F35000 C:\WINDOWS\system32\DRIVERS\Cap713x.sys 503808 bytes (PSH, Cap713x)
0xB05B5000 C:\WINDOWS\system32\DRIVERS\mrxsmb.sys 458752 bytes (Microsoft Corporation, Windows NT SMB Minirdr)
0xB6E39000 C:\WINDOWS\system32\DRIVERS\update.sys 385024 bytes (Microsoft Corporation, Update Driver)
0xB06E2000 C:\WINDOWS\system32\DRIVERS\tcpip.sys 364544 bytes (Microsoft Corporation, TCP/IP Protocol Driver)
0xAFE4B000 C:\WINDOWS\system32\DRIVERS\srv.sys 360448 bytes (Microsoft Corporation, Server driver)
0xB6E97000 C:\WINDOWS\system32\DRIVERS\rdpdr.sys 196608 bytes (Microsoft Corporation, Microsoft RDP Device redirector)
0xB9F79000 ACPI.sys 188416 bytes (Microsoft Corporation, ACPI Driver for NT)
0xB9E08000 NDIS.sys 184320 bytes (Microsoft Corporation, NDIS 5.1 wrapper driver)
0xB0625000 C:\WINDOWS\system32\DRIVERS\rdbss.sys 176128 bytes (Microsoft Corporation, Redirected Drive Buffering SubSystem Driver)
0xB6FDE000 C:\WINDOWS\system32\DRIVERS\HDAudBus.sys 163840 bytes (Windows ® Server 2003 DDK provider, High Definition Audio Bus Driver v1.0a)
0xB06BA000 C:\WINDOWS\system32\DRIVERS\netbt.sys 163840 bytes (Microsoft Corporation, MBT Transport driver)
0xB9F23000 dmio.sys 155648 bytes (Microsoft Corp., Veritas Software, NT Disk Manager I/O Driver)
0xB0694000 C:\WINDOWS\system32\DRIVERS\ipnat.sys 155648 bytes (Microsoft Corporation, IP Network Address Translator)
0xB076E000 C:\WINDOWS\system32\drivers\portcls.sys 147456 bytes (Microsoft Corporation, Port Class (Class Driver for Port/Miniport Devices))
0xB7029000 C:\WINDOWS\system32\DRIVERS\USBPORT.SYS 147456 bytes (Microsoft Corporation, USB 1.1 & 2.0 Port Driver)
0xB0592000 C:\WINDOWS\system32\DRIVERS\avipbb.sys 143360 bytes (Avira GmbH, Avira Driver for Security Enhancement)
0xB7006000 C:\WINDOWS\system32\DRIVERS\ks.sys 143360 bytes (Microsoft Corporation, Kernel CSA Library)
0xB0672000 C:\WINDOWS\System32\drivers\afd.sys 139264 bytes (Microsoft Corporation, Ancillary Function Driver for WinSock)
0xB0650000 C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS 139264 bytes (SUPERAdBlocker.com and SUPERAntiSpyware.com, SASKUTIL.SYS)
0x806E4000 ACPI_HAL 134400 bytes
0x806E4000 C:\WINDOWS\system32\hal.dll 134400 bytes (Microsoft Corporation, Hardware Abstraction Layer DLL)
0xB9EEB000 fltmgr.sys 131072 bytes (Microsoft Corporation, Microsoft Filesystem Filter Manager)
0xB9F49000 ftdisk.sys 126976 bytes (Microsoft Corporation, FT Disk Driver)
0xB6F17000 C:\WINDOWS\system32\DRIVERS\dne2000.sys 122880 bytes (Deterministic Networks, Inc., Deterministic Network Enhancer)
0xB9DEE000 Mup.sys 106496 bytes (Microsoft Corporation, Multiple UNC Provider driver)
0xB6FB0000 C:\WINDOWS\system32\DRIVERS\Rtnicxp.sys 106496 bytes (Realtek Semiconductor Corporation , Realtek 10/100/1000 NDIS 5.1 Driver )
0xB9F0B000 atapi.sys 98304 bytes (Microsoft Corporation, IDE/ATAPI Port Driver)
0xB057A000 C:\WINDOWS\System32\Drivers\dump_atapi.sys 98304 bytes
0xB9EC2000 KSecDD.sys 94208 bytes (Microsoft Corporation, Kernel Security Support Provider Interface)
0xB6ED8000 C:\WINDOWS\system32\DRIVERS\ndiswan.sys 94208 bytes (Microsoft Corporation, MS PPP Framing Driver (Strong Encryption))
0xB0240000 C:\WINDOWS\system32\DRIVERS\irda.sys 90112 bytes (Microsoft Corporation, IRDA Protocol Driver)
0xB02CE000 C:\WINDOWS\system32\DRIVERS\avgntflt.sys 86016 bytes (Avira GmbH, Avira Minifilter Driver)
0xB018B000 C:\WINDOWS\system32\drivers\wdmaud.sys 86016 bytes (Microsoft Corporation, MMSYSTEM Wave/Midi API mapper)
0xB6FCA000 C:\WINDOWS\system32\DRIVERS\parport.sys 81920 bytes (Microsoft Corporation, Parallel Port Driver)
0xB704D000 C:\WINDOWS\system32\DRIVERS\VIDEOPRT.SYS 81920 bytes (Microsoft Corporation, Video Port Driver)
0xB073B000 C:\WINDOWS\system32\DRIVERS\ipsec.sys 77824 bytes (Microsoft Corporation, IPSec Driver)
0xBF000000 C:\WINDOWS\System32\drivers\dxg.sys 73728 bytes (Microsoft Corporation, DirectX Graphics Driver)
0xB9ED9000 sr.sys 73728 bytes (Microsoft Corporation, System Restore Filesystem Filter Driver)
0xB9F68000 pci.sys 69632 bytes (Microsoft Corporation, NT Plug and Play PCI Enumerator)
0xB6EC7000 C:\WINDOWS\system32\DRIVERS\psched.sys 69632 bytes (Microsoft Corporation, MS QoS Packet Scheduler)
0xB334F000 C:\WINDOWS\System32\Drivers\Cdfs.SYS 65536 bytes (Microsoft Corporation, CD-ROM File System Driver)
0xBA178000 C:\WINDOWS\system32\DRIVERS\cdrom.sys 65536 bytes (Microsoft Corporation, SCSI CD-ROM Driver)
0xBA198000 C:\WINDOWS\system32\DRIVERS\serial.sys 65536 bytes (Microsoft Corporation, Serial Device Driver)
0xB36E2000 C:\WINDOWS\system32\drivers\drmk.sys 61440 bytes (Microsoft Corporation, Microsoft Kernel DRM Descrambler Filter)
0xBA0F8000 Lbd.sys 61440 bytes (Lavasoft AB, Boot Driver)
0xBA188000 C:\WINDOWS\system32\DRIVERS\redbook.sys 61440 bytes (Microsoft Corporation, Redbook Audio Filter Driver)
0xB2C29000 C:\WINDOWS\system32\drivers\sysaudio.sys 61440 bytes (Microsoft Corporation, System Audio WDM Filter)
0xBA208000 C:\WINDOWS\system32\DRIVERS\usbhub.sys 61440 bytes (Microsoft Corporation, Default Hub Driver for USB)
0xBA0E8000 C:\WINDOWS\system32\DRIVERS\CLASSPNP.SYS 53248 bytes (Microsoft Corporation, SCSI Class System Dll)
0xBA1B8000 C:\WINDOWS\system32\DRIVERS\rasl2tp.sys 53248 bytes (Microsoft Corporation, RAS L2TP mini-port/call-manager driver)
0xBA1A8000 C:\WINDOWS\system32\DRIVERS\STREAM.SYS 53248 bytes (Microsoft Corporation, WDM CODEC Class Device Driver 2.0)
0xBA0C8000 VolSnap.sys 53248 bytes (Microsoft Corporation, Volume Shadow Copy Driver)
0xBA1D8000 C:\WINDOWS\system32\DRIVERS\raspptp.sys 49152 bytes (Microsoft Corporation, Peer-to-Peer Tunneling Protocol)
0xB3692000 C:\WINDOWS\System32\Drivers\Fips.SYS 45056 bytes (Microsoft Corporation, FIPS Crypto Driver)
0xBA168000 C:\WINDOWS\system32\DRIVERS\imapi.sys 45056 bytes (Microsoft Corporation, IMAPI Kernel Driver)
0xBA0B8000 MountMgr.sys 45056 bytes (Microsoft Corporation, Mount Manager)
0xBA1C8000 C:\WINDOWS\system32\DRIVERS\raspppoe.sys 45056 bytes (Microsoft Corporation, RAS PPPoE mini-port/call-manager driver)
0xBA0A8000 isapnp.sys 40960 bytes (Microsoft Corporation, PNP ISA Bus Driver)
0xBA238000 C:\WINDOWS\System32\Drivers\NDProxy.SYS 40960 bytes (Microsoft Corporation, NDIS Proxy)
0xBA108000 PxHelp20.sys 40960 bytes (Sonic Solutions, Px Engine Device Driver for Windows 2000/XP)
0xBA1F8000 C:\WINDOWS\system32\DRIVERS\termdd.sys 40960 bytes (Microsoft Corporation, Terminal Server Driver)
