
Atapi and aaa virus


This topic is locked
27 replies to this topic

#1 WillT

  • Members
  • 14 posts

Posted 07 February 2011 - 01:30 PM

Under the add/remove programs tab in my control panel, I have a program at the top titled aaa. When I click on it, the other info fields are bbb and ccc. Attempts to remove it using the add/remove programs options have failed. I'm also receiving warnings from Symantec antivirus that I am infected with a virus named atapi. I am receiving multiple unresponsive script warnings, with http addresses, as well as an unresponsive space bar key, a request by media player to play a file whose extension is unfamiliar, and very slow start-up (takes 30 minutes after the home screen appears before I can pull up any programs). Here are the logs as requested by the standard instructions:

DDS log


DDS (Ver_10-12-12.02) - NTFSx86
Run by William Tatum at 19:16:54.65 on Sun 02/06/2011
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.503.41 [GMT -5:00]

AV: *Disabled/Outdated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: *Disabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
svchost.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Babylon\Babylon-Pro\Babylon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\AIM\aim.exe
c:\program files\common files\installshield\updateservice\isuspm.exe
C:\Program Files\McAfee Security Scan\2.0.181\SSScheduler.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Documents and Settings\William Tatum\Desktop\Defogger.exe
C:\Documents and Settings\William Tatum\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://search.babylon.com/home?AF=16273
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = localhost;*.local
uInternet Settings,ProxyServer = http=127.0.0.1:60202
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: CescrtHlpr Object: {2eecd738-5844-4a99-b4b6-146bf802613b} - c:\program files\babylontoolbar\babylontoolbar\1.4.15.13\bh\BabylonToolbar.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Babylon IE plugin: {9cfaccb6-2f3f-4177-94ea-0d2b72d384c1} - c:\program files\babylon\babylon-pro\utils\BabylonIEPI.dll
BHO: Media Pimp BHO: {b7cf5c23-ca56-440b-8e87-8e2d05be2113} - c:\program files\video bash toolbar\VideoDownloader.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\googleafe\GoogleAE.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Media Pimp: {283b4aa3-1b7a-46e6-b56d-90ef4743fb2c} - c:\program files\video bash toolbar\VideoDownloader.dll
TB: Babylon Toolbar: {98889811-442d-49dd-99d7-dc866be87dbc} - c:\program files\babylontoolbar\babylontoolbar\1.4.15.13\BabylonToolbarTlbr.dll
TB: &Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [Aim] "c:\program files\aim\aim.exe" /d locale=en-US
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [IntelWireless] c:\program files\intel\wireless\bin\ifrmewrk.exe /tf Intel PROSet/Wireless
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [vptray] c:\progra~1\symant~1\VPTray.exe
mRun: [dellsupportcenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P dellsupportcenter
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [BabylonToolbar] "c:\program files\babylontoolbar\babylontoolbar\1.4.15.13\BabylonToolbarsrv.exe" /md I
mRun: [Babylon Client] c:\program files\babylon\babylon-pro\Babylon.exe -AutoStart
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\mcafee~1.lnk - c:\program files\mcafee security scan\2.0.181\SSScheduler.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: Translate this web page with Babylon - c:\program files\babylon\babylon-pro\utils\BabylonIEPI.dll/ActionTU.htm
IE: Translate with Babylon - c:\program files\babylon\babylon-pro\utils\BabylonIEPI.dll/Action.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {F72841F0-4EF1-4df5-BCE5-B3AC8ACF5478} - res://c:\program files\babylon\babylon-pro\utils\BabylonIEPI.dll/ActionTU.htm
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} - hxxp://office.microsoft.com/officeupdate/content/opuc3.cab
DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1006.cab
DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1138470355203
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {C68F9105-04FD-4B48-B6CC-2A076F711C35} - file://d:\memdisc\album_a\view\plugin\HPODPCFC.CAB
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-150-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\logitech\desktop messenger\8876480\program\GAPlugProtocol-8876480.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: igfxcui - igfxdev.dll
Notify: IntelWireless - c:\program files\intel\wireless\bin\LgNotify.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
AppInit_DLLs: c:\windows\katrack.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\willia~1\applic~1\mozilla\firefox\profiles\q8et4qcx.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.babylon.com/web/{searchTerms}?babsrc=browsersearch&AF=16273
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.bbc.co.uk/news/
FF - prefs.js: keyword.URL - hxxp://utils.babylon.com/abt/index.php?url=
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 60202
FF - prefs.js: network.proxy.type - 4
FF - component: c:\documents and settings\william tatum\application data\mozilla\firefox\profiles\q8et4qcx.default\extensions\ffxtlbr@babylon.com\components\FFHst.dll
FF - plugin: c:\program files\emusic download manager\plugin\npemusic.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdnupdater2.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPInfotl.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Ext: Media Pimp: media.pimp@mediapimp.com - %profile%\extensions\media.pimp@mediapimp.com
FF - Ext: Babylon: ffxtlbr@babylon.com - %profile%\extensions\ffxtlbr@babylon.com
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true);user_pref(network.protocol-handler.warn-external.dnupdate, false
============= SERVICES / DRIVERS ===============

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
R1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2005-2-4 324232]
R1 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2005-2-4 53896]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20110205.002\naveng.sys [2011-2-6 86008]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20110205.002\navex15.sys [2011-2-6 1360760]
S3 usb2vcom;USB Data Cable;c:\windows\system32\drivers\usb2vcom.sys [2007-8-27 22760]
S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2005-1-26 280344]

=============== Created Last 30 ================

2011-02-06 07:38:06 -------- d-----w- c:\docume~1\willia~1\applic~1\BabylonToolbar
2011-02-06 02:22:35 -------- d-----w- c:\docume~1\willia~1\applic~1\SUPERAntiSpyware.com
2011-02-06 02:22:35 -------- d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2011-02-06 02:22:26 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-02-04 22:00:36 -------- d-----w- c:\docume~1\willia~1\locals~1\applic~1\Babylon
2011-02-04 21:59:39 142336 ----a-w- c:\program files\mozilla firefox\BabyFox.dll
2011-02-04 21:59:08 -------- d-----w- c:\program files\BabylonToolbar
2011-02-04 21:59:05 -------- d-----w- c:\program files\Babylon
2011-02-04 21:58:15 -------- d-----w- c:\docume~1\alluse~1\applic~1\Babylon
2011-02-04 21:58:11 -------- d-----w- c:\docume~1\willia~1\applic~1\Babylon
2011-01-30 17:29:47 -------- d-----w- c:\docume~1\alluse~1\applic~1\fIeCjLm12732
2011-01-30 16:35:19 -------- d-----w- c:\docume~1\willia~1\applic~1\Malwarebytes
2011-01-30 16:33:59 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-01-30 16:33:57 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2011-01-30 16:33:52 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-01-30 16:33:52 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-01-29 22:38:22 86016 --sha-r- c:\windows\system32\winscardh.dll
2011-01-26 05:01:34 -------- d-----w- c:\program files\iPod
2011-01-26 05:00:49 -------- d-----w- c:\program files\iTunes
2011-01-26 04:45:20 -------- d-----w- c:\program files\Bonjour
2011-01-20 22:46:54 -------- d-----w- c:\docume~1\willia~1\locals~1\applic~1\eMusic
2011-01-20 22:46:54 -------- d-----w- c:\docume~1\willia~1\applic~1\eMusic
2011-01-20 22:45:50 -------- d-----w- c:\program files\eMusic Download Manager
2011-01-19 02:08:41 -------- d-----w- c:\windows\FLV Player

==================== Find3M ====================

2010-11-29 22:38:30 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-11-29 22:38:30 69632 ----a-w- c:\windows\system32\QuickTime.qts
2010-11-18 18:12:44 81920 ----a-w- c:\windows\system32\isign32.dll
2010-11-09 14:52:35 249856 ----a-w- c:\windows\system32\odbc32.dll

============= FINISH: 19:20:21.59 ===============


Thanks for your help!

Will
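As a reader's aid to the DDS log above, here is an added triage script (not code from DDS, BleepingComputer or anyone in this thread) that flags the indicator classes a helper checks first in the Pseudo HJT and Created Last 30 sections: a browser proxied through a localhost listener, an AppInit_DLLs entry, a disabled AV/firewall, an orphaned BHO, and a newly created executable carrying system+hidden attributes. The rule names and the functions `check_line`, `triage_dds` and `summarize` are my own; the sample lines are copied from the log above.

```python
"""Triage helper for DDS-style logs (the format posted in this thread).

Added example: the rules below flag the indicator classes a helper looks
for first in a DDS 'Pseudo HJT Report' and 'Created Last 30' section.
They are not part of DDS and not the forum's own tooling.
"""
import re
from collections import Counter

# Rules applied to each non-empty line: (rule name, regex, why it matters).
RULES = [
    ("av-disabled",
     re.compile(r"^(?:AV|FW):\s*\*Disabled", re.I),
     "DDS reports the antivirus or firewall as disabled/outdated"),
    ("local-proxy",
     re.compile(r"ProxyServer\s*=\s*(?:\w+=)?127\.0\.0\.1:\d+", re.I),
     "IE is proxied through a listener on localhost, a typical traffic-hijack sign"),
    ("local-proxy",
     re.compile(r"network\.proxy\.http\s*-\s*127\.0\.0\.1\b", re.I),
     "Firefox is proxied through a listener on localhost"),
    ("appinit-dll",
     re.compile(r"^AppInit_DLLs:\s*\S", re.I),
     "AppInit_DLLs injects the listed DLL into every user32-linked process"),
    ("orphan-bho",
     re.compile(r"^BHO:.*-\s*No File$", re.I),
     "BHO registered but its DLL is missing (leftover or partial removal)"),
]

# 'Created Last 30' / 'Find3M' entries: date time size attributes path
FILE_ENTRY = re.compile(
    r"^(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2}:\d{2}) (\S+) ([-a-z]{8}) (.+)$", re.I)
EXECUTABLE_EXT = (".dll", ".sys", ".exe")


def check_line(line):
    """Return the rule name that fires for one DDS line, or None."""
    for name, pattern, _why in RULES:
        if pattern.search(line):
            return name
    m = FILE_ENTRY.match(line)
    if m:
        attrs, path = m.group(4).lower(), m.group(5).lower()
        # A freshly created executable carrying both the system and hidden
        # attributes is unusual for a legitimate software install.
        if "s" in attrs and "h" in attrs and path.endswith(EXECUTABLE_EXT):
            return "hidden-system-file"
    return None


def triage_dds(log_text):
    """Return [(rule, line), ...] for every line of a DDS log that a rule flags."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        rule = check_line(line)
        if rule:
            findings.append((rule, line))
    return findings


def summarize(findings):
    """Count findings per rule, e.g. {'local-proxy': 2, ...}."""
    return dict(Counter(rule for rule, _ in findings))


# Lines copied from the DDS log posted in this thread (abridged, not a full log).
SAMPLE_DDS = r"""
AV: *Disabled/Outdated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: *Disabled*
uInternet Settings,ProxyOverride = localhost;*.local
uInternet Settings,ProxyServer = http=127.0.0.1:60202
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 60202
AppInit_DLLs: c:\windows\katrack.dll
2011-01-29 22:38:22 86016 --sha-r- c:\windows\system32\winscardh.dll
2011-01-30 16:33:52 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
"""

if __name__ == "__main__":
    for rule, line in triage_dds(SAMPLE_DDS):
        print(f"[{rule}] {line}")
    print(summarize(triage_dds(SAMPLE_DDS)))
```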



#2 m0le


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 11 February 2011 - 08:34 PM

Hi,

Welcome to Bleeping Computer. My name is m0le and I will be helping you with your log.
  • Please subscribe to this topic, if you haven't already. Click the Watch This Topic button at the top on the right.
  • Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.
  • Please reply to this post so I know you are there.

The forum is busy and we need to have replies as soon as possible. If I haven't had a reply after 3 days I will bump the topic and if you do not reply by the following day after that then I will close the topic.

Once I receive a reply then I will return with your first instructions.

Thanks :thumbup2:
m0le is a proud member of UNITE

#3 WillT

  • Topic Starter

  • Members
  • 14 posts

Posted 11 February 2011 - 08:48 PM

Howdy,
I am paying attention and watching this topic. Ready to proceed when you are. To add to my description above, I'm now receiving pop-ups asking me if I want to run a file with a . extension.


Will

#4 m0le


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK

Posted 12 February 2011 - 02:02 PM

Please run TDSSKiller first up

  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop and make sure TDSSKiller.exe (the contents of the zipped file) is on the Desktop itself, not within a folder on the desktop.
  • Go to Start > Run (or hold down your Windows key and press R) and copy and paste the following into the text field (make sure you include the quote marks). Then press OK.

    "%userprofile%\Desktop\TDSSKiller.exe" -l report.txt

  • Now click Start Scan.
  • If Malicious objects are found, ensure Cure is selected then click Continue > Reboot now.
  • Click Close.
  • Finally press Report and copy and paste the contents into your next reply. If you've rebooted then the log will be found at C:\

m0le is a proud member of UNITE

#5 WillT

  • Topic Starter

  • Members
  • 14 posts

Posted 12 February 2011 - 03:19 PM

No malicious items were found by this scan. Here's the result:

2011/02/12 15:04:37.0281 0332 TDSS rootkit removing tool 2.4.16.0 Feb 1 2011 10:34:03
2011/02/12 15:05:10.0718 0332 ================================================================================
2011/02/12 15:05:10.0718 0332 SystemInfo:
2011/02/12 15:05:10.0718 0332
2011/02/12 15:05:10.0718 0332 OS Version: 5.1.2600 ServicePack: 3.0
2011/02/12 15:05:10.0718 0332 Product type: Workstation
2011/02/12 15:05:10.0718 0332 ComputerName: ALBEMARLE
2011/02/12 15:05:10.0781 0332 UserName: William Tatum
2011/02/12 15:05:10.0781 0332 Windows directory: C:\WINDOWS
2011/02/12 15:05:10.0781 0332 System windows directory: C:\WINDOWS
2011/02/12 15:05:10.0781 0332 Processor architecture: Intel x86
2011/02/12 15:05:10.0781 0332 Number of processors: 1
2011/02/12 15:05:10.0781 0332 Page size: 0x1000
2011/02/12 15:05:10.0781 0332 Boot type: Normal boot
2011/02/12 15:05:10.0781 0332 ================================================================================
2011/02/12 15:05:11.0750 0332 Initialize success
2011/02/12 15:05:17.0765 3452 ================================================================================
2011/02/12 15:05:17.0765 3452 Scan started
2011/02/12 15:05:17.0765 3452 Mode: Manual;
2011/02/12 15:05:17.0765 3452 ================================================================================
2011/02/12 15:05:34.0453 3452 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
2011/02/12 15:05:34.0625 3452 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys
2011/02/12 15:05:34.0921 3452 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
2011/02/12 15:05:35.0109 3452 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
2011/02/12 15:05:35.0296 3452 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2011/02/12 15:05:35.0734 3452 nv (2b298519edbfcf451d43e0f1e8f1006d) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
2011/02/12 15:05:36.0265 3452 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2011/02/12 15:05:36.0375 3452 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2011/02/12 15:05:36.0500 3452 ohci1394 (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys
2011/02/12 15:05:36.0593 3452 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
2011/02/12 15:05:36.0718 3452 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
2011/02/12 15:05:36.0812 3452 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2011/02/12 15:05:37.0125 3452 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
2011/02/12 15:05:37.0218 3452 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
2011/02/12 15:05:37.0312 3452 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
2011/02/12 15:05:37.0562 3452 perc2 (6c14b9c19ba84f73d3a86dba11133101) C:\WINDOWS\system32\DRIVERS\perc2.sys
2011/02/12 15:05:37.0656 3452 perc2hib (f50f7c27f131afe7beba13e14a3b9416) C:\WINDOWS\system32\DRIVERS\perc2hib.sys
2011/02/12 15:05:37.0890 3452 PhilCam8116 (a3a4d50051ddbcf390e5918c43c167ef) C:\WINDOWS\system32\DRIVERS\CamDrL21.sys
2011/02/12 15:05:38.0031 3452 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2011/02/12 15:05:38.0171 3452 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
2011/02/12 15:05:38.0390 3452 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2011/02/12 15:05:38.0531 3452 PxHelp20 (86724469cd077901706854974cd13c3e) C:\WINDOWS\system32\Drivers\PxHelp20.sys
2011/02/12 15:05:38.0625 3452 ql1080 (0a63fb54039eb5662433caba3b26dba7) C:\WINDOWS\system32\DRIVERS\ql1080.sys
2011/02/12 15:05:38.0765 3452 Ql10wnt (6503449e1d43a0ff0201ad5cb1b8c706) C:\WINDOWS\system32\DRIVERS\ql10wnt.sys
2011/02/12 15:05:38.0937 3452 ql12160 (156ed0ef20c15114ca097a34a30d8a01) C:\WINDOWS\system32\DRIVERS\ql12160.sys
2011/02/12 15:05:39.0031 3452 ql1240 (70f016bebde6d29e864c1230a07cc5e6) C:\WINDOWS\system32\DRIVERS\ql1240.sys
2011/02/12 15:05:39.0140 3452 ql1280 (907f0aeea6bc451011611e732bd31fcf) C:\WINDOWS\system32\DRIVERS\ql1280.sys
2011/02/12 15:05:39.0203 3452 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2011/02/12 15:05:39.0343 3452 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2011/02/12 15:05:39.0671 3452 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2011/02/12 15:05:39.0843 3452 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2011/02/12 15:05:39.0984 3452 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2011/02/12 15:05:40.0062 3452 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2011/02/12 15:05:40.0328 3452 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
2011/02/12 15:05:40.0468 3452 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
2011/02/12 15:05:40.0609 3452 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
2011/02/12 15:05:40.0812 3452 rimmptsk (24ed7af20651f9fa1f249482e7c1f165) C:\WINDOWS\system32\DRIVERS\rimmptsk.sys
2011/02/12 15:05:40.0968 3452 rimsptsk (1bdba2d2d402415a78a4ba766dfe0f7b) C:\WINDOWS\system32\DRIVERS\rimsptsk.sys
2011/02/12 15:05:41.0250 3452 rismxdp (f774ecd11a064f0debb2d4395418153c) C:\WINDOWS\system32\DRIVERS\rixdptsk.sys
2011/02/12 15:05:41.0500 3452 s24trans (81aa6f0d6a2be1c550f814b036215888) C:\WINDOWS\system32\DRIVERS\s24trans.sys
2011/02/12 15:05:41.0781 3452 SASDIFSV (a3281aec37e0720a2bc28034c2df2a56) C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
2011/02/12 15:05:41.0828 3452 SASKUTIL (61db0d0756a99506207fd724e3692b25) C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS
2011/02/12 15:05:42.0031 3452 SAVRT (a00d5aa4748a1002590f08aa00fc660d) C:\Program Files\Symantec AntiVirus\savrt.sys
2011/02/12 15:05:42.0203 3452 SAVRTPEL (1e805005583be1c1568a3fce259c81e3) C:\Program Files\Symantec AntiVirus\Savrtpel.sys
2011/02/12 15:05:42.0468 3452 sdbus (8d04819a3ce51b9eb47e5689b44d43c4) C:\WINDOWS\system32\DRIVERS\sdbus.sys
2011/02/12 15:05:42.0625 3452 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2011/02/12 15:05:42.0781 3452 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
2011/02/12 15:05:42.0890 3452 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
2011/02/12 15:05:42.0984 3452 sffdisk (0fa803c64df0914b41f807ea276bf2a6) C:\WINDOWS\system32\DRIVERS\sffdisk.sys
2011/02/12 15:05:43.0281 3452 sffp_sd (c17c331e435ed8737525c86a7557b3ac) C:\WINDOWS\system32\DRIVERS\sffp_sd.sys
2011/02/12 15:05:43.0359 3452 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
2011/02/12 15:05:43.0546 3452 sisagp (6b33d0ebd30db32e27d1d78fe946a754) C:\WINDOWS\system32\DRIVERS\sisagp.sys
2011/02/12 15:05:43.0703 3452 SLIP (866d538ebe33709a5c9f5c62b73b7d14) C:\WINDOWS\system32\DRIVERS\SLIP.sys
2011/02/12 15:05:44.0015 3452 Sparrow (83c0f71f86d3bdaf915685f3d568b20e) C:\WINDOWS\system32\DRIVERS\sparrow.sys
2011/02/12 15:05:44.0296 3452 SPBBCDrv (c30fa11923892a4dbd1c747db8492e8f) C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys
2011/02/12 15:05:44.0640 3452 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
2011/02/12 15:05:44.0796 3452 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
2011/02/12 15:05:44.0953 3452 Srv (0f6aefad3641a657e18081f52d0c15af) C:\WINDOWS\system32\DRIVERS\srv.sys
2011/02/12 15:05:45.0078 3452 sscdbhk5 (d7968049be0adbb6a57cee3960320911) C:\WINDOWS\system32\drivers\sscdbhk5.sys
2011/02/12 15:05:45.0343 3452 ssrtln (c3ffd65abfb6441e7606cf74f1155273) C:\WINDOWS\system32\drivers\ssrtln.sys
2011/02/12 15:05:45.0578 3452 STHDA (0467a93b1e7fda167e01fdec79783154) C:\WINDOWS\system32\drivers\sthda.sys
2011/02/12 15:05:45.0984 3452 streamip (77813007ba6265c4b6098187e6ed79d2) C:\WINDOWS\system32\DRIVERS\StreamIP.sys
2011/02/12 15:05:46.0328 3452 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
2011/02/12 15:05:46.0421 3452 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
2011/02/12 15:05:46.0562 3452 symc810 (1ff3217614018630d0a6758630fc698c) C:\WINDOWS\system32\DRIVERS\symc810.sys
2011/02/12 15:05:46.0906 3452 symc8xx (070e001d95cf725186ef8b20335f933c) C:\WINDOWS\system32\DRIVERS\symc8xx.sys
2011/02/12 15:05:47.0171 3452 SymEvent (3feeb051c94f5005f56423619315273b) C:\Program Files\Symantec\SYMEVENT.SYS
2011/02/12 15:05:47.0484 3452 SYMREDRV (8d668fe83a439e2166b7defff995cddc) C:\WINDOWS\System32\Drivers\SYMREDRV.SYS
2011/02/12 15:05:47.0921 3452 SYMTDI (b825e10cd61046672fef234820842c42) C:\WINDOWS\System32\Drivers\SYMTDI.SYS
2011/02/12 15:05:48.0187 3452 sym_hi (80ac1c4abbe2df3b738bf15517a51f2c) C:\WINDOWS\system32\DRIVERS\sym_hi.sys
2011/02/12 15:05:48.0546 3452 sym_u3 (bf4fab949a382a8e105f46ebb4937058) C:\WINDOWS\system32\DRIVERS\sym_u3.sys
2011/02/12 15:05:48.0953 3452 SynTP (643b3e821a00b2b6a35cc099cb9653a1) C:\WINDOWS\system32\DRIVERS\SynTP.sys
2011/02/12 15:05:49.0312 3452 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
2011/02/12 15:05:49.0765 3452 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2011/02/12 15:05:50.0218 3452 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
2011/02/12 15:05:50.0781 3452 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
2011/02/12 15:05:51.0546 3452 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
2011/02/12 15:05:51.0921 3452 tfsnboio (30698355067d07da5f9eb81132c9fdd6) C:\WINDOWS\system32\dla\tfsnboio.sys
2011/02/12 15:05:52.0000 3452 tfsncofs (fb9d825bb4a2abdf24600f7505050e2b) C:\WINDOWS\system32\dla\tfsncofs.sys
2011/02/12 15:05:52.0109 3452 tfsndrct (cafd8cca11aa1e8b6d2ea1ba8f70ec33) C:\WINDOWS\system32\dla\tfsndrct.sys
2011/02/12 15:05:52.0203 3452 tfsndres (8db1e78fbf7c426d8ec3d8f1a33d6485) C:\WINDOWS\system32\dla\tfsndres.sys
2011/02/12 15:05:52.0265 3452 tfsnifs (b92f67a71cc8176f331b8aa8d9f555ad) C:\WINDOWS\system32\dla\tfsnifs.sys
2011/02/12 15:05:52.0328 3452 tfsnopio (85985faa9a71e2358fcc2edefc2a3c5c) C:\WINDOWS\system32\dla\tfsnopio.sys
2011/02/12 15:05:52.0546 3452 tfsnpool (bba22094f0f7c210567efdaf11f64495) C:\WINDOWS\system32\dla\tfsnpool.sys
2011/02/12 15:05:52.0609 3452 tfsnudf (81340bef80b9811e98ce64611e67e3ff) C:\WINDOWS\system32\dla\tfsnudf.sys
2011/02/12 15:05:52.0671 3452 tfsnudfa (c035fd116224ccc8325f384776b6a8bb) C:\WINDOWS\system32\dla\tfsnudfa.sys
2011/02/12 15:05:52.0796 3452 TosIde (f2790f6af01321b172aa62f8e1e187d9) C:\WINDOWS\system32\DRIVERS\toside.sys
2011/02/12 15:05:52.0906 3452 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
2011/02/12 15:05:53.0015 3452 ultra (1b698a51cd528d8da4ffaed66dfc51b9) C:\WINDOWS\system32\DRIVERS\ultra.sys
2011/02/12 15:05:53.0140 3452 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
2011/02/12 15:05:53.0296 3452 usb2vcom (15059184012b3dba4415d45b41363dc8) C:\WINDOWS\system32\DRIVERS\usb2vcom.sys
2011/02/12 15:05:53.0468 3452 USBAAPL (5c2bdc152bbab34f36473deaf7713f22) C:\WINDOWS\system32\Drivers\usbaapl.sys
2011/02/12 15:05:53.0625 3452 usbaudio (e919708db44ed8543a7c017953148330) C:\WINDOWS\system32\drivers\usbaudio.sys
2011/02/12 15:05:53.0703 3452 usbbus (5353218b3265e3b8190335059f697a11) C:\WINDOWS\system32\DRIVERS\lgusbbus.sys
2011/02/12 15:05:53.0812 3452 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
2011/02/12 15:05:53.0875 3452 UsbDiag (7dd3eefc62a1ef44e5f940fa651ed9ed) C:\WINDOWS\system32\DRIVERS\lgusbdiag.sys
2011/02/12 15:05:53.0937 3452 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2011/02/12 15:05:53.0984 3452 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2011/02/12 15:05:54.0031 3452 USBModem (083031a78822eccbd7510bccd3e20d4c) C:\WINDOWS\system32\DRIVERS\lgusbmodem.sys
2011/02/12 15:05:54.0093 3452 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
2011/02/12 15:05:54.0218 3452 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
2011/02/12 15:05:54.0265 3452 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2011/02/12 15:05:54.0343 3452 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
2011/02/12 15:05:54.0406 3452 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
2011/02/12 15:05:54.0546 3452 viaagp (754292ce5848b3738281b4f3607eaef4) C:\WINDOWS\system32\DRIVERS\viaagp.sys
2011/02/12 15:05:54.0671 3452 ViaIde (3b3efcda263b8ac14fdf9cbdd0791b2e) C:\WINDOWS\system32\DRIVERS\viaide.sys
2011/02/12 15:05:54.0781 3452 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
2011/02/12 15:05:54.0859 3452 vsdatant (27b3dd12a19eec50220df15b64913dda) C:\WINDOWS\system32\vsdatant.sys
2011/02/12 15:05:55.0375 3452 w29n51 (f0f902220910c4fbe42a51964bd33599) C:\WINDOWS\system32\DRIVERS\w29n51.sys
2011/02/12 15:05:55.0796 3452 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2011/02/12 15:05:55.0937 3452 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
2011/02/12 15:05:56.0093 3452 winachsf (74cf3f2e4e40c4a2e18d39d6300a5c24) C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys
2011/02/12 15:05:56.0421 3452 WSTCODEC (c98b39829c2bbd34e454150633c62c78) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
2011/02/12 15:05:56.0546 3452 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
2011/02/12 15:05:56.0671 3452 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
2011/02/12 15:05:56.0843 3452 ================================================================================
2011/02/12 15:05:56.0843 3452 Scan finished
2011/02/12 15:05:56.0843 3452 ================================================================================

#6 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK
  • Local time:07:52 PM

Posted 12 February 2011 - 05:34 PM

Please run Combofix and see if atapi is as infected as it looks

Please download ComboFix from one of these locations:
* IMPORTANT !!! Save ComboFix.exe to your Desktop, making sure you rename it comfix.exe
  • Disable your AntiVirus and AntiSpyware applications including Firewalls, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Comfix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Posted Image


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
m0le is a proud member of UNITE

#7 WillT

WillT
  • Topic Starter

  • Members
  • 14 posts
  • Local time:02:52 PM

Posted 12 February 2011 - 11:07 PM

Here is the log:

ComboFix 11-02-12.01 - William Tatum 02/12/2011 21:59:17.4.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.503.181 [GMT -5:00]
Running from: c:\documents and settings\William Tatum\Desktop\ComFix.exe
AV: *Disabled/Outdated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: *Disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

((((((((((((((((((((((((( Files Created from 2011-01-13 to 2011-02-13 )))))))))))))))))))))))))))))))
.

2011-02-06 07:38 . 2011-02-06 07:38 -------- d-----w- c:\documents and settings\William Tatum\Application Data\BabylonToolbar
2011-02-06 02:22 . 2011-02-06 02:22 -------- d-----w- c:\documents and settings\William Tatum\Application Data\SUPERAntiSpyware.com
2011-02-06 02:22 . 2011-02-06 02:22 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2011-02-06 02:22 . 2011-02-06 02:23 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-02-04 21:59 . 2011-02-04 21:59 -------- d-----w- c:\program files\Babylon
2011-01-30 17:29 . 2011-01-30 18:04 -------- d-----w- c:\documents and settings\All Users\Application Data\fIeCjLm12732
2011-01-30 16:35 . 2011-01-30 16:35 -------- d-----w- c:\documents and settings\William Tatum\Application Data\Malwarebytes
2011-01-30 16:33 . 2010-11-30 16:22 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-01-30 16:33 . 2011-01-30 16:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-01-30 16:33 . 2011-01-30 17:48 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-01-30 16:33 . 2010-11-30 16:22 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-01-29 22:38 . 2011-01-29 22:38 86016 --sha-r- c:\windows\system32\winscardh.dll
2011-01-26 05:01 . 2011-01-26 05:01 -------- d-----w- c:\program files\iPod
2011-01-26 05:00 . 2011-01-26 05:03 -------- d-----w- c:\program files\iTunes
2011-01-26 04:45 . 2011-01-26 04:45 -------- d-----w- c:\program files\Bonjour
2011-01-21 14:44 . 2011-01-21 14:44 439296 ------w- c:\windows\system32\dllcache\shimgvw.dll
2011-01-20 22:46 . 2011-01-20 22:46 -------- d-----w- c:\documents and settings\William Tatum\Local Settings\Application Data\eMusic
2011-01-20 22:46 . 2011-01-20 22:46 -------- d-----w- c:\documents and settings\William Tatum\Application Data\eMusic
2011-01-20 22:45 . 2011-01-20 22:46 -------- d-----w- c:\program files\eMusic Download Manager
2011-01-19 02:08 . 2011-01-19 02:08 -------- d-----w- c:\windows\FLV Player
2011-01-19 02:08 . 2011-01-19 02:08 -------- d-----w- c:\program files\FLV Player

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-01-21 14:44 . 2004-08-10 18:51 439296 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-07 14:09 . 2004-08-10 18:50 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-12-31 13:10 . 2004-08-10 18:51 1854976 ----a-w- c:\windows\system32\win32k.sys
2010-12-22 12:34 . 2004-08-10 18:51 301568 ----a-w- c:\windows\system32\kerberos.dll
2010-12-20 23:08 . 2004-08-10 18:51 832512 ----a-w- c:\windows\system32\wininet.dll
2010-12-20 23:08 . 2004-08-10 18:51 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-12-20 23:08 . 2004-08-10 18:51 1830912 ----a-w- c:\windows\system32\inetcpl.cpl
2010-12-20 23:08 . 2004-08-10 18:50 17408 ------w- c:\windows\system32\corpol.dll
2010-12-20 17:26 . 2004-08-10 18:51 730112 ----a-w- c:\windows\system32\lsasrv.dll
2010-12-20 12:55 . 2004-08-10 18:51 389120 ----a-w- c:\windows\system32\html.iec
2010-12-09 15:15 . 2004-08-10 18:51 718336 ----a-w- c:\windows\system32\ntdll.dll
2010-12-09 14:30 . 2004-08-10 18:50 33280 ----a-w- c:\windows\system32\csrsrv.dll
2010-12-09 13:38 . 2004-08-10 18:51 2192768 ------w- c:\windows\system32\ntoskrnl.exe
2010-12-09 13:07 . 2004-08-04 04:59 2069376 ------w- c:\windows\system32\ntkrnlpa.exe
2010-11-29 22:38 . 2010-11-29 22:38 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-11-29 22:38 . 2010-11-29 22:38 69632 ----a-w- c:\windows\system32\QuickTime.qts
2010-11-18 18:12 . 2004-08-10 19:02 81920 ----a-w- c:\windows\system32\isign32.dll
2009-09-03 22:37 . 2009-09-03 22:37 10437264 ----a-w- c:\program files\mozilla firefox\plugins\PDFNetC.dll
2009-09-03 22:58 . 2009-09-03 22:58 107760 ----a-w- c:\program files\mozilla firefox\plugins\ScorchPDFWrapper.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B7CF5C23-CA56-440B-8E87-8E2D05BE2113}]
2010-07-15 23:40 3069952 ----a-w- c:\program files\Video Bash Toolbar\VideoDownloader.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{283B4AA3-1B7A-46E6-B56D-90EF4743FB2C}"= "c:\program files\Video Bash Toolbar\VideoDownloader.dll" [2010-07-15 3069952]

[HKEY_CLASSES_ROOT\clsid\{283b4aa3-1b7a-46e6-b56d-90ef4743fb2c}]
[HKEY_CLASSES_ROOT\VideoDownloader.VideoDownloaderBand.1]
[HKEY_CLASSES_ROOT\TypeLib\{1EA80D6E-79D4-483F-AF7C-52851C945761}]
[HKEY_CLASSES_ROOT\VideoDownloader.VideoDownloaderBand]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"Aim"="c:\program files\AIM\aim.exe" [2010-09-16 4425048]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-06-24 729178]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-10-15 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-10-15 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-10-15 114688]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-30 385024]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2005-06-02 48752]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2005-06-24 85696]
"dellsupportcenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-03-17 47392]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-12-13 421160]
"BabylonToolbar"="c:\program files\BabylonToolbar\BabylonToolbar\1.4.15.13\BabylonToolbarsrv.exe" [2010-08-09 286720]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\2.0.181\SSScheduler.exe [2010-1-15 255536]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
2004-09-07 22:08 110592 ----a-w- c:\program files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\katrack.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\1138159224\\ee\\aolsoftware.exe"=
"c:\\Program Files\\Common Files\\AOL\\1138159224\\ee\\aim6.exe"=
"c:\\WINDOWS\\keyacc32.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Trillian\\trillian.exe"=
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 1:25 PM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 1:41 PM 67656]
R2 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [6/23/2005 7:27 PM 124608]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [1/15/2010 7:49 AM 227232]
S3 usb2vcom;USB Data Cable;c:\windows\system32\drivers\usb2vcom.sys [8/27/2007 7:59 PM 22760]

--- Other Services/Drivers In Memory ---

*Deregistered* - EraserUtilDrvI10
*Deregistered* - klmd25
.
Contents of the 'Scheduled Tasks' folder

2011-02-12 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2011-02-13 c:\windows\Tasks\User_Feed_Synchronization-{11541EB8-B78E-4804-9C10-64370FF9CF91}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 16:58]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://search.babylon.com/home?AF=16273
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = localhost;*.local
uInternet Settings,ProxyServer = http=127.0.0.1:60202
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
IE: Translate this web page with Babylon
IE: Translate with Babylon
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
DPF: {C68F9105-04FD-4B48-B6CC-2A076F711C35} - file://d:\memdisc\ALBUM_A\VIEW\PLUGIN\HPODPCFC.CAB
FF - ProfilePath - c:\documents and settings\William Tatum\Application Data\Mozilla\Firefox\Profiles\q8et4qcx.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.babylon.com/web/{searchTerms}?babsrc=browsersearch&AF=16273
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.bbc.co.uk/news/
FF - prefs.js: keyword.URL - hxxp://utils.babylon.com/abt/index.php?url=
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 60202
FF - prefs.js: network.proxy.type - 4
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Ext: Media Pimp: media.pimp@mediapimp.com - %profile%\extensions\media.pimp@mediapimp.com
FF - Ext: Babylon: ffxtlbr@babylon.com - %profile%\extensions\ffxtlbr@babylon.com
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - user.js: yahoo.homepage.dontask - true);user_pref(network.protocol-handler.warn-external.dnupdate, false
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-02-12 22:14
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1484)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
c:\program files\Intel\Wireless\Bin\LgNotify.dll

- - - - - - - > 'explorer.exe'(5124)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2011-02-12 22:21:49
ComboFix-quarantined-files.txt 2011-02-13 03:21
ComboFix2.txt 2011-02-09 05:09
ComboFix3.txt 2010-01-27 02:49

Pre-Run: 9,930,244,096 bytes free
Post-Run: 9,909,059,584 bytes free

- - End Of File - - 9621158894DDC7F756D736452911A241


Thanks for your help!

#8 m0le

m0le

    Can U Dig It?


  • Malware Response Team
  • 34,527 posts
  • Gender:Male
  • Location:London, UK
  • Local time:07:52 PM

Posted 13 February 2011 - 09:19 AM

Seems to have been an infection because I'm finding traces of an attack but so far nothing concrete.

Please rerun Combofix as shown below

1. Close any open browsers.

2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the box below into it:

DDS::
uInternet Settings,ProxyOverride = localhost;*.local
uInternet Settings,ProxyServer = http=127.0.0.1:60202


Save this as CFScript.txt, in the same location as Comfix.exe (called ComboFix.exe in the below graphic)


[image]

Referring to the picture above, drag CFScript into ComboFix.exe

If the program asks you to update ComboFix then click Yes.

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.


Now run the ESET online scanner

  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the [image] button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on [image] to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the [image] icon on your desktop.
  • Check [image]
  • Click the [image] button.
  • Accept any security warnings from your browser.
  • Leave the top box checked and then check [image]
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push [image]
  • Push [image], and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the [image] button.
  • Push [image]
NOTE: If no malware is found then no log will be produced. Let me know if this is the case.
m0le is a proud member of UNITE

#9 WillT (Topic Starter)

Posted 14 February 2011 - 01:36 PM

Here is the combofix log. Other log will follow. Every time I bring up Firefox now, I get the warning message telling me that Windows Media Player is attempting to play an unfamiliar extension, and also that Firefox is not set as my default browser. The program labeled aaa is still in my programs add/delete list.

ComboFix 11-02-13.04 - William Tatum 02/14/2011 13:11:26.5.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.503.280 [GMT -5:00]
Running from: c:\documents and settings\William Tatum\Desktop\ComFix.exe
Command switches used :: c:\documents and settings\William Tatum\Desktop\CFScript.txt
AV: *Disabled/Outdated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: *Disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

((((((((((((((((((((((((( Files Created from 2011-01-14 to 2011-02-14 )))))))))))))))))))))))))))))))
.

2011-02-06 07:38 . 2011-02-06 07:38 -------- d-----w- c:\documents and settings\William Tatum\Application Data\BabylonToolbar
2011-02-06 02:22 . 2011-02-06 02:22 -------- d-----w- c:\documents and settings\William Tatum\Application Data\SUPERAntiSpyware.com
2011-02-06 02:22 . 2011-02-06 02:22 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2011-02-06 02:22 . 2011-02-06 02:23 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-02-04 21:59 . 2011-02-04 21:59 -------- d-----w- c:\program files\Babylon
2011-01-30 17:29 . 2011-01-30 18:04 -------- d-----w- c:\documents and settings\All Users\Application Data\fIeCjLm12732
2011-01-30 16:35 . 2011-01-30 16:35 -------- d-----w- c:\documents and settings\William Tatum\Application Data\Malwarebytes
2011-01-30 16:33 . 2010-11-30 16:22 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-01-30 16:33 . 2011-01-30 16:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-01-30 16:33 . 2011-01-30 17:48 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-01-30 16:33 . 2010-11-30 16:22 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-01-29 22:38 . 2011-01-29 22:38 86016 --sha-r- c:\windows\system32\winscardh.dll
2011-01-26 05:01 . 2011-01-26 05:01 -------- d-----w- c:\program files\iPod
2011-01-26 05:00 . 2011-01-26 05:03 -------- d-----w- c:\program files\iTunes
2011-01-26 04:45 . 2011-01-26 04:45 -------- d-----w- c:\program files\Bonjour
2011-01-21 14:44 . 2011-01-21 14:44 439296 ------w- c:\windows\system32\dllcache\shimgvw.dll
2011-01-20 22:46 . 2011-01-20 22:46 -------- d-----w- c:\documents and settings\William Tatum\Local Settings\Application Data\eMusic
2011-01-20 22:46 . 2011-01-20 22:46 -------- d-----w- c:\documents and settings\William Tatum\Application Data\eMusic
2011-01-20 22:45 . 2011-01-20 22:46 -------- d-----w- c:\program files\eMusic Download Manager
2011-01-19 02:08 . 2011-01-19 02:08 -------- d-----w- c:\windows\FLV Player
2011-01-19 02:08 . 2011-01-19 02:08 -------- d-----w- c:\program files\FLV Player

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-01-21 14:44 . 2004-08-10 18:51 439296 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-07 14:09 . 2004-08-10 18:50 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-12-31 13:10 . 2004-08-10 18:51 1854976 ----a-w- c:\windows\system32\win32k.sys
2010-12-22 12:34 . 2004-08-10 18:51 301568 ----a-w- c:\windows\system32\kerberos.dll
2010-12-20 23:08 . 2004-08-10 18:51 832512 ----a-w- c:\windows\system32\wininet.dll
2010-12-20 23:08 . 2004-08-10 18:51 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-12-20 23:08 . 2004-08-10 18:51 1830912 ----a-w- c:\windows\system32\inetcpl.cpl
2010-12-20 23:08 . 2004-08-10 18:50 17408 ------w- c:\windows\system32\corpol.dll
2010-12-20 17:26 . 2004-08-10 18:51 730112 ----a-w- c:\windows\system32\lsasrv.dll
2010-12-20 12:55 . 2004-08-10 18:51 389120 ----a-w- c:\windows\system32\html.iec
2010-12-09 15:15 . 2004-08-10 18:51 718336 ----a-w- c:\windows\system32\ntdll.dll
2010-12-09 14:30 . 2004-08-10 18:50 33280 ----a-w- c:\windows\system32\csrsrv.dll
2010-12-09 13:38 . 2004-08-10 18:51 2192768 ------w- c:\windows\system32\ntoskrnl.exe
2010-12-09 13:07 . 2004-08-04 04:59 2069376 ------w- c:\windows\system32\ntkrnlpa.exe
2010-11-29 22:38 . 2010-11-29 22:38 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-11-29 22:38 . 2010-11-29 22:38 69632 ----a-w- c:\windows\system32\QuickTime.qts
2010-11-18 18:12 . 2004-08-10 19:02 81920 ----a-w- c:\windows\system32\isign32.dll
2009-09-03 22:37 . 2009-09-03 22:37 10437264 ----a-w- c:\program files\mozilla firefox\plugins\PDFNetC.dll
2009-09-03 22:58 . 2009-09-03 22:58 107760 ----a-w- c:\program files\mozilla firefox\plugins\ScorchPDFWrapper.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B7CF5C23-CA56-440B-8E87-8E2D05BE2113}]
2010-07-15 23:40 3069952 ----a-w- c:\program files\Video Bash Toolbar\VideoDownloader.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{283B4AA3-1B7A-46E6-B56D-90EF4743FB2C}"= "c:\program files\Video Bash Toolbar\VideoDownloader.dll" [2010-07-15 3069952]

[HKEY_CLASSES_ROOT\clsid\{283b4aa3-1b7a-46e6-b56d-90ef4743fb2c}]
[HKEY_CLASSES_ROOT\VideoDownloader.VideoDownloaderBand.1]
[HKEY_CLASSES_ROOT\TypeLib\{1EA80D6E-79D4-483F-AF7C-52851C945761}]
[HKEY_CLASSES_ROOT\VideoDownloader.VideoDownloaderBand]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"Aim"="c:\program files\AIM\aim.exe" [2010-09-16 4425048]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-06-24 729178]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-10-15 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-10-15 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-10-15 114688]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-30 385024]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-12-06 127035]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2005-06-02 48752]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2005-06-24 85696]
"dellsupportcenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-03-17 47392]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-12-13 421160]
"BabylonToolbar"="c:\program files\BabylonToolbar\BabylonToolbar\1.4.15.13\BabylonToolbarsrv.exe" [2010-08-09 286720]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
McAfee Security Scan Plus.lnk - c:\program files\McAfee Security Scan\2.0.181\SSScheduler.exe [2010-1-15 255536]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
2004-09-07 22:08 110592 ----a-w- c:\program files\Intel\Wireless\Bin\LgNotify.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\katrack.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\1138159224\\ee\\aolsoftware.exe"=
"c:\\Program Files\\Common Files\\AOL\\1138159224\\ee\\aim6.exe"=
"c:\\WINDOWS\\keyacc32.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Trillian\\trillian.exe"=
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\AIM\\aim.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 1:25 PM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 1:41 PM 67656]
R2 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [6/23/2005 7:27 PM 124608]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [1/15/2010 7:49 AM 227232]
S3 usb2vcom;USB Data Cable;c:\windows\system32\drivers\usb2vcom.sys [8/27/2007 7:59 PM 22760]

--- Other Services/Drivers In Memory ---

*Deregistered* - EraserUtilDrvI10
.
Contents of the 'Scheduled Tasks' folder

2011-02-12 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2011-02-14 c:\windows\Tasks\User_Feed_Synchronization-{11541EB8-B78E-4804-9C10-64370FF9CF91}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 16:58]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://search.babylon.com/home?AF=16273
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
IE: Translate this web page with Babylon
IE: Translate with Babylon
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
DPF: {C68F9105-04FD-4B48-B6CC-2A076F711C35} - file://d:\memdisc\ALBUM_A\VIEW\PLUGIN\HPODPCFC.CAB
FF - ProfilePath - c:\documents and settings\William Tatum\Application Data\Mozilla\Firefox\Profiles\q8et4qcx.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.babylon.com/web/{searchTerms}?babsrc=browsersearch&AF=16273
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.bbc.co.uk/news/
FF - prefs.js: keyword.URL - hxxp://utils.babylon.com/abt/index.php?url=
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 60202
FF - prefs.js: network.proxy.type - 4
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Ext: Media Pimp: media.pimp@mediapimp.com - %profile%\extensions\media.pimp@mediapimp.com
FF - Ext: Babylon: ffxtlbr@babylon.com - %profile%\extensions\ffxtlbr@babylon.com
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - user.js: yahoo.homepage.dontask - true);user_pref(network.protocol-handler.warn-external.dnupdate, false
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-02-14 13:24
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1548)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
c:\program files\Intel\Wireless\Bin\LgNotify.dll

- - - - - - - > 'explorer.exe'(4052)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2011-02-14 13:30:56
ComboFix-quarantined-files.txt 2011-02-14 18:30
ComboFix2.txt 2011-02-13 03:21
ComboFix3.txt 2011-02-09 05:09
ComboFix4.txt 2010-01-27 02:49

Pre-Run: 9,946,394,624 bytes free
Post-Run: 9,932,374,016 bytes free

- - End Of File - - 1C0B9CF679858060AF9F2857A8B4D381
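The ComboFix output above carries several indicators that a helper reads by eye: Internet Explorer and Firefox proxied through 127.0.0.1:60202, a non-empty AppInit_DLLs value, a system+hidden DLL in system32, and Security Center monitoring switched off for the installed AV. As an added example that is not part of this thread, of ComboFix, or of any tool the posts mention, the script below applies those checks to ComboFix-style log text. The line formats are taken from the logs posted here; the rule names, the `triage` and `Finding` names, and the sample lines (constructed from entries in the logs above) are this example's own. Note the edge case the proxy rule handles: `ProxyOverride = localhost;*.local` is the proxy bypass list, not a proxy, and is not flagged.

```python
"""Triage a ComboFix-style log for the hijack indicators seen in this thread.

Added example, not part of ComboFix or of any post in the thread.  The line
shapes (file listing, REGEDIT4 headers, "uInternet Settings" and
"FF - prefs.js" entries) are taken from the logs posted there; the rule names
and what each rule flags are this example's own choices.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class Finding:
    rule: str
    detail: str


# Constructed sample: a handful of lines in the formats ComboFix prints.
SAMPLE_LOG = """\
uInternet Settings,ProxyOverride = localhost;*.local
uInternet Settings,ProxyServer = http=127.0.0.1:60202
2011-01-29 22:38 . 2011-01-29 22:38 86016 --sha-r- c:\\windows\\system32\\winscardh.dll
2011-01-30 16:33 . 2010-11-30 16:22 38224 ----a-w- c:\\windows\\system32\\drivers\\mbamswissarmy.sys
2011-02-04 21:59 . 2011-02-04 21:59 -------- d-----w- c:\\program files\\Babylon
[HKEY_LOCAL_MACHINE\\software\\microsoft\\windows nt\\currentversion\\windows]
"AppInit_DLLs"=c:\\windows\\katrack.dll
[HKEY_LOCAL_MACHINE\\software\\microsoft\\security center\\Monitoring\\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\\~\\services\\sharedaccess\\parameters\\firewallpolicy\\standardprofile]
"DisableNotifications"= 1 (0x1)
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 60202
FF - prefs.js: network.proxy.type - 4
"""

# ComboFix file line: "<mtime> . <ctime> <size|--------> <attrs> <path>"; attrs is
# an 8-char field where index 0 is 'd' for directories, 2 = system, 3 = hidden.
FILE_LINE = re.compile(
    r"^\d{4}-\d\d-\d\d \d\d:\d\d \. \d{4}-\d\d-\d\d \d\d:\d\d\s+"
    r"(?P<size>\d+|-{8})\s+(?P<attrs>[-a-z?]{8})\s+(?P<path>.+?)\s*$"
)
REG_KEY = re.compile(r"^\[(?P<key>[^\]]+)\]$")
IE_PROXY = re.compile(r"^uInternet Settings,ProxyServer\s*=\s*(?P<value>.+)$")
FF_PROXY = re.compile(
    r"^FF - prefs\.js: network\.proxy\.(?P<name>http|ssl|ftp|socks)"
    r"(?P<port>_port)? - (?P<value>.+)$"
)
APPINIT = re.compile(r'^"AppInit_DLLs"=(?P<value>.*)$')
DISABLE_MON = re.compile(r'^"DisableMonitoring"=dword:0*1$')
LOOPBACK = re.compile(r"(?<![\w.])(127\.\d+\.\d+\.\d+|localhost)(?![\w.])", re.I)
SYSTEM32 = "c:\\windows\\system32\\"
SECURITY_CENTER = "\\security center\\monitoring\\"


def triage(lines: Iterable[str]) -> List[Finding]:
    """Return the suspicious entries found in ComboFix-style log lines, in log order."""
    findings: List[Finding] = []
    current_key = ""               # most recent "[HKEY_...]" header; value lines belong to it
    ff_proxy: Dict[str, str] = {}  # Firefox host/port prefs, joined after the pass
    for raw in lines:
        line = raw.rstrip("\r\n")
        m = REG_KEY.match(line)
        if m:
            current_key = m.group("key")
            continue
        # Browser traffic routed to the local host: something on the box is proxying it.
        # ProxyOverride is a bypass list, so "localhost" there is deliberately not matched.
        m = IE_PROXY.match(line)
        if m and LOOPBACK.search(m.group("value")):
            findings.append(Finding("proxy_to_loopback", "IE: " + m.group("value").strip()))
            continue
        m = FF_PROXY.match(line)
        if m:
            ff_proxy[m.group("name") + (m.group("port") or "")] = m.group("value").strip()
            continue
        # AppInit_DLLs is loaded into every process that maps user32.dll.
        m = APPINIT.match(line)
        if m and m.group("value").strip():
            findings.append(Finding("appinit_dll", m.group("value").strip()))
            continue
        # Security Center told to stop monitoring an AV/firewall product. Legitimate
        # suites set this too, so it is context for the other findings, not proof.
        if DISABLE_MON.match(line) and SECURITY_CENTER in current_key.lower():
            findings.append(Finding("security_center_disabled", current_key.rsplit("\\", 1)[-1]))
            continue
        # System+hidden files (not directories) anywhere under system32.
        m = FILE_LINE.match(line)
        if m:
            attrs, path = m.group("attrs"), m.group("path")
            if (attrs[0] != "d" and attrs[2] == "s" and attrs[3] == "h"
                    and path.lower().startswith(SYSTEM32)):
                findings.append(Finding("hidden_system_file", f"{path} ({attrs})"))
    for proto in ("http", "ssl", "ftp", "socks"):
        host = ff_proxy.get(proto)
        if host and LOOPBACK.search(host):
            port = ff_proxy.get(proto + "_port", "?")
            findings.append(Finding("proxy_to_loopback", f"Firefox {proto}: {host}:{port}"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG.splitlines()):
        print(f"{f.rule:26} {f.detail}")
```

A loopback proxy finding is only half the picture: on the live machine, `netstat -ano` shows which PID is listening on the port (60202 here), and that process is the component to quarantine; the registry and prefs.js entries are just the way the browsers were pointed at it. The DisableMonitoring rule is deliberately low confidence because AV suites set that value themselves to suppress duplicate Security Center alerts.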

#10 WillT (Topic Starter)

Posted 14 February 2011 - 04:50 PM

Here is the Eset scan log

C:\Documents and Settings\All Users\Application Data\AOL Downloads\SUD4131\setup.exe probably a variant of Win32/Agent.HZHBURL trojan cleaned by deleting - quarantined
C:\Documents and Settings\William Tatum\Application Data\Sun\Java\Deployment\cache\6.0\9\10a6a7c9-7c24c050 a variant of Java/Exploit.CVE-2010-0844.A trojan deleted - quarantined
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\atapi.sys.vir Win32/Olmarik.SJ trojan cleaned - quarantined
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP11\A0003000.exe probably a variant of Win32/Agent.HZHBURL trojan cleaned by deleting - quarantined

#11 m0le (Malware Response Team, London, UK)

Posted 14 February 2011 - 05:51 PM

You had already run Combofix before you came here.

You should not run ComboFix unless you are specifically asked to by a helper. Also, due to the power of this tool it is strongly advised that you do not attempt to act upon any of the information displayed by ComboFix without supervision from someone who has been properly trained. If you do so, it may lead to problems with the normal functionality of your computer.


Please run Combofix again

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the box below into it:

Firefox::
FF - ProfilePath - c:\documents and settings\William Tatum\Application Data\Mozilla\Firefox\Profiles\q8et4qcx.default\
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 60202


Save this as CFScript.txt, in the same location as Comfix.exe (called ComboFix.exe in the below graphic)


[image]

Referring to the picture above, drag CFScript into ComboFix.exe

If the program asks you to update ComboFix then click Yes.

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.


The aaa program needs to be found

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    :filefind
    aaa
    :folderfind
    aaa
    
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

#12 WillT (Topic Starter)

Posted 14 February 2011 - 10:07 PM

I did run combofix after posting my initial query here, since my computer was locking up and not accessing the internet. I've never acted on the scans.

Is Babylon some sort of viral browser?

System Look did not find any folders with the aaa name.

Logs attached.


#13 m0le (Malware Response Team, London, UK)

Posted 15 February 2011 - 04:47 PM

Babylon is a toolbar translator. It's legitimate but were you aware of it being there?

Can you run SystemLook again but with the following script

:regfind
aaa


#14 WillT (Topic Starter)

Posted 15 February 2011 - 09:26 PM

I was not aware of Babylon being installed on my machine and it has only appeared recently.

Attached is the log of the systemlook search for today.

Thank you for your continuing help!


#15 m0le (Malware Response Team, London, UK)

Posted 16 February 2011 - 07:11 PM

We can remove the aaa folder on SystemLook but I want to see a bit more of the system. Please use the OTL scanner

  • Download OTL to your desktop.
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Under the Standard Registry box change it to All.
  • Check the boxes beside LOP Check and Purity Check.
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply.




