
Help! Unknown Virus


This topic is locked
8 replies to this topic

#1 roberta47

  • Members
  • 55 posts

Posted 07 February 2011 - 03:33 PM

Hi. I'm using an HP desktop running Win XP Home, SP3, with a P4 processor running at 2.4 GHz and 2 GB RAM.

I noticed that one of those random letter files (owaheridub.dll) was running at startup. No matter how many times I deleted the file and associated registry entries, it reinstalled. The virus keeps changing my IE connection settings to use a proxy, which makes it impossible to connect to the internet until it is reset.

Following is my DDS scan and attached are the DDS Attack.txt and the Gmer results. Just for good measure, I am including the results of a hijackthis log. Any help you can give me will be greatly appreciated.


DDS (Ver_10-12-12.02) - NTFSx86
Run by Judith at 14:39:49.67 on Mon 02/07/2011
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_20
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2047.1302 [GMT -5:00]

AV: Antivir Solution Pro *Enabled/Updated* {2CC57799-C906-4c6b-B4A0-B77E78EBF31B}
AV: Advanced Security Tool 2010 *Disabled/Updated* {70e00e3b-806e-4533-925c-f4c3d79514b9}
AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
AV: Smart Internet Protection 2011 *Enabled/Updated* {EEF77525-EF16-4507-BC64-F75E306B7622}
AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
FW: Smart Internet Protection 2011 *Enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9LA.EXE
C:\WINDOWS\system32\mnmsrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\MDM.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Judith\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://www.google.com/
uDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyServer = http=127.0.0.1:25391
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
TB: Windows Live Toolbar: {bdad1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
TB: ShopAtHome.com Toolbar: {98279c38-de4b-4bcf-93c9-8ec26069d6f4} - c:\program files\selectrebates\toolbar\ShopAtHomeToolbar.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [EPSON Stylus Photo R1800] c:\windows\system32\spool\drivers\w32x86\3\E_FATI9LA.EXE /P24 "EPSON Stylus Photo R1800" /M "Stylus Photo R1800" /EF "HKCU"
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [EPSON Stylus Photo R1800 (Copy 1)] c:\windows\system32\spool\drivers\w32x86\3\E_FATI9LA.EXE /P33 "EPSON Stylus Photo R1800 (Copy 1)" /O5 "LPT1:" /M "Stylus Photo R1800"
mRun: [CarboniteSetupLite] "c:\program files\carbonite\CarbonitePreinstaller.exe" /preinstalled /showonfirst /reshowat=1800
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSConfig.exe /auto
mRun: [Ufegufapifovavox] rundll32.exe "c:\windows\owaheridub.dll",Startup
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
uPolicies-explorer: DisallowRun = 1 (0x1)
uPolicies-disallowrun: 0 = msseces.exe
uPolicies-disallowrun: 1 = MSASCui.exe
uPolicies-disallowrun: 2 = ekrn.exe
uPolicies-disallowrun: 3 = egui.exe
uPolicies-disallowrun: 4 = avgnt.exe
uPolicies-disallowrun: 5 = avcenter.exe
uPolicies-disallowrun: 6 = avscan.exe
uPolicies-disallowrun: 7 = avgfrw.exe
uPolicies-disallowrun: 8 = avgui.exe
uPolicies-disallowrun: 9 = avgtray.exe
uPolicies-disallowrun: 10 = avgscanx.exe
uPolicies-disallowrun: 11 = avgcfgex.exe
uPolicies-disallowrun: 12 = avgemc.exe
uPolicies-disallowrun: 13 = avgchsvx.exe
uPolicies-disallowrun: 14 = avgcmgr.exe
uPolicies-disallowrun: 15 = avgwdsvc.exe
mPolicies-system: EnableLUA = 0 (0x0)
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
Trusted Zone: gmail.com
Trusted Zone: google.com\mail
Trusted Zone: schwab.com\remote
Trusted Zone: schwab.com\remote2
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
IFEO: image file execution options - svchost.exe

============= SERVICES / DRIVERS ===============

R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-3-25 165264]
R1 MpKsl058c7861;MpKsl058c7861;c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{34497e5c-2618-4431-a074-3de5067824a2}\MpKsl058c7861.sys [2011-2-7 28752]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
S1 NEOFLTR_530_11563;Juniper Networks TDI Filter Driver (NEOFLTR_530_11563);\??\c:\windows\system32\drivers\neofltr_530_11563.sys --> c:\windows\system32\drivers\NEOFLTR_530_11563.SYS [?]

=============== Created Last 30 ================

2011-02-07 18:31:33 28752 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\microsoft antimalware\definition updates\{34497e5c-2618-4431-a074-3de5067824a2}\MpKsl058c7861.sys
2011-02-03 15:28:11 5890896 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\microsoft antimalware\definition updates\{34497e5c-2618-4431-a074-3de5067824a2}\mpengine.dll
2011-02-02 17:30:28 -------- d-----w- c:\docume~1\judith\applic~1\SUPERAntiSpyware.com
2011-02-02 17:30:28 -------- d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2011-02-02 17:30:13 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-02-01 18:40:30 -------- d-sh--w- c:\docume~1\judith\applic~1\Smart Internet Protection 2011
2011-02-01 18:40:29 -------- d-sh--w- c:\docume~1\alluse~1\applic~1\SIUNLUVOFTP
2011-01-31 15:25:34 -------- d-----w- c:\program files\DocsOpener
2011-01-26 01:18:59 5890896 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\microsoft antimalware\definition updates\updates\mpengine.dll
2011-01-26 01:18:50 -------- d-----w- c:\program files\Microsoft Security Client

==================== Find3M ====================

2011-02-07 19:18:04 0 ----a-w- c:\windows\Ktiwegohewatebic.bin
2010-12-02 03:35:18 4280320 ----a-w- c:\windows\system32\GPhotos.scr
2010-11-18 18:12:44 81920 ----a-w- c:\windows\system32\isign32.dll

=================== ROOTKIT ====================

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: WDC_WD400BB-75DEA0 rev.05.03E05 -> Harddisk0\DR0 -> \Device\Ide\IdePort0 P0T0L0-3

device: opened successfully
user: MBR read successfully

Disk trace:
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8A92459F]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x8a92a7b0]; MOV EAX, [0x8a92a82c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 nt!IofCallDriver[0x804E37D5] -> \Device\Harddisk0\DR0[0x8A9D3AB8]
3 CLASSPNP[0xF7637FD7] -> nt!IofCallDriver[0x804E37D5] -> [0x8A98A5D0]
\Driver\atapi[0x8A981A48] -> IRP_MJ_CREATE -> 0x8A92459F
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
\Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskWDC_WD400BB-75DEA0______________________05.03E05#4457572d414d3144364137343632_038_0_0_0_0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\atapi DriverStartIo -> 0x8A9243E5
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !

============= FINISH: 14:42:07.48 ===============


Hijackthis log:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 3:33:15 PM, on 2/7/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\mnmsrvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9LA.EXE
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\MDM.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Judith\Desktop\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:25391
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [EPSON Stylus Photo R1800 (Copy 1)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9LA.EXE /P33 "EPSON Stylus Photo R1800 (Copy 1)" /O5 "LPT1:" /M "Stylus Photo R1800"
O4 - HKLM\..\Run: [CarboniteSetupLite] "C:\Program Files\Carbonite\CarbonitePreinstaller.exe" /preinstalled /showonfirst /reshowat=1800
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [Ufegufapifovavox] rundll32.exe "C:\WINDOWS\owaheridub.dll",Startup
O4 - HKLM\..\RunOnce: [!CleanupNetMeetingDispDriver] "C:\WINDOWS\system32\rundll32.exe" msconf.dll,CleanupNetMeetingDispDriver 0
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [EPSON Stylus Photo R1800] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9LA.EXE /P24 "EPSON Stylus Photo R1800" /M "Stylus Photo R1800" /EF "HKCU"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.gmail.com
O15 - Trusted Zone: remote.schwab.com
O15 - Trusted Zone: remote2.schwab.com
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 5731 bytes
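The DDS output above carries the indicators a helper reads first: the IE proxy forced to 127.0.0.1, a rundll32 Run entry loading a random-named DLL straight from c:\windows, a DisallowRun policy listing anti-virus executables, EnableLUA=0, an IFEO entry for svchost.exe, and the Gmer hook/warning lines. The triage script below is an added example and is not part of the thread or of the DDS tool; the rule names, severities, the SECURITY_TOOLS set and the trimmed sample log are my own constructions modelled on the log above.

```python
"""Offline triage of a DDS log for the indicator types seen in this thread.

Added example (not from the thread or the DDS tool): walks the
"Pseudo HJT Report" and "ROOTKIT" sections and reports the settings a
malware-removal helper would look at first. Rule names are assumptions.
"""
import re
from dataclasses import dataclass

# Constructed excerpt modelled on the DDS output above (trimmed, not the real log).
SAMPLE_DDS = r"""
============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyServer = http=127.0.0.1:25391
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [Ufegufapifovavox] rundll32.exe "c:\windows\owaheridub.dll",Startup
mRunOnce: [!CleanupNetMeetingDispDriver] "c:\windows\system32\rundll32.exe" msconf.dll,CleanupNetMeetingDispDriver 0
uPolicies-explorer: DisallowRun = 1 (0x1)
uPolicies-disallowrun: 0 = msseces.exe
uPolicies-disallowrun: 1 = avgnt.exe
mPolicies-system: EnableLUA = 0 (0x0)
IFEO: image file execution options - svchost.exe

=================== ROOTKIT ====================

detected hooks:
\Driver\atapi DriverStartIo -> 0x8A9243E5
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !

============= FINISH: 14:42:07.48 ===============
"""

# Process names of security tools; a sample set drawn from the DisallowRun list in the log.
SECURITY_TOOLS = {"msseces.exe", "msascui.exe", "ekrn.exe", "egui.exe",
                  "avgnt.exe", "avcenter.exe", "avscan.exe", "avgui.exe"}

SECTION_RE = re.compile(r"^=+\s*(?P<name>.*?)\s*=+$")
PROXY_RE = re.compile(r"ProxyServer\s*=\s*(?:\w+=)?(?P<proxy>\S+)", re.I)
RUN_RE = re.compile(r"^[umd]Run(?:Once)?:\s*\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$", re.I)
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?"?\s+"?(?P<dll>[^",]+\.dll)', re.I)
DISALLOW_RE = re.compile(r"^[um]Policies-disallowrun:\s*\d+\s*=\s*(?P<exe>\S+)", re.I)
LUA_OFF_RE = re.compile(r"Policies-system:\s*EnableLUA\s*=\s*0\b", re.I)
HOOK_RE = re.compile(r"^\\Driver\\\S+\s+\S+\s*->\s*0x[0-9A-F]+$", re.I)


@dataclass
class Finding:
    severity: str  # "high" or "medium"
    rule: str
    detail: str


def is_loopback_proxy(proxy: str) -> bool:
    """True when IE is pointed at a proxy on the local host (127.x or localhost)."""
    host = proxy.rsplit(":", 1)[0].lower()
    return host == "localhost" or host.startswith("127.")


def dll_in_windows_root(cmd: str) -> bool:
    """True when a Run entry uses rundll32 to load a DLL placed directly in %windir%."""
    m = RUNDLL_RE.search(cmd)
    if not m:
        return False
    dll = m.group("dll").strip().lower()
    # Legitimate rundll32 targets live in system32; a DLL sitting in c:\windows itself is unusual.
    return re.fullmatch(r"[a-z]:\\windows\\[^\\]+\.dll", dll) is not None


def triage(log_text: str) -> list:
    """Return a list of Finding objects for the suspicious lines in a DDS log."""
    findings, section, blocked = [], "", []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        sec = SECTION_RE.match(line)
        if sec:
            section = sec.group("name").upper()
            continue
        if section.startswith("PSEUDO HJT"):
            if (m := PROXY_RE.search(line)) and is_loopback_proxy(m.group("proxy")):
                findings.append(Finding("high", "loopback-proxy", m.group("proxy")))
            elif (m := RUN_RE.match(line)) and dll_in_windows_root(m.group("cmd")):
                findings.append(Finding("high", "rundll32-windows-root", m.group("name")))
            elif m := DISALLOW_RE.match(line):
                blocked.append(m.group("exe").lower())
            elif LUA_OFF_RE.search(line):
                findings.append(Finding("medium", "uac-disabled", line))
            elif line.upper().startswith("IFEO:"):
                findings.append(Finding("medium", "ifeo-entry", line))
        elif section == "ROOTKIT":
            if HOOK_RE.match(line):
                findings.append(Finding("high", "driver-hook", line))
            elif line.lower().startswith("warning:"):
                findings.append(Finding("high", "rootkit-warning", line))
    # A DisallowRun policy naming security tools is reported once, with the matching names.
    hits = sorted(set(blocked) & SECURITY_TOOLS)
    if hits:
        findings.append(Finding("high", "disallowrun-security-tools", ", ".join(hits)))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_DDS):
        print(f"[{f.severity:6}] {f.rule}: {f.detail}")
```

The benign RunOnce line that calls rundll32 on msconf.dll is deliberately in the sample and is not flagged, since the DLL is not in the c:\windows root.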


#2 SweetTech (Agent ST)

  • Members
  • 13,421 posts
  • Gender:Male
  • Location:Antarctica

Posted 09 February 2011 - 12:54 PM

Hello and welcome to the forums!

My secret agent name on the forums is SweetTech (you can call me ST for short), it's a pleasure to meet you. :)

I am very sorry for the delay in responding, but as you can see we are at the moment being flooded with logs, which, when paired with the never-ending shortage of helpers, has resulted in the delayed response to your thread.

I would be glad to take a look at your log and help you with solving any malware problems.

If you have since resolved the issues you were originally experiencing, or have received help elsewhere, please inform me so that this topic can be closed.

If you have not, please adhere to the guidelines below and then follow instructions as outlined further below:

  • Logs from malware removal programs (OTL is one of them) can take some time to analyze. I need you to be patient while I analyze any logs you post. Please remember, I am a volunteer, and I do have a life outside of these forums.
  • Please make sure to carefully read any instruction that I give you. Attention to detail is important! Since I cannot see or directly interact with your computer I am dependent on you to "be my eyes" and provide as much information as you can regarding the current state of your computer.
  • If you're not sure, or if something unexpected happens, do NOT continue! Stop and ask!
  • These instructions have been specifically tailored to your computer and the issues you are experiencing with your computer. It's important to note that these instructions are not suitable for any other computer, even if the issues are fairly similar.
  • Do not do things I do not ask for, such as running a spyware scan on your computer. The one thing that you should always do is to make sure that your anti-virus definitions are up-to-date!
  • Please do not use the Attachment feature for any log file. Do a Copy/Paste of the entire contents of the log file and submit it inside your post.
  • I am going to stick with you until ALL malware is gone from your system. I would appreciate it if you would do the same. From this point, we're in this together ;)
    Because of this, you must reply within three days; failure to reply will result in the topic being closed!
  • Please do not PM me directly for help. If you have any questions, post them in this topic.
  • Lastly, I am no magician. I will try very hard to fix your issues, but no promises can be made. Also be aware that some infections are so severe that you might need to resort to reformatting and reinstalling your operating system.
    Don't worry, this only happens in severe cases, but it sadly does happen. Be prepared to back up your data. Have means of backing up your data available.

____________________________________________________

Running TDSSKiller

Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop.
  • Once extracted, open the TDSSKiller folder and double-click on TDSSKiller.exe to run the application, then on Start Scan.

  • If an infected file is detected, the default action will be Cure, click on Continue.

  • If a suspicious file is detected, the default action will be Skip, click on Continue.

  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.

  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.


NEXT:



Running OTL

We need to create an OTL Report
  • Please download OTL from one of the following mirrors:
  • Save it to your desktop.
  • Double click on the OTL icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Push the scan button.
  • Two reports will open, copy and paste them in a reply here:
    • OTListIt.txt <-- Will be opened
    • Extra.txt <-- Will be minimized

Have I helped you? If you'd like to assist in the fight against malware, click here.


The instructions seen in this post have been specifically tailored to this user and the issues they are experiencing with their computer. If you think you have a similar problem, please first read this topic, and then begin your own, new thread. I do not offer private support via Private Message.


#3 roberta47 (Topic Starter)

  • Members
  • 55 posts

Posted 09 February 2011 - 07:24 PM

Thank you very much for helping me. I will get on these instructions tonight and get back to you ASAP.

Roberta

#4 SweetTech (Agent ST)

  • Members
  • 13,421 posts
  • Gender:Male
  • Location:Antarctica

Posted 09 February 2011 - 09:33 PM

Hello Roberta,

I am signing off my computer for the evening, but I will respond back to your thread tomorrow afternoon, after I've looked at the logs that you will be posting for me later.

Kindest Regards,
SweetTech.



#5 roberta47 (Topic Starter)

  • Members
  • 55 posts

Posted 11 February 2011 - 08:46 AM

SweetTech, here are the reports you requested:

2011/02/09 19:59:56.0656 3576 TDSS rootkit removing tool 2.4.16.0 Feb 1 2011 10:34:03
2011/02/09 19:59:56.0828 3576 ================================================================================
2011/02/09 19:59:56.0828 3576 SystemInfo:
2011/02/09 19:59:56.0828 3576
2011/02/09 19:59:56.0828 3576 OS Version: 5.1.2600 ServicePack: 3.0
2011/02/09 19:59:56.0828 3576 Product type: Workstation
2011/02/09 19:59:56.0828 3576 ComputerName: FAMILYPC
2011/02/09 19:59:56.0828 3576 UserName: Judith
2011/02/09 19:59:56.0828 3576 Windows directory: C:\WINDOWS
2011/02/09 19:59:56.0828 3576 System windows directory: C:\WINDOWS
2011/02/09 19:59:56.0828 3576 Processor architecture: Intel x86
2011/02/09 19:59:56.0828 3576 Number of processors: 1
2011/02/09 19:59:56.0828 3576 Page size: 0x1000
2011/02/09 19:59:56.0828 3576 Boot type: Normal boot
2011/02/09 19:59:56.0828 3576 ================================================================================
2011/02/09 19:59:57.0437 3576 Initialize success
2011/02/09 20:00:09.0281 2892 ================================================================================
2011/02/09 20:00:09.0281 2892 Scan started
2011/02/09 20:00:09.0281 2892 Mode: Manual;
2011/02/09 20:00:09.0281 2892 ================================================================================
2011/02/09 20:00:10.0484 2892 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2011/02/09 20:00:10.0687 2892 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
2011/02/09 20:00:10.0968 2892 aeaudio (11c04b17ed2abbb4833694bcd644ac90) C:\WINDOWS\system32\drivers\aeaudio.sys
2011/02/09 20:00:11.0156 2892 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
2011/02/09 20:00:11.0375 2892 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys
2011/02/09 20:00:11.0562 2892 AFS2K (0ebb674888cbdefd5773341c16dd6a07) C:\WINDOWS\system32\drivers\AFS2K.sys
2011/02/09 20:00:11.0796 2892 agp440 (08fd04aa961bdc77fb983f328334e3d7) C:\WINDOWS\system32\DRIVERS\agp440.sys
2011/02/09 20:00:12.0906 2892 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2011/02/09 20:00:13.0109 2892 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
2011/02/09 20:00:13.0484 2892 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2011/02/09 20:00:13.0734 2892 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2011/02/09 20:00:13.0953 2892 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2011/02/09 20:00:14.0125 2892 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2011/02/09 20:00:14.0671 2892 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2011/02/09 20:00:14.0937 2892 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
2011/02/09 20:00:15.0109 2892 Cdr4_xp (61f337d58de21c56a4671181a6fb860d) C:\WINDOWS\system32\drivers\Cdr4_xp.sys
2011/02/09 20:00:15.0359 2892 Cdralw2k (247357d9169439d04e233b404df5220c) C:\WINDOWS\system32\drivers\Cdralw2k.sys
2011/02/09 20:00:15.0609 2892 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2011/02/09 20:00:15.0890 2892 cdudf_xp (f52e4300f60b0dae38f3df8490f4aa2e) C:\WINDOWS\system32\drivers\cdudf_xp.sys
2011/02/09 20:00:16.0843 2892 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
2011/02/09 20:00:17.0062 2892 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
2011/02/09 20:00:17.0328 2892 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
2011/02/09 20:00:17.0562 2892 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2011/02/09 20:00:17.0828 2892 DMusic (a6f881284ac1150e37d9ae47ff601267) C:\WINDOWS\system32\drivers\DMusic.sys
2011/02/09 20:00:18.0125 2892 drmkaud (1ed4dbbae9f5d558dbba4cc450e3eb2e) C:\WINDOWS\system32\drivers\drmkaud.sys
2011/02/09 20:00:18.0390 2892 DVDVRRdr_xp (59187cdb91ef46c521d14544f546bd67) C:\WINDOWS\system32\drivers\DVDVRRdr_xp.sys
2011/02/09 20:00:18.0671 2892 dvd_2K (6a7b79038a4872b41cda08be7319b60f) C:\WINDOWS\system32\drivers\dvd_2K.sys
2011/02/09 20:00:18.0921 2892 E100B (98b46b331404a951cabad8b4877e1276) C:\WINDOWS\system32\DRIVERS\e100b325.sys
2011/02/09 20:00:19.0218 2892 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
2011/02/09 20:00:19.0625 2892 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
2011/02/09 20:00:19.0906 2892 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
2011/02/09 20:00:20.0171 2892 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys
2011/02/09 20:00:20.0343 2892 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
2011/02/09 20:00:20.0734 2892 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2011/02/09 20:00:21.0062 2892 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2011/02/09 20:00:21.0468 2892 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2011/02/09 20:00:21.0750 2892 hidusb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
2011/02/09 20:00:22.0171 2892 HSFHWBS2 (77e4ff0b73bc0aeaaf39bf0c8104231f) C:\WINDOWS\system32\DRIVERS\HSFHWBS2.sys
2011/02/09 20:00:22.0437 2892 HSF_DP (60e1604729a15ef4a3b05f298427b3b1) C:\WINDOWS\system32\DRIVERS\HSF_DP.sys
2011/02/09 20:00:22.0765 2892 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
2011/02/09 20:00:23.0437 2892 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2011/02/09 20:00:23.0671 2892 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
2011/02/09 20:00:23.0875 2892 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys
2011/02/09 20:00:24.0093 2892 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
2011/02/09 20:00:24.0312 2892 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
2011/02/09 20:00:24.0500 2892 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2011/02/09 20:00:24.0718 2892 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2011/02/09 20:00:24.0953 2892 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2011/02/09 20:00:25.0265 2892 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2011/02/09 20:00:25.0453 2892 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
2011/02/09 20:00:25.0703 2892 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2011/02/09 20:00:26.0062 2892 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2011/02/09 20:00:26.0359 2892 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
2011/02/09 20:00:26.0593 2892 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
2011/02/09 20:00:26.0843 2892 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
2011/02/09 20:00:27.0250 2892 mdmxsdk (eeaea6514ba7c9d273b5e87c4e1aab30) C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys
2011/02/09 20:00:27.0453 2892 mmc_2K (02146b1bb2a3ec7cb3351d1481caf7d6) C:\WINDOWS\system32\drivers\mmc_2K.sys
2011/02/09 20:00:27.0640 2892 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2011/02/09 20:00:27.0859 2892 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
2011/02/09 20:00:28.0109 2892 MODEMCSA (1992e0d143b09653ab0f9c5e04b0fd65) C:\WINDOWS\system32\drivers\MODEMCSA.sys
2011/02/09 20:00:28.0312 2892 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2011/02/09 20:00:28.0515 2892 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
2011/02/09 20:00:28.0703 2892 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
2011/02/09 20:00:28.0890 2892 MpFilter (7e34bfa1a7b60bba1da03d677f16cd63) C:\WINDOWS\system32\DRIVERS\MpFilter.sys
2011/02/09 20:00:29.0156 2892 MpKsl77d3e472 (5f53edfead46fa7adb78eee9ecce8fdf) c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{34497E5C-2618-4431-A074-3DE5067824A2}\MpKsl77d3e472.sys
2011/02/09 20:00:29.0500 2892 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2011/02/09 20:00:29.0796 2892 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2011/02/09 20:00:30.0109 2892 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
2011/02/09 20:00:30.0328 2892 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2011/02/09 20:00:30.0546 2892 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2011/02/09 20:00:30.0750 2892 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
2011/02/09 20:00:30.0953 2892 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2011/02/09 20:00:31.0078 2892 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
2011/02/09 20:00:31.0343 2892 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
2011/02/09 20:00:31.0640 2892 ndiscm (b797ee2ef919c95561dee78b72b33e5b) C:\WINDOWS\system32\DRIVERS\NetMotCM.sys
2011/02/09 20:00:31.0828 2892 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2011/02/09 20:00:31.0968 2892 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2011/02/09 20:00:32.0109 2892 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2011/02/09 20:00:32.0375 2892 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
2011/02/09 20:00:32.0703 2892 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
2011/02/09 20:00:32.0921 2892 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
2011/02/09 20:00:33.0234 2892 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
2011/02/09 20:00:33.0515 2892 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
2011/02/09 20:00:33.0734 2892 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2011/02/09 20:00:33.0937 2892 nv (1685a86ce8dc5a70d307dca625fb50e7) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
2011/02/09 20:00:34.0203 2892 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2011/02/09 20:00:34.0437 2892 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2011/02/09 20:00:34.0703 2892 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
2011/02/09 20:00:34.0921 2892 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
2011/02/09 20:00:35.0078 2892 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2011/02/09 20:00:35.0312 2892 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
2011/02/09 20:00:35.0765 2892 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\drivers\PCIIde.sys
2011/02/09 20:00:35.0953 2892 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
2011/02/09 20:00:37.0203 2892 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2011/02/09 20:00:37.0453 2892 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
2011/02/09 20:00:37.0656 2892 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2011/02/09 20:00:37.0875 2892 pwd_2k (8d366ebbf19ce52497cd05f84f2d9d83) C:\WINDOWS\system32\drivers\pwd_2k.sys
2011/02/09 20:00:38.0937 2892 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2011/02/09 20:00:39.0187 2892 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2011/02/09 20:00:39.0437 2892 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2011/02/09 20:00:39.0640 2892 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2011/02/09 20:00:39.0843 2892 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2011/02/09 20:00:40.0109 2892 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2011/02/09 20:00:40.0406 2892 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
2011/02/09 20:00:40.0812 2892 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
2011/02/09 20:00:40.0968 2892 SASDIFSV (a3281aec37e0720a2bc28034c2df2a56) C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
2011/02/09 20:00:41.0031 2892 SASKUTIL (61db0d0756a99506207fd724e3692b25) C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS
2011/02/09 20:00:41.0281 2892 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2011/02/09 20:00:41.0500 2892 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
2011/02/09 20:00:41.0718 2892 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
2011/02/09 20:00:41.0953 2892 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
2011/02/09 20:00:42.0515 2892 smwdm (31fd0707c7dbe715234f2823b27214fe) C:\WINDOWS\system32\drivers\smwdm.sys
2011/02/09 20:00:42.0953 2892 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
2011/02/09 20:00:43.0140 2892 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
2011/02/09 20:00:43.0578 2892 Srv (0f6aefad3641a657e18081f52d0c15af) C:\WINDOWS\system32\DRIVERS\srv.sys
2011/02/09 20:00:43.0921 2892 StillCam (a9573045baa16eab9b1085205b82f1ed) C:\WINDOWS\system32\DRIVERS\serscan.sys
2011/02/09 20:00:44.0125 2892 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
2011/02/09 20:00:44.0375 2892 swmidi (94abc808fc4b6d7d2bbf42b85e25bb4d) C:\WINDOWS\system32\drivers\swmidi.sys
2011/02/09 20:00:45.0328 2892 sysaudio (650ad082d46bac0e64c9c0e0928492fd) C:\WINDOWS\system32\drivers\sysaudio.sys
2011/02/09 20:00:45.0656 2892 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2011/02/09 20:00:45.0906 2892 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
2011/02/09 20:00:46.0078 2892 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
2011/02/09 20:00:46.0328 2892 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
2011/02/09 20:00:46.0750 2892 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
2011/02/09 20:00:47.0437 2892 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
2011/02/09 20:00:47.0859 2892 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
2011/02/09 20:00:48.0187 2892 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2011/02/09 20:00:48.0453 2892 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2011/02/09 20:00:48.0734 2892 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
2011/02/09 20:00:48.0937 2892 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
2011/02/09 20:00:49.0140 2892 usbstor (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2011/02/09 20:00:49.0375 2892 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
2011/02/09 20:00:49.0578 2892 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
2011/02/09 20:00:49.0984 2892 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
2011/02/09 20:00:50.0250 2892 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2011/02/09 20:00:50.0703 2892 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
2011/02/09 20:00:51.0203 2892 winachsf (f59ed5a43b988a18ef582bb07b2327a7) C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys
2011/02/09 20:00:51.0593 2892 WpdUsb (cf4def1bf66f06964dc0d91844239104) C:\WINDOWS\system32\DRIVERS\wpdusb.sys
2011/02/09 20:00:51.0859 2892 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
2011/02/09 20:00:52.0093 2892 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
2011/02/09 20:00:52.0218 2892 \HardDisk0 - detected Rootkit.Win32.TDSS.tdl4 (0)
2011/02/09 20:00:52.0218 2892 ================================================================================
2011/02/09 20:00:52.0218 2892 Scan finished
2011/02/09 20:00:52.0218 2892 ================================================================================
2011/02/09 20:00:52.0250 1612 Detected object count: 1
2011/02/09 20:01:42.0812 1612 \HardDisk0 - will be cured after reboot
2011/02/09 20:01:42.0812 1612 Rootkit.Win32.TDSS.tdl4(\HardDisk0) - User select action: Cure
2011/02/09 20:01:52.0640 3272 Deinitialize success


and

OTL logfile created on: 2/10/2011 10:52:03 AM - Run 1
OTL by OldTimer - Version 3.2.20.6 Folder = C:\Documents and Settings\Judith\Desktop\tdsskiller
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.00 Gb Available Physical Memory | 74.00% Memory free
3.00 Gb Paging File | 2.00 Gb Available in Paging File | 81.00% Paging File free
Paging file location(s): C:\pagefile.sys 768 1536 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 37.24 Gb Total Space | 2.53 Gb Free Space | 6.81% Space Free | Partition Type: NTFS

Computer Name: FAMILYPC | User Name: Judith | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2011/02/10 10:51:18 | 000,602,624 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Judith\Desktop\tdsskiller\OTL.exe
PRC - [2011/01/13 10:41:38 | 002,424,560 | ---- | M] (SUPERAntiSpyware.com) -- C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
PRC - [2010/11/11 12:26:40 | 000,011,736 | ---- | M] (Microsoft Corporation) -- c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
PRC - [2010/09/23 03:47:16 | 000,349,616 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files\Adobe\Reader 9.0\Reader\AcroRd32.exe
PRC - [2010/09/01 19:36:49 | 000,202,256 | ---- | M] (RealNetworks, Inc.) -- C:\Program Files\Common Files\Real\Update_OB\realsched.exe
PRC - [2009/05/19 10:36:18 | 000,240,512 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
PRC - [2008/04/13 19:12:28 | 000,060,416 | ---- | M] (Microsoft Corporation) -- C:\Program Files\Outlook Express\msimn.exe
PRC - [2008/04/13 19:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2008/04/13 19:12:12 | 000,256,512 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\msagent\agentsvr.exe
PRC - [2004/09/08 02:00:00 | 000,098,304 | ---- | M] (SEIKO EPSON CORPORATION) -- C:\WINDOWS\system32\spool\drivers\w32x86\3\E_FATI9LA.EXE
PRC - [1999/03/18 00:38:00 | 008,798,260 | R--- | M] (Microsoft Corporation) -- C:\Program Files\Microsoft Office\Office\WINWORD.EXE
PRC - [1998/09/03 23:09:08 | 000,119,400 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\MDM.EXE


========== Modules (SafeList) ==========

MOD - [2011/02/10 10:51:18 | 000,602,624 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Judith\Desktop\tdsskiller\OTL.exe
MOD - [2010/08/23 11:12:02 | 001,054,208 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.6028_x-ww_61e65202\comctl32.dll
MOD - [2008/04/13 19:12:08 | 000,233,472 | ---- | M] () -- C:\WINDOWS\owaheridub.dll
MOD - [2008/04/13 19:11:51 | 000,279,552 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\ddraw.dll
MOD - [2008/04/13 19:11:51 | 000,008,704 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\dciman32.dll


========== Win32 Services (SafeList) ==========

SRV - [2010/11/11 12:26:40 | 000,011,736 | ---- | M] (Microsoft Corporation) [Auto | Running] -- c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe -- (MsMpSvc)
SRV - [2009/05/19 10:36:18 | 000,240,512 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe -- (SeaPort)


========== Driver Services (SafeList) ==========

DRV - [2011/02/10 09:42:50 | 000,028,752 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{B51F9AC5-14F8-42C5-8D84-C205897A10D9}\MpKslfa2c9c32.sys -- (MpKslfa2c9c32)
DRV - [2010/05/10 13:41:30 | 000,067,656 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS -- (SASKUTIL)
DRV - [2010/02/17 13:25:48 | 000,012,872 | ---- | M] (SUPERAdBlocker.com and SUPERAntiSpyware.com) [Kernel | System | Running] -- C:\Program Files\SUPERAntiSpyware\sasdifsv.sys -- (SASDIFSV)
DRV - [2007/03/10 10:49:56 | 000,000,000 | ---- | M] () [Kernel | Disabled | Stopped] -- C:\WINDOWS\System32\Ultra.dll -- (ultra)
DRV - [2005/07/11 06:53:02 | 000,291,456 | ---- | M] (Sonic Solutions) [File_System | System | Running] -- C:\WINDOWS\System32\drivers\Cdudf_xp.sys -- (cdudf_xp)
DRV - [2005/07/11 06:52:30 | 000,024,320 | ---- | M] (Sonic Solutions) [Kernel | On_Demand | Running] -- C:\WINDOWS\System32\drivers\dvd_2k.sys -- (dvd_2K)
DRV - [2005/07/11 06:46:12 | 000,024,960 | ---- | M] (Sonic Solutions) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\cdralw2k.sys -- (Cdralw2k)
DRV - [2005/07/11 06:43:20 | 000,044,288 | ---- | M] (Sonic Solutions) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\cdr4_xp.sys -- (Cdr4_xp)
DRV - [2005/07/11 06:43:16 | 000,141,184 | ---- | M] (Windows ® 2000 DDK provider) [File_System | System | Running] -- C:\WINDOWS\System32\drivers\DVDVRRdr_xp.sys -- (DVDVRRdr_xp)
DRV - [2005/07/11 06:38:34 | 000,023,808 | ---- | M] (Sonic Solutions) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\System32\drivers\mmc_2k.sys -- (mmc_2K)
DRV - [2005/07/11 06:26:42 | 000,117,760 | ---- | M] (Sonic Solutions) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\Pwd_2k.sys -- (pwd_2k)
DRV - [2004/10/07 20:16:04 | 000,035,840 | ---- | M] (Oak Technology Inc.) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\AFS2K.SYS -- (AFS2K)
DRV - [2004/02/09 12:06:22 | 000,015,360 | ---- | M] (Motorola Inc.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\NetMotCM.sys -- (ndiscm)
DRV - [2003/11/17 15:59:20 | 000,212,224 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSFHWBS2.sys -- (HSFHWBS2)
DRV - [2003/11/17 15:58:02 | 000,680,704 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_CNXT.sys -- (winachsf)
DRV - [2003/11/17 15:56:26 | 001,042,432 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\HSF_DP.sys -- (HSF_DP)
DRV - [2003/07/28 15:19:00 | 001,341,339 | ---- | M] (NVIDIA Corporation) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\nv4_mini.sys -- (nv)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie


IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://securityresponse.symantec.com/avcenter/fix_homepage/
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://securityresponse.symantec.com/avcenter/fix_homepage/
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://securityresponse.symantec.com/avcenter/fix_homepage/

IE - HKU\S-1-5-20\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://securityresponse.symantec.com/avcenter/fix_homepage/
IE - HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-436374069-606747145-725345543-1004\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie
IE - HKU\S-1-5-21-436374069-606747145-725345543-1004\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
IE - HKU\S-1-5-21-436374069-606747145-725345543-1004\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Google
IE - HKU\S-1-5-21-436374069-606747145-725345543-1004\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
IE - HKU\S-1-5-21-436374069-606747145-725345543-1004\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKU\S-1-5-21-436374069-606747145-725345543-1004\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
IE - HKU\S-1-5-21-436374069-606747145-725345543-1004\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
IE - HKU\S-1-5-21-436374069-606747145-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-436374069-606747145-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:25391

FF - HKLM\software\mozilla\Firefox\Extensions\\{ABDE892B-13A8-4d1b-88E6-365A6E755758}: C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext [2010/09/01 19:38:02 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{1A2EC648-EA57-4E89-85DF-29B46EEBBDE5}: C:\Documents and Settings\Santo\Local Settings\Application Data\{1A2EC648-EA57-4E89-85DF-29B46EEBBDE5} [2011/01/28 00:15:04 | 000,000,000 | ---D | M]
FF - HKLM\software\mozilla\Firefox\Extensions\\{626B8985-2157-44C5-BC37-9418724FB237}: C:\Documents and Settings\Judith\Local Settings\Application Data\{626B8985-2157-44C5-BC37-9418724FB237} [2011/01/05 09:14:15 | 000,000,000 | ---D | M]

[2010/12/25 11:10:50 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2007/10/22 19:48:39 | 000,000,000 | ---D | M] (Google Toolbar for Firefox) -- C:\Program Files\Mozilla Firefox\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}
[2010/04/25 12:19:19 | 000,000,000 | ---D | M] (Java Console) -- C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
[2010/04/12 16:29:19 | 000,411,368 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npdeployJava1.dll

O1 HOSTS File: ([2011/02/07 13:51:06 | 000,000,734 | RHS- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (RealPlayer Download and Record Plugin for Internet Explorer) - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll (RealPlayer)
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKU\.DEFAULT\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
O3 - HKU\.DEFAULT\..\Toolbar\WebBrowser: (Windows Live Toolbar) - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - File not found
O3 - HKU\S-1-5-18\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
O3 - HKU\S-1-5-18\..\Toolbar\WebBrowser: (Windows Live Toolbar) - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - File not found
O3 - HKU\S-1-5-21-436374069-606747145-725345543-1004\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
O3 - HKU\S-1-5-21-436374069-606747145-725345543-1004\..\Toolbar\WebBrowser: (ShopAtHome.com Toolbar) - {98279C38-DE4B-4BCF-93C9-8EC26069D6F4} - File not found
O3 - HKU\S-1-5-21-436374069-606747145-725345543-1004\..\Toolbar\WebBrowser: (Windows Live Toolbar) - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - File not found
O4 - HKLM..\Run: [CarboniteSetupLite] C:\Program Files\Carbonite\CarbonitePreinstaller.exe (Carbonite, Inc.)
O4 - HKLM..\Run: [EPSON Stylus Photo R1800 (Copy 1)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9LA.EXE (SEIKO EPSON CORPORATION)
O4 - HKLM..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe (RealNetworks, Inc.)
O4 - HKLM..\Run: [Ufegufapifovavox] C:\WINDOWS\owaheridub.dll ()
O4 - HKU\S-1-5-21-436374069-606747145-725345543-1004..\Run: [EPSON Stylus Photo R1800] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9LA.EXE (SEIKO EPSON CORPORATION)
O4 - HKU\S-1-5-21-436374069-606747145-725345543-1004..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe (SUPERAntiSpyware.com)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE (Microsoft Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLUA = 0
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: CDRAutoRun = 0
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: CDRAutoRun = 0
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-436374069-606747145-725345543-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-21-436374069-606747145-725345543-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: DisallowRun = 1
O7 - HKU\S-1-5-21-436374069-606747145-725345543-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\DisallowRun: 0 = msseces.exe
O7 - HKU\S-1-5-21-436374069-606747145-725345543-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\DisallowRun: 1 = MSASCui.exe
O7 - HKU\S-1-5-21-436374069-606747145-725345543-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\DisallowRun: 2 = ekrn.exe
O7 - HKU\S-1-5-21-436374069-606747145-725345543-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\DisallowRun: 3 = egui.exe
O7 - HKU\S-1-5-21-436374069-606747145-725345543-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\DisallowRun: 4 = avgnt.exe
O7 - HKU\S-1-5-21-436374069-606747145-725345543-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\DisallowRun: 5 = avcenter.exe
O7 - HKU\S-1-5-21-436374069-606747145-725345543-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\DisallowRun: 6 = avscan.exe
O7 - HKU\S-1-5-21-436374069-606747145-725345543-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\DisallowRun: 7 = avgfrw.exe
O7 - HKU\S-1-5-21-436374069-606747145-725345543-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\DisallowRun: 8 = avgui.exe
O7 - HKU\S-1-5-21-436374069-606747145-725345543-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\DisallowRun: 9 = avgtray.exe
O7 - HKU\S-1-5-21-436374069-606747145-725345543-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\DisallowRun: 10 = avgscanx.exe
O7 - HKU\S-1-5-21-436374069-606747145-725345543-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\DisallowRun: 11 = avgcfgex.exe
O7 - HKU\S-1-5-21-436374069-606747145-725345543-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\DisallowRun: 12 = avgemc.exe
O7 - HKU\S-1-5-21-436374069-606747145-725345543-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\DisallowRun: 13 = avgchsvx.exe
O7 - HKU\S-1-5-21-436374069-606747145-725345543-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\DisallowRun: 14 = avgcmgr.exe
O7 - HKU\S-1-5-21-436374069-606747145-725345543-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\DisallowRun: 15 = avgwdsvc.exe
O8 - Extra context menu item: Add to Google Photos Screensa&ver - C:\WINDOWS\System32\GPhotos.scr (Google Inc.)
O9 - Extra Button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll (Microsoft Corporation)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000002 [] - C:\Program Files\Neoteris\Secure Application Manager\samnsp.dll (Neoteris)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000005 [] - C:\Program Files\Neoteris\Secure Application Manager\samnsp.dll (Neoteris)
O15 - HKU\S-1-5-21-436374069-606747145-725345543-1004\..Trusted Domains: gmail.com ([]* in Trusted sites)
O15 - HKU\S-1-5-21-436374069-606747145-725345543-1004\..Trusted Domains: google.com ([mail] https in Trusted sites)
O15 - HKU\S-1-5-21-436374069-606747145-725345543-1004\..Trusted Domains: schwab.com ([remote] * in Trusted sites)
O15 - HKU\S-1-5-21-436374069-606747145-725345543-1004\..Trusted Domains: schwab.com ([remote2] * in Trusted sites)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} http://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab (Windows Genuine Advantage Validation Tool)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 167.206.254.2 167.206.254.1
O18 - Protocol\Handler\wlmailhtml {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - C:\Program Files\Windows Live\Mail\mailcomm.dll (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKU\S-1-5-21-436374069-606747145-725345543-1004 Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\!SASWinLogon: DllName - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL (SUPERAntiSpyware.com)
O20 - Winlogon\Notify\NavLogon: DllName - Reg Error: Value error. - Reg Error: Value error. File not found
O24 - Desktop WallPaper: C:\Documents and Settings\Judith\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Judith\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2005/12/01 12:47:55 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

========== Files/Folders - Created Within 30 Days ==========

[2011/02/10 09:31:56 | 000,000,000 | ---D | C] -- C:\WINDOWS\LastGood
[2011/02/09 19:59:12 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Judith\Desktop\tdsskiller
[2011/02/08 11:57:12 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Identities
[2011/02/08 11:57:12 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Identities
[2011/02/07 17:41:53 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Judith\My Documents\My Music
[2011/02/07 15:07:12 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Judith\Desktop\Roberta
[2011/02/07 13:51:05 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Judith\Desktop\backups
[2011/02/04 20:39:14 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Judith\My Documents\My Received Files
[2011/02/03 11:00:03 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Real
[2011/02/02 19:29:07 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Real
[2011/02/02 14:42:36 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Sun
[2011/02/02 12:41:46 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Adobe
[2011/02/02 12:30:28 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Judith\Application Data\SUPERAntiSpyware.com
[2011/02/02 12:30:28 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
[2011/02/02 12:30:18 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\SUPERAntiSpyware
[2011/02/02 12:30:13 | 000,000,000 | ---D | C] -- C:\Program Files\SUPERAntiSpyware
[2011/02/02 12:28:40 | 010,257,160 | ---- | C] (SUPERAntiSpyware.com) -- C:\Documents and Settings\Judith\Desktop\SUPERAntiSpyware.exe
[2011/02/01 21:36:30 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Sun
[2011/02/01 13:40:30 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\Judith\Application Data\Smart Internet Protection 2011
[2011/02/01 13:40:29 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\All Users\Application Data\SIUNLUVOFTP
[2011/02/01 10:21:16 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Adobe
[2011/01/31 10:25:34 | 000,000,000 | ---D | C] -- C:\Program Files\DocsOpener
[2011/01/31 10:25:34 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Judith\Start Menu\Programs\Docs Opener
[2011/01/29 11:10:14 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Macromedia
[2011/01/29 11:10:11 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Adobe
[2011/01/28 19:50:33 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
[2011/01/28 19:50:31 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
[2011/01/25 20:18:50 | 000,000,000 | ---D | C] -- C:\Program Files\Microsoft Security Client
[5 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[10 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\WINDOWS\System32\drivers\*.tmp files -> C:\WINDOWS\System32\drivers\*.tmp -> ]
[1 C:\Documents and Settings\Judith\Application Data\*.tmp files -> C:\Documents and Settings\Judith\Application Data\*.tmp -> ]
[1 C:\*.tmp files -> C:\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2011/02/10 10:54:00 | 000,000,422 | -H-- | M] () -- C:\WINDOWS\tasks\User_Feed_Synchronization-{8D4E104A-6F18-4B2B-8990-7D7264EE2579}.job
[2011/02/10 10:34:24 | 000,000,162 | -H-- | M] () -- C:\Documents and Settings\Judith\My Documents\~$tter-Le Telerie Toscane.doc
[2011/02/10 09:34:12 | 000,000,424 | -H-- | M] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job
[2011/02/10 09:29:34 | 000,000,120 | ---- | M] () -- C:\WINDOWS\Ajejumec.dat
[2011/02/10 09:29:34 | 000,000,000 | ---- | M] () -- C:\WINDOWS\Ktiwegohewatebic.bin
[2011/02/10 09:29:21 | 000,002,422 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2011/02/10 09:29:19 | 000,000,280 | ---- | M] () -- C:\WINDOWS\tasks\RealUpgradeLogonTaskS-1-5-21-436374069-606747145-725345543-1004.job
[2011/02/10 09:29:12 | 000,000,288 | ---- | M] () -- C:\WINDOWS\tasks\RealUpgradeScheduledTaskS-1-5-21-436374069-606747145-725345543-1004.job
[2011/02/10 09:29:02 | 000,000,280 | ---- | M] () -- C:\WINDOWS\tasks\RealUpgradeLogonTaskS-1-5-18.job
[2011/02/10 09:29:01 | 000,000,278 | ---- | M] () -- C:\WINDOWS\tasks\RealUpgradeLogonTaskS-1-5-21-436374069-606747145-725345543-1006.job
[2011/02/10 09:28:38 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2011/02/09 20:03:38 | 000,000,286 | ---- | M] () -- C:\WINDOWS\tasks\RealUpgradeScheduledTaskS-1-5-21-436374069-606747145-725345543-1006.job
[2011/02/09 20:02:13 | 000,001,324 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2011/02/09 19:57:47 | 001,246,371 | ---- | M] () -- C:\Documents and Settings\Judith\Desktop\tdsskiller.zip
[2011/02/09 19:51:22 | 000,013,286 | ---- | M] () -- C:\Documents and Settings\Judith\Desktop\calabacita casserole.odt
[2011/02/07 14:35:54 | 000,000,000 | ---- | M] () -- C:\Documents and Settings\Judith\defogger_reenable
[2011/02/07 14:05:45 | 000,001,082 | ---- | M] () -- C:\Documents and Settings\Judith\My Documents\suspicious2.reg
[2011/02/07 14:04:58 | 000,000,211 | -HS- | M] () -- C:\boot.ini
[2011/02/07 13:51:06 | 000,000,734 | RHS- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2011/02/07 13:36:57 | 000,002,054 | ---- | M] () -- C:\Documents and Settings\Judith\My Documents\suspicious.reg
[2011/02/07 12:25:06 | 000,000,288 | ---- | M] () -- C:\WINDOWS\tasks\RealUpgradeScheduledTaskS-1-5-18.job
[2011/02/06 12:13:19 | 000,021,504 | ---- | M] () -- C:\Documents and Settings\Judith\My Documents\Recycle.sig
[2011/02/04 20:40:21 | 000,000,244 | -H-- | M] () -- C:\sqmnoopt00.sqm
[2011/02/04 20:40:21 | 000,000,232 | -H-- | M] () -- C:\sqmdata00.sqm
[2011/02/03 13:11:03 | 000,001,857 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\MSN Installer.lnk
[2011/02/02 12:30:18 | 000,001,678 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\SUPERAntiSpyware Free Edition.lnk
[2011/02/02 12:29:32 | 010,257,160 | ---- | M] (SUPERAntiSpyware.com) -- C:\Documents and Settings\Judith\Desktop\SUPERAntiSpyware.exe
[2011/02/02 12:25:15 | 000,001,797 | ---- | M] () -- C:\Documents and Settings\Judith\Desktop\Smart Internet Protection 2011.lnk
[2011/02/02 12:25:14 | 000,002,228 | RHS- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.old
[2011/02/01 22:08:14 | 000,002,198 | ---- | M] () -- C:\WINDOWS\epplauncher.mif
[2011/01/31 21:32:15 | 000,000,567 | ---- | M] () -- C:\Documents and Settings\Judith\Desktop\Email from Google.url
[2011/01/31 10:36:38 | 000,102,397 | ---- | M] () -- C:\Documents and Settings\Judith\My Documents\SYOSSET RESERVATION MAIL-IN FORM.pages
[2011/01/31 10:25:35 | 000,000,706 | ---- | M] () -- C:\Documents and Settings\Judith\Desktop\Docs Opener.lnk
[2011/01/31 10:12:24 | 000,000,122 | ---- | M] () -- C:\WINDOWS\mdm.ini
[2011/01/28 00:09:40 | 000,000,116 | ---- | M] () -- C:\WINDOWS\NeroDigital.ini
[2011/01/21 14:59:40 | 000,000,610 | ---- | M] () -- C:\WINDOWS\cdplayer.ini
[2011/01/12 07:34:34 | 000,001,374 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[5 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[10 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\WINDOWS\System32\drivers\*.tmp files -> C:\WINDOWS\System32\drivers\*.tmp -> ]
[1 C:\Documents and Settings\Judith\Application Data\*.tmp files -> C:\Documents and Settings\Judith\Application Data\*.tmp -> ]
[1 C:\*.tmp files -> C:\*.tmp -> ]

========== Files Created - No Company Name ==========

[2011/02/10 10:34:24 | 000,000,162 | -H-- | C] () -- C:\Documents and Settings\Judith\My Documents\~$tter-Le Telerie Toscane.doc
[2011/02/09 19:57:08 | 001,246,371 | ---- | C] () -- C:\Documents and Settings\Judith\Desktop\tdsskiller.zip
[2011/02/09 19:51:50 | 000,013,286 | ---- | C] () -- C:\Documents and Settings\Judith\Desktop\calabacita casserole.odt
[2011/02/07 14:35:54 | 000,000,000 | ---- | C] () -- C:\Documents and Settings\Judith\defogger_reenable
[2011/02/07 14:05:44 | 000,001,082 | ---- | C] () -- C:\Documents and Settings\Judith\My Documents\suspicious2.reg
[2011/02/07 13:36:57 | 000,002,054 | ---- | C] () -- C:\Documents and Settings\Judith\My Documents\suspicious.reg
[2011/02/06 12:13:18 | 000,021,504 | ---- | C] () -- C:\Documents and Settings\Judith\My Documents\Recycle.sig
[2011/02/04 20:12:21 | 000,000,288 | ---- | C] () -- C:\WINDOWS\tasks\RealUpgradeScheduledTaskS-1-5-18.job
[2011/02/04 20:12:21 | 000,000,280 | ---- | C] () -- C:\WINDOWS\tasks\RealUpgradeLogonTaskS-1-5-18.job
[2011/02/03 13:11:03 | 000,001,857 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\MSN Installer.lnk
[2011/02/02 12:30:18 | 000,001,678 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\SUPERAntiSpyware Free Edition.lnk
[2011/02/01 13:40:35 | 000,001,797 | ---- | C] () -- C:\Documents and Settings\Judith\Desktop\Smart Internet Protection 2011.lnk
[2011/01/31 10:36:33 | 000,102,397 | ---- | C] () -- C:\Documents and Settings\Judith\My Documents\SYOSSET RESERVATION MAIL-IN FORM.pages
[2011/01/31 10:25:34 | 000,000,706 | ---- | C] () -- C:\Documents and Settings\Judith\Desktop\Docs Opener.lnk
[2011/01/25 20:25:33 | 000,000,424 | -H-- | C] () -- C:\WINDOWS\tasks\MP Scheduled Scan.job
[2011/01/25 20:20:45 | 000,002,198 | ---- | C] () -- C:\WINDOWS\epplauncher.mif
[2010/12/19 13:57:59 | 021,233,718 | ---- | C] () -- C:\Documents and Settings\Judith\Application Data\ZBWallpaper_13.bmp
[2010/12/19 13:57:03 | 021,233,718 | ---- | C] () -- C:\Documents and Settings\Judith\Application Data\ZBWallpaper_12.bmp
[2010/12/19 13:56:03 | 021,233,718 | ---- | C] () -- C:\Documents and Settings\Judith\Application Data\ZBWallpaper_11.bmp
[2010/12/19 13:54:01 | 021,233,718 | ---- | C] () -- C:\Documents and Settings\Judith\Application Data\ZBWallpaper_10.bmp
[2010/12/19 13:50:14 | 021,233,718 | ---- | C] () -- C:\Documents and Settings\Judith\Application Data\ZBWallpaper_9.bmp
[2010/12/19 13:49:41 | 021,233,718 | ---- | C] () -- C:\Documents and Settings\Judith\Application Data\ZBWallpaper_8.bmp
[2010/12/19 13:45:47 | 021,233,718 | ---- | C] () -- C:\Documents and Settings\Judith\Application Data\ZBWallpaper_7.bmp
[2010/12/19 13:45:01 | 021,233,718 | ---- | C] () -- C:\Documents and Settings\Judith\Application Data\ZBWallpaper_6.bmp
[2010/10/24 08:09:49 | 014,051,862 | ---- | C] () -- C:\Documents and Settings\Judith\Application Data\ZBWallpaper_5.bmp
[2010/10/13 19:16:02 | 000,000,610 | ---- | C] () -- C:\WINDOWS\cdplayer.ini
[2010/08/28 19:14:44 | 000,000,089 | ---- | C] () -- C:\Documents and Settings\Judith\Application Data\1tmp.bat
[2010/05/02 10:32:22 | 013,087,274 | ---- | C] () -- C:\Documents and Settings\Judith\Application Data\ZBWallpaper_4.bmp
[2010/05/02 10:28:19 | 021,233,718 | ---- | C] () -- C:\Documents and Settings\Judith\Application Data\ZBWallpaper_3.bmp
[2010/05/02 10:27:48 | 021,233,718 | ---- | C] () -- C:\Documents and Settings\Judith\Application Data\ZBWallpaper_2.bmp
[2009/12/07 20:51:14 | 016,066,974 | ---- | C] () -- C:\Documents and Settings\Judith\Application Data\ZBWallpaper_1.bmp
[2009/12/07 20:46:47 | 016,066,974 | ---- | C] () -- C:\Documents and Settings\Judith\Application Data\ZBWallpaper.bmp
[2009/09/18 12:06:20 | 000,002,501 | ---- | C] () -- C:\WINDOWS\ACROREAD.INI
[2009/09/18 12:02:09 | 000,000,751 | ---- | C] () -- C:\WINDOWS\Bti.ini
[2009/09/18 12:02:07 | 000,116,640 | ---- | C] () -- C:\WINDOWS\System32\Ptsaci40.dll
[2008/02/22 10:20:06 | 000,001,563 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\hpzinstall.log
[2007/03/10 10:49:56 | 000,000,000 | ---- | C] () -- C:\WINDOWS\System32\Ultra.dll
[2006/09/21 07:17:37 | 000,000,006 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\DragToDiscUserNameE.txt
[2006/08/11 14:13:07 | 000,001,362 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache
[2006/06/24 12:48:17 | 000,000,097 | ---- | C] () -- C:\WINDOWS\System32\PICSDK.ini
[2006/06/24 12:42:30 | 000,000,044 | ---- | C] () -- C:\WINDOWS\EPSP1800.ini
[2006/05/11 15:39:43 | 000,000,049 | ---- | C] () -- C:\WINDOWS\WININIT.INI
[2006/02/14 06:37:19 | 000,000,116 | ---- | C] () -- C:\WINDOWS\NeroDigital.ini
[2006/01/03 21:36:29 | 000,000,081 | ---- | C] () -- C:\WINDOWS\PARSONS.INI
[2005/12/29 15:12:47 | 000,000,000 | ---- | C] () -- C:\WINDOWS\OpPrintServer.INI
[2005/12/01 15:13:32 | 000,000,000 | ---- | C] () -- C:\WINDOWS\vpc32.INI
[2005/12/01 13:59:54 | 000,000,082 | ---- | C] () -- C:\WINDOWS\MPLAYER.INI
[2005/12/01 13:59:01 | 001,680,896 | ---- | C] () -- C:\WINDOWS\System32\LTCLR13n.dll
[2005/12/01 13:59:00 | 000,338,944 | ---- | C] () -- C:\WINDOWS\System32\lffpx7.dll
[2005/12/01 13:59:00 | 000,122,880 | ---- | C] () -- C:\WINDOWS\System32\LFKODAK.DLL
[2005/12/01 13:45:50 | 000,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2005/12/01 13:45:50 | 000,000,122 | ---- | C] () -- C:\WINDOWS\mdm.ini
[2005/12/01 13:45:45 | 000,000,000 | ---- | C] () -- C:\WINDOWS\NSREX.INI
[2005/12/01 12:53:21 | 000,012,288 | ---- | C] () -- C:\WINDOWS\System32\e100bmsg.dll
[2005/12/01 07:36:38 | 000,004,161 | ---- | C] () -- C:\WINDOWS\ODBCINST.INI
[2004/08/04 07:00:00 | 000,755,200 | ---- | C] () -- C:\WINDOWS\System32\ir50_32.dll
[2004/08/04 07:00:00 | 000,338,432 | ---- | C] () -- C:\WINDOWS\System32\ir41_qcx.dll
[2004/08/04 07:00:00 | 000,233,472 | ---- | C] () -- C:\WINDOWS\owaheridub.dll
[2004/08/04 07:00:00 | 000,200,192 | ---- | C] () -- C:\WINDOWS\System32\ir50_qc.dll
[2004/08/04 07:00:00 | 000,183,808 | ---- | C] () -- C:\WINDOWS\System32\ir50_qcx.dll
[2004/08/04 07:00:00 | 000,120,320 | ---- | C] () -- C:\WINDOWS\System32\ir41_qc.dll
[1999/01/22 13:46:00 | 000,065,536 | ---- | C] () -- C:\WINDOWS\System32\MSRTEDIT.DLL
[1998/10/19 06:09:20 | 000,003,782 | ---- | C] () -- C:\WINDOWS\System32\HPFlnk12.ini
[1998/10/19 05:49:44 | 000,007,680 | ---- | C] () -- C:\WINDOWS\System32\HPFhrl12.dll
[1998/10/19 05:49:42 | 000,340,480 | ---- | C] () -- C:\WINDOWS\System32\HPFsrl12.dll
[1998/10/19 05:49:38 | 000,289,280 | ---- | C] () -- C:\WINDOWS\System32\HPFmrl12.dll
[1998/10/19 05:49:32 | 001,211,904 | ---- | C] () -- C:\WINDOWS\System32\HPFtrl12.dll
[1998/10/19 05:45:12 | 000,027,648 | ---- | C] () -- C:\WINDOWS\System32\HPFstb12.dll
[1998/10/19 05:45:04 | 000,193,536 | ---- | C] () -- C:\WINDOWS\System32\HPFcps12.dll
[1998/10/19 05:44:34 | 000,076,800 | ---- | C] () -- C:\WINDOWS\System32\HPF24r12.dll
[1998/10/19 05:43:22 | 000,044,544 | ---- | C] () -- C:\WINDOWS\System32\HPFtst12.dll
[1998/10/19 05:41:38 | 000,067,584 | ---- | C] () -- C:\WINDOWS\System32\HPFpcl12.dll
[1998/10/19 05:39:16 | 000,173,056 | ---- | C] () -- C:\WINDOWS\System32\HPFntu12.dll
[1998/10/19 05:33:54 | 000,406,016 | ---- | C] () -- C:\WINDOWS\System32\HPFui12.dll
[1998/10/19 05:27:22 | 000,266,240 | ---- | C] () -- C:\WINDOWS\System32\HPFwin12.dll
[1998/10/19 05:23:40 | 000,037,376 | ---- | C] () -- C:\WINDOWS\System32\HPFmon12.dll
[1998/10/19 05:23:02 | 000,033,280 | ---- | C] () -- C:\WINDOWS\System32\HPFcbl12.dll
[1998/10/19 05:21:00 | 000,023,552 | ---- | C] () -- C:\WINDOWS\System32\HPFnet12.dll
[1998/10/19 05:20:48 | 000,033,384 | ---- | C] () -- C:\WINDOWS\System32\HPFiop12.dll
[1998/10/19 05:20:34 | 000,069,284 | ---- | C] () -- C:\WINDOWS\System32\HPFpml12.dll
[1998/10/19 05:20:30 | 000,138,428 | ---- | C] () -- C:\WINDOWS\System32\HPFmlc12.dll
[1998/10/19 05:20:22 | 000,057,240 | ---- | C] () -- C:\WINDOWS\System32\HPFmem12.dll
[1998/10/19 05:20:18 | 000,048,292 | ---- | C] () -- C:\WINDOWS\System32\HPFlpm12.dll
[1998/10/19 05:20:06 | 000,072,368 | ---- | C] () -- C:\WINDOWS\System32\HPFcom12.dll
[1998/10/19 05:18:22 | 000,029,184 | ---- | C] () -- C:\WINDOWS\System32\HPFrsu12.dll
[1998/10/19 05:17:46 | 000,117,760 | ---- | C] () -- C:\WINDOWS\System32\HPFrsa12.dll
[1998/10/19 05:13:18 | 000,849,920 | ---- | C] () -- C:\WINDOWS\System32\HPFimg12.dll
[1998/10/19 05:09:58 | 000,124,928 | ---- | C] () -- C:\WINDOWS\System32\HPFcnt12.dll
[1998/08/16 05:00:00 | 000,004,096 | ---- | C] () -- C:\WINDOWS\System32\sysres.dll

========== Alternate Data Streams ==========

@Alternate Data Stream - 104 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:DFC5A2B2

< End of report >


Thanks again for your help.

#6 SweetTech

  • Agent ST
  • Members
  • 13,421 posts
  • Gender:Male
  • Location:Antarctica

Posted 11 February 2011 - 10:42 AM

Hello roberta47,

Do you recognize these files?

C:\Documents and Settings\Judith\My Documents\suspicious2.reg
C:\Documents and Settings\Judith\My Documents\suspicious.reg
C:\Documents and Settings\Judith\My Documents\Recycle.sig


TDSSKiller has found something:

2011/02/09 20:00:52.0250 1612 Detected object count: 1
2011/02/09 20:01:42.0812 1612 \HardDisk0 - will be cured after reboot
2011/02/09 20:01:42.0812 1612 Rootkit.Win32.TDSS.tdl4(\HardDisk0) - User select action: Cure
2011/02/09 20:01:52.0640 3272 Deinitialize success


One or more of the identified infections is a backdoor trojan and password stealer.

This type of infection allows hackers to access and remotely control your computer, log keystrokes, steal critical system information, and download and execute files without your knowledge.
If you do any banking or other financial transactions on the PC or if it contains any other sensitive information, then from a clean computer, change all passwords where applicable.
It would also be wise to contact those same financial institutions to apprise them of your situation.


I highly suggest you take a look at the two links provided below:
1. How Do I Handle Possible Identity Theft, Internet Fraud, and CC Fraud?
2. When should I re-format? How should I reinstall?


We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.



NEXT:



OTL Fix

We need to run an OTL Fix
  • Please reopen OTL on your desktop.
  • Copy and Paste the following code into the Custom Scans/Fixes textbox.

    :Services
    :OTL
    MOD - [2008/04/13 19:12:08 | 000,233,472 | ---- | M] () -- C:\WINDOWS\owaheridub.dll
    IE - HKU\S-1-5-21-436374069-606747145-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:25391
    O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
    O3 - HKU\.DEFAULT\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
    O3 - HKU\.DEFAULT\..\Toolbar\WebBrowser: (Windows Live Toolbar) - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - File not found
    O3 - HKU\S-1-5-18\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
    O3 - HKU\S-1-5-18\..\Toolbar\WebBrowser: (Windows Live Toolbar) - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - File not found
    O3 - HKU\S-1-5-21-436374069-606747145-725345543-1004\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found.
    O3 - HKU\S-1-5-21-436374069-606747145-725345543-1004\..\Toolbar\WebBrowser: (ShopAtHome.com Toolbar) - {98279C38-DE4B-4BCF-93C9-8EC26069D6F4} - File not found
    O3 - HKU\S-1-5-21-436374069-606747145-725345543-1004\..\Toolbar\WebBrowser: (Windows Live Toolbar) - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - File not found
    O4 - HKLM..\Run: [Ufegufapifovavox] C:\WINDOWS\owaheridub.dll ()
    O7 - HKU\S-1-5-21-436374069-606747145-725345543-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\DisallowRun: 0 = msseces.exe
    O7 - HKU\S-1-5-21-436374069-606747145-725345543-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\DisallowRun: 1 = MSASCui.exe
    O7 - HKU\S-1-5-21-436374069-606747145-725345543-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\DisallowRun: 2 = ekrn.exe
    O7 - HKU\S-1-5-21-436374069-606747145-725345543-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\DisallowRun: 3 = egui.exe
    O7 - HKU\S-1-5-21-436374069-606747145-725345543-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\DisallowRun: 4 = avgnt.exe
    O7 - HKU\S-1-5-21-436374069-606747145-725345543-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\DisallowRun: 5 = avcenter.exe
    O7 - HKU\S-1-5-21-436374069-606747145-725345543-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\DisallowRun: 6 = avscan.exe
    O7 - HKU\S-1-5-21-436374069-606747145-725345543-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\DisallowRun: 7 = avgfrw.exe
    O7 - HKU\S-1-5-21-436374069-606747145-725345543-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\DisallowRun: 8 = avgui.exe
    O7 - HKU\S-1-5-21-436374069-606747145-725345543-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\DisallowRun: 9 = avgtray.exe
    O7 - HKU\S-1-5-21-436374069-606747145-725345543-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\DisallowRun: 10 = avgscanx.exe
    O7 - HKU\S-1-5-21-436374069-606747145-725345543-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\DisallowRun: 11 = avgcfgex.exe
    O7 - HKU\S-1-5-21-436374069-606747145-725345543-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\DisallowRun: 12 = avgemc.exe
    O7 - HKU\S-1-5-21-436374069-606747145-725345543-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\DisallowRun: 13 = avgchsvx.exe
    O7 - HKU\S-1-5-21-436374069-606747145-725345543-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\DisallowRun: 14 = avgcmgr.exe
    O7 - HKU\S-1-5-21-436374069-606747145-725345543-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\DisallowRun: 15 = avgwdsvc.exe
    [2011/02/01 13:40:30 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\Judith\Application Data\Smart Internet Protection 2011
    [2011/02/01 13:40:29 | 000,000,000 | -HSD | C] -- C:\Documents and Settings\All Users\Application Data\SIUNLUVOFTP
    [5 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
    [10 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
    [1 C:\WINDOWS\System32\drivers\*.tmp files -> C:\WINDOWS\System32\drivers\*.tmp -> ]
    [1 C:\Documents and Settings\Judith\Application Data\*.tmp files -> C:\Documents and Settings\Judith\Application Data\*.tmp -> ]
    [1 C:\*.tmp files -> C:\*.tmp -> ]
    [2011/02/10 09:29:34 | 000,000,120 | ---- | M] () -- C:\WINDOWS\Ajejumec.dat
    [2011/02/10 09:29:34 | 000,000,000 | ---- | M] () -- C:\WINDOWS\Ktiwegohewatebic.bin
    [2011/02/02 12:25:14 | 000,002,228 | RHS- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.old
    [5 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
    [10 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
    [1 C:\WINDOWS\System32\drivers\*.tmp files -> C:\WINDOWS\System32\drivers\*.tmp -> ]
    [1 C:\Documents and Settings\Judith\Application Data\*.tmp files -> C:\Documents and Settings\Judith\Application Data\*.tmp -> ]
    [1 C:\*.tmp files -> C:\*.tmp -> ]
    [2011/02/01 13:40:35 | 000,001,797 | ---- | C] () -- C:\Documents and Settings\Judith\Desktop\Smart Internet Protection 2011.lnk
    [2010/08/28 19:14:44 | 000,000,089 | ---- | C] () -- C:\Documents and Settings\Judith\Application Data\1tmp.bat
    [2004/08/04 07:00:00 | 000,233,472 | ---- | C] () -- C:\WINDOWS\owaheridub.dll
    
    :Reg
    
    :Files
    ipconfig /flushdns /c
    :Commands
    [purity]
    [resethosts]
    [CreateRestorePoint]
    [emptytemp]
    [EMPTYFLASH]
    
  • Push Run Fix.
  • OTL may ask to reboot the machine. Please do so if asked.
  • Click OK.
  • A report will open. Copy and Paste that report in your next reply.
  • If the machine reboots, the log will be located at C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log, where mmddyyyy_hhmmss is the date of the tool run.

Have I helped you? If you'd like to assist in the fight against malware, click here.


The instructions seen in this post have been specifically tailored to this user and the issues they are experiencing with their computer. If you think you have a similar problem, please first read this topic, and then begin your own, new thread. I do not offer private support via Private Message.
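The fix script in the post above removes, by hand, a recognisable set of indicators: an HKLM Run value that launches a bare DLL dropped into the Windows root with no version information, a per-user Internet Explorer ProxyServer pointing at a loopback port (the local proxy that kept breaking the poster's connectivity), and a DisallowRun policy list naming the executables of several security products. The following Python script is an added example, not code from this thread, from OTL or from TDSSKiller; it parses OTL-style log lines and flags those three patterns so the same triage can be run over a log mechanically. The sample input is constructed: it reuses the indicator lines quoted above and adds one benign Run entry for contrast, and the list of security-product binaries is taken from the O7 entries on this page and is illustrative rather than exhaustive.

```python
"""Triage of OTL-style log lines for the indicators seen in this thread.

Added example; not code from the BleepingComputer thread, OTL or TDSSKiller.
It flags three patterns that the fix script above removes by hand:
  1. a Run key whose target is a bare DLL, or an unattributed file sitting
     directly in %WINDIR% (the [Ufegufapifovavox] owaheridub.dll entry)
  2. a per-user IE ProxyServer routed through a loopback address
  3. DisallowRun policy entries naming security-product executables
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Constructed sample input: lines copied from the fix script above plus one
# benign Run entry (the MSE tray process) added here for contrast.
SAMPLE_LOG = r"""
MOD - [2008/04/13 19:12:08 | 000,233,472 | ---- | M] () -- C:\WINDOWS\owaheridub.dll
IE - HKU\S-1-5-21-436374069-606747145-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyServer" = http=127.0.0.1:25391
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O4 - HKLM..\Run: [Ufegufapifovavox] C:\WINDOWS\owaheridub.dll ()
O4 - HKLM..\Run: [MSSE] C:\Program Files\Microsoft Security Client\msseces.exe (Microsoft Corporation)
O7 - HKU\S-1-5-21-436374069-606747145-725345543-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\DisallowRun: 0 = msseces.exe
O7 - HKU\S-1-5-21-436374069-606747145-725345543-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\DisallowRun: 2 = ekrn.exe
"""

# Executables the O7 entries on this page blocked; illustrative, not exhaustive.
SECURITY_BINARIES = {
    "msseces.exe", "msascui.exe",                 # Microsoft Security Essentials / Defender
    "ekrn.exe", "egui.exe",                       # ESET
    "avgnt.exe", "avcenter.exe", "avscan.exe",    # Avira
    "avgfrw.exe", "avgui.exe", "avgtray.exe", "avgscanx.exe", "avgcfgex.exe",
    "avgemc.exe", "avgchsvx.exe", "avgcmgr.exe", "avgwdsvc.exe",  # AVG
}

# OTL line shapes: O4 autoruns, IE proxy settings, O7 Explorer policies, loaded modules.
RUN_RE = re.compile(r'^O4 - (?P<hive>\S+?)\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<target>.+?) \((?P<company>[^)]*)\)\s*$')
PROXY_RE = re.compile(r'^IE - (?P<key>.+?): "ProxyServer" = (?P<value>\S+)\s*$')
DISALLOW_RE = re.compile(r'^O7 - (?P<key>.+?)\\DisallowRun: (?P<index>\d+) = (?P<exe>\S+)\s*$')
MOD_RE = re.compile(r'^MOD - \[[^\]]*\] \((?P<company>[^)]*)\) -- (?P<path>.+?)\s*$')

WINDIR = 'c:\\windows\\'


@dataclass
class Finding:
    kind: str
    detail: str
    line: str


def proxy_endpoints(value: str) -> List[Tuple[str, str, Optional[int]]]:
    """Split an IE ProxyServer value ('host:port' or 'http=host:port;https=...')
    into (scheme, host, port) tuples; scheme '*' means all protocols."""
    out = []
    for part in filter(None, value.split(';')):
        scheme, _, hostport = part.rpartition('=')
        if ':' in hostport:
            host, _, port = hostport.rpartition(':')
            port_num = int(port) if port.isdigit() else None
        else:
            host, port_num = hostport, None
        out.append((scheme or '*', host, port_num))
    return out


def is_loopback(host: str) -> bool:
    return host.lower() == 'localhost' or host.startswith('127.')


def in_windows_root(path: str) -> bool:
    """True for a file directly under C:\\WINDOWS (not System32 or deeper)."""
    p = path.lower()
    return p.startswith(WINDIR) and '\\' not in p[len(WINDIR):]


def triage(lines: Iterable[str]) -> List[Finding]:
    findings: List[Finding] = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        m = RUN_RE.match(line)
        if m:
            # Run values are meant to launch an .exe; a bare DLL, or an unattributed
            # file sitting in the Windows root, is the dropper pattern on this page.
            if m['target'].lower().endswith('.dll') or (not m['company'] and in_windows_root(m['target'])):
                findings.append(Finding('suspicious_autorun', f"[{m['name']}] {m['target']}", line))
            continue
        m = PROXY_RE.match(line)
        if m:
            # A proxy on 127.0.0.1 means a local process is interposing on browser traffic.
            for scheme, host, port in proxy_endpoints(m['value']):
                if is_loopback(host):
                    findings.append(Finding('loopback_proxy', f"{scheme} -> {host}:{port}", line))
            continue
        m = DISALLOW_RE.match(line)
        if m:
            if m['exe'].lower() in SECURITY_BINARIES:
                findings.append(Finding('av_blocked', f"DisallowRun #{m['index']} = {m['exe']}", line))
            continue
        m = MOD_RE.match(line)
        if m and not m['company'] and in_windows_root(m['path']):
            findings.append(Finding('unattributed_module', m['path'], line))
    return findings


if __name__ == '__main__':
    for f in triage(SAMPLE_LOG.splitlines()):
        print(f"{f.kind:20} {f.detail}")
```

Run against the sample it reports the loaded module and the Run entry for owaheridub.dll, the loopback proxy in the user's Internet Settings, and the two DisallowRun entries, while the benign Microsoft Security Essentials Run entry passes. The loopback check is the one worth keeping in any such script: a legitimate proxy is almost never on 127.0.0.1, and the malware here needed one there to rewrite the victim's web traffic.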


#7 roberta47

  • Topic Starter
  • Members
  • 55 posts

Posted 11 February 2011 - 12:14 PM

I recognize
C:\Documents and Settings\Judith\My Documents\suspicious2.reg
C:\Documents and Settings\Judith\My Documents\suspicious.reg
but not the third one. The ones I recognize are exported registry keys that I created before I tried some registry changes.

I'm going to continue with your instructions and will get back to you with the report you requested.

#8 SweetTech

  • Agent ST
  • Members
  • 13,421 posts
  • Gender:Male
  • Location:Antarctica

Posted 11 February 2011 - 12:19 PM

but not the third one. The ones I recognize are exported registry keys that I created before I tried some registry changes.

Okay, thanks.



#9 SweetTech

  • Agent ST
  • Members
  • 13,421 posts
  • Gender:Male
  • Location:Antarctica

Posted 14 February 2011 - 12:46 PM

Due to the lack of feedback, this topic is now closed. In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.