0xBA0D8000 disk.sys 36864 bytes (Microsoft Corporation, PnP Disk Driver)
0xB335F000 C:\WINDOWS\system32\DRIVERS\HIDCLASS.SYS 36864 bytes (Microsoft Corporation, Hid Class Library)
0xBA1E8000 C:\WINDOWS\system32\DRIVERS\msgpc.sys 36864 bytes (Microsoft Corporation, MS General Packet Classifier)
0xB36A2000 C:\WINDOWS\system32\DRIVERS\netbios.sys 36864 bytes (Microsoft Corporation, NetBIOS interface driver)
0xAF774000 C:\WINDOWS\System32\Drivers\Normandy.SYS 36864 bytes (RKU Driver)
0xBA158000 C:\WINDOWS\system32\DRIVERS\processr.sys 36864 bytes (Microsoft Corporation, Processor Device Driver)
0xB36B2000 C:\WINDOWS\system32\DRIVERS\wanarp.sys 36864 bytes (Microsoft Corporation, MS Remote Access and Routing ARP Driver)
0xB33BA000 C:\WINDOWS\System32\Drivers\Npfs.SYS 32768 bytes (Microsoft Corporation, NPFS Driver)
0xBA420000 C:\WINDOWS\system32\DRIVERS\usbccgp.sys 32768 bytes (Microsoft Corporation, USB Common Class Generic Parent Driver)
0xBA3B8000 C:\WINDOWS\system32\DRIVERS\usbehci.sys 32768 bytes (Microsoft Corporation, EHCI eUSB Miniport Driver)
0xBA3D8000 C:\WINDOWS\system32\DRIVERS\fdc.sys 28672 bytes (Microsoft Corporation, Floppy Disk Controller Driver)
0xB33EA000 C:\WINDOWS\system32\DRIVERS\HIDPARSE.SYS 28672 bytes (Microsoft Corporation, Hid Parsing Library)
0xBA328000 C:\WINDOWS\system32\DRIVERS\PCIIDEX.SYS 28672 bytes (Microsoft Corporation, PCI IDE Bus Driver Extension)
0xBA458000 C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS 28672 bytes (Microsoft Corporation, USB Mass Storage Class Driver)
0xBA3C8000 C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys 24576 bytes (GEAR Software Inc., CD DVD Filter)
0xBA408000 C:\WINDOWS\system32\DRIVERS\kbdclass.sys 24576 bytes (Microsoft Corporation, Keyboard Class Driver)
0xBA410000 C:\WINDOWS\system32\DRIVERS\mouclass.sys 24576 bytes (Microsoft Corporation, Mouse Class Driver)
0xB281C000 C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS 24576 bytes (SUPERAdBlocker.com and SUPERAntiSpyware.com, SASDIFSV.SYS)
0xB33CA000 C:\WINDOWS\system32\DRIVERS\ssmdrv.sys 24576 bytes (Avira GmbH, AVIRA SnapShot Driver)
0xB33C2000 C:\WINDOWS\System32\drivers\vga.sys 24576 bytes (Microsoft Corporation, VGA/Super VGA Video Driver)
0xBA3E0000 C:\WINDOWS\system32\DRIVERS\irsir.sys 20480 bytes (Microsoft Corporation, Serial Infrared Driver)
0xB33E2000 C:\WINDOWS\System32\Drivers\Msfs.SYS 20480 bytes (Microsoft Corporation, Mailslot driver)
0xBA330000 PartMgr.sys 20480 bytes (Microsoft Corporation, Partition Manager)
0xBA3F8000 C:\WINDOWS\system32\DRIVERS\ptilink.sys 20480 bytes (Parallel Technologies, Inc., Parallel Technologies DirectParallel IO Library)
0xBA3E8000 C:\WINDOWS\system32\DRIVERS\rasirda.sys 20480 bytes (Microsoft Corporation, IrDA WAN Miniport Driver)
0xBA400000 C:\WINDOWS\system32\DRIVERS\raspti.sys 20480 bytes (Microsoft Corporation, PTI DirectParallel® mini-port/call-manager driver)
0xBA3F0000 C:\WINDOWS\system32\DRIVERS\TDI.SYS 20480 bytes (Microsoft Corporation, TDI Wrapper)
0xBA3B0000 C:\WINDOWS\system32\DRIVERS\usbohci.sys 20480 bytes (Microsoft Corporation, OHCI USB Miniport Driver)
0xBA470000 C:\WINDOWS\System32\watchdog.sys 20480 bytes (Microsoft Corporation, Watchdog Driver)
0xBA548000 C:\WINDOWS\system32\DRIVERS\kbdhid.sys 16384 bytes (Microsoft Corporation, HID Mouse Filter Driver)
0xB7DBA000 C:\WINDOWS\system32\DRIVERS\mssmbios.sys 16384 bytes (Microsoft Corporation, System Management BIOS Driver)
0xB02BE000 C:\WINDOWS\system32\DRIVERS\ndisuio.sys 16384 bytes (Microsoft Corporation, NDIS User mode I/O Driver)
0xBA58C000 C:\WINDOWS\system32\DRIVERS\serenum.sys 16384 bytes (Microsoft Corporation, Serial Port Enumerator)
0xBA4B8000 C:\WINDOWS\system32\BOOTVID.dll 12288 bytes (Microsoft Corporation, VGA Boot Driver)
0xB6EEF000 C:\WINDOWS\System32\drivers\Dxapi.sys 12288 bytes (Microsoft Corporation, DirectX API Driver)
0xB2B5D000 C:\WINDOWS\system32\DRIVERS\hidusb.sys 12288 bytes (Microsoft Corporation, USB Miniport Driver for Input Devices)
0xBA590000 C:\WINDOWS\system32\DRIVERS\irenum.sys 12288 bytes (Microsoft Corporation, Infra-Red Bus Enumerator)
0xBA54C000 C:\WINDOWS\system32\DRIVERS\mouhid.sys 12288 bytes (Microsoft Corporation, HID Mouse Filter Driver)
0xBA5A0000 C:\WINDOWS\system32\DRIVERS\ndistapi.sys 12288 bytes (Microsoft Corporation, NDIS 3.0 connection wrapper driver)
0xBA584000 C:\WINDOWS\system32\drivers\pfc.sys 12288 bytes (Padus, Inc., Padus® ASPI Shell)
0xB0C5C000 C:\WINDOWS\system32\DRIVERS\rasacd.sys 12288 bytes (Microsoft Corporation, RAS Automatic Connection Driver)
0xBA66C000 C:\Program Files\Avira\AntiVir Desktop\avgio.sys 8192 bytes (Avira GmbH, Avira AntiVir Support for Minifilter)
0xBA660000 C:\WINDOWS\System32\Drivers\Beep.SYS 8192 bytes (Microsoft Corporation, BEEP Driver)
0xBA5AC000 dmload.sys 8192 bytes (Microsoft Corp., Veritas Software., NT Disk Manager Startup Driver)
0xBA5B0000 C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS 8192 bytes
0xBA65E000 C:\WINDOWS\System32\Drivers\Fs_Rec.SYS 8192 bytes (Microsoft Corporation, File System Recognizer Driver)
0xBA5A8000 C:\WINDOWS\system32\KDCOM.DLL 8192 bytes (Microsoft Corporation, Kernel Debugger HW Extension DLL)
0xBA662000 C:\WINDOWS\System32\Drivers\mnmdd.SYS 8192 bytes (Microsoft Corporation, Frame buffer simulator)
0xBA64A000 C:\WINDOWS\System32\Drivers\ParVdm.SYS 8192 bytes (Microsoft Corporation, VDM Parallel Driver)
0xBA666000 C:\WINDOWS\System32\DRIVERS\RDPCDD.sys 8192 bytes (Microsoft Corporation, RDP Miniport)
0xBA5D6000 C:\WINDOWS\system32\DRIVERS\swenum.sys 8192 bytes (Microsoft Corporation, Plug and Play Software Device Enumerator)
0xBA5D8000 C:\WINDOWS\system32\DRIVERS\USBD.SYS 8192 bytes (Microsoft Corporation, Universal Serial Bus Driver)
0xBA5AA000 C:\WINDOWS\system32\DRIVERS\WMILIB.SYS 8192 bytes (Microsoft Corporation, WMILIB WMI support library Dll)
0xBA6AC000 C:\WINDOWS\system32\DRIVERS\audstub.sys 4096 bytes (Microsoft Corporation, AudStub Driver)
0xBA722000 C:\WINDOWS\System32\drivers\dxgthk.sys 4096 bytes (Microsoft Corporation, DirectX Graphics Driver Thunk)
0xBA70F000 C:\WINDOWS\System32\Drivers\Null.SYS 4096 bytes (Microsoft Corporation, NULL Driver)
0xBA670000 pciide.sys 4096 bytes (Microsoft Corporation, Generic PCI IDE Bus Driver)
==============================================
>Stealth
==============================================


