
GMER keeps crashing


  • This topic is locked
14 replies to this topic

#1 JNolan

JNolan

  • Members
  • 7 posts
  • OFFLINE
  • Local time:11:14 AM

Posted 06 December 2010 - 10:08 PM

Hello, I'm new to this site and I'm trying to figure out why my computer keeps sending infected emails to random people in my contacts folder.

I have been following the Preparation guide and have run Defogger, DDS, and GMER. GMER appears to run up to a point but then freezes; the computer becomes unresponsive and the only way to do anything is to reboot. I have tried to run GMER three times with the same results.


DDS (Ver_10-12-05.01) - NTFSx86
Run by Wife at 18:50:06.89 on Mon 12/06/2010
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_22
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.510.115 [GMT -6:00]

AV: COMODO Antivirus *On-access scanning enabled* (Updated) {043803A5-4F86-4ef7-AFC5-F6E02A79969B}
FW: COMODO Firewall *enabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\COMODO\COMODO Internet Security\cfp.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\DivX\DivX Update\DivXUpdate.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
C:\Documents and Settings\Wife\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Wife\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Wife\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Wife\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://search.conduit.com?SearchSource=10&ctid=CT2418376
mDefault_Page_URL = hxxp://www.yahoo.com
mStart Page = hxxp://www.yahoo.com
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: N/A: {9cb65206-89c4-402c-ba80-02d8c59f9b1d} - c:\program files\asktbar\srchastt\1.bin\A5SRCHAS.DLL
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
uURLSearchHooks: PageRage Toolbar: {9565115d-c7d6-46d3-bd63-b67b481a4368} - c:\program files\pagerage\tbPage.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
BHO: Yahooo Search Protection: {25bc7718-0bfa-40ea-b381-4b2d9732d686} - c:\program files\yahoo!\search protection\ysp.dll
BHO: Conduit Engine: {30f9b915-b755-4826-820b-08fba6bd249d} - c:\program files\conduitengine\ConduitEngine.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: PageRage Toolbar: {9565115d-c7d6-46d3-bd63-b67b481a4368} - c:\program files\pagerage\tbPage.dll
BHO: Ask Search Assistant BHO: {9cb65201-89c4-402c-ba80-02d8c59f9b1d} - c:\program files\asktbar\srchastt\1.bin\A5SRCHAS.DLL
BHO: {9D425283-D487-4337-BAB6-AB8354A81457} - No File
BHO: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: Yontoo Layers: {fd72061e-9fde-484d-a58a-0bab4151cad8} - c:\program files\yontoo layers client\YontooIEClient.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn0\YTSingleInstance.dll
BHO: Ask Toolbar BHO: {fe063db1-4ec0-403e-8dd8-394c54984b2c} - c:\program files\asktbar\bar\1.bin\ASKTBAR.DLL
TB: Ask Toolbar: {fe063db9-4ec0-403e-8dd8-394c54984b2c} - c:\program files\asktbar\bar\1.bin\ASKTBAR.DLL
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
TB: Ask Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
TB: {9D425283-D487-4337-BAB6-AB8354A81457} - No File
TB: PageRage Toolbar: {9565115d-c7d6-46d3-bd63-b67b481a4368} - c:\program files\pagerage\tbPage.dll
TB: Conduit Engine: {30f9b915-b755-4826-820b-08fba6bd249d} - c:\program files\conduitengine\ConduitEngine.dll
TB: {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\nero\lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020
uRun: [ap.exe] c:\documents and settings\wife\application data\ccenter\ap.exe
uRun: [ares] "c:\program files\ares\Ares.exe" -h
uRun: [Google Update] "c:\documents and settings\wife\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [UIUCU] c:\docume~1\admini~1.own\locals~1\temp\UIUCU.EXE -CLEAN_UP -S
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [PWRISOVM.EXE] c:\program files\poweriso\PWRISOVM.EXE
mRun: [NeroFilterCheck] c:\program files\common files\nero\lib\NeroCheck.exe
mRun: [NBKeyScan] "c:\program files\nero\nero8\nero backitup\NBKeyScan.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [COMODO Internet Security] "c:\program files\comodo\comodo internet security\cfp.exe" -h
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [DivXUpdate] "c:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW
StartupFolder: c:\docume~1\wife\startm~1\programs\startup\yahoo!~1.lnk - c:\program files\yahoo!\widgets\YahooWidgets.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {BBF74FB9-ABCD-4678-880A-2511DAABB5E1} - {25BC7718-0BFA-40EA-B381-4B2D9732D686} - c:\program files\yahoo!\search protection\ysp.dll
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1275121934937
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
TCP: {D4E235C7-1C11-4406-B7B2-35A96CDC54DB} = 192.168.0.1
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\wife\applic~1\mozilla\firefox\profiles\ovs2pjts.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2418376&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://search.conduit.com/?ctid=CT2418376&SearchSource=13
FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2418376&q=
FF - component: c:\documents and settings\wife\application data\mozilla\firefox\profiles\ovs2pjts.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}\components\FFExternalAlert.dll
FF - component: c:\documents and settings\wife\application data\mozilla\firefox\profiles\ovs2pjts.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}\components\RadioWMPCore.dll
FF - component: c:\documents and settings\wife\application data\mozilla\firefox\profiles\ovs2pjts.default\extensions\{9565115d-c7d6-46d3-bd63-b67b481a4368}\components\FFExternalAlert.dll
FF - component: c:\documents and settings\wife\application data\mozilla\firefox\profiles\ovs2pjts.default\extensions\{9565115d-c7d6-46d3-bd63-b67b481a4368}\components\RadioWMPCore.dll
FF - plugin: c:\documents and settings\wife\local settings\application data\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\documents and settings\wife\local settings\application data\yahoo!\browserplus\2.9.8\plugins\npybrowserplus_2.9.8.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npFoxitReaderPlugin.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npyaxmpb.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Extension: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Extension: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Extension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\docume~1\wife\applic~1\mozilla\firefox\profiles\ovs2pjts.default\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Extension: Yahoo! Toolbar: {635abd67-4fe9-1b23-4f01-e679fa7484c1} - c:\docume~1\wife\applic~1\mozilla\firefox\profiles\ovs2pjts.default\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
FF - Extension: Zynga Toolbar: {7b13ec3e-999a-4b70-b9cb-2617b8323822} - c:\docume~1\wife\applic~1\mozilla\firefox\profiles\ovs2pjts.default\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}
FF - Extension: Greasemonkey: {e4a8a97b-f2ed-450b-b12d-ee082ba24781} - c:\docume~1\wife\applic~1\mozilla\firefox\profiles\ovs2pjts.default\extensions\{e4a8a97b-f2ed-450b-b12d-ee082ba24781}
FF - Extension: Yontoo Layers: plugin@yontoo.com - c:\docume~1\wife\applic~1\mozilla\firefox\profiles\ovs2pjts.default\extensions\plugin@yontoo.com
FF - Extension: PageRage Toolbar: {9565115d-c7d6-46d3-bd63-b67b481a4368} - c:\docume~1\wife\applic~1\mozilla\firefox\profiles\ovs2pjts.default\extensions\{9565115d-c7d6-46d3-bd63-b67b481a4368}
FF - Extension: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true

============= SERVICES / DRIVERS ===============

R1 cmderd;COMODO Internet Security Eradication Driver;c:\windows\system32\drivers\cmderd.sys [2010-9-10 15592]
R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdGuard.sys [2010-9-10 239240]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [2010-9-10 25240]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
R2 cmdAgent;COMODO Internet Security Helper Service;c:\program files\comodo\comodo internet security\cmdagent.exe [2010-9-10 1901056]
S1 SABKUTIL;SABKUTIL;\??\c:\program files\superantispyware\sabkutil.sys --> c:\program files\superantispyware\SABKUTIL.sys [?]

=============== Created Last 30 ================

2010-11-29 00:16:50 -------- d-----w- c:\program files\common files\DivX Shared
2010-11-29 00:01:38 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-11-28 23:16:36 -------- d-----w- c:\program files\DivX
2010-11-26 22:08:17 -------- d-----w- c:\docume~1\wife\locals~1\applic~1\PageRage
2010-11-26 22:08:11 -------- d-----w- c:\docume~1\wife\locals~1\applic~1\ConduitEngine
2010-11-26 22:08:09 -------- d-----w- c:\program files\ConduitEngine
2010-11-26 22:08:04 -------- d-----w- c:\program files\PageRage
2010-11-26 22:07:51 -------- d-----w- c:\program files\Yontoo Layers Client
2010-11-26 22:07:50 -------- d-----w- c:\docume~1\alluse~1.win\applic~1\Tarma Installer
2010-11-26 18:21:10 -------- d-----w- c:\docume~1\wife\locals~1\applic~1\Temp
2010-11-26 18:20:48 -------- d-----w- c:\docume~1\wife\locals~1\applic~1\Google
2010-11-22 22:14:05 -------- d-----w- c:\docume~1\wife\applic~1\Malwarebytes
2010-11-22 22:13:38 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-11-22 22:13:29 -------- d-----w- c:\docume~1\alluse~1.win\applic~1\Malwarebytes
2010-11-22 22:13:28 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-11-22 22:13:27 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-11-17 18:15:48 -------- d-----w- c:\windows\Internet Logs
2010-11-17 18:14:21 1474832 ----a-w- c:\windows\system32\drivers\sfi.dat
2010-11-17 18:06:42 -------- d-----w- c:\docume~1\alluse~1.win\applic~1\Comodo
2010-11-17 18:06:29 -------- d-----w- c:\program files\COMODO
2010-11-17 18:06:25 348160 ----a-w- c:\windows\system32\msvcr71.dll
2010-11-17 18:06:25 1700352 ----a-w- c:\windows\system32\gdiplus.dll
2010-11-17 18:06:25 1060864 ----a-w- c:\windows\system32\mfc71.dll
2010-11-16 19:22:28 -------- d-----w- c:\program files\iPod
2010-11-16 19:22:03 -------- d-----w- c:\program files\iTunes
2010-11-16 19:19:51 41984 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2010-11-16 19:19:51 4184352 ----a-w- c:\windows\system32\usbaaplrc.dll
2010-11-16 19:18:38 -------- d-----w- c:\program files\Bonjour
2010-11-16 18:42:33 26600 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2010-11-16 18:42:33 107368 ----a-w- c:\windows\system32\GEARAspi.dll
2010-11-16 18:38:58 -------- d-----w- c:\docume~1\alluse~1.win\applic~1\{429CAD59-35B1-4DBC-BB6D-1DB246563521}
2010-11-15 23:59:33 -------- d-----w- c:\docume~1\wife\applic~1\FrostWire
2010-11-15 23:57:59 -------- d-----w- c:\docume~1\alluse~1.win\applic~1\Norton
2010-11-15 23:57:58 -------- d-----w- c:\docume~1\alluse~1.win\applic~1\Symantec
2010-11-15 23:57:41 -------- d-----w- c:\docume~1\alluse~1.win\applic~1\NortonInstaller
2010-11-15 23:57:06 -------- d-----w- c:\docume~1\wife\locals~1\applic~1\OpenCandy
2010-11-15 23:56:33 -------- d-----w- c:\docume~1\wife\applic~1\OpenCandy
2010-11-15 23:53:49 -------- d-----w- c:\program files\FrostWire
2010-11-14 23:54:30 -------- d-----w- c:\docume~1\wife\applic~1\Foxit Software
2010-11-14 23:54:21 -------- d-----w- c:\docume~1\wife\applic~1\Foxit
2010-11-14 23:53:40 75208 ----a-w- c:\program files\mozilla firefox\plugins\npFoxitReaderPlugin.dll
2010-11-14 23:53:38 -------- d-----w- c:\program files\Foxit Software
2010-11-10 02:21:14 -------- d-----w- c:\docume~1\wife\locals~1\applic~1\The Weather Channel
2010-11-08 00:10:29 60032 -c--a-w- c:\windows\system32\dllcache\usbaudio.sys
2010-11-08 00:10:29 60032 ----a-w- c:\windows\system32\drivers\USBAUDIO.sys
2010-11-07 03:39:33 -------- d-----w- c:\docume~1\wife\locals~1\applic~1\Yahoo!

==================== Find3M ====================

2010-11-29 00:01:00 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-11-02 23:09:42 1409 ----a-w- c:\windows\QTFont.for
2010-10-07 18:23:02 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-10-07 18:23:02 75040 ----a-w- c:\windows\system32\jdns_sd.dll
2010-10-07 18:23:02 197920 ----a-w- c:\windows\system32\dnssdX.dll
2010-10-07 18:23:02 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-09-18 17:23:26 974848 ----a-w- c:\windows\system32\mfc42u.dll
2010-09-18 06:53:25 974848 ----a-w- c:\windows\system32\mfc42.dll
2010-09-18 06:53:25 954368 ----a-w- c:\windows\system32\mfc40.dll
2010-09-18 06:53:25 953856 ----a-w- c:\windows\system32\mfc40u.dll
2010-09-11 05:41:40 285480 ----a-w- c:\windows\system32\guard32.dll
2010-09-09 13:38:01 832512 ----a-w- c:\windows\system32\wininet.dll
2010-09-09 13:38:01 1830912 ------w- c:\windows\system32\inetcpl.cpl
2010-09-09 13:38:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-09-09 13:38:00 17408 ----a-w- c:\windows\system32\corpol.dll
2010-09-08 16:17:46 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-09-08 16:17:46 69632 ----a-w- c:\windows\system32\QuickTime.qts

============= FINISH: 18:54:00.42 ===============

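The Pseudo HJT Report section above is the part of a DDS log a responder reads first: uRun/mRun lines are the HKCU and HKLM Run keys, and the BHO/TB/uURLSearchHooks lines are the COM objects Internet Explorer loads. As an added example (not part of the original post, and not code from DDS itself), here is a small Python triage helper that parses those lines and orders them for review: autoruns launched from a user profile or temp directory first, then CLSIDs that DDS reports with "No File". The regexes assume the line layout exactly as DDS prints it above, the sample lines are a constructed subset copied from this log, and the profile/temp check is a review heuristic only (legitimate software such as Google Update also runs from Local Settings), not a verdict on any file.

```python
"""Triage helper for the "Pseudo HJT Report" section of a DDS log.

Added example; not part of the original post and not DDS code. Parses the
uRun/mRun autorun lines (u = HKCU Run key, m = HKLM Run key) and the
BHO/TB/uURLSearchHooks COM lines, then orders them for review.
"""
import re
from dataclasses import dataclass

# Constructed sample: a handful of lines copied from the DDS log above.
SAMPLE_LOG = r"""
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [ap.exe] c:\documents and settings\wife\application data\ccenter\ap.exe
uRun: [ares] "c:\program files\ares\Ares.exe" -h
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [UIUCU] c:\docume~1\admini~1.own\locals~1\temp\UIUCU.EXE -CLEAN_UP -S
BHO: Conduit Engine: {30f9b915-b755-4826-820b-08fba6bd249d} - c:\program files\conduitengine\ConduitEngine.dll
BHO: {9D425283-D487-4337-BAB6-AB8354A81457} - No File
TB: {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - No File
uURLSearchHooks: N/A: {9cb65206-89c4-402c-ba80-02d8c59f9b1d} - c:\program files\asktbar\srchastt\1.bin\A5SRCHAS.DLL
"""

RUN_RE = re.compile(r"^(?P<scope>[um])Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
COM_RE = re.compile(
    r"^(?P<kind>BHO|TB|uURLSearchHooks): (?:(?P<desc>.*?): )?"
    r"\{(?P<clsid>[0-9A-Fa-f-]{36})\} - (?P<target>.+)$"
)
# First token of the command line that ends in an executable extension,
# quoted or not; whatever follows is treated as arguments.
EXE_RE = re.compile(
    r'^"?(?P<path>[^"]+?\.(?:exe|scr|com|bat|cmd))"?(?:\s+(?P<args>.*))?$', re.I
)
# Directory fragments that place an autorun inside a user profile or a temp
# directory, in both the long and the 8.3 short form DDS prints.
PROFILE_MARKERS = (
    "\\documents and settings\\", "\\docume~1\\", "\\application data\\",
    "\\applic~1\\", "\\local settings\\", "\\locals~1\\", "\\temp\\",
    "\\users\\", "\\appdata\\",
)


@dataclass
class Autorun:
    scope: str  # "HKCU" for uRun, "HKLM" for mRun
    name: str
    path: str
    args: str


@dataclass
class ComEntry:
    kind: str
    desc: str
    clsid: str
    target: str  # DLL path, or "No File" when DDS found no backing module


@dataclass
class Finding:
    reason: str
    name: str
    detail: str


def parse_autoruns(text: str) -> list[Autorun]:
    """Return every uRun/mRun entry with its executable split from its arguments."""
    out = []
    for line in text.splitlines():
        m = RUN_RE.match(line.strip())
        if not m:
            continue
        exe = EXE_RE.match(m["cmd"])
        path, args = (exe["path"], exe["args"] or "") if exe else (m["cmd"], "")
        out.append(Autorun("HKCU" if m["scope"] == "u" else "HKLM", m["name"], path, args))
    return out


def parse_com_entries(text: str) -> list[ComEntry]:
    """Return every BHO / toolbar / URL search hook line, CLSID normalised to lower case."""
    out = []
    for line in text.splitlines():
        m = COM_RE.match(line.strip())
        if m:
            out.append(ComEntry(m["kind"], m["desc"] or "", m["clsid"].lower(), m["target"]))
    return out


def runs_from_profile(path: str) -> bool:
    """Heuristic: the executable lives under a user profile or temp directory."""
    p = path.lower()
    return any(marker in p for marker in PROFILE_MARKERS)


def triage(text: str) -> list[Finding]:
    """Order the report for review; a finding is a place to look, not a verdict."""
    findings = []
    for run in parse_autoruns(text):
        if runs_from_profile(run.path):
            findings.append(Finding("autorun from user profile/temp", run.name,
                                    f"{run.scope} Run -> {run.path}"))
    for com in parse_com_entries(text):
        if com.target.strip().lower() == "no file":
            findings.append(Finding("orphaned CLSID (No File)", com.kind, com.clsid))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.reason}] {f.name}: {f.detail}")
```

Run against the full Pseudo HJT Report rather than the sample, the same two checks surface the two autoruns in this log that start from inside a profile or temp directory (ap.exe and UIUCU) and the two toolbar/BHO CLSIDs registered with no DLL behind them; everything else is left in place for a human to judge.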

#2 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:05:14 PM

Posted 14 December 2010 - 09:18 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Options box to the right of your topic title and selecting Track This Topic.

  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.

  • Please reply to this post so I know you are there.
The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days, I will bump the topic, and if you do not reply by the following day after that, I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks
m0le is a proud member of UNITE

#3 JNolan

JNolan
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:11:14 AM

Posted 15 December 2010 - 02:08 AM

Hi, I still can't run GMER. I have tried running it again but with the same results of my computer freezing. I really need help; I don't know if my computer has a virus that will ruin my computer. Please help me. Thank you, JNolan

#4 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:05:14 PM

Posted 15 December 2010 - 07:36 PM

Okay, let's try some alternatives to GMER.

  • Download TDSSKiller and save it to your Desktop.

  • Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.

  • Go to Start > Run (Or you can hold down your Windows key and press R) and copy and paste the following into the text field. (make sure you include the quote marks) Then press OK.

    "%userprofile%\Desktop\TDSSKiller.exe" -l report.txt

  • Now click Start Scan.
  • If Malicious objects are found, ensure Cure is selected then click Continue > Reboot now.
  • Click Close
  • Finally press Report and copy and paste the contents into your next reply. If you've rebooted then the log will be found at C:\


Then MBRCheck


Please download MBRCheck to your desktop.

1. Double click MBRCheck.exe to run it (Right click and run as Administrator for Vista).
2. It will open a black window, please do not fix anything (if it gives you an option).
3. Exit that window and it will produce a log (MBRCheck_date_time).
4. Please post that log when you reply.
m0le is a proud member of UNITE

#5 JNolan

JNolan
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:11:14 AM

Posted 15 December 2010 - 10:20 PM

Hi, I ran TDSSKiller and there was nothing found, nothing to copy and paste to you, so what do you want me to do next? JNolan

#6 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:05:14 PM

Posted 16 December 2010 - 09:31 PM

TDSSKiller should provide you with a log. Please rerun and post the log.

Please also run MBRCheck, as asked for in my last post :)
m0le is a proud member of UNITE

#7 JNolan

JNolan
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:11:14 AM

Posted 17 December 2010 - 01:09 PM

2010/12/17 12:03:45.0546 TDSS rootkit removing tool 2.4.11.0 Dec 8 2010 14:46:40
2010/12/17 12:03:45.0546 ================================================================================
2010/12/17 12:03:45.0546 SystemInfo:
2010/12/17 12:03:45.0546
2010/12/17 12:03:45.0546 OS Version: 5.1.2600 ServicePack: 3.0
2010/12/17 12:03:45.0546 Product type: Workstation
2010/12/17 12:03:45.0546 ComputerName: OWNER-1C1D77A5B
2010/12/17 12:03:45.0562 UserName: Wife
2010/12/17 12:03:45.0562 Windows directory: C:\WINDOWS
2010/12/17 12:03:45.0562 System windows directory: C:\WINDOWS
2010/12/17 12:03:45.0562 Processor architecture: Intel x86
2010/12/17 12:03:45.0562 Number of processors: 1
2010/12/17 12:03:45.0562 Page size: 0x1000
2010/12/17 12:03:45.0562 Boot type: Normal boot
2010/12/17 12:03:45.0562 ================================================================================
2010/12/17 12:03:47.0484 Initialize success
2010/12/17 12:03:52.0562 ================================================================================
2010/12/17 12:03:52.0562 Scan started
2010/12/17 12:03:52.0562 Mode: Manual;
2010/12/17 12:03:52.0562 ================================================================================
2010/12/17 12:03:56.0281 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2010/12/17 12:03:56.0828 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
2010/12/17 12:03:58.0281 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
2010/12/17 12:03:59.0343 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys
2010/12/17 12:04:02.0921 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2010/12/17 12:04:03.0484 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
2010/12/17 12:04:04.0375 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2010/12/17 12:04:04.0921 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2010/12/17 12:04:05.0484 bcm4sbxp (b60f57b4d9cdbc663cc03eb8af7ec34e) C:\WINDOWS\system32\DRIVERS\bcm4sbxp.sys
2010/12/17 12:04:06.0015 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2010/12/17 12:04:06.0546 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2010/12/17 12:04:07.0859 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2010/12/17 12:04:08.0609 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
2010/12/17 12:04:09.0093 Cdrom (4b0a100eaf5c49ef3cca8c641431eacc) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2010/12/17 12:04:09.0671 cercsr6 (84853b3fd012251690570e9e7e43343f) C:\WINDOWS\system32\drivers\cercsr6.sys
2010/12/17 12:04:10.0921 cmderd (7060bae48c2c122f3041cccf9ade3bf7) C:\WINDOWS\system32\DRIVERS\cmderd.sys
2010/12/17 12:04:11.0437 cmdGuard (bbe9f023dfd2c4d2755da3fa47e4da08) C:\WINDOWS\system32\DRIVERS\cmdguard.sys
2010/12/17 12:04:11.0906 cmdHlp (111e6755acb5f236e2465e24508f6367) C:\WINDOWS\system32\DRIVERS\cmdhlp.sys
2010/12/17 12:04:13.0859 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
2010/12/17 12:04:14.0687 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
2010/12/17 12:04:16.0078 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
2010/12/17 12:04:16.0546 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2010/12/17 12:04:17.0156 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
2010/12/17 12:04:18.0281 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
2010/12/17 12:04:18.0875 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
2010/12/17 12:04:19.0437 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
2010/12/17 12:04:20.0000 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
2010/12/17 12:04:20.0500 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
2010/12/17 12:04:21.0031 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
2010/12/17 12:04:21.0609 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2010/12/17 12:04:22.0109 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2010/12/17 12:04:22.0625 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys
2010/12/17 12:04:23.0234 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2010/12/17 12:04:23.0734 hidusb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
2010/12/17 12:04:24.0578 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
2010/12/17 12:04:26.0015 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2010/12/17 12:04:27.0031 ialm (da58a8be6a445835f603720c4bc8837e) C:\WINDOWS\system32\DRIVERS\ialmnt5.sys
2010/12/17 12:04:28.0625 imagedrv (07b7d5bb957f206ec02176ddd27dc159) C:\WINDOWS\system32\Drivers\imagedrv.sys
2010/12/17 12:04:29.0093 imagesrv (872171d97b08712f5bc889cec3459c61) C:\WINDOWS\system32\DRIVERS\imagesrv.sys
2010/12/17 12:04:29.0578 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
2010/12/17 12:04:30.0437 Inspect (343ac4733c1e8b7ab6454178e4fcd4ad) C:\WINDOWS\system32\DRIVERS\inspect.sys
2010/12/17 12:04:31.0390 IntelC51 (fcab28ffd3a8964581e16455efaf81c8) C:\WINDOWS\system32\DRIVERS\IntelC51.sys
2010/12/17 12:04:33.0265 IntelC52 (a288e7e3a6255255b9066686d860fbc5) C:\WINDOWS\system32\DRIVERS\IntelC52.sys
2010/12/17 12:04:34.0421 IntelC53 (d5e5a1abf6bdba7ca49941a044f04598) C:\WINDOWS\system32\DRIVERS\IntelC53.sys
2010/12/17 12:04:35.0062 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys
2010/12/17 12:04:35.0406 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
2010/12/17 12:04:35.0921 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
2010/12/17 12:04:36.0468 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2010/12/17 12:04:36.0953 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2010/12/17 12:04:37.0718 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2010/12/17 12:04:38.0359 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2010/12/17 12:04:38.0812 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
2010/12/17 12:04:39.0296 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2010/12/17 12:04:39.0843 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2010/12/17 12:04:40.0453 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
2010/12/17 12:04:41.0062 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
2010/12/17 12:04:41.0593 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
2010/12/17 12:05:26.0078 ================================================================================
2010/12/17 12:05:26.0078 Scan finished
2010/12/17 12:05:26.0078 ================================================================================

MBRCheck, version 1.2.3
© 2010, AD

Command-line:
Windows Version: Windows XP Professional
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x000000bd

Kernel Drivers (total 134):

Processes (total 37):
0 System Idle Process
4 System
720 C:\WINDOWS\system32\smss.exe
784 csrss.exe
808 C:\WINDOWS\system32\winlogon.exe
852 C:\WINDOWS\system32\services.exe
864 C:\WINDOWS\system32\lsass.exe
1024 C:\WINDOWS\system32\svchost.exe
1100 svchost.exe
1192 C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
1232 C:\WINDOWS\system32\svchost.exe
1408 svchost.exe
1552 svchost.exe
1648 C:\WINDOWS\system32\spoolsv.exe
1744 svchost.exe
1776 C:\Program Files\Bonjour\mDNSResponder.exe
1844 C:\WINDOWS\system32\svchost.exe
1880 C:\Program Files\Java\jre6\bin\jqs.exe
1960 C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
444 C:\WINDOWS\system32\svchost.exe
1044 wmpnetwk.exe
1704 alg.exe
772 C:\WINDOWS\explorer.exe
2224 C:\WINDOWS\system32\igfxtray.exe
2340 C:\WINDOWS\system32\hkcmd.exe
2464 C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
2644 C:\Program Files\COMODO\COMODO Internet Security\cfp.exe
2668 C:\Program Files\Common Files\Java\Java Update\jusched.exe
2680 C:\Program Files\DivX\DivX Update\DivXUpdate.exe
2732 C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
2768 C:\Program Files\Windows Media Player\wmpnscfg.exe
2836 C:\WINDOWS\system32\ctfmon.exe
3444 C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
3776 C:\Program Files\iPod\bin\iPodService.exe
3488 C:\Program Files\Mozilla Firefox\firefox.exe
3228 C:\Program Files\Mozilla Firefox\plugin-container.exe
2636 C:\Documents and Settings\Wife\My Documents\Downloads\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)

PhysicalDrive0 Model Number: WDCWD400LB-60DNA1, Rev: 81.07A81

Size Device Name MBR Status
--------------------------------------------
37 GB \\.\PhysicalDrive0 Windows XP MBR code detected
SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A


Done!

#8 m0le

  • Malware Response Team
  • 34,527 posts
  • Location:London, UK

Posted 17 December 2010 - 02:53 PM

Please run Combofix next

Please download ComboFix from one of these locations:

* IMPORTANT !!! Save ComboFix.exe to your Desktop, making sure you rename it comfix.exe.
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Comfix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
m0le is a proud member of UNITE

#9 JNolan

  • Topic Starter
  • Members
  • 7 posts

Posted 17 December 2010 - 08:27 PM

ComboFix 10-12-16.05 - Wife 12/17/2010 18:42:46.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.510.317 [GMT -6:00]
Running from: c:\documents and settings\Wife\My Documents\Downloads\ComboFix.exe
AV: COMODO Antivirus *Disabled/Updated* {043803A5-4F86-4ef7-AFC5-F6E02A79969B}
FW: COMODO Firewall *Enabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Search Toolbar
c:\program files\Search Toolbar\SearchToolbar.dll

.
((((((((((((((((((((((((( Files Created from 2010-11-18 to 2010-12-18 )))))))))))))))))))))))))))))))
.

2010-12-16 04:54 . 2010-11-02 15:17 40960 -c----w- c:\windows\system32\dllcache\ndproxy.sys
2010-12-16 04:45 . 2010-10-11 14:59 45568 -c----w- c:\windows\system32\dllcache\wab.exe
2010-12-13 00:33 . 2010-12-13 00:33 161296 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2010-12-13 00:25 . 2010-12-03 19:35 912344 ----a-w- c:\program files\Mozilla Firefox\firefox.exe
2010-12-12 21:39 . 2010-12-12 21:39 -------- d-----w- c:\documents and settings\Wife\Local Settings\Application Data\PCHealth
2010-12-11 04:02 . 2010-12-11 04:02 -------- d-----w- c:\documents and settings\Wife\Local Settings\Application Data\Microsoft Help
2010-12-11 03:47 . 2010-05-26 16:45 18816 ------w- c:\windows\system32\SAVRKBootTasks.sys
2010-12-10 23:01 . 2010-12-10 23:01 -------- d-----w- c:\program files\Sophos
2010-12-10 22:42 . 2010-12-10 22:42 -------- d-----w- c:\documents and settings\Administrator.OWNER-1C1D77A5B\Application Data\Nero
2010-12-08 20:26 . 2010-12-08 20:26 -------- d-----w- C:\VritualRoot
2010-11-29 13:42 . 2010-11-29 13:42 -------- d-----w- c:\documents and settings\NetworkService.NT AUTHORITY\Local Settings\Application Data\PageRage
2010-11-29 00:16 . 2010-11-29 00:17 -------- d-----w- c:\program files\Common Files\DivX Shared
2010-11-29 00:02 . 2010-11-29 00:02 -------- d-----w- c:\program files\Common Files\Java
2010-11-29 00:01 . 2010-11-29 00:01 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-11-28 23:16 . 2010-11-29 00:20 -------- d-----w- c:\program files\DivX
2010-11-26 22:08 . 2010-11-26 22:08 -------- d-----w- c:\documents and settings\Wife\Local Settings\Application Data\PageRage
2010-11-26 22:08 . 2010-11-26 22:08 -------- d-----w- c:\documents and settings\Wife\Local Settings\Application Data\ConduitEngine
2010-11-26 22:08 . 2010-11-26 22:08 -------- d-----w- c:\program files\ConduitEngine
2010-11-26 22:08 . 2010-11-26 22:08 -------- d-----w- c:\program files\PageRage
2010-11-26 22:07 . 2010-11-26 22:07 -------- d-----w- c:\program files\Yontoo Layers Client
2010-11-26 22:07 . 2010-11-26 22:07 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Tarma Installer
2010-11-26 18:21 . 2010-12-15 03:28 -------- d-----w- c:\documents and settings\Wife\Local Settings\Application Data\Temp
2010-11-26 18:20 . 2010-11-26 18:22 -------- d-----w- c:\documents and settings\Wife\Local Settings\Application Data\Google
2010-11-22 22:14 . 2010-11-22 22:14 -------- d-----w- c:\documents and settings\Wife\Application Data\Malwarebytes
2010-11-22 22:13 . 2010-04-29 21:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-11-22 22:13 . 2010-11-22 22:13 -------- d-----w- c:\documents and settings\All Users.WINDOWS\Application Data\Malwarebytes
2010-11-22 22:13 . 2010-04-29 21:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-11-22 22:13 . 2010-11-22 22:13 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-11-18 18:12 . 2010-11-18 18:12 81920 -c----w- c:\windows\system32\dllcache\isign32.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-11-29 00:01 . 2010-06-30 19:47 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-11-18 18:12 . 2010-05-29 06:52 81920 ----a-w- c:\windows\system32\isign32.dll
2010-11-17 18:06 . 2010-11-17 18:06 348160 ----a-w- c:\windows\system32\msvcr71.dll
2010-11-17 18:06 . 2010-11-17 18:06 1700352 ----a-w- c:\windows\system32\gdiplus.dll
2010-11-17 18:06 . 2010-11-17 18:06 1060864 ----a-w- c:\windows\system32\mfc71.dll
2010-11-06 00:34 . 2006-03-04 03:33 832512 ----a-w- c:\windows\system32\wininet.dll
2010-11-06 00:34 . 2010-02-26 05:43 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-11-06 00:34 . 2004-08-04 10:00 1830912 ------w- c:\windows\system32\inetcpl.cpl
2010-11-06 00:34 . 2004-08-04 10:00 17408 ----a-w- c:\windows\system32\corpol.dll
2010-11-05 04:22 . 2010-11-05 04:22 53248 ----a-r- c:\documents and settings\Wife\Application Data\Microsoft\Installer\{DC33421C-0E1C-470A-BE37-7B7C82677812}\EchoLink_Web_Site._B5759EDEA3D244BBB2AAF1B15E1EC021.exe
2010-11-05 04:22 . 2010-11-05 04:22 53248 ----a-r- c:\documents and settings\Wife\Application Data\Microsoft\Installer\{DC33421C-0E1C-470A-BE37-7B7C82677812}\EchoLink_Support.u_B5759EDEA3D244BBB2AAF1B15E1EC021.exe
2010-11-05 04:22 . 2010-11-05 04:22 45056 ----a-r- c:\documents and settings\Wife\Application Data\Microsoft\Installer\{DC33421C-0E1C-470A-BE37-7B7C82677812}\EchoLink.chm_B5759EDEA3D244BBB2AAF1B15E1EC021.exe
2010-11-05 04:22 . 2010-11-05 04:22 40960 ----a-r- c:\documents and settings\Wife\Application Data\Microsoft\Installer\{DC33421C-0E1C-470A-BE37-7B7C82677812}\EchoLink.exe11_B5759EDEA3D244BBB2AAF1B15E1EC021.exe
2010-11-05 04:22 . 2010-11-05 04:22 40960 ----a-r- c:\documents and settings\Wife\Application Data\Microsoft\Installer\{DC33421C-0E1C-470A-BE37-7B7C82677812}\EchoLink.exe1_B5759EDEA3D244BBB2AAF1B15E1EC021.exe
2010-11-05 04:22 . 2010-11-05 04:22 40960 ----a-r- c:\documents and settings\Wife\Application Data\Microsoft\Installer\{DC33421C-0E1C-470A-BE37-7B7C82677812}\ARPPRODUCTICON.exe
2010-11-03 12:25 . 2004-08-04 10:00 389120 ----a-w- c:\windows\system32\html.iec
2010-11-02 23:09 . 2010-11-02 23:09 1409 ----a-w- c:\windows\QTFont.for
2010-11-02 15:17 . 2004-08-04 10:00 40960 ----a-w- c:\windows\system32\drivers\ndproxy.sys
2010-10-28 13:13 . 2004-08-04 10:00 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-10-26 13:25 . 2004-08-04 10:00 1853312 ----a-w- c:\windows\system32\win32k.sys
2010-10-07 18:23 . 2010-10-07 18:23 91424 ----a-w- c:\windows\system32\dnssd.dll
2010-10-07 18:23 . 2010-10-07 18:23 75040 ----a-w- c:\windows\system32\jdns_sd.dll
2010-10-07 18:23 . 2010-10-07 18:23 197920 ----a-w- c:\windows\system32\dnssdX.dll
2010-10-07 18:23 . 2010-10-07 18:23 107808 ----a-w- c:\windows\system32\dns-sd.exe
2010-09-28 21:44 . 2010-11-16 19:19 41984 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2010-09-28 21:44 . 2010-11-16 19:19 4184352 ----a-w- c:\windows\system32\usbaaplrc.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{9565115d-c7d6-46d3-bd63-b67b481a4368}"= "c:\program files\PageRage\tbPage.dll" [2010-11-24 3908192]

[HKEY_CLASSES_ROOT\clsid\{9565115d-c7d6-46d3-bd63-b67b481a4368}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{30F9B915-B755-4826-820B-08FBA6BD249D}]
2010-11-24 00:55 3908192 ----a-w- c:\program files\ConduitEngine\ConduitEngine.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9565115d-c7d6-46d3-bd63-b67b481a4368}]
2010-11-24 00:55 3908192 ----a-w- c:\program files\PageRage\tbPage.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
2010-05-26 20:23 1385864 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FD72061E-9FDE-484D-A58A-0BAB4151CAD8}]
2010-10-14 17:56 194912 ------w- c:\program files\Yontoo Layers Client\YontooIEClient.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-05-26 1385864]
"{9565115d-c7d6-46d3-bd63-b67b481a4368}"= "c:\program files\PageRage\tbPage.dll" [2010-11-24 3908192]
"{30F9B915-B755-4826-820B-08FBA6BD249D}"= "c:\program files\ConduitEngine\ConduitEngine.dll" [2010-11-24 3908192]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_CLASSES_ROOT\clsid\{9565115d-c7d6-46d3-bd63-b67b481a4368}]

[HKEY_CLASSES_ROOT\clsid\{30f9b915-b755-4826-820b-08fba6bd249d}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2010-05-26 1385864]

[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" [2007-12-14 1688872]
"Google Update"="c:\documents and settings\Wife\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-11-26 136176]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2004-02-10 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2004-02-10 118784]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"PWRISOVM.EXE"="c:\program files\PowerISO\PWRISOVM.EXE" [2008-03-14 233472]
"NeroFilterCheck"="c:\program files\Common Files\Nero\Lib\NeroCheck.exe" [2007-03-01 153136]
"NBKeyScan"="c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" [2007-12-03 2213160]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-09-08 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-11-11 421160]
"COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cfp.exe" [2010-09-11 2500552]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2010-09-16 1164584]

c:\documents and settings\Wife\Start Menu\Programs\Startup\
Yahoo! Widgets.lnk - c:\program files\Yahoo!\Widgets\YahooWidgets.exe [2008-3-18 4742184]

c:\documents and settings\Administrator.OWNER-1C1D77A5B\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2009-2-26 97680]
Yahoo! Widgets.lnk - c:\program files\Yahoo!\Widgets\YahooWidgets.exe [2008-3-18 4742184]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\FrostWire\\FrostWire.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009

R1 cmderd;COMODO Internet Security Eradication Driver;c:\windows\system32\drivers\cmderd.sys [9/10/2010 11:40 PM 15592]
R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdGuard.sys [9/10/2010 11:40 PM 239240]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [9/10/2010 11:40 PM 25240]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 12:25 PM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 12:41 PM 67656]
R1 SAVRKBootTasks;Boot Tasks Driver;c:\windows\system32\SAVRKBootTasks.sys [12/10/2010 9:47 PM 18816]
S1 SABKUTIL;SABKUTIL;\??\c:\program files\SUPERAntiSpyware\SABKUTIL.sys --> c:\program files\SUPERAntiSpyware\SABKUTIL.sys [?]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\14.tmp --> c:\windows\system32\14.tmp [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder

2010-12-13 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 17:50]

2010-12-17 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1202660629-1336601894-839522115-1004Core.job
- c:\documents and settings\Wife\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-11-26 18:20]

2010-12-18 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1202660629-1336601894-839522115-1004UA.job
- c:\documents and settings\Wife\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-11-26 18:20]

2010-12-18 c:\windows\Tasks\ParetoLogic Registration3.job
- c:\program files\Common Files\ParetoLogic\UUS3\UUS3.dll [2010-04-06 21:30]

2010-12-11 c:\windows\Tasks\ParetoLogic Update Version3.job
- c:\program files\Common Files\ParetoLogic\UUS3\Pareto_Update3.exe [2010-04-06 21:30]

2010-12-18 c:\windows\Tasks\Scheduled Update for Ask Toolbar.job
- c:\program files\Ask.com\UpdateTask.exe [2010-05-26 20:23]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com
mStart Page = hxxp://www.yahoo.com
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: {D4E235C7-1C11-4406-B7B2-35A96CDC54DB} = 192.168.0.1
FF - ProfilePath - c:\documents and settings\Wife\Application Data\Mozilla\Firefox\Profiles\ovs2pjts.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2418376&SearchSource=3&q={searchTerms}
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://search.conduit.com/?ctid=CT2418376&SearchSource=13
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Yahoo! Toolbar: {635abd67-4fe9-1b23-4f01-e679fa7484c1} - %profile%\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
FF - Ext: Zynga Toolbar: {7b13ec3e-999a-4b70-b9cb-2617b8323822} - %profile%\extensions\{7b13ec3e-999a-4b70-b9cb-2617b8323822}
FF - Ext: Yontoo Layers: plugin@yontoo.com - %profile%\extensions\plugin@yontoo.com
FF - Ext: PageRage Toolbar: {9565115d-c7d6-46d3-bd63-b67b481a4368} - %profile%\extensions\{9565115d-c7d6-46d3-bd63-b67b481a4368}
FF - Ext: Greasemonkey: {e4a8a97b-f2ed-450b-b12d-ee082ba24781} - %profile%\extensions\{e4a8a97b-f2ed-450b-b12d-ee082ba24781}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - user.js: yahoo.homepage.dontask - true
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-ares - c:\program files\Ares\Ares.exe
HKLM-Run-UIUCU - c:\docume~1\ADMINI~1.OWN\LOCALS~1\Temp\UIUCU.EXE
AddRemove-{7585478E9D9B42108671C12F8714CEFE} - c:\program files\DivX\DivXConverterUninstall.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-12-17 18:54
Windows 5.1.2600 Service Pack 3 NTFS

detected NTDLL code modification:
ZwClose, ZwOpenFile

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\14.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(808)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll

- - - - - - - > 'lsass.exe'(864)
c:\windows\system32\guard32.dll
.
Completion time: 2010-12-17 18:58:34
ComboFix-quarantined-files.txt 2010-12-18 00:58

Pre-Run: 9,992,740,864 bytes free
Post-Run: 13,238,390,784 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 903B10921383CCFEF18DB1CFBD5253DD

#10 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:05:14 PM

Posted 17 December 2010 - 08:36 PM

Please run MBAM and SAS to see off any adware left over.

Please download Malwarebytes Anti-Malware and save it to your desktop.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application or, if you are using Vista, right-click and select Run As Administrator on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
    If MBAM won't update then download and update MBAM on a clean computer then save the rules.ref folder to a memory stick. This file is found here: 'C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware' then transfer it across to the infected computer.
  • On the Scanner tab:
    • Make sure the "Perform Full Scan" option is selected.
    • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless of whether you are prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may make changes to your registry as part of its disinfection routine. If you're using other security programs that detect registry changes, they may alert you after scanning with MBAM. Please permit the program to allow the changes.


And

Download and scan with SUPERAntiSpyware Free for Home Users
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here. Double-click on the hyperlink for Download Installer and save SASDEFINITIONS.EXE to your desktop. Then double-click on SASDEFINITIONS.EXE to install the definitions.)
  • In the Main Menu, click the Preferences... button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen.
  • Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan.
  • Click "Next" to start the scan. Please be patient while it scans your computer.
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes".
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.

m0le is a proud member of UNITE

#11 JNolan

JNolan
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:11:14 AM

Posted 18 December 2010 - 03:03 PM

MBRCheck, version 1.2.3
© 2010, AD

Command-line:
Windows Version: Windows XP Professional
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x000000bd

Kernel Drivers (total 134):
0x804D7000 \WINDOWS\system32\ntoskrnl.exe
0x806EE000 \WINDOWS\system32\hal.dll
0xF8A38000 \WINDOWS\system32\KDCOM.DLL
0xF8948000 \WINDOWS\system32\BOOTVID.dll
0xF84F7000 imagesrv.sys
0xF84C9000 ACPI.sys
0xF8A3A000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
0xF84B8000 pci.sys
0xF8538000 isapnp.sys
0xF8B00000 PCIIde.sys
0xF87B8000 \WINDOWS\System32\Drivers\PCIIDEX.SYS
0xF8A3C000 intelide.sys
0xF8548000 MountMgr.sys
0xF8499000 ftdisk.sys
0xF8A3E000 dmload.sys
0xF8473000 dmio.sys
0xF87C0000 PartMgr.sys
0xF8558000 VolSnap.sys
0xF845B000 atapi.sys
0xF8A40000 imagedrv.sys
0xF8443000 \WINDOWS\System32\Drivers\SCSIPORT.SYS
0xF87C8000 cercsr6.sys
0xF8568000 disk.sys
0xF8578000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
0xF8423000 fltmgr.sys
0xF8411000 sr.sys
0xF8588000 PxHelp20.sys
0xF83FA000 KSecDD.sys
0xF836D000 Ntfs.sys
0xF8358000 inspect.sys
0xF832B000 \WINDOWS\System32\DRIVERS\NDIS.SYS
0xF87D0000 \WINDOWS\System32\DRIVERS\TDI.SYS
0xF8311000 Mup.sys
0xF85A8000 \SystemRoot\system32\DRIVERS\intelppm.sys
0xF7FDC000 \SystemRoot\system32\DRIVERS\ialmnt5.sys
0xF7FC8000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
0xF8890000 \SystemRoot\system32\DRIVERS\usbuhci.sys
0xF7FA4000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0xF8898000 \SystemRoot\system32\DRIVERS\usbehci.sys
0xF85B8000 \SystemRoot\system32\DRIVERS\IntelC53.sys
0xF7F81000 \SystemRoot\system32\DRIVERS\ks.sys
0xF7E39000 \SystemRoot\system32\DRIVERS\IntelC51.sys
0xF7DA1000 \SystemRoot\system32\DRIVERS\IntelC52.sys
0xF88A0000 \SystemRoot\system32\DRIVERS\mohfilt.sys
0xF88A8000 \SystemRoot\System32\Drivers\Modem.SYS
0xF85C8000 \SystemRoot\system32\DRIVERS\bcm4sbxp.sys
0xF88B0000 \SystemRoot\system32\DRIVERS\fdc.sys
0xF85D8000 \SystemRoot\system32\DRIVERS\serial.sys
0xF82B0000 \SystemRoot\system32\DRIVERS\serenum.sys
0xF7D8D000 \SystemRoot\system32\DRIVERS\parport.sys
0xF85E8000 \SystemRoot\system32\DRIVERS\cdrom.sys
0xF85F8000 \SystemRoot\system32\DRIVERS\redbook.sys
0xF88B8000 \SystemRoot\system32\DRIVERS\GEARAspiWDM.sys
0xF8608000 \SystemRoot\system32\DRIVERS\imapi.sys
0xF7D4D000 \SystemRoot\system32\drivers\smwdm.sys
0xF7D29000 \SystemRoot\system32\drivers\portcls.sys
0xF8618000 \SystemRoot\system32\drivers\drmk.sys
0xF7C76000 \SystemRoot\system32\drivers\senfilt.sys
0xF8BA2000 \SystemRoot\system32\DRIVERS\audstub.sys
0xF8628000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0xF829C000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0xF7C5F000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0xF8638000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0xF8113000 \SystemRoot\system32\DRIVERS\raspptp.sys
0xF7C4E000 \SystemRoot\system32\DRIVERS\psched.sys
0xF8103000 \SystemRoot\system32\DRIVERS\msgpc.sys
0xF88C0000 \SystemRoot\system32\DRIVERS\ptilink.sys
0xF88C8000 \SystemRoot\system32\DRIVERS\raspti.sys
0xF7BDC000 \SystemRoot\system32\DRIVERS\rdpdr.sys
0xF80E3000 \SystemRoot\system32\DRIVERS\termdd.sys
0xF88D0000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0xF88D8000 \SystemRoot\system32\DRIVERS\mouclass.sys
0xF8A7A000 \SystemRoot\system32\DRIVERS\swenum.sys
0xF7B7E000 \SystemRoot\system32\DRIVERS\update.sys
0xF8A08000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0xF8798000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xF8093000 \SystemRoot\system32\DRIVERS\usbhub.sys
0xF8AEA000 \SystemRoot\system32\DRIVERS\USBD.SYS
0xF82D0000 \SystemRoot\system32\drivers\MODEMCSA.sys
0xF5824000 \SystemRoot\system32\DRIVERS\flpydisk.sys
0xF8A30000 \SystemRoot\System32\DRIVERS\cmderd.sys
0xED2D0000 \SystemRoot\System32\DRIVERS\cmdguard.sys
0xF8870000 \SystemRoot\system32\DRIVERS\usbccgp.sys
0xEC2BA000 \??\C:\WINDOWS\system32\SAVRKBootTasks.sys
0xF8AA4000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xF8C3C000 \SystemRoot\System32\Drivers\Null.SYS
0xF8AA6000 \SystemRoot\System32\Drivers\Beep.SYS
0xEB807000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
0xED403000 \SystemRoot\System32\drivers\vga.sys
0xF8AA8000 \SystemRoot\System32\Drivers\mnmdd.SYS
0xF8AAA000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0xED63D000 \SystemRoot\System32\Drivers\Msfs.SYS
0xED635000 \SystemRoot\System32\Drivers\Npfs.SYS
0xEC631000 \SystemRoot\system32\DRIVERS\rasacd.sys
0xEB817000 \SystemRoot\system32\DRIVERS\ipsec.sys
0xEB918000 \SystemRoot\system32\DRIVERS\tcpip.sys
0xED62D000 \SystemRoot\System32\DRIVERS\cmdhlp.sys
0xEB8F0000 \SystemRoot\system32\DRIVERS\netbt.sys
0xEB8CE000 \SystemRoot\System32\drivers\afd.sys
0xEBB3F000 \SystemRoot\system32\DRIVERS\netbios.sys
0xEBB2F000 \SystemRoot\System32\Drivers\SCDEmu.SYS
0xEB8AC000 \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS
0xED625000 \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
0xEB881000 \SystemRoot\system32\DRIVERS\rdbss.sys
0xEB9E5000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0xEBB1F000 \SystemRoot\System32\Drivers\Fips.SYS
0xEB85B000 \SystemRoot\system32\DRIVERS\ipnat.sys
0xED715000 \SystemRoot\system32\DRIVERS\wanarp.sys
0xF5E21000 \SystemRoot\system32\DRIVERS\hidusb.sys
0xED705000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
0xF5E15000 \SystemRoot\system32\DRIVERS\kbdhid.sys
0xF5E11000 \SystemRoot\system32\DRIVERS\mouhid.sys
0xF5873000 \SystemRoot\System32\Drivers\Cdfs.SYS
0xEB843000 \SystemRoot\System32\Drivers\dump_atapi.sys
0xF8A90000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
0xBF800000 \SystemRoot\System32\win32k.sys
0xF59AD000 \SystemRoot\System32\drivers\Dxapi.sys
0xEC2E2000 \SystemRoot\System32\watchdog.sys
0xBF000000 \SystemRoot\System32\drivers\dxg.sys
0xF59C8000 \SystemRoot\System32\drivers\dxgthk.sys
0xBF020000 \SystemRoot\System32\ialmdnt5.dll
0xBF012000 \SystemRoot\System32\ialmrnt5.dll
0xBF03F000 \SystemRoot\System32\ialmdev5.DLL
0xBF05E000 \SystemRoot\System32\ialmdd5.DLL
0xBFFA0000 \SystemRoot\System32\ATMFD.DLL
0xBA7E0000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0xBA6BB000 \SystemRoot\system32\DRIVERS\mrxdav.sys
0xF8A7E000 \SystemRoot\System32\Drivers\ParVdm.SYS
0xBA652000 \SystemRoot\System32\Drivers\HTTP.sys
0xBA5AA000 \SystemRoot\system32\DRIVERS\srv.sys
0xBA38D000 \SystemRoot\system32\drivers\wdmaud.sys
0xBA432000 \SystemRoot\system32\drivers\sysaudio.sys
0xB9BE3000 \SystemRoot\System32\Drivers\Fastfat.SYS
0x7C900000 \WINDOWS\system32\ntdll.dll

Processes (total 37):
0 System Idle Process
4 System
720 C:\WINDOWS\system32\smss.exe
784 csrss.exe
808 C:\WINDOWS\system32\winlogon.exe
852 C:\WINDOWS\system32\services.exe
864 C:\WINDOWS\system32\lsass.exe
1024 C:\WINDOWS\system32\svchost.exe
1100 svchost.exe
1192 C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
1232 C:\WINDOWS\system32\svchost.exe
1408 svchost.exe
1552 svchost.exe
1648 C:\WINDOWS\system32\spoolsv.exe
1744 svchost.exe
1776 C:\Program Files\Bonjour\mDNSResponder.exe
1844 C:\WINDOWS\system32\svchost.exe
1880 C:\Program Files\Java\jre6\bin\jqs.exe
1960 C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
444 C:\WINDOWS\system32\svchost.exe
1044 wmpnetwk.exe
1704 alg.exe
772 C:\WINDOWS\explorer.exe
2224 C:\WINDOWS\system32\igfxtray.exe
2340 C:\WINDOWS\system32\hkcmd.exe
2464 C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
2644 C:\Program Files\COMODO\COMODO Internet Security\cfp.exe
2668 C:\Program Files\Common Files\Java\Java Update\jusched.exe
2680 C:\Program Files\DivX\DivX Update\DivXUpdate.exe
2732 C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
2768 C:\Program Files\Windows Media Player\wmpnscfg.exe
2836 C:\WINDOWS\system32\ctfmon.exe
3444 C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
3776 C:\Program Files\iPod\bin\iPodService.exe
3488 C:\Program Files\Mozilla Firefox\firefox.exe
3228 C:\Program Files\Mozilla Firefox\plugin-container.exe
2636 C:\Documents and Settings\Wife\My Documents\Downloads\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)

PhysicalDrive0 Model Number: WDCWD400LB-60DNA1, Rev: 81.07A81

Size Device Name MBR Status
--------------------------------------------
37 GB \\.\PhysicalDrive0 Windows XP MBR code detected
SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A


Done!
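
The MBRCheck output above reports the C: volume at byte offset 0x7e00 on PhysicalDrive0 and prints a SHA1 fingerprint next to "Windows XP MBR code detected". The following Python is an added example, not code from this thread or from MBRCheck, showing where those two values come from: the partition table stored in the first 512-byte sector gives the volume offset (start LBA 63 * 512 bytes = 0x7e00, the classic XP layout), and hashing the bootstrap code area gives a fingerprint that can be compared against a known-good baseline. The sample MBR is constructed inline (the bootstrap area is filler, not real boot code), and since the log does not say which byte range MBRCheck hashes, the hash here is this example's own fingerprint rather than a reproduction of the SHA1 in the log.

```python
"""Parse and fingerprint a 512-byte Master Boot Record.

Added example, not code from the thread or from MBRCheck. The sample
sector is constructed; its bootstrap area is filler, not real boot code.
"""
import hashlib
import struct

SECTOR_SIZE = 512
CODE_AREA_SIZE = 446          # bytes 0..445 hold the bootstrap code
PARTITION_ENTRY_SIZE = 16     # four 16-byte entries at bytes 446..509
BOOT_SIGNATURE = b"\x55\xaa"  # bytes 510..511 of a valid MBR

PARTITION_TYPE_NAMES = {0x07: "NTFS/HPFS", 0x0B: "FAT32", 0x0C: "FAT32 LBA", 0x83: "Linux"}


def build_sample_mbr() -> bytes:
    """Construct a sample MBR with one bootable NTFS partition starting at LBA 63.

    LBA 63 is the classic Windows XP layout, which is why MBRCheck reports the
    volume at 63 * 512 = 0x7e00. All field values below are constructed.
    """
    code_area = b"\x33\xc0\x8e\xd0\xbc\x00\x7c".ljust(CODE_AREA_SIZE, b"\x00")  # filler
    entry = struct.pack(
        "<B3sB3sII",
        0x80,               # status: 0x80 = bootable
        b"\x01\x01\x00",    # CHS start (constructed; modern code uses the LBA fields)
        0x07,               # partition type: NTFS
        b"\xfe\xff\xff",    # CHS end (constructed)
        63,                 # first LBA sector of the partition
        78_124_032,         # sector count (constructed, roughly 37 GB)
    )
    table = entry + b"\x00" * (PARTITION_ENTRY_SIZE * 3)  # three empty slots
    return code_area + table + BOOT_SIGNATURE


def parse_mbr(mbr: bytes) -> dict:
    """Return the boot-signature check, the non-empty partition entries and SHA-1 fingerprints."""
    if len(mbr) != SECTOR_SIZE:
        raise ValueError(f"expected a {SECTOR_SIZE}-byte sector, got {len(mbr)} bytes")
    partitions = []
    for index in range(4):
        offset = CODE_AREA_SIZE + index * PARTITION_ENTRY_SIZE
        status, _chs_start, ptype, _chs_end, lba_start, sectors = struct.unpack_from(
            "<B3sB3sII", mbr, offset
        )
        if ptype == 0:
            continue  # empty slot
        partitions.append({
            "index": index,
            "bootable": status == 0x80,
            "type": ptype,
            "type_name": PARTITION_TYPE_NAMES.get(ptype, f"unknown(0x{ptype:02x})"),
            "lba_start": lba_start,
            "byte_offset": lba_start * SECTOR_SIZE,   # what the log prints as "at offset"
            "sectors": sectors,
        })
    return {
        "valid_signature": mbr[510:512] == BOOT_SIGNATURE,
        # Fingerprint of the bootstrap code only: this is what a bootkit rewrites.
        "code_sha1": hashlib.sha1(mbr[:CODE_AREA_SIZE]).hexdigest().upper(),
        # Fingerprint of the whole sector, including the partition table.
        "sector_sha1": hashlib.sha1(mbr).hexdigest().upper(),
        "partitions": partitions,
    }


def code_matches_baseline(mbr: bytes, baseline_code_sha1: str) -> bool:
    """Integrity check: does the bootstrap code area still match a known-good hash?"""
    return parse_mbr(mbr)["code_sha1"] == baseline_code_sha1.upper()


if __name__ == "__main__":
    sample = build_sample_mbr()
    info = parse_mbr(sample)
    print("boot signature ok:", info["valid_signature"])
    for p in info["partitions"]:
        print(f"partition {p['index']}: {p['type_name']} at LBA {p['lba_start']} "
              f"(offset 0x{p['byte_offset']:x}), bootable={p['bootable']}")
    print("code SHA1:", info["code_sha1"])
```

On a live Windows system the same 512 bytes are obtained by opening `\\.\PhysicalDrive0` for reading as an administrator and reading the first sector; with a forensic disk image, read the first 512 bytes of the image file instead. The useful defender check is the code-area hash compared against a baseline recorded when the machine was known to be clean: an MBR bootkit that rewrites the bootstrap code changes that hash while leaving the partition table, and therefore the reported volume offset, exactly as before, which is why the example hashes the code area separately from the whole sector.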

#12 JNolan

JNolan
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:11:14 AM

Posted 18 December 2010 - 03:08 PM

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 12/18/2010 at 07:16 AM

Application Version : 4.41.1000

Core Rules Database Version : 5993
Trace Rules Database Version: 3805

Scan type : Complete Scan
Total Scan Time : 03:17:06

Memory items scanned : 445
Memory threats detected : 0
Registry items scanned : 7514
Registry threats detected : 0
File items scanned : 57726
File threats detected : 10

Adware.Tracking Cookie
C:\Documents and Settings\Wife\Cookies\wife@cts.metricsdirect[2].txt
C:\Documents and Settings\Wife\Cookies\wife@cts.zroitracker[1].txt
a.ads2.msads.net [ C:\Documents and Settings\Wife\Application Data\Macromedia\Flash Player\#SharedObjects\537K3UTP ]
ads2.msads.net [ C:\Documents and Settings\Wife\Application Data\Macromedia\Flash Player\#SharedObjects\537K3UTP ]
b.ads2.msads.net [ C:\Documents and Settings\Wife\Application Data\Macromedia\Flash Player\#SharedObjects\537K3UTP ]
convoad.technoratimedia.net [ C:\Documents and Settings\Wife\Application Data\Macromedia\Flash Player\#SharedObjects\537K3UTP ]
www.naiadsystems.com [ C:\Documents and Settings\Wife\Application Data\Macromedia\Flash Player\#SharedObjects\537K3UTP ]

Trojan.Agent/Gen-Nullo[Short]
C:\SYSTEM VOLUME INFORMATION\_RESTORE{E1DF149A-F9FD-4391-8479-D61C42D41737}\RP166\A0087860.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{E1DF149A-F9FD-4391-8479-D61C42D41737}\RP166\A0087861.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{E1DF149A-F9FD-4391-8479-D61C42D41737}\RP166\A0087862.EXE

#13 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:05:14 PM

Posted 18 December 2010 - 10:40 PM

Sorry JNolan, it was MBAM that I asked you to run not MBRCheck - see instructions again :whistle:
m0le is a proud member of UNITE

#14 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:05:14 PM

Posted 22 December 2010 - 09:44 PM

You still there, JNolan?
m0le is a proud member of UNITE

#15 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • OFFLINE
  • Gender:Male
  • Location:London, UK
  • Local time:05:14 PM

Posted 24 December 2010 - 08:57 PM

This topic has been closed.

If you're the topic starter, and need this topic reopened, please contact me via pm with the address of the thread.

Everyone else please begin a New Topic.
m0le is a proud member of UNITE