2. BootkitRemover Log

Bootkit Remover
© 2009 eSage Lab
www.esagelab.com

Program version: 1.2.0.0
OS Version: Microsoft Windows XP Professional Service Pack 3 (build 2600)

System volume is \\.\C:
\\.\C: -> \\.\PhysicalDrive0 at offset 0x00000000`00007e00
Boot sector MD5 is: 6def5ffcbcdbdb4082f1015625e597bd

Size Device Name MBR Status
--------------------------------------------
372 GB \\.\PhysicalDrive0 OK (DOS/Win32 Boot code found)


3. MBRCHeck Log

MBRCheck, version 1.2.3
© 2010, AD

Command-line:
Windows Version: Windows XP Professional
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x0000043c

Kernel Drivers (total 124):
0x804D7000 \WINDOWS\system32\ntkrnlpa.exe
0x806E4000 \WINDOWS\system32\hal.dll
0xBA5A8000 \WINDOWS\system32\KDCOM.DLL
0xBA4B8000 \WINDOWS\system32\BOOTVID.dll
0xB9F79000 ACPI.sys
0xBA5AA000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
0xB9F68000 pci.sys
0xBA0A8000 isapnp.sys
0xBA670000 pciide.sys
0xBA328000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
0xBA0B8000 MountMgr.sys
0xB9F49000 ftdisk.sys
0xBA5AC000 dmload.sys
0xB9F23000 dmio.sys
0xBA330000 PartMgr.sys
0xBA0C8000 VolSnap.sys
0xB9F0B000 atapi.sys
0xBA0D8000 disk.sys
0xBA0E8000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
0xB9EEB000 fltmgr.sys
0xB9ED9000 sr.sys
0xBA0F8000 Lbd.sys
0xBA108000 PxHelp20.sys
0xB9EC2000 KSecDD.sys
0xB9E35000 Ntfs.sys
0xB9E08000 NDIS.sys
0xB9DEE000 Mup.sys
0xBA158000 \SystemRoot\system32\DRIVERS\processr.sys
0xB7061000 \SystemRoot\system32\DRIVERS\nv4_mini.sys
0xB704D000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
0xBA3B0000 \SystemRoot\system32\DRIVERS\usbohci.sys
0xB7029000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0xBA3B8000 \SystemRoot\system32\DRIVERS\usbehci.sys
0xBA168000 \SystemRoot\system32\DRIVERS\imapi.sys
0xBA584000 \SystemRoot\system32\drivers\pfc.sys
0xBA178000 \SystemRoot\system32\DRIVERS\cdrom.sys
0xBA188000 \SystemRoot\system32\DRIVERS\redbook.sys
0xB7006000 \SystemRoot\system32\DRIVERS\ks.sys
0xBA3C8000 \SystemRoot\system32\DRIVERS\GEARAspiWDM.sys
0xB6FDE000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
0xBA198000 \SystemRoot\system32\DRIVERS\serial.sys
0xBA58C000 \SystemRoot\system32\DRIVERS\serenum.sys
0xBA3D8000 \SystemRoot\system32\DRIVERS\fdc.sys
0xBA3E0000 \SystemRoot\system32\DRIVERS\irsir.sys
0xBA590000 \SystemRoot\system32\DRIVERS\irenum.sys
0xB6FCA000 \SystemRoot\system32\DRIVERS\parport.sys
0xB6FB0000 \SystemRoot\system32\DRIVERS\Rtnicxp.sys
0xB6F35000 \SystemRoot\system32\DRIVERS\Cap713x.sys
0xBA1A8000 \SystemRoot\system32\DRIVERS\STREAM.SYS
0xB6F17000 \SystemRoot\system32\DRIVERS\dne2000.sys
0xBA6AC000 \SystemRoot\system32\DRIVERS\audstub.sys
0xBA3E8000 \SystemRoot\system32\DRIVERS\rasirda.sys
0xBA3F0000 \SystemRoot\system32\DRIVERS\TDI.SYS
0xBA1B8000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0xBA5A0000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0xB6ED8000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0xBA1C8000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0xBA1D8000 \SystemRoot\system32\DRIVERS\raspptp.sys
0xB6EC7000 \SystemRoot\system32\DRIVERS\psched.sys
0xBA1E8000 \SystemRoot\system32\DRIVERS\msgpc.sys
0xBA3F8000 \SystemRoot\system32\DRIVERS\ptilink.sys
0xBA400000 \SystemRoot\system32\DRIVERS\raspti.sys
0xB6E97000 \SystemRoot\system32\DRIVERS\rdpdr.sys
0xBA1F8000 \SystemRoot\system32\DRIVERS\termdd.sys
0xBA408000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0xBA410000 \SystemRoot\system32\DRIVERS\mouclass.sys
0xBA5D6000 \SystemRoot\system32\DRIVERS\swenum.sys
0xB6E39000 \SystemRoot\system32\DRIVERS\update.sys
0xB7DBA000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0xBA208000 \SystemRoot\system32\DRIVERS\usbhub.sys
0xBA5D8000 \SystemRoot\system32\DRIVERS\USBD.SYS
0xBA238000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xB0792000 \SystemRoot\system32\drivers\RtkHDAud.sys
0xB076E000 \SystemRoot\system32\drivers\portcls.sys
0xB36E2000 \SystemRoot\system32\drivers\drmk.sys
0xBA65E000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xBA70F000 \SystemRoot\System32\Drivers\Null.SYS
0xBA660000 \SystemRoot\System32\Drivers\Beep.SYS
0xB33EA000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
0xB33C2000 \SystemRoot\System32\drivers\vga.sys
0xBA662000 \SystemRoot\System32\Drivers\mnmdd.SYS
0xBA666000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0xB33E2000 \SystemRoot\System32\Drivers\Msfs.SYS
0xB33BA000 \SystemRoot\System32\Drivers\Npfs.SYS
0xB0C5C000 \SystemRoot\system32\DRIVERS\rasacd.sys
0xB073B000 \SystemRoot\system32\DRIVERS\ipsec.sys
0xB06E2000 \SystemRoot\system32\DRIVERS\tcpip.sys
0xB06BA000 \SystemRoot\system32\DRIVERS\netbt.sys
0xB0694000 \SystemRoot\system32\DRIVERS\ipnat.sys
0xB36B2000 \SystemRoot\system32\DRIVERS\wanarp.sys
0xB0672000 \SystemRoot\System32\drivers\afd.sys
0xB36A2000 \SystemRoot\system32\DRIVERS\netbios.sys
0xB33CA000 \SystemRoot\system32\DRIVERS\ssmdrv.sys
0xB0650000 \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS
0xB281C000 \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
0xB0625000 \SystemRoot\system32\DRIVERS\rdbss.sys
0xB05B5000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0xB3692000 \SystemRoot\System32\Drivers\Fips.SYS
0xB0592000 \SystemRoot\system32\DRIVERS\avipbb.sys
0xBA420000 \SystemRoot\system32\DRIVERS\usbccgp.sys
0xBA66C000 \??\C:\Program Files\Avira\AntiVir Desktop\avgio.sys
0xBA458000 \SystemRoot\system32\DRIVERS\USBSTOR.SYS
0xB2B5D000 \SystemRoot\system32\DRIVERS\hidusb.sys
0xB335F000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
0xB334F000 \SystemRoot\System32\Drivers\Cdfs.SYS
0xBA548000 \SystemRoot\system32\DRIVERS\kbdhid.sys
0xBA54C000 \SystemRoot\system32\DRIVERS\mouhid.sys
0xB057A000 \SystemRoot\System32\Drivers\dump_atapi.sys
0xBA5B0000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
0xBF800000 \SystemRoot\System32\win32k.sys
0xB6EEF000 \SystemRoot\System32\drivers\Dxapi.sys
0xBA470000 \SystemRoot\System32\watchdog.sys
0xBF000000 \SystemRoot\System32\drivers\dxg.sys
0xBA722000 \SystemRoot\System32\drivers\dxgthk.sys
0xBF012000 \SystemRoot\System32\nv4_disp.dll
0xB02CE000 \SystemRoot\system32\DRIVERS\avgntflt.sys
0xB0240000 \SystemRoot\system32\DRIVERS\irda.sys
0xB02BE000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0xB018B000 \SystemRoot\system32\drivers\wdmaud.sys
0xB2C29000 \SystemRoot\system32\drivers\sysaudio.sys
0xBA64A000 \SystemRoot\System32\Drivers\ParVdm.SYS
0xAFF93000 \??\C:\WINDOWS\system32\Drivers\CVPNDRVA.sys
0xAFE4B000 \SystemRoot\system32\DRIVERS\srv.sys
0x7C900000 \WINDOWS\system32\ntdll.dll

Processes (total 28):
0 System Idle Process
4 System
952 C:\WINDOWS\system32\smss.exe
1944 csrss.exe
2040 C:\WINDOWS\system32\winlogon.exe
372 C:\WINDOWS\system32\services.exe
384 C:\WINDOWS\system32\lsass.exe
760 C:\WINDOWS\system32\svchost.exe
972 svchost.exe
1232 C:\WINDOWS\system32\svchost.exe
1316 svchost.exe
1560 svchost.exe
1832 C:\WINDOWS\system32\spoolsv.exe
1112 C:\Program Files\Bonjour\mDNSResponder.exe
1204 C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
1632 C:\WINDOWS\system32\svchost.exe
1684 C:\Program Files\Java\jre6\bin\jqs.exe
1708 C:\WINDOWS\system32\svchost.exe
1792 C:\WINDOWS\system32\nvsvc32.exe
1936 C:\WINDOWS\system32\svchost.exe
184 C:\WINDOWS\system32\svchost.exe
1676 C:\WINDOWS\explorer.exe
808 C:\WINDOWS\RTHDCPL.EXE
132 C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
3588 C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
2768 alg.exe
356 C:\WINDOWS\system32\notepad.exe
544 C:\Documents and Settings\Bill\Desktop\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)

PhysicalDrive0 Model Number: WL400GSA1672, Rev: 01.00B.0

Size Device Name MBR Status
--------------------------------------------
372 GB \\.\PhysicalDrive0 Windows XP MBR code detected
SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A


>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
Note that I did not execute these while in Safe Mode, so let me know if I need to do that.

Thanks very much!
Bill

Edited by wrmerkel, 12 November 2010 - 07:51 PM.


#6 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:07:11 PM

Posted 13 November 2010 - 11:05 AM

Hello,

The only thing I see in your logs is some left over stuff from a previous infection. This shouldn't be affecting your machine however. Lets go ahead and run Combofix and see if it picks up anything.

Install Recovery Console and Run ComboFix

This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

Download Combofix from any of the links below, and save it to your desktop.

Link 1
Link 2
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Close any open windows, including this one.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • If you did not have it installed, you will see the prompt below. Choose YES.
  • Posted Image
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Note:The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you
should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

    Posted Image
  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running.
ComboFix will restart your computer if malware is found; allow it to do so.


Note: Please Do NOT mouseclick combofix's window while its running because it may cause it to stall.

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


  userbar_eis_500.gif

If I have helped you, consider making a donation to help me continue the fight against Malware! Just click btn_donate_LG.gif


#7 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:07:11 PM

Posted 15 November 2010 - 02:22 PM

Hello.

Are you still there?

If you are please follow the instructions in my previous post.

If you still need help, follow the instructions I have given in my response. If you have since had your problem solved, we would appreciate you letting us know so we can close the topic.

Please reply back telling us so. If you don't reply within 5-7 days the topic will need to be closed.

Thanks for understanding :)

With Regards,
fireman4it

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


  userbar_eis_500.gif

If I have helped you, consider making a donation to help me continue the fight against Malware! Just click btn_donate_LG.gif


#8 wrmerkel

wrmerkel
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:07:11 PM

Posted 15 November 2010 - 02:34 PM

Hello - Sorry to not have followed up yet, was away yesterday. I have not run ComboFix yet, but will do so this evening. Machine is still running very slowly, particularly when booting and launching apps. Once the browser gets going, it moves along well, but I can't get a full virus scan to complete w/o BSOD so I'm still suspicious.

More to follow.

Bill

Edited by wrmerkel, 15 November 2010 - 02:34 PM.


#9 wrmerkel

wrmerkel
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:07:11 PM

Posted 15 November 2010 - 11:44 PM

Here's the logfile...

ComboFix 10-11-15.05 - Bill 11/15/2010 21:01:48.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1587 [GMT -5:00]
Running from: c:\documents and settings\Bill\Desktop\Combo-Fix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
.

((((((((((((((((((((((((( Files Created from 2010-10-16 to 2010-11-16 )))))))))))))))))))))))))))))))
.

2010-11-14 05:05 . 2010-11-14 05:05 -------- d-----w- c:\documents and settings\Bill\Application Data\Avira
2010-11-14 04:45 . 2010-08-02 21:10 60936 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-11-14 04:45 . 2010-08-02 21:10 126856 ----a-w- c:\windows\system32\drivers\avipbb.sys
2010-11-14 04:45 . 2010-06-17 20:27 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2010-11-14 04:45 . 2010-06-17 20:27 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2010-11-14 04:44 . 2010-11-14 04:44 -------- d-----w- c:\program files\Avira
2010-11-14 04:44 . 2010-11-14 04:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2010-11-12 01:40 . 2010-11-12 04:55 -------- d-----w- c:\documents and settings\Administrator
2010-11-03 02:28 . 2010-11-03 02:28 -------- d-----w- c:\program files\TagScanner
2010-10-31 02:32 . 2010-10-31 02:32 -------- d-----w- c:\program files\CCleaner
2010-10-31 01:13 . 2010-10-31 01:13 161296 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2010-10-28 04:23 . 2010-10-28 10:40 -------- d-----w- c:\documents and settings\Bill\Application Data\Apple Computer
2010-10-28 04:22 . 2009-05-18 17:17 26600 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2010-10-28 04:22 . 2008-04-17 16:12 107368 ----a-w- c:\windows\system32\GEARAspi.dll
2010-10-28 04:16 . 2010-10-28 04:17 -------- d-----w- c:\program files\iPod
2010-10-28 04:14 . 2010-10-28 04:22 -------- d-----w- c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-10-28 04:14 . 2010-10-28 04:22 -------- d-----w- c:\program files\iTunes
2010-10-28 04:06 . 2010-10-28 04:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2010-10-28 04:05 . 2010-10-28 04:05 -------- d-----w- c:\documents and settings\Bill\Local Settings\Application Data\Apple
2010-10-28 04:05 . 2010-10-28 04:05 -------- d-----w- c:\program files\Apple Software Update
2010-10-28 04:04 . 2010-04-20 00:47 3062048 ----a-w- c:\windows\system32\usbaaplrc.dll
2010-10-28 04:04 . 2010-04-20 00:47 41984 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2010-10-28 04:02 . 2010-10-28 04:02 -------- d-----w- c:\program files\Bonjour
2010-10-28 03:58 . 2010-10-28 04:16 -------- d-----w- c:\program files\Common Files\Apple
2010-10-28 03:58 . 2010-10-28 03:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2010-10-28 03:43 . 2010-10-28 04:23 -------- d-----w- c:\documents and settings\Bill\Local Settings\Application Data\Apple Computer
2010-10-24 02:18 . 2010-10-24 02:18 -------- d--h--w- c:\windows\system32\GroupPolicy
2010-10-19 13:10 . 2010-10-19 13:10 -------- d-----w- c:\program files\Process Explorer
2010-10-19 01:48 . 2003-05-26 09:12 57344 ------w- c:\windows\system32\ImageDrive.cpl
2010-10-19 01:48 . 2003-03-29 11:45 89184 ------w- c:\windows\system32\drivers\imagedrv.sys
2010-10-19 01:46 . 2001-06-26 03:15 38912 ----a-w- c:\windows\system32\picn20.dll
2010-10-19 01:45 . 2001-07-06 07:44 544768 ----a-w- c:\windows\system32\imagx5.dll
2010-10-19 01:45 . 2001-07-06 09:41 569344 ----a-w- c:\windows\system32\imagr5.dll
2010-10-19 01:45 . 2001-07-06 13:24 283920 ----a-w- c:\windows\system32\ImagXpr5.dll
2010-10-19 01:45 . 2010-10-19 01:45 -------- d-----w- c:\program files\Common Files\Ahead
2010-10-19 01:45 . 2001-07-09 06:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe
2010-10-19 01:45 . 2010-10-19 01:46 -------- d-----w- c:\program files\Ahead
2010-10-18 13:32 . 2010-10-18 13:32 -------- d-----w- c:\documents and settings\Bill\Application Data\ProgSense
2010-10-18 13:31 . 2010-11-05 00:24 -------- d-----w- C:\downloads
2010-10-18 13:31 . 2010-10-18 14:15 -------- d-----w- c:\documents and settings\Bill\Application Data\GrabPro
2010-10-18 13:31 . 2010-10-26 03:41 -------- d-----w- c:\documents and settings\Bill\Application Data\Orbit
2010-10-18 13:31 . 2010-10-18 13:31 -------- d-----w- c:\program files\Orbitdownloader
2010-10-17 11:10 . 2010-11-14 06:18 -------- d-----w- c:\windows\system32\NtmsData

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-10-15 04:02 . 2009-04-27 22:58 15688 ----a-w- c:\windows\system32\lsdelete.exe
2010-10-15 04:02 . 2010-10-15 04:09 64160 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-09-18 16:23 . 2007-04-03 12:44 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53 . 2008-04-14 09:41 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53 . 2008-04-14 09:41 953856 ----a-w- c:\windows\system32\mfc40u.dll
2010-09-18 06:53 . 2001-08-18 09:00 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-10 05:58 . 2008-04-14 09:42 916480 ----a-w- c:\windows\system32\wininet.dll
2010-09-10 05:58 . 2008-04-14 09:42 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-09-10 05:58 . 2008-04-14 09:41 43520 ------w- c:\windows\system32\licmgr10.dll
2010-09-08 15:17 . 2010-09-08 15:17 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-09-08 15:17 . 2010-09-08 15:17 69632 ----a-w- c:\windows\system32\QuickTime.qts
2010-09-01 11:51 . 2008-04-14 09:39 285824 ----a-w- c:\windows\system32\atmfd.dll
2010-08-31 13:42 . 2008-04-14 05:00 1852800 ----a-w- c:\windows\system32\win32k.sys
2010-08-27 08:02 . 2008-04-14 09:42 119808 ----a-w- c:\windows\system32\t2embed.dll
2010-08-27 05:57 . 2008-04-14 09:42 99840 ----a-w- c:\windows\system32\srvsvc.dll
2010-08-26 13:39 . 2008-04-14 04:45 357248 ----a-w- c:\windows\system32\drivers\srv.sys
2010-08-26 12:52 . 2009-04-16 04:34 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2010-08-26 02:53 . 2010-08-26 02:53 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-08-26 02:53 . 2010-08-26 02:53 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-08-26 02:39 . 2010-08-26 02:39 604416 ----a-w- c:\windows\system32\TUProgSt.exe
2010-08-26 02:39 . 2010-08-26 02:39 361216 ----a-w- c:\windows\system32\TuneUpDefragService.exe
2010-08-23 16:12 . 2008-04-14 09:41 617472 ----a-w- c:\windows\system32\comctl32.dll
.

((((((((((((((((((((((((((((( SnapShot@2010-11-12_03.20.23 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-11-14 23:56 . 2010-11-14 23:56 16384 c:\windows\temp\Perflib_Perfdata_654.dat
+ 2010-11-14 04:46 . 2010-06-17 20:27 28520 c:\windows\system32\drivers\ssmdrv.sys
- 2010-10-17 00:19 . 2009-05-11 14:12 28520 c:\windows\system32\drivers\ssmdrv.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-09-28 2424560]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2008-04-10 16861184]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-02-09 13680640]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-08-02 281768]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^VPN Client.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\VPN Client.lnk
backup=c:\windows\pss\VPN Client.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-09-21 18:37 932288 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 09:42 15360 ----a-w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2009-02-09 05:18 13680640 ----a-w- c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2009-02-09 05:18 86016 ----a-w- c:\windows\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
2009-02-09 05:18 1657376 ----a-w- c:\windows\system32\nwiz.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ctfmon.exe"=c:\windows\system32\ctfmon.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\BitBuddy\\BitBuddy.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\UltraVNC\\vncviewer.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\Microsoft Office\\Office14\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office14\\ONENOTE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office14\\OUTLOOK.EXE"=
"c:\\Program Files\\Orbitdownloader\\orbitdm.exe"=
"c:\\Program Files\\Orbitdownloader\\orbitnet.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5900:TCP"= 5900:TCP:vnc5900
"5800:TCP"= 5800:TCP:vnc5800

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [10/14/2010 11:09 PM 64160]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 1:25 PM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 1:41 PM 67656]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [11/13/2010 11:46 PM 135336]
R3 Cap713x;Cap713x Video Capture;c:\windows\system32\drivers\Cap713x.sys [6/9/2004 11:14 PM 502784]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [1/9/2010 8:37 PM 4640000]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [3/9/2009 2:06 PM 1029456]
S3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\Microsoft Office\Office14\GROOVE.EXE [3/25/2010 9:25 AM 30969208]
S3 ONJIAUUOYUF;ONJIAUUOYUF;c:\docume~1\Bill\LOCALS~1\Temp\ONJIAUUOYUF.exe --> c:\docume~1\Bill\LOCALS~1\Temp\ONJIAUUOYUF.exe [?]
S3 RLRPDN;RLRPDN;c:\docume~1\Bill\LOCALS~1\Temp\RLRPDN.exe --> c:\docume~1\Bill\LOCALS~1\Temp\RLRPDN.exe [?]
S3 uvnc_service;uvnc_service;c:\program files\UltraVNC\winvnc.exe [5/4/2009 9:36 PM 1693128]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - SSMDRV

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
HPService REG_MULTI_SZ HPSLPSVC
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://my.yahoo.com/
uInternet Settings,ProxyOverride = *.local
IE: &Download by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/201
IE: &Grab video by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/204
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Do&wnload selected by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/202
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\MICROS~2\Office14\ONBttnIE.dll/105
IE: {{8FCCDD73-C9F3-443a-AB53-7A25FD925808} - c:\program files\BitBuddy\BitBuddy.EXE
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
FF - ProfilePath - c:\documents and settings\Bill\Application Data\Mozilla\Firefox\Profiles\eo4dist3.default\
FF - prefs.js: browser.startup.homepage - my.yahoo.com
FF - component: c:\documents and settings\Bill\Application Data\Mozilla\Firefox\Profiles\eo4dist3.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\WINNT_x86-msvc\components\ipc_fireftp.dll
FF - component: c:\program files\Orbitdownloader\addons\OneClickYouTubeDownloader\components\GrabXpcom.dll
FF - plugin: c:\documents and settings\Bill\Application Data\Mozilla\Firefox\Profiles\eo4dist3.default\extensions\ietab@ip.cn\plugins\npCoralIETab.dll
FF - plugin: c:\documents and settings\Bill\Application Data\Mozilla\plugins\NPSWF32.dll
FF - plugin: c:\progra~1\MICROS~2\Office14\NPAUTHZ.DLL
FF - plugin: c:\progra~1\MICROS~2\Office14\NPSPWRAP.DLL
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll

---- FIREFOX POLICIES ----
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: nglayout.initialpaint.delay - 600
FF - user.js: content.notify.interval - 600000
FF - user.js: content.max.tokenizing.time - 1800000
FF - user.js: content.switch.threshold - 600000
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); // Traditional
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); // Simplified
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-11-15 21:13
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1048)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(3000)
c:\windows\system32\WININET.dll
c:\progra~1\COMMON~1\MICROS~1\OFFICE14\Cultures\office.odf
c:\progra~1\MICROS~2\Office14\1033\GrooveIntlResource.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
Completion time: 2010-11-15 21:19:10
ComboFix-quarantined-files.txt 2010-11-16 02:19
ComboFix2.txt 2010-11-12 03:25
ComboFix3.txt 2009-06-13 19:29

Pre-Run: 163,717,824,512 bytes free
Post-Run: 163,714,306,048 bytes free

- - End Of File - - 42E932E2E1425B9511DAC4BCE291A99B

#10 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:07:11 PM

Posted 16 November 2010 - 10:23 PM

Hello,

Well Combofix didn't find anything either. We will get rid of the leftovers from an infection and try a couple other scanners.

1.
Spybot S&D or Ad-Aware are no longer recommended
  • mvps.org is no longer recommending Spybot S&D or Ad-Aware due to poor testing results. See here - (scroll down and read under Freeware Antispyware Products)
  • Further, most people don't understand Spybot's TeaTimer or how to use it and that feature can cause more problems than it's worth. TeaTimer monitors changes to certain critical keys in Windows registry but does not indicate if the change is normal or a modification made by a malware infection. The user must have an understanding of the registry and how TeaTimer works in order to make informed decisions to allow or deny the detected changes. Additionally, TeaTimer may conflict with other security tools which do a much better job of protecting your computer and even prevent disinfection of malware by those tools.
  • More effective alternatives are Malwarebytes Anti-Malware and SUPERAntiSpyware Free.

2.
We need to run a CFScript.

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the codebox below into it:

Domains::

DDS::
uInternet Settings,ProxyOverride = *.local
IE: &Download by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/201
IE: &Grab video by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/204
IE: Do&wnload selected by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/203
IE: Down&load all by Orbit - c:\program files\Orbitdownloader\orbitmxt.dll/202
IE: {{8FCCDD73-C9F3-443a-AB53-7A25FD925808} - c:\program files\BitBuddy\BitBuddy.EXE

Driver::
ONJIAUUOYUF
RLRPDN


Save this as CFScript.txt, in the same location as ComboFix.exe


Posted Image

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.


3.
Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!
Be sure to download TDSSKiller.exe (v2.4.0.0) from Kaspersky's website and not TDSSKiller.zip which appears to be an older version 2.3.2.2 of the tool.
  • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • If TDSSKiller does not run, try renaming it.
  • To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.
  • Click the Start Scan button.
  • Do not use the computer during the scan
  • If the scan completes with nothing found, click Close to exit.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
  • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
  • A log file named TDSSKiller_version_date_time_log.txt (i.e. TDSSKiller.2.4.0.0_27.07.2010_09.o7.26_log.txt) will be created and saved to the root directory (usually Local Disk C:).
  • Copy and paste the contents of that file in your next reply.

4.
I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Check Posted Image
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image
Note for Vista Users: Eset is compatible but Internet Explorer must be run as Administrator. To do this, right-click on the IE icon in the Start Menu or Quick Launch Bar on the Taskbar and select "Run as Administrator" from the context menu.)
Posted Image
You can refer to this short video by: neomage
**Note**
To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan.

5.
Please download exeHelper to your desktop. Double-click on exeHelper.com to run the fix. A black window should pop up, press any key to close once the fix is completed. Post the contents of exehelperlog.txt (Will be created in the directory where you ran exeHelper.com, and should open at the end of the scan)


Things to include in your next reply::
Combofix.txt
Eset log
Tdsskiller log
Exehelper log
A new DDS log
How is your machine running now?

Edited by fireman4it, 16 November 2010 - 10:24 PM.

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


  userbar_eis_500.gif

If I have helped you, consider making a donation to help me continue the fight against Malware! Just click btn_donate_LG.gif


#11 wrmerkel

wrmerkel
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:07:11 PM

Posted 19 November 2010 - 07:53 AM

Here's the combo fix log. The machine is soooo slow I haven't gotten the others to run yet. Will do so this evening.

Bill


ComboFix 10-11-15.05 - Bill 11/18/2010 21:30:44.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1418 [GMT -5:00]
Running from: c:\documents and settings\Bill\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\Bill\Desktop\CFScript.txt
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ONJIAUUOYUF
-------\Legacy_RLRPDN
-------\Service_ONJIAUUOYUF
-------\Service_RLRPDN


((((((((((((((((((((((((( Files Created from 2010-10-19 to 2010-11-19 )))))))))))))))))))))))))))))))
.

2010-11-16 05:22 . 2010-11-16 05:22 -------- d-----w- c:\program files\MixMeister BPM Analyzer
2010-11-14 05:05 . 2010-11-14 05:05 -------- d-----w- c:\documents and settings\Bill\Application Data\Avira
2010-11-14 04:45 . 2010-08-02 21:10 60936 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-11-14 04:45 . 2010-08-02 21:10 126856 ----a-w- c:\windows\system32\drivers\avipbb.sys
2010-11-14 04:45 . 2010-06-17 20:27 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2010-11-14 04:45 . 2010-06-17 20:27 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2010-11-14 04:44 . 2010-11-14 04:44 -------- d-----w- c:\program files\Avira
2010-11-14 04:44 . 2010-11-14 04:44 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2010-11-12 01:40 . 2010-11-12 04:55 -------- d-----w- c:\documents and settings\Administrator
2010-11-03 02:28 . 2010-11-03 02:28 -------- d-----w- c:\program files\TagScanner
2010-10-31 02:32 . 2010-10-31 02:32 -------- d-----w- c:\program files\CCleaner
2010-10-31 01:13 . 2010-10-31 01:13 161296 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2010-10-28 04:23 . 2010-10-28 10:40 -------- d-----w- c:\documents and settings\Bill\Application Data\Apple Computer
2010-10-28 04:22 . 2009-05-18 17:17 26600 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2010-10-28 04:22 . 2008-04-17 16:12 107368 ----a-w- c:\windows\system32\GEARAspi.dll
2010-10-28 04:16 . 2010-10-28 04:17 -------- d-----w- c:\program files\iPod
2010-10-28 04:14 . 2010-10-28 04:22 -------- d-----w- c:\documents and settings\All Users\Application Data\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-10-28 04:14 . 2010-10-28 04:22 -------- d-----w- c:\program files\iTunes
2010-10-28 04:06 . 2010-10-28 04:14 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2010-10-28 04:05 . 2010-10-28 04:05 -------- d-----w- c:\documents and settings\Bill\Local Settings\Application Data\Apple
2010-10-28 04:05 . 2010-10-28 04:05 -------- d-----w- c:\program files\Apple Software Update
2010-10-28 04:04 . 2010-04-20 00:47 3062048 ----a-w- c:\windows\system32\usbaaplrc.dll
2010-10-28 04:04 . 2010-04-20 00:47 41984 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2010-10-28 04:02 . 2010-10-28 04:02 -------- d-----w- c:\program files\Bonjour
2010-10-28 03:58 . 2010-10-28 04:16 -------- d-----w- c:\program files\Common Files\Apple
2010-10-28 03:58 . 2010-10-28 03:58 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2010-10-28 03:43 . 2010-10-28 04:23 -------- d-----w- c:\documents and settings\Bill\Local Settings\Application Data\Apple Computer
2010-10-24 02:18 . 2010-10-24 02:18 -------- d--h--w- c:\windows\system32\GroupPolicy

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-10-15 04:02 . 2009-04-27 22:58 15688 ----a-w- c:\windows\system32\lsdelete.exe
2010-10-15 04:02 . 2010-10-15 04:09 64160 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-09-18 16:23 . 2007-04-03 12:44 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53 . 2008-04-14 09:41 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53 . 2008-04-14 09:41 953856 ----a-w- c:\windows\system32\mfc40u.dll
2010-09-18 06:53 . 2001-08-18 09:00 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-10 05:58 . 2008-04-14 09:42 916480 ----a-w- c:\windows\system32\wininet.dll
2010-09-10 05:58 . 2008-04-14 09:42 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-09-10 05:58 . 2008-04-14 09:41 43520 ------w- c:\windows\system32\licmgr10.dll
2010-09-08 15:17 . 2010-09-08 15:17 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-09-08 15:17 . 2010-09-08 15:17 69632 ----a-w- c:\windows\system32\QuickTime.qts
2010-09-01 11:51 . 2008-04-14 09:39 285824 ----a-w- c:\windows\system32\atmfd.dll
2010-08-31 13:42 . 2008-04-14 05:00 1852800 ----a-w- c:\windows\system32\win32k.sys
2010-08-27 08:02 . 2008-04-14 09:42 119808 ----a-w- c:\windows\system32\t2embed.dll
2010-08-27 05:57 . 2008-04-14 09:42 99840 ----a-w- c:\windows\system32\srvsvc.dll
2010-08-26 13:39 . 2008-04-14 04:45 357248 ----a-w- c:\windows\system32\drivers\srv.sys
2010-08-26 12:52 . 2009-04-16 04:34 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2010-08-26 02:53 . 2010-08-26 02:53 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-08-26 02:53 . 2010-08-26 02:53 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-08-26 02:39 . 2010-08-26 02:39 604416 ----a-w- c:\windows\system32\TUProgSt.exe
2010-08-26 02:39 . 2010-08-26 02:39 361216 ----a-w- c:\windows\system32\TuneUpDefragService.exe
2010-08-23 16:12 . 2008-04-14 09:41 617472 ----a-w- c:\windows\system32\comctl32.dll
.

((((((((((((((((((((((((((((( SnapShot@2010-11-12_03.20.23 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-11-19 02:50 . 2010-11-19 02:50 16384 c:\windows\temp\Perflib_Perfdata_61c.dat
+ 2010-11-14 04:46 . 2010-06-17 20:27 28520 c:\windows\system32\drivers\ssmdrv.sys
- 2010-10-17 00:19 . 2009-05-11 14:12 28520 c:\windows\system32\drivers\ssmdrv.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-09-28 2424560]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2008-04-10 16861184]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-02-09 13680640]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-08-02 281768]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^VPN Client.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\VPN Client.lnk
backup=c:\windows\pss\VPN Client.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-09-21 18:37 932288 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 09:42 15360 ----a-w- c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2009-02-09 05:18 13680640 ----a-w- c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2009-02-09 05:18 86016 ----a-w- c:\windows\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
2009-02-09 05:18 1657376 ----a-w- c:\windows\system32\nwiz.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"ctfmon.exe"=c:\windows\system32\ctfmon.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\BitBuddy\\BitBuddy.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\UltraVNC\\vncviewer.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\Microsoft Office\\Office14\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office14\\ONENOTE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office14\\OUTLOOK.EXE"=
"c:\\Program Files\\Orbitdownloader\\orbitdm.exe"=
"c:\\Program Files\\Orbitdownloader\\orbitnet.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5900:TCP"= 5900:TCP:vnc5900
"5800:TCP"= 5800:TCP:vnc5800

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [10/14/2010 11:09 PM 64160]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 1:25 PM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 1:41 PM 67656]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [11/13/2010 11:46 PM 135336]
R3 Cap713x;Cap713x Video Capture;c:\windows\system32\drivers\Cap713x.sys [6/9/2004 11:14 PM 502784]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [1/9/2010 8:37 PM 4640000]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [3/9/2009 2:06 PM 1029456]
S3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\Microsoft Office\Office14\GROOVE.EXE [3/25/2010 9:25 AM 30969208]
S3 uvnc_service;uvnc_service;c:\program files\UltraVNC\winvnc.exe [5/4/2009 9:36 PM 1693128]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
HPService REG_MULTI_SZ HPSLPSVC
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://my.yahoo.com/
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\MICROS~2\Office14\ONBttnIE.dll/105
IE: {{8FCCDD73-C9F3-443a-AB53-7A25FD925808} - c:\program files\BitBuddy\BitBuddy.EXE
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
FF - ProfilePath - c:\documents and settings\Bill\Application Data\Mozilla\Firefox\Profiles\eo4dist3.default\
FF - prefs.js: browser.startup.homepage - my.yahoo.com
FF - component: c:\documents and settings\Bill\Application Data\Mozilla\Firefox\Profiles\eo4dist3.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\WINNT_x86-msvc\components\ipc_fireftp.dll
FF - component: c:\program files\Orbitdownloader\addons\OneClickYouTubeDownloader\components\GrabXpcom.dll
FF - plugin: c:\documents and settings\Bill\Application Data\Mozilla\Firefox\Profiles\eo4dist3.default\extensions\ietab@ip.cn\plugins\npCoralIETab.dll
FF - plugin: c:\documents and settings\Bill\Application Data\Mozilla\plugins\NPSWF32.dll
FF - plugin: c:\progra~1\MICROS~2\Office14\NPAUTHZ.DLL
FF - plugin: c:\progra~1\MICROS~2\Office14\NPSPWRAP.DLL
FF - plugin: c:\program files\DivX\DivX Plus Web Player\npdivx32.dll
FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll

---- FIREFOX POLICIES ----
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: nglayout.initialpaint.delay - 600
FF - user.js: content.notify.interval - 600000
FF - user.js: content.max.tokenizing.time - 1800000
FF - user.js: content.switch.threshold - 600000
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqz9s", true); // Traditional
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--fiqs8s", true); // Simplified
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--j6w193g", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4a87g", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7c0a67fbc", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbqly7cvafr", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kpry57d", true); // Traditional
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--kprw13d", true); // Simplified
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-11-18 21:57
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1048)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(756)
c:\windows\system32\WININET.dll
c:\progra~1\COMMON~1\MICROS~1\OFFICE14\Cultures\office.odf
c:\progra~1\MICROS~2\Office14\1033\GrooveIntlResource.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Avira\AntiVir Desktop\avguard.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Common Files\InterVideo\DeviceService\DevSvc.exe
c:\program files\Avira\AntiVir Desktop\avshadow.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\windows\RTHDCPL.EXE
.
**************************************************************************
.
Completion time: 2010-11-18 22:25:48 - machine was rebooted
ComboFix-quarantined-files.txt 2010-11-19 03:25
ComboFix2.txt 2010-11-16 02:19
ComboFix3.txt 2010-11-12 03:25
ComboFix4.txt 2009-06-13 19:29

Pre-Run: 163,842,486,272 bytes free
Post-Run: 163,764,199,424 bytes free

- - End Of File - - 08FE8DA0B052008861C22CBE81416938

#12 wrmerkel

wrmerkel
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:07:11 PM

Posted 19 November 2010 - 03:33 PM

Here's the TDSS log...

2010/11/19 15:30:28.0437 TDSS rootkit removing tool 2.4.8.0 Nov 17 2010 07:23:12
2010/11/19 15:30:28.0437 ================================================================================
2010/11/19 15:30:28.0437 SystemInfo:
2010/11/19 15:30:28.0437
2010/11/19 15:30:28.0437 OS Version: 5.1.2600 ServicePack: 3.0
2010/11/19 15:30:28.0437 Product type: Workstation
2010/11/19 15:30:28.0437 ComputerName: TINYGOO
2010/11/19 15:30:28.0437 UserName: Bill
2010/11/19 15:30:28.0437 Windows directory: C:\WINDOWS
2010/11/19 15:30:28.0437 System windows directory: C:\WINDOWS
2010/11/19 15:30:28.0437 Processor architecture: Intel x86
2010/11/19 15:30:28.0437 Number of processors: 2
2010/11/19 15:30:28.0437 Page size: 0x1000
2010/11/19 15:30:28.0437 Boot type: Normal boot
2010/11/19 15:30:28.0437 ================================================================================
2010/11/19 15:30:29.0000 Initialize success
2010/11/19 15:30:38.0140 ================================================================================
2010/11/19 15:30:38.0140 Scan started
2010/11/19 15:30:38.0140 Mode: Manual;
2010/11/19 15:30:38.0140 ================================================================================
2010/11/19 15:30:40.0421 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2010/11/19 15:30:40.0828 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
2010/11/19 15:30:41.0640 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
2010/11/19 15:30:42.0234 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys
2010/11/19 15:30:45.0406 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2010/11/19 15:30:45.0937 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
2010/11/19 15:30:47.0078 ati2mtag (8759322ffc1a50569c1e5528ee8026b7) C:\WINDOWS\system32\DRIVERS\ati2mtag.sys
2010/11/19 15:30:47.0921 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2010/11/19 15:30:48.0312 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2010/11/19 15:30:48.0468 avgio (0b497c79824f8e1bf22fa6aacd3de3a0) C:\Program Files\Avira\AntiVir Desktop\avgio.sys
2010/11/19 15:30:48.0859 avgntflt (1eb7d72a82f94f7e9496d363fce00b68) C:\WINDOWS\system32\DRIVERS\avgntflt.sys
2010/11/19 15:30:49.0265 avipbb (f8c56231ed5ecf7d1b46b0330880ccef) C:\WINDOWS\system32\DRIVERS\avipbb.sys
2010/11/19 15:30:49.0671 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2010/11/19 15:30:50.0343 Cap713x (50d14df39f17418f11d32e287380f5f7) C:\WINDOWS\system32\DRIVERS\Cap713x.sys
2010/11/19 15:30:51.0140 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2010/11/19 15:30:51.0515 CCDECODE (0be5aef125be881c4f854c554f2b025c) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
2010/11/19 15:30:52.0296 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2010/11/19 15:30:52.0703 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
2010/11/19 15:30:53.0093 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2010/11/19 15:30:54.0531 CVirtA (b5ecadf7708960f1818c7fa015f4c239) C:\WINDOWS\system32\DRIVERS\CVirtA.sys
2010/11/19 15:30:55.0093 CVPNDRVA (57310c245810b26e378de9e6b22db598) C:\WINDOWS\system32\Drivers\CVPNDRVA.sys
2010/11/19 15:30:56.0406 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
2010/11/19 15:30:57.0281 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
2010/11/19 15:30:58.0203 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\DRIVERS\dmio.sys
2010/11/19 15:30:58.0562 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2010/11/19 15:30:59.0046 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
2010/11/19 15:30:59.0515 DNE (86d52c32a308f84bbc626bff7c1fb710) C:\WINDOWS\system32\DRIVERS\dne2000.sys
2010/11/19 15:31:00.0234 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
2010/11/19 15:31:00.0671 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
2010/11/19 15:31:01.0328 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
2010/11/19 15:31:01.0718 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
2010/11/19 15:31:02.0125 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys
2010/11/19 15:31:02.0593 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
2010/11/19 15:31:02.0937 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2010/11/19 15:31:03.0359 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2010/11/19 15:31:03.0734 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys
2010/11/19 15:31:04.0390 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2010/11/19 15:31:04.0859 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
2010/11/19 15:31:05.0234 hidusb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
2010/11/19 15:31:05.0953 HPZid412 (d03d10f7ded688fecf50f8fbf1ea9b8a) C:\WINDOWS\system32\DRIVERS\HPZid412.sys
2010/11/19 15:31:06.0546 HPZipr12 (89f41658929393487b6b7d13c8528ce3) C:\WINDOWS\system32\DRIVERS\HPZipr12.sys
2010/11/19 15:31:06.0937 HPZius12 (abcb05ccdbf03000354b9553820e39f8) C:\WINDOWS\system32\DRIVERS\HPZius12.sys
2010/11/19 15:31:07.0468 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
2010/11/19 15:31:08.0781 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2010/11/19 15:31:09.0203 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
2010/11/19 15:31:12.0687 IntcAzAudAddService (b2957d6c1226f029230dac2c46d34286) C:\WINDOWS\system32\drivers\RtkHDAud.sys
2010/11/19 15:31:13.0484 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
2010/11/19 15:31:13.0906 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2010/11/19 15:31:14.0281 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2010/11/19 15:31:14.0718 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2010/11/19 15:31:15.0187 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2010/11/19 15:31:15.0640 irda (aca5e7b54409f9cb5eed97ed0c81120e) C:\WINDOWS\system32\DRIVERS\irda.sys
2010/11/19 15:31:16.0234 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
2010/11/19 15:31:16.0609 irsir (0501f0b9ab08425f8c0eacbdcc04aa32) C:\WINDOWS\system32\DRIVERS\irsir.sys
2010/11/19 15:31:17.0125 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2010/11/19 15:31:17.0500 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2010/11/19 15:31:17.0875 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
2010/11/19 15:31:18.0359 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
2010/11/19 15:31:18.0953 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
2010/11/19 15:31:19.0343 Lbd (419590ebe7855215bb157ea0cf0d0531) C:\WINDOWS\system32\DRIVERS\Lbd.sys
2010/11/19 15:31:20.0390 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2010/11/19 15:31:20.0765 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
2010/11/19 15:31:21.0218 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2010/11/19 15:31:21.0593 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
2010/11/19 15:31:22.0093 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
2010/11/19 15:31:22.0921 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2010/11/19 15:31:23.0625 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2010/11/19 15:31:24.0109 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
2010/11/19 15:31:24.0468 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2010/11/19 15:31:24.0890 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2010/11/19 15:31:25.0234 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
2010/11/19 15:31:25.0578 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2010/11/19 15:31:25.0984 MSTEE (e53736a9e30c45fa9e7b5eac55056d1d) C:\WINDOWS\system32\drivers\MSTEE.sys
2010/11/19 15:31:26.0375 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
2010/11/19 15:31:26.0781 NABTSFEC (5b50f1b2a2ed47d560577b221da734db) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
2010/11/19 15:31:27.0437 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
2010/11/19 15:31:27.0906 NdisIP (7ff1f1fd8609c149aa432f95a8163d97) C:\WINDOWS\system32\DRIVERS\NdisIP.sys
2010/11/19 15:31:28.0265 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2010/11/19 15:31:28.0640 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2010/11/19 15:31:29.0093 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2010/11/19 15:31:29.0500 NDProxy (6215023940cfd3702b46abc304e1d45a) C:\WINDOWS\system32\drivers\NDProxy.sys
2010/11/19 15:31:29.0921 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
2010/11/19 15:31:30.0375 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
2010/11/19 15:31:31.0171 netwg311 (95694fc00ba1a488f2987c3db926e19f) C:\WINDOWS\system32\DRIVERS\netwg311.sys
2010/11/19 15:31:31.0750 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
2010/11/19 15:31:32.0687 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
2010/11/19 15:31:33.0296 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2010/11/19 15:31:37.0468 nv (07e25fe08344021091f000d84611a2ab) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
2010/11/19 15:31:41.0703 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2010/11/19 15:31:42.0093 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2010/11/19 15:31:42.0531 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
2010/11/19 15:31:43.0140 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
2010/11/19 15:31:43.0500 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2010/11/19 15:31:43.0968 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
2010/11/19 15:31:44.0625 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
2010/11/19 15:31:45.0093 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
2010/11/19 15:31:47.0578 pfc (957b82ec80ad7ead64e5e47df6b0dc40) C:\WINDOWS\system32\drivers\pfc.sys
2010/11/19 15:31:48.0156 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2010/11/19 15:31:48.0625 Processor (a32bebaf723557681bfc6bd93e98bd26) C:\WINDOWS\system32\DRIVERS\processr.sys
2010/11/19 15:31:49.0031 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
2010/11/19 15:31:49.0437 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2010/11/19 15:31:49.0828 PxHelp20 (e42e3433dbb4cffe8fdd91eab29aea8e) C:\WINDOWS\system32\Drivers\PxHelp20.sys
2010/11/19 15:31:51.0921 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2010/11/19 15:31:52.0312 Rasirda (0207d26ddf796a193ccd9f83047bb5fc) C:\WINDOWS\system32\DRIVERS\rasirda.sys
2010/11/19 15:31:52.0718 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2010/11/19 15:31:53.0250 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2010/11/19 15:31:53.0625 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2010/11/19 15:31:54.0125 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2010/11/19 15:31:54.0468 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2010/11/19 15:31:54.0968 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
2010/11/19 15:31:55.0546 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
2010/11/19 15:31:56.0062 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
2010/11/19 15:31:56.0531 RTL8023xp (e10f6c9bd09d8dae26e29d52c65e6e0f) C:\WINDOWS\system32\DRIVERS\Rtnicxp.sys
2010/11/19 15:31:56.0671 SASDIFSV (a3281aec37e0720a2bc28034c2df2a56) C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
2010/11/19 15:31:56.0750 SASKUTIL (61db0d0756a99506207fd724e3692b25) C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS
2010/11/19 15:31:57.0203 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2010/11/19 15:31:57.0562 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
2010/11/19 15:31:58.0046 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
2010/11/19 15:31:58.0578 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
2010/11/19 15:31:59.0390 SLIP (866d538ebe33709a5c9f5c62b73b7d14) C:\WINDOWS\system32\DRIVERS\SLIP.sys
2010/11/19 15:32:00.0109 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
2010/11/19 15:32:00.0531 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
2010/11/19 15:32:01.0093 Srv (0f6aefad3641a657e18081f52d0c15af) C:\WINDOWS\system32\DRIVERS\srv.sys
2010/11/19 15:32:01.0562 ssmdrv (a36ee93698802cd899f98bfd553d8185) C:\WINDOWS\system32\DRIVERS\ssmdrv.sys
2010/11/19 15:32:01.0937 StillCam (a9573045baa16eab9b1085205b82f1ed) C:\WINDOWS\system32\DRIVERS\serscan.sys
2010/11/19 15:32:02.0296 streamip (77813007ba6265c4b6098187e6ed79d2) C:\WINDOWS\system32\DRIVERS\StreamIP.sys
2010/11/19 15:32:02.0656 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
2010/11/19 15:32:03.0156 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
2010/11/19 15:32:05.0375 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
2010/11/19 15:32:05.0953 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2010/11/19 15:32:06.0546 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
2010/11/19 15:32:06.0968 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
2010/11/19 15:32:07.0375 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
2010/11/19 15:32:08.0187 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
2010/11/19 15:32:09.0390 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
2010/11/19 15:32:10.0078 USBAAPL (4b8a9c16b6d9258ed99c512aecb8c555) C:\WINDOWS\system32\Drivers\usbaapl.sys
2010/11/19 15:32:10.0484 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
2010/11/19 15:32:10.0906 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2010/11/19 15:32:11.0359 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2010/11/19 15:32:11.0765 usbohci (0daecce65366ea32b162f85f07c6753b) C:\WINDOWS\system32\DRIVERS\usbohci.sys
2010/11/19 15:32:12.0140 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
2010/11/19 15:32:12.0515 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
2010/11/19 15:32:12.0890 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2010/11/19 15:32:13.0343 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
2010/11/19 15:32:14.0328 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
2010/11/19 15:32:14.0968 vsdatant (27b3dd12a19eec50220df15b64913dda) C:\WINDOWS\system32\vsdatant.sys
2010/11/19 15:32:15.0656 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2010/11/19 15:32:16.0468 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
2010/11/19 15:32:16.0921 WSTCODEC (c98b39829c2bbd34e454150633c62c78) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
2010/11/19 15:32:17.0265 ================================================================================
2010/11/19 15:32:17.0265 Scan finished
2010/11/19 15:32:17.0265 ================================================================================

#13 wrmerkel

wrmerkel
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:07:11 PM

Posted 19 November 2010 - 09:51 PM

ESET Scan got thru 99% complete then ended in a BSOD, no output. Running exehelper next...

#14 wrmerkel

wrmerkel
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:07:11 PM

Posted 19 November 2010 - 09:57 PM

Exehelper log...

exeHelper by Raktor
Build 20100414
Run at 21:55:47 on 11/19/10
Now searching...
Checking for numerical processes...
Checking for sysguard processes...
Checking for bad processes...
Checking for bad files...
Checking for bad registry entries...
Resetting filetype association for .exe
Resetting filetype association for .com
Resetting userinit and shell values...
Resetting policies...
--Finished--

Machine very slow, particularly on boot up and when launching new applications. Will easily take several minutes to launch a browser. Browser seems to run pretty well once it launches, though.

Any chance we're seeing a hardware issue instead of a virus or malware?

THanks,
Bill

#15 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,505 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:07:11 PM

Posted 20 November 2010 - 07:02 PM

Hello, wrmerkel.
Congratulations! You now appear clean! :cool:


Uninstall Combofix
  • Make sure that Combofix.exe that you downloaded is on your Desktop but Do not run it!
    o *If it is not on your Desktop, the below will not work.
  • Click on Posted Image then Run....
  • Now copy & paste the green bolded text in the run-box and click OK.

    ComboFix /Uninstall

    Posted Image

    <Notice the space between the "x" and "/".> <--- It needs to be there
    Windows Vista users: Press the Windows Key + R to bring the Run... Command and then from there you can add in the Combofix /Uninstall

  • Please advise if this step is missed for any reason as it performs some important actions:
    "This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and resets System Restore again.
    It also makes a clean Restore Point and flashes all the old restore points in order to prevent possible reinfection from an old one through system restore".


Are things running okay? Do you have any more questions?

System Still Slow?
You may wish to try StartupLite. Simply download this tool to your desktop and run it. It will explain any optional auto-start programs on your system, and offer the option to stop these programs from starting at startup. This will result in fewer programs running when you boot your system, and should improve preformance.
If that does not work, you can try the steps mentioned in Slow Computer/browser? Check Here First; It May Not Be Malware.

We Need to Clean Up Our Mess
  • Download OTC by OldTimer and save it to your desktop.
  • Double click Posted Image icon to start the program. If you are using Vista, please right-click and choose run as administrator
  • Then Click the big Posted Image button.
  • You will get a prompt saying "Being Cleanup Process". Please select Yes.
  • Restart your computer when prompted.



Recommendations
Below are some recommendations to lower your chances of (re)infection.
  • Install and maintain an outbound firewall
  • Install Spyware Blaster and update it regularly
    If you wish, the commercial version provides automatic updating.
  • Install the MVPs hosts file, and update it regularly
    You can use the HostMan host file manager to do this automaticly if you wish.
    For more information on the hosts file, and what it can do for you, you can view the Tutorial on the Hosts file
  • Install an Anti-Spyware program, and update it regularly
    Malware Byte's Anti Malware is an excellent Anti-Spyware scanner. It's scan times are usually under ten minutes, and has excellent detection and removal rates.
    SUPERAntiSpyware is another good scanner with high detection and removal rates.
    Both programs are free for non commercial home use but provide a resident and do not nag if you purchase the paid versions.
  • Keep Windows (and your other Microsoft software) up to date!
    I cannot stress how important this is enough. Often holes are found in Internet Explorer or Windows itself that require patching. Sometimes these holes will allow an attacker unrestricted access to your computer.

    If you are using Windows XP or earlier
    Visit the Microsoft Update Website and follow the on screen instructions to setup Microsoft Update. Also follow the instructions to update your system. Please REBOOT and repeat this process until there are no more updates to install!!

    If you are using Windows Vista
    • Click the "Start Menu" (or Windows Orb)
    • Click "All Programs"
    • Click "Windows Update"
    • On the left, choose "Change Settings"
    • Ensure that the checkbox "Use Microsoft Update" at the bottom of the window is checked.
    • Press OK and accept the UAC prompt.
      Note: You shouldn't need to check this checkbox every single time you update, only the first time.
    • Click "Check for Updates" in the upper left corner.
    • Follow the instructions to install the latest updates.
    • Reboot and repeat the "Check for Updates" until there are no more critical updates to install
  • Keep your other software up to date as well
    Software does not need to be made by Microsoft to be insecure. You can use the Secunia Online Software occasionally to help you check for out of date software on your machine.
  • Stay up to date!
    The MOST IMPORTANT part of any security setup is keeping the software up to date. Malware writers release new variants every single day. If your software updates don't keep up, then the malware will always be one step ahead. Not a good thing :(.

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


  userbar_eis_500.gif

If I have helped you, consider making a donation to help me continue the fight against Malware! Just click btn_donate_LG.gif





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users