XP no icons or taskbar


  • This topic is locked
20 replies to this topic

#1 Al Schlafli

Al Schlafli

  • Members
  • 12 posts
  • OFFLINE
  • Local time:03:36 AM

Posted 04 March 2011 - 06:22 PM

I do virus/malware repair on customers' systems, and up until this one system, have been pretty successful.

Windows XP Home, SP3, Compaq Presario 6000. (Was on SP2, ran repair to update - see below)


System will boot fine. Desktop background shows up, after log-on (only one user on system), But no icons, and no taskbar.

I have tried the following:
Installed and ran Malwarebytes Anti-Malware, full scan until clean (0 infections)
Ran repair to update O/S from SP2 to SP3 from OEM CD - no errors during process (although I do need to activate)
Removed hard drive, attached hard drive to known clean system. Ran Malwarebytes again (finds a couple, removed). Scanned with SuperAntiSpyware, usual adware found, 1 trojan - removed. Scanned with AVG 2011, found a couple of things, removed. (All scans were with the latest updates from vendors prior to scanning.)

Returned hard drive to original system
Ran a couple of Registry fixes from Kellys-Corner

expanded new copies of explorer.exe and userinit.exe from OEM CD

Internet Explorer will not run
Control Panel will not run

explorer will briefly flash taskbar.

I would bail at this point, and tell the customer she needs a fresh install, but she whined, explaining that there is software on this system she no longer has disks/CDs for, blah blah blah

Here are the files you requested: I am sending this via Windows 7, and have no way to compress the files; I have attached the ark.log.
Attach.txt
.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_11-03-05.01)
.
Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume1
Install Date: 3/2/2011 7:02:48 PM
System Uptime: 3/4/2011 4:19:35 PM (1 hours ago)
.
Motherboard: | | KM266-8233
Processor: AMD Athlon™ XP 2000+ | Socket A | 1665/133mhz
.
==== Disk Partitions =========================
.
A: is Removable
C: is FIXED (NTFS) - 56 GiB total, 44.149 GiB free.
D: is CDROM ()
E: is CDROM (CDFS)
F: is Removable
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
No restore point in system.
.
==== Installed Programs ======================
.
1300
1300_Help
1300Tour
1300Trb
3D Frog Frenzy
3D Pinball Express
Ad-Aware SE Personal
Adaptec Easy CD Creator
Adobe Acrobat 5.0
Adobe ActiveShare 1.2
Adobe Atmosphere Player for Acrobat and Adobe Reader
Adobe PhotoDeluxe 2.0
Adobe PhotoDeluxe Home Edition 4.0
Adobe Photoshop Album 2.0 Starter Edition
Adobe Reader 7.0.8
AiO_Scan
AIOMinimal
AiOSoftware
America Online (Choose which version to remove)
AnalogX CookieWall
AOL Coach Version 1.0(Build:20040229.1 en)
AOL Connectivity Services
AOL Spyware Protection
AOL Toolbar
AOL You've Got Pictures Screensaver
AutoUpdate
BitTorrent 4.4.1
Board Games
Card Games for Windows
Coloreal
Compaq Advisor
Copy
Corel Applications
Corel Uninstaller
CreativeProjects
Desktop Doctor
Director
DivX
DivX Player
DivX Web Player
DLA
DocProc
Dramatica Pro 4.0
Easy CD & DVD Creator 6
ECHO
EuroTalk Talk Now Plus!
Eyewitness Encyclopedia of Nature 2.0
Fax
FormFlow 2.23 Filler
Google Desktop
Google Earth
Google Pack Screensaver
Google Toolbar for Firefox
Google Toolbar for Internet Explorer
Google Updater
GraphicView 32
Hauppauge English Help Files and Resources
Hauppauge WinTV-PVR USB 2 Drivers
Hauppauge WinTV Infrared Remote
Hauppauge WinTV Scheduler
Hauppauge WinTV2000
HP Image Zone 3.5
HP PSC & OfficeJet 3.5
HP Software Update
hpmdtab
HPSystemDiagnostics
Inactive HP Printer Drivers (Remove only)
InstantShare
Intel® 845G Chipset Graphics Driver Software
InterVideo FilterSDK for Hauppauge
InterVideo WinDVD
ipalm Camera Driver 1.0
Java 2 Runtime Environment Standard Edition v1.3.1
Java 2 Runtime Environment, SE v1.4.2_11
Jewel Quest
Kazoo Player
Learn2 Player (Uninstall Only)
LiveReg (Symantec Corporation)
LiveUpdate 1.80 (Symantec Corporation)
Macromedia Flash Player 8
Malwarebytes' Anti-Malware
Memories Disc Creator 2.0
Microsoft .NET Framework 1.1
Microsoft Camcorder
Microsoft IntelliPoint 5.1
Microsoft IntelliType Pro 5.1
Microsoft Office 97 Animated Cursors
Microsoft Office 97 Sounds
Microsoft Office 97, Professional Edition
Microsoft Text-to-Speech Engine 4.0 (English)
Microsoft Word 2000
Microsoft Works 6.0
Microsoft XML Parser and SDK
Microsoft® PowerPoint® Animation Player
Mozilla Firefox (1.5)
MSXML 4.0 SP2 (KB927978)
Music Visualizer Library 1.4.00
Net MD Simple Burner
Norton AntiVirus 2002
Norton CleanSweep
Norton Speed Disk 6.0 for Windows NT
Norton SystemWorks 2002
Norton Utilities 2002 for Windows
Online Manuals for WinTV (English)
OpenMG Limited Patch 3.1-02-10-22-01
OpenMG Limited Patch 3.1-02-10-22-02
OpenMG Limited Patch 3.1-02-12-04-01
OpenMG Secure Module 3.1
Overland
Panasonic PV-DC3000 TWAIN Driver
PCLinq2 High-Speed USB Bridge Cable
PhotoGallery
PhotoShow Express
Picasa 2
Plustek Scanner Installation
PrintScreen
Pure Networks Port Magic
Python 2.2 combined Win32 extensions
Python 2.2.1
QFolder
Quicken Lawyer 2003 Wills
QuickProjects
QuickTime
Rand McNally Route Planner
Readme
RealPlayer
RecordNow
RecordNow Update Manager
Remove FILM SCHOOL
RingMaster from Compaq (remove only)
S3Display
S3Gamma2
S3Info2
S3Overlay
SAMSUNG Voice yepp player 2003
Scan
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
SereneScreen Aquarium
SkinsHP1
SkinsHP2
Slots 100
SonicStage 1.5.06
Teach Me Piano Deluxe
Top 20 Solid Gold
Top 30 Games 4 Kids
Top 50 Blazing Games
TrayApp
Ulead DVD MovieFactory 3 SE
Unload
WebFldrs XP
WebReg
Windows Genuine Advantage Notifications (KB905474)
Works Suite OS Pack
.
==== End Of File ===========================




DDS.TXT
.
DDS (Ver_11-03-05.01) - NTFSx86
Run by me at 17:26:18.20 on Fri 03/04/2011
Internet Explorer: 6.0.2900.5512
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.223.101 [GMT -5:00]
.
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\system32\taskmgr.exe
F:\dds.scr
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.adelphia.net/
uWindow Title = Microsoft Internet Explorer provided by Comcast
mSearch Bar = hxxp://rd.yahoo.com/customize/yessentials_cq/defaults/sb/*http://www.yahoo.com/search/ie.html
mWindow Title = Microsoft Internet Explorer provided by Comcast
mWinlogon: Userinit=c:\windows\system32\userinit.exe
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar1.dll
BHO: CNavExtBho Class: {bdf3e430-b101-42ad-a544-fadc6b084872} - c:\program files\norton antivirus\NavShExt.dll
TB: Norton AntiVirus: {42cdd1bf-3ffb-4238-8ad1-7859df00b1d6} - c:\program files\norton antivirus\NavShExt.dll
TB: AOL Toolbar: {4982d40a-c53b-4615-b15b-b5b5e98d167c} - c:\program files\aol toolbar\toolbar.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
uRun: [PhotoShow Deluxe Media Manager] c:\progra~1\simple~1\photos~1\data\xtras\mssysmgr.exe
uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_0_8
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSCONFIG.EXE /auto
mRun: [SRFirstRun] rundll32 srclient.dll,CreateFirstRunRp
mRun: [Malwarebytes' Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\xyz.exe" /runcleanupscript
dRunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe
IE: &AOL Toolbar search - c:\program files\aol toolbar\toolbar.dll/SEARCH.HTML
IE: {2ef50289-0ea7-482e-a30b-4947a81e44cf} - c:\program files\trillian\Trillian
IE: {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/
IE: {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/
IE: {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\windows\system32\msjava.dll
IE: {4982D40A-C53B-4615-B15B-B5B5E98D167C} - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - c:\program files\aol toolbar\toolbar.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {01111F00-3E00-11D2-8470-0060089874ED} - hxxp://supportsoft.adelphia.net/sdccommon/download/tgctlins.cab
DPF: {0612502E-29F8-11D6-BC3C-00C0F0167E34} - hxxp://www.crsdata.net/CRSDataObject/CRSNInfo.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.4.2/jinstall-1_4-windows-i586.cab
DPF: {CAFEEFAC-0014-0002-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Notify: igfxcui - igfxsrvc.dll
.
================= FIREFOX ===================
.
FF - ProfilePath -
.
============= SERVICES / DRIVERS ===============
.
R2 litsgt;litsgt;c:\windows\system32\drivers\litsgt.sys [2006-1-11 137344]
R2 Scandrv;Plustek Scanner;c:\windows\system32\drivers\SCANDRV.SYS [2003-1-5 195120]
R2 tansgt;tansgt;c:\windows\system32\drivers\tansgt.sys [2006-1-11 12032]
S0 Cdr4vsd;Cdr4vsd;c:\windows\system32\drivers\CDR4VSD.SYS [2004-2-12 47520]
S2 MKEUSB01;%MKEUSB01.SvcDesc%;c:\windows\system32\drivers\MkeUsb01.sys [2003-2-14 26288]
S3 iComp;Hauppauge WinTV PVR USB2 Encoder;c:\windows\system32\drivers\HCWUSB2.sys [2005-10-6 1442752]
S3 NAVAP;NAVAP;c:\windows\system32\drivers\NAVAP.SYS [2003-6-7 183872]
S3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20030607.003\NAVENG.Sys [2003-6-7 67800]
S3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20030607.003\NavEx15.Sys [2003-6-7 531128]
S3 PLUsbbc2;High-Speed USB Bridge Cable Driver;c:\windows\system32\drivers\usbbc2.sys [2006-10-5 8960]
S3 tj2knd5;Terayon Cable Modem (NDIS);c:\windows\system32\drivers\tj2knd5.sys [2005-4-10 17616]
S3 tj2kunic;Terayon Cable Modem (WDM);c:\windows\system32\drivers\tj2kunic.sys [2005-4-10 69680]
S4 msCMTSrvc;Content Monitoring Tool;c:\windows\system32\mscmtsrvc.exe --> c:\windows\system32\msCMTSrvc.exe [?]
S4 navapsvc;Norton AntiVirus Auto Protect Service;c:\program files\norton antivirus\NAVAPSVC.EXE [2003-6-7 116344]
S4 NProtectService;Norton Unerase Protection;c:\program files\norton systemworks\norton utilities\NPROTECT.EXE [2003-6-7 135168]
S4 SBService;ScriptBlocking Service;c:\progra~1\common~1\symant~1\script~1\SBServ.exe [2001-8-14 54408]
.
=============== Created Last 30 ================
.
2011-03-04 16:18:16 1033728 ----a-w- c:\windows\explorer.exe
2011-03-03 00:55:13 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-03-03 00:55:03 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-03-03 00:02:23 41600 -c--a-w- c:\windows\system32\dllcache\weitekp9.dll
2011-03-03 00:02:23 31232 -c--a-w- c:\windows\system32\dllcache\weitekp9.sys
2011-03-03 00:02:19 48256 -c--a-w- c:\windows\system32\dllcache\w32.dll
2011-03-03 00:02:18 86073 -c--a-w- c:\windows\system32\dllcache\voicesub.dll
2011-03-03 00:02:18 426041 -c--a-w- c:\windows\system32\dllcache\voicepad.dll
2011-03-03 00:02:06 76288 -c--a-w- c:\windows\system32\dllcache\uniime.dll
2011-03-03 00:02:03 14336 -c--a-w- c:\windows\system32\dllcache\tsprof.exe
2011-03-03 00:02:01 455168 -c--a-w- c:\windows\system32\dllcache\tintsetp.exe
2011-03-03 00:02:01 44032 -c--a-w- c:\windows\system32\dllcache\tintlphr.exe
2011-03-03 00:02:01 10240 -c--a-w- c:\windows\system32\dllcache\tmigrate.dll
2011-03-03 00:02:00 185344 -c--a-w- c:\windows\system32\dllcache\thawbrkr.dll
2011-03-03 00:00:53 229439 -c--a-w- c:\windows\system32\dllcache\multibox.dll
2011-03-02 23:59:53 10129408 -c--a-w- c:\windows\system32\dllcache\hwxkor.dll
2011-03-02 23:58:58 54528 -c--a-w- c:\windows\system32\dllcache\cap7146.sys
2011-03-02 23:57:59 876653 -c--a-w- c:\windows\system32\dllcache\fp4awel.dll
2011-03-02 23:44:38 16384 -c--a-w- c:\windows\system32\dllcache\isignup.exe
2011-03-02 23:44:38 16384 ----a-w- c:\program files\internet explorer\connection wizard\isignup.exe
2011-03-02 23:44:30 7168 -c--a-w- c:\windows\system32\dllcache\bitsprx4.dll
2011-03-02 23:44:30 7168 ----a-w- c:\windows\system32\bitsprx4.dll
2011-03-02 23:41:27 53248 -c--a-w- c:\windows\system32\dllcache\tsgqec.dll
2011-03-02 23:41:27 53248 ----a-w- c:\windows\system32\tsgqec.dll
2011-03-02 23:41:27 290304 -c--a-w- c:\windows\system32\dllcache\rhttpaa.dll
2011-03-02 23:41:27 290304 ----a-w- c:\windows\system32\rhttpaa.dll
2011-03-02 23:41:27 136192 -c--a-w- c:\windows\system32\dllcache\aaclient.dll
2011-03-02 23:41:27 136192 ----a-w- c:\windows\system32\aaclient.dll
2011-03-02 23:35:18 20992 ----a-w- c:\windows\system32\drivers\RTL8139.sys
2011-03-02 23:29:31 24661 -c--a-w- c:\windows\system32\dllcache\spxcoins.dll
2011-03-02 23:29:31 24661 ----a-w- c:\windows\system32\spxcoins.dll
2011-03-02 23:29:31 13312 -c--a-w- c:\windows\system32\dllcache\irclass.dll
2011-03-02 23:29:31 13312 ----a-w- c:\windows\system32\irclass.dll
2011-03-02 23:29:09 16535 ----a-r- c:\windows\SETD2.tmp
2011-03-02 23:29:06 1088840 ----a-r- c:\windows\SETC6.tmp
2011-03-02 23:29:04 1296669 ----a-r- c:\windows\SETC5.tmp
2011-03-02 21:43:02 -------- d-----w- c:\windows\pss
2011-03-02 18:18:50 -------- d-----w- c:\windows\system32\scripting
2011-03-02 18:18:50 -------- d-----w- c:\windows\system32\en
2011-03-02 18:18:50 -------- d-----w- c:\windows\Network Diagnostic
2011-03-02 18:18:50 -------- d-----w- c:\windows\L2Schemas
2011-02-22 17:36:53 -------- d-----w- c:\windows\system32\wbem\repository\FS
2011-02-22 17:36:53 -------- d-----w- c:\windows\system32\wbem\Repository
2011-02-21 23:52:47 -------- d-----w- C:\$AVG
2011-02-19 00:57:38 -------- d-----w- c:\docume~1\me\applic~1\Malwarebytes
2011-02-19 00:57:27 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2011-02-19 00:57:23 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
.
==================== Find3M ====================
.
2011-02-22 19:14:37 4732 ----a-w- c:\windows\compaq.reg
.
============= FINISH: 17:27:28.89 ===============


Thanks very much!

Al Schlafli

Attached Files

  • Attached File  ark.log   7.23KB   7 downloads
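As an added example (not a tool from BleepingComputer, from DDS, or from the poster), here is a small Python parser for two sections of the DDS.TXT shown above. It turns the SERVICES / DRIVERS and Created Last 30 lines into records and flags the two things a helper usually checks first when reading such a log: a service whose binary DDS could not locate (the `[?]` marker; reading that marker as "file not found at scan time" is my assumption) and freshly created executables under the Windows directory. The sample lines are copied from the log in this post; the names `parse_dds` and `triage` are my own.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample input: lines copied from the DDS.TXT posted above.
SAMPLE_DDS = r"""
============= SERVICES / DRIVERS ===============
.
R2 litsgt;litsgt;c:\windows\system32\drivers\litsgt.sys [2006-1-11 137344]
S4 msCMTSrvc;Content Monitoring Tool;c:\windows\system32\mscmtsrvc.exe --> c:\windows\system32\msCMTSrvc.exe [?]
S4 navapsvc;Norton AntiVirus Auto Protect Service;c:\program files\norton antivirus\NAVAPSVC.EXE [2003-6-7 116344]
.
=============== Created Last 30 ================
.
2011-03-04 16:18:16 1033728 ----a-w- c:\windows\explorer.exe
2011-03-03 00:55:13 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-03-02 21:43:02 -------- d-----w- c:\windows\pss
.
==================== Find3M ====================
"""

# Section banners look like "====== Name ======".
SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")
# "R2 name;display;path [date size]"  (R = running, S = stopped, digit = start type)
SERVICE_RE = re.compile(r"^(R\d|S\d)\s+([^;]+);([^;]*);(.+?)\s+\[([^\]]*)\]$")
# "YYYY-MM-DD HH:MM:SS size attrs path"; size is "--------" for directories
CREATED_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(\d+|-+)\s+(\S+)\s+(.+)$")


@dataclass
class ServiceEntry:
    start: str      # e.g. "R2", "S4"
    name: str
    display: str
    path: str
    stamp: str      # "YYYY-M-D size", or "?" when DDS could not find the file (assumed meaning)


@dataclass
class CreatedEntry:
    when: str
    size: Optional[int]   # None for directory entries
    attrs: str
    path: str


def parse_dds(text: str) -> dict:
    """Split a DDS log into service and created-file records, keyed by section."""
    section = None
    services, created = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":          # DDS pads sections with lone dots
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1).upper()
            continue
        if section == "SERVICES / DRIVERS":
            m = SERVICE_RE.match(line)
            if m:
                services.append(ServiceEntry(*m.groups()))
        elif section == "CREATED LAST 30":
            m = CREATED_RE.match(line)
            if m:
                when, size, attrs, path = m.groups()
                created.append(CreatedEntry(when, int(size) if size.isdigit() else None, attrs, path))
    return {"services": services, "created": created}


def triage(parsed: dict) -> list:
    """Return human-readable prompts for a reviewer; each is a lead to verify, not a verdict."""
    findings = []
    for s in parsed["services"]:
        if s.stamp == "?":
            findings.append(f"service {s.name!r} ({s.display}) points at a file DDS could not find: {s.path}")
    for c in parsed["created"]:
        low = c.path.lower()
        # New binaries in the Windows tree; dllcache entries are left out because a
        # service-pack repair (as the poster ran) refills that folder legitimately.
        if low.endswith((".sys", ".exe", ".dll")) and "\\windows\\" in low and "dllcache" not in low:
            findings.append(f"new binary in Windows dir on {c.when}: {c.path} ({c.size} bytes)")
    return findings


if __name__ == "__main__":
    for line in triage(parse_dds(SAMPLE_DDS)):
        print(line)
```

Each flag is a prompt to look, not a verdict: the explorer.exe entry dated 2011-03-04 matches the poster's own note that he expanded a fresh copy from the OEM CD, and the mbam driver arrived with Malwarebytes, so both are expected here. The point of structuring the log is that expected entries can be checked off against the timeline the poster gave, leaving only the unexplained ones for closer inspection.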




#2 Casey_boy

Casey_boy

    Bleeping physicist


  • Malware Response Team
  • 7,765 posts
  • OFFLINE
  • Gender:Male
  • Location:UK
  • Local time:10:36 AM

Posted 12 March 2011 - 11:46 AM

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

Please take note:

  • If you have since resolved the original problem you were having, we would appreciate you letting us know.
  • If you are unable to create a log because your computer cannot start up successfully please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • If you are unable to perform the steps we have recommended please try one more time and if unsuccessful alert us of such and we will design an alternate means of obtaining the necessary information.
  • If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • Upon completing the steps below another staff member will review your topic and do their best to resolve your issues.
  • If you have already posted a DDS log, please do so again, as your situation may have changed.
  • Use the 'Add Reply' and add the new log to this thread.

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


We also need a new log from the GMER anti-rootkit Scanner.

Please note that if you are running a 64-bit version of Windows you will not be able to run GMER and you may skip this step.

Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


Thanks and again sorry for the delay.

Casey

If I have been helping you and I do not reply within 48hours, feel free to send me a PM.


* My Website * Am I Infected? * Malware Removal Help * If you'd like to say thanks *


#3 Al Schlafli

Al Schlafli
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time:03:36 AM

Posted 12 March 2011 - 02:49 PM

1. Problem has not been resolved. I have been patiently waiting a response, as per instructions. I have other computers to use / work on, so I have not done anything further on this system.

2. I don't think I need to create new logs, because nothing has changed since I posted the original logs. I have not turned on this system until I heard back.

3. I have an original OEM Windows CD for this system, SP3

4. N/A

5. System will boot, come to the logon screen, select the user (only one), and continue the login process.
It appears to complete the boot process. HOWEVER, there is no taskbar, no start button, and no icons.
At this point, I am able to use CTRL-ALT-DEL and task manager will run.
The following applications DO NOT appear to run from task manager: Internet Explorer, Control Panel, Explorer (Explorer will very briefly flash the taskbar)
If you reread my original post, you find I was able to run AntiMalware, SuperAntiSpyware, and the applications you want, and the logs are posted in my original post.

7. Since my situation has not changed, I feel the logs posted originally ARE current.

Thanks for any input you may have on this matter!

Al Schlafli

#4 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,512 posts
  • OFFLINE
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:05:36 AM

Posted 12 March 2011 - 10:23 PM

Hello Al Schlafli,
  • Welcome to Bleeping Computer.
  • My name is fireman4it and I will be helping you with your Malware problem.

    Please take note of some guidelines for this fix:
  • Refrain from making any changes to your computer including installing/uninstall programs, deleting files, modifying the registry, and running scanners or tools.
  • If you do not understand any step(s) provided, please do not hesitate to ask before continuing.
  • Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean".
  • Finally, please reply using the Posted Image button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply, unless they do not fit into the post.


1.
Please download the TDSS Rootkit Removing Tool (TDSSKiller.exe) and save it to your Desktop. <-Important!!!
Be sure to download TDSSKiller.exe (v2.4.0.0) from Kaspersky's website and not TDSSKiller.zip which appears to be an older version 2.3.2.2 of the tool.
  • Double-click on TDSSKiller.exe to run the tool for known TDSS variants.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • If TDSSKiller does not run, try renaming it.
  • To do this, right-click on TDSSKiller.exe, select Rename and give it a random name with the .com file extension (i.e. 123abc.com). If you do not see the file extension, please refer to How to change the file extension.
  • Click the Start Scan button.
  • Do not use the computer during the scan
  • If the scan completes with nothing found, click Close to exit.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
  • Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
  • A log file named TDSSKiller_version_date_time_log.txt (i.e. TDSSKiller.2.4.0.0_27.07.2010_09.07.26_log.txt) will be created and saved to the root directory (usually Local Disk C:).
  • Copy and paste the contents of that file in your next reply.

2.
Install Recovery Console and Run ComboFix

This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

Download Combofix from any of the links below, and save it to your desktop.

Link 1
Link 2
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Close any open windows, including this one.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • If you did not have it installed, you will see the prompt below. Choose YES.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Note:The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you
should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
  • Click on Yes, to continue scanning for malware.
  • When finished, it will produce a report for you. Please post the contents of the log (C:\ComboFix.txt).
Leave your computer alone while ComboFix is running.
ComboFix will restart your computer if malware is found; allow it to do so.


Note: Please Do NOT mouseclick ComboFix's window while it's running because it may cause it to stall.


Things to include in your next reply::
TDSSKiller log
Combofix.txt
How is your machine running now?

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


If I have helped you, consider making a donation to help me continue the fight against Malware!


#5 Al Schlafli

Al Schlafli
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time:03:36 AM

Posted 13 March 2011 - 01:53 PM

Thank you. I will try these solutions Monday, Mar 14, and get back to you!

#6 Al Schlafli

Al Schlafli
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time:03:36 AM

Posted 14 March 2011 - 03:29 PM

Installed TDSSKiller to desktop. Ran. Nothing found.

Installed ComboFix to desktop. Ran
I do not have an active network connection, so could not download / install Microsoft Recovery Console.
Here is the ComboFix Log...
ComboFix 11-03-13.02 - me 03/14/2011 15:14:55.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.223.113 [GMT -5:00]
Running from: c:\documents and settings\me\Desktop\ComboFix.exe
.
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\me\Desktop\Internet Explorer.lnk
c:\documents and settings\me\My Documents\DPE.DUS
c:\documents and settings\me\Recent\170 CHARLOTTE HOME INSPECTION.pdf
c:\windows\compaq.reg
c:\windows\Google Pack Screensaver Uninstaller.exe
.
.
((((((((((((((((((((((((( Files Created from 2011-02-14 to 2011-03-14 )))))))))))))))))))))))))))))))
.
.
2011-03-04 23:25 . 2011-03-04 23:25 -------- d-----w- c:\documents and settings\me\Application Data\SUPERAntiSpyware.com
2011-03-04 23:25 . 2011-03-04 23:25 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-03-04 23:19 . 2011-03-04 23:19 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2011-03-04 16:18 . 2008-04-14 05:42 1033728 ----a-w- c:\windows\explorer.exe
2011-03-03 00:55 . 2010-12-20 23:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-03-03 00:55 . 2010-12-20 23:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-03-03 00:02 . 2004-08-17 00:49 41600 -c--a-w- c:\windows\system32\dllcache\weitekp9.dll
2011-03-03 00:02 . 2004-08-17 00:49 31232 -c--a-w- c:\windows\system32\dllcache\weitekp9.sys
2011-03-03 00:02 . 2004-08-17 00:49 48256 -c--a-w- c:\windows\system32\dllcache\w32.dll
2011-03-03 00:02 . 2008-04-14 09:41 86073 -c--a-w- c:\windows\system32\dllcache\voicesub.dll
2011-03-03 00:02 . 2008-04-14 09:41 426041 -c--a-w- c:\windows\system32\dllcache\voicepad.dll
2011-03-03 00:02 . 2008-04-14 09:41 76288 -c--a-w- c:\windows\system32\dllcache\uniime.dll
2011-03-03 00:02 . 2004-08-17 00:49 14336 -c--a-w- c:\windows\system32\dllcache\tsprof.exe
2011-03-03 00:02 . 2008-04-14 09:41 10240 -c--a-w- c:\windows\system32\dllcache\tmigrate.dll
2011-03-03 00:02 . 2008-04-14 02:13 455168 -c--a-w- c:\windows\system32\dllcache\tintsetp.exe
2011-03-03 00:02 . 2008-04-14 02:13 44032 -c--a-w- c:\windows\system32\dllcache\tintlphr.exe
2011-03-03 00:02 . 2004-08-17 00:49 185344 -c--a-w- c:\windows\system32\dllcache\thawbrkr.dll
2011-03-03 00:00 . 2004-08-17 00:48 229439 -c--a-w- c:\windows\system32\dllcache\multibox.dll
2011-03-02 23:59 . 2004-08-17 00:47 10129408 -c--a-w- c:\windows\system32\dllcache\hwxkor.dll
2011-03-02 23:58 . 2004-08-17 00:48 54528 -c--a-w- c:\windows\system32\dllcache\cap7146.sys
2011-03-02 23:57 . 2004-05-13 05:39 876653 -c--a-w- c:\windows\system32\dllcache\fp4awel.dll
2011-03-02 23:44 . 2004-08-17 00:48 16384 -c--a-w- c:\windows\system32\dllcache\isignup.exe
2011-03-02 23:44 . 2004-08-17 00:48 16384 ----a-w- c:\program files\Internet Explorer\Connection Wizard\isignup.exe
2011-03-02 23:44 . 2008-04-14 09:41 7168 -c--a-w- c:\windows\system32\dllcache\bitsprx4.dll
2011-03-02 23:44 . 2008-04-14 09:41 7168 ----a-w- c:\windows\system32\bitsprx4.dll
2011-03-02 23:41 . 2008-04-14 09:42 53248 -c--a-w- c:\windows\system32\dllcache\tsgqec.dll
2011-03-02 23:41 . 2008-04-14 09:42 53248 ----a-w- c:\windows\system32\tsgqec.dll
2011-03-02 23:41 . 2008-04-14 09:42 290304 -c--a-w- c:\windows\system32\dllcache\rhttpaa.dll
2011-03-02 23:41 . 2008-04-14 09:42 290304 ----a-w- c:\windows\system32\rhttpaa.dll
2011-03-02 23:41 . 2008-04-14 09:41 136192 -c--a-w- c:\windows\system32\dllcache\aaclient.dll
2011-03-02 23:41 . 2008-04-14 09:41 136192 ----a-w- c:\windows\system32\aaclient.dll
2011-03-02 23:35 . 2008-04-14 03:05 20992 ----a-w- c:\windows\system32\drivers\RTL8139.sys
2011-03-02 23:29 . 2004-08-17 00:49 24661 -c--a-w- c:\windows\system32\dllcache\spxcoins.dll
2011-03-02 23:29 . 2004-08-17 00:49 24661 ----a-w- c:\windows\system32\spxcoins.dll
2011-03-02 23:29 . 2004-08-17 00:48 13312 -c--a-w- c:\windows\system32\dllcache\irclass.dll
2011-03-02 23:29 . 2004-08-17 00:48 13312 ----a-w- c:\windows\system32\irclass.dll
2011-03-02 23:29 . 2008-04-14 11:34 16535 ----a-r- c:\windows\SETD2.tmp
2011-03-02 23:29 . 2008-04-14 11:34 1088840 ----a-r- c:\windows\SETC6.tmp
2011-03-02 23:29 . 2008-04-14 11:40 1296669 ----a-r- c:\windows\SETC5.tmp
2011-03-02 18:18 . 2011-03-02 18:24 -------- d-----w- c:\windows\L2Schemas
2011-03-02 18:18 . 2011-03-02 18:24 -------- d-----w- c:\windows\system32\scripting
2011-03-02 18:18 . 2011-03-02 18:23 -------- d-----w- c:\windows\system32\en
2011-02-22 17:36 . 2011-02-22 17:36 -------- d-----w- c:\windows\system32\wbem\Repository
2011-02-21 23:52 . 2011-02-21 23:52 -------- d-----w- C:\$AVG
2011-02-19 00:57 . 2011-02-19 00:57 -------- d-----w- c:\documents and settings\me\Application Data\Malwarebytes
2011-02-19 00:57 . 2011-02-19 00:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-02-19 00:57 . 2011-03-03 00:58 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2006-07-21 19:14 . 2006-07-21 19:14 60526 ----a-w- c:\program files\mozilla firefox\components\jar50.dll
2006-07-21 19:14 . 2006-07-21 19:14 49256 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll
2006-07-21 19:14 . 2006-07-21 19:14 166000 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll
.
.
------- Sigcheck -------
.
[-] 2007-01-04 . 1C45525574EF206346FBAFCAAC7CC4A5 . 3062272 . . [6.00.2900.3059] . . c:\windows\$hf_mig$\KB928090\SP2QFE\mshtml.dll
[-] 2006-10-23 . 88E1C15BB1A9ED3CBA4D6F2F408D5010 . 3061248 . . [6.00.2900.3020] . . c:\windows\$hf_mig$\KB925454\SP2QFE\mshtml.dll
[-] 2006-09-14 . CEFEA1C301139A817931BE132F0359FE . 3058688 . . [6.00.2900.2995] . . c:\windows\$hf_mig$\KB922760\SP2QFE\mshtml.dll
[-] 2006-07-28 . D251679BD9EF0250201FB899EC40FD32 . 3058176 . . [6.00.2900.2963] . . c:\windows\system32\mshtml.dll
[-] 2006-07-28 . D251679BD9EF0250201FB899EC40FD32 . 3058176 . . [6.00.2900.2963] . . c:\windows\$hf_mig$\KB918899\SP2QFE\mshtml.dll
[-] 2006-05-19 . 8687E029BE63C77D4919485068C54D77 . 3055104 . . [6.00.2900.2912] . . c:\windows\$hf_mig$\KB916281\SP2QFE\mshtml.dll
[-] 2006-03-23 . ABCD123F888E4E97C8751378CCCC4F26 . 3055616 . . [6.00.2900.2873] . . c:\windows\$hf_mig$\KB912812\SP2QFE\mshtml.dll
[-] 2005-11-24 . D3F037F5DA702AE9DDD7663EC9D78BA7 . 3018240 . . [6.00.2900.2802] . . c:\windows\$hf_mig$\KB905915\SP2QFE\mshtml.dll
[-] 2005-10-05 . 3394299FBF1CD0B24089FC762611360B . 3017728 . . [6.00.2900.2769] . . c:\windows\$hf_mig$\KB896688\SP2QFE\mshtml.dll
[-] 2005-07-20 . A14A7A206AE22DE4FE563E44CFC7DDF5 . 3016192 . . [6.00.2900.2722] . . c:\windows\$hf_mig$\KB896727\SP2QFE\mshtml.dll
[-] 2005-05-02 . DCC5C79B99F02EEF8C826B074DBFC222 . 3014144 . . [6.00.2900.2668] . . c:\windows\$hf_mig$\KB883939\SP2QFE\mshtml.dll
[7] 2004-01-08 19:21 . 64DD381609F0A123DA7BC058690BC95D . 2764288 . . [6.00.2737.800] . . c:\windows\$NtUninstallKB834707-IE6-20040929.115007$\mshtml.dll
.
[-] 2007-01-04 . 3FFA1573FC274E5AA7467D03941C45EE . 665088 . . [6.00.2900.3059] . . c:\windows\$hf_mig$\KB928090\SP2QFE\wininet.dll
[-] 2006-10-23 . 231EF4179ACABE486376B5CA893F1076 . 664576 . . [6.00.2900.3020] . . c:\windows\$hf_mig$\KB925454\SP2QFE\wininet.dll
[-] 2006-09-14 . D207370287CF769AEBEBF03837784963 . 664576 . . [6.00.2900.2995] . . c:\windows\$hf_mig$\KB922760\SP2QFE\wininet.dll
[-] 2006-06-23 . 64CE26DB72810B30F7855EA51E1DF836 . 664576 . . [6.00.2900.2937] . . c:\windows\system32\wininet.dll
[-] 2006-06-23 . 64CE26DB72810B30F7855EA51E1DF836 . 664576 . . [6.00.2900.2937] . . c:\windows\$hf_mig$\KB918899\SP2QFE\wininet.dll
[-] 2006-05-10 . D94CFFDB53E7AC867438E2DFD50E7CBC . 663552 . . [6.00.2900.2904] . . c:\windows\$hf_mig$\KB916281\SP2QFE\wininet.dll
[-] 2006-03-04 . C0845ECBF4F9164E618EE381B79C9032 . 663552 . . [6.00.2900.2861] . . c:\windows\$hf_mig$\KB912812\SP2QFE\wininet.dll
[-] 2005-10-21 . AF785C4947676A7FC1673FDC5C8D0B5B . 661504 . . [6.00.2900.2781] . . c:\windows\$hf_mig$\KB905915\SP2QFE\wininet.dll
[-] 2005-09-02 . 97A6FD7CAFD688CF2C78939EBAF0CD0C . 660480 . . [6.00.2900.2753] . . c:\windows\$hf_mig$\KB896688\SP2QFE\wininet.dll
[-] 2005-07-03 . 6E533D155B259EB2363D3E04B5BE309F . 659456 . . [6.00.2900.2713] . . c:\windows\$hf_mig$\KB896727\SP2QFE\wininet.dll
[-] 2005-05-02 . E1E18136F9DD3DF1AD9C82193A5898A6 . 658944 . . [6.00.2900.2668] . . c:\windows\$hf_mig$\KB883939\SP2QFE\wininet.dll
[-] 2001-08-18 . CF9F1EEF71F42EDE71B6F4AA05D5CA1A . 593920 . . [6.00.2600.0000] . . c:\windows\$NtUninstallQ309521$\wininet.dll
.
[-] 2004-08-04 . E7484514C0464642BE7B4DC2689354C8 . 93184 . . [6.00.2900.2180] . . c:\windows\system32\dllcache\iexplore.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2011-01-13 2424560]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"tscuninstall"="c:\windows\system32\tscupgrd.exe" [2004-08-04 44544]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Google Updater.lnk
backup=c:\windows\pss\Google Updater.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ipalm Monitor 1.0.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\ipalm Monitor 1.0.lnk
backup=c:\windows\pss\ipalm Monitor 1.0.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL Spyware Protection]
2004-07-08 16:07 78960 ----a-w- c:\progra~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer]
2004-04-07 16:07 496752 ----a-w- c:\program files\Common Files\AOL\ACS\AOLDial.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CookieWall]
2005-08-04 21:32 97796 ----a-w- c:\program files\AnalogX\CookieWall\cookie.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
2002-07-16 15:03 106549 ----a-w- c:\windows\system32\dla\tfswctrl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
2002-05-15 10:20 114688 ----a-w- c:\windows\system32\hkcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
2003-12-22 12:38 241664 ----a-w- c:\program files\HP\hpcoretech\hpcmpmgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2003-08-04 21:28 49152 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpsysdrv]
1998-05-07 23:04 52736 ----a-w- c:\windows\system\hpsysdrv.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
2002-05-15 10:29 155648 ----a-w- c:\windows\system32\igfxtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelliPoint]
2004-03-19 04:29 212992 ----a-w- c:\program files\Microsoft IntelliPoint\point32.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes' Anti-Malware (reboot)]
2010-12-20 23:08 963976 ----a-w- c:\program files\Malwarebytes' Anti-Malware\xyz.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PhotoShow Deluxe Media Manager]
2005-01-22 00:04 163840 ----a-w- c:\progra~1\SIMPLE~1\PHOTOS~1\data\Xtras\mssysmgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pure Networks Port Magic]
2004-05-07 20:54 99480 ----a-w- c:\progra~1\PURENE~1\PORTMA~1\PortAOL.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2004-06-22 23:08 98304 ----a-w- c:\program files\QuickTime\qttask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
2002-07-05 00:55 212992 ----a-w- c:\windows\SMINST\Recguard.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioAudioCentral]
2003-07-15 17:36 319488 ----a-w- c:\program files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
2003-10-21 15:43 868352 ----a-w- c:\program files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioEngineUtility]
2003-05-01 23:44 65536 ----a-w- c:\program files\Common Files\Roxio Shared\System\EngUtil.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SRFirstRun]
2008-04-14 09:42 67584 ----a-w- c:\windows\system32\srclient.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\srmclean]
2001-07-25 04:34 36864 ----a-w- c:\cpqs\scom\srmclean.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StorageGuard]
2002-05-09 15:01 155648 ----a-w- c:\program files\VERITAS Software\Update Manager\sgtray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2006-02-13 15:53 32881 ----a-w- c:\program files\Java\j2re1.4.2_11\bin\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tgcmd]
2005-06-15 18:40 1757184 ----a-w- c:\program files\support.com\bin\tgcmd.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2006-07-21 21:30 180269 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ToolKit]
2005-03-24 22:22 888832 ----a-w- c:\program files\SeagateToolkit\Toolkit.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\type32]
2004-03-19 04:30 184320 ----a-w- c:\program files\Microsoft IntelliType Pro\type32.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
2006-03-30 20:45 313472 ----a-w- c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WCOLOREAL]
2002-02-21 02:40 143360 ----a-w- c:\program files\compaq\Coloreal\COLOREAL.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"xmlprov"=3 (0x3)
"WZCSVC"=2 (0x2)
"wuauserv"=2 (0x2)
"wscsvc"=2 (0x2)
"WmiApSrv"=3 (0x3)
"WmdmPmSN"=3 (0x3)
"WMDM PMSP Service"=2 (0x2)
"winmgmt"=2 (0x2)
"WebClient"=2 (0x2)
"WANMiniportService"=2 (0x2)
"W32Time"=2 (0x2)
"VSS"=3 (0x3)
"UPS"=3 (0x3)
"upnphost"=3 (0x3)
"UleadBurningHelper"=2 (0x2)
"TrkWks"=2 (0x2)
"Themes"=2 (0x2)
"TermService"=3 (0x3)
"TapiSrv"=3 (0x3)
"SysmonLog"=3 (0x3)
"SwPrv"=3 (0x3)
"stisvc"=2 (0x2)
"SSDPSRV"=3 (0x3)
"srservice"=2 (0x2)
"SPTISRV"=3 (0x3)
"Spooler"=2 (0x2)
"Speed Disk service"=2 (0x2)
"ShellHWDetection"=2 (0x2)
"SharedAccess"=2 (0x2)
"SENS"=2 (0x2)
"seclogon"=2 (0x2)
"Schedule"=2 (0x2)
"SCardSvr"=3 (0x3)
"SBService"=2 (0x2)
"SamSs"=2 (0x2)
"RSVP"=3 (0x3)
"RDSessMgr"=3 (0x3)
"RasMan"=3 (0x3)
"RasAuto"=2 (0x2)
"ProtectedStorage"=2 (0x2)
"PolicyAgent"=2 (0x2)
"Pml Driver HPZ12"=3 (0x3)
"PlugPlay"=2 (0x2)
"NtmsSvc"=3 (0x3)
"NtLmSsp"=3 (0x3)
"NProtectService"=2 (0x2)
"Nla"=3 (0x3)
"Netman"=3 (0x3)
"Netlogon"=3 (0x3)
"navapsvc"=2 (0x2)
"napagent"=3 (0x3)
"MSIServer"=3 (0x3)
"MSDTC"=3 (0x3)
"msCMTSrvc"=2 (0x2)
"mnmsrvc"=3 (0x3)
"LmHosts"=2 (0x2)
"lanmanworkstation"=2 (0x2)
"lanmanserver"=2 (0x2)
"ImapiService"=3 (0x3)
"HTTPFilter"=3 (0x3)
"hkmsvc"=3 (0x3)
"HidServ"=2 (0x2)
"helpsvc"=2 (0x2)
"Fax"=2 (0x2)
"FastUserSwitchingCompatibility"=3 (0x3)
"EventSystem"=3 (0x3)
"Eventlog"=2 (0x2)
"ERSvc"=2 (0x2)
"EapHost"=3 (0x3)
"Dot3svc"=3 (0x3)
"Dnscache"=2 (0x2)
"dmserver"=3 (0x3)
"dmadmin"=3 (0x3)
"Dhcp"=2 (0x2)
"CryptSvc"=2 (0x2)
"COMSysApp"=3 (0x3)
"Compaq_RBA"=2 (0x2)
"ClipSrv"=3 (0x3)
"cisvc"=3 (0x3)
"Browser"=2 (0x2)
"BITS"=3 (0x3)
"AudioSrv"=2 (0x2)
"aspnet_state"=3 (0x3)
"AppMgmt"=3 (0x3)
"AOL ACS"=2 (0x2)
"ALG"=3 (0x3)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\support.com\\bin\\tgcmd.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1344:UDP"= 1344:UDP:Windows Media Format SDK (waol.exe)
"1345:UDP"= 1345:UDP:Windows Media Format SDK (waol.exe)
.
R2 litsgt;litsgt;c:\windows\system32\drivers\litsgt.sys [1/11/2006 8:15 PM 137344]
R2 Scandrv;Plustek Scanner;c:\windows\system32\drivers\SCANDRV.SYS [1/5/2003 2:27 AM 195120]
R2 tansgt;tansgt;c:\windows\system32\drivers\tansgt.sys [1/11/2006 8:15 PM 12032]
S0 Cdr4vsd;Cdr4vsd;c:\windows\system32\drivers\CDR4VSD.SYS [2/12/2004 1:32 PM 47520]
S2 MKEUSB01;%MKEUSB01.SvcDesc%;c:\windows\system32\drivers\MkeUsb01.sys [2/14/2003 4:40 AM 26288]
S3 iComp;Hauppauge WinTV PVR USB2 Encoder;c:\windows\system32\drivers\HCWUSB2.sys [10/6/2005 2:49 PM 1442752]
S3 PLUsbbc2;High-Speed USB Bridge Cable Driver;c:\windows\system32\drivers\usbbc2.sys [10/5/2006 3:10 PM 8960]
S3 tj2knd5;Terayon Cable Modem (NDIS);c:\windows\system32\drivers\tj2knd5.sys [4/10/2005 3:15 AM 17616]
S3 tj2kunic;Terayon Cable Modem (WDM);c:\windows\system32\drivers\tj2kunic.sys [4/10/2005 3:15 AM 69680]
S4 msCMTSrvc;Content Monitoring Tool;c:\windows\system32\msCMTSrvc.exe --> c:\windows\system32\msCMTSrvc.exe [?]
S4 NProtectService;Norton Unerase Protection;c:\program files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE [6/7/2003 4:08 PM 135168]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - KLMD25
*Deregistered* - klmd25
.
Contents of the 'Scheduled Tasks' folder
.
2011-02-19 c:\windows\Tasks\Norton AntiVirus - Scan my computer.job
- c:\progra~1\NORTON~1\NAVW32.exe [2003-06-07 09:28]
.
2011-02-04 c:\windows\Tasks\Norton SystemWorks One Button Checkup.job
- c:\program files\Common Files\Symantec Shared\NMAIN.EXE [2001-07-28 19:03]
.
2003-10-04 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2002-08-02 07:04]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.adelphia.net/
IE: &AOL Toolbar search - c:\program files\AOL Toolbar\toolbar.dll/SEARCH.HTML
IE: {{2ef50289-0ea7-482e-a30b-4947a81e44cf} - c:\program files\Trillian\Trillian
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {0612502E-29F8-11D6-BC3C-00C0F0167E34} - hxxp://www.crsdata.net/CRSDataObject/CRSNInfo.cab
FF - ProfilePath -
.
- - - - ORPHANS REMOVED - - - -
.
AddRemove-Google Pack Screensaver - c:\windows\Google Pack Screensaver Uninstaller.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-03-14 15:23
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(564)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
Completion time: 2011-03-14 15:31:48
ComboFix-quarantined-files.txt 2011-03-14 20:31
ComboFix2.txt 2011-02-22 18:19
.
Pre-Run: 47,452,299,264 bytes free
Post-Run: 47,418,314,752 bytes free
.
- - End Of File - - 07B7BC2FCB85F7171C140E3A7E2FB936


Thanks for your help!!

Al Schlafli

#7 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,512 posts
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:05:36 AM

Posted 14 March 2011 - 05:45 PM

Hello,

We seem to have several issues and options to choose from. It seems some of the files are not passing sigcheck. I think one thing we need to do is run sfc /scannow and see if we can get those issues fixed. As for the no icons or taskbar, we have several other things we can try.

1.
You may have corrupt critical system files. Let's see if we can fix that.
  • 1. Select Start
    2. Select All Programs
    3. Select Accessories
    4. Right click Command Prompt
  • Type in sfc /scannow in the command window and press enter.
  • Note the space between the c and the /
  • If any files require replacing SFC will replace them. You may be asked to insert your Windows XP disk for this process to continue. This can be done with a borrowed disk if you don't have one.
  • Be patient because the scan may take some time.
  • Allow the scan to run and when completed, reboot the system.

2.
We need to check your hard disk for errors.

To check the volume for errors:
  • Click start and then My Computer.
  • Right click the drive C and select Properties.
  • Under Tools tab press Check Now...
  • Put a check mark in both items and press start.
  • If you get a message click Yes to schedule the disk check and click OK and then restart your computer to start the disk check. Please be patient and let the system run. In some cases it might take a couple of hours and you don't have to sit there the whole time.
*NOTE: This scan could take a long time to complete, but let it finish.

3.
Please read through this guide first

1. Please download Dial-A-Fix
2. Extract the zip file to your desktop.
3. Double click Dial-a-Fix.exe to start the program.
4. Press the green double checkmark box.
5. UNcheck "Empty Temp Folders", as well as "Adjust Time/Date" in the prep section.
6. Once the prep section is set up that way, press the GO button at the bottom of the window.
7. Exit/Close Dial-A-Fix

If the above doesn't work to fix your desktop icons and/or taskbar, you can then try the following.

1. Go to http://www.kellys-korner-xp.com/xp_tweaks.htm and try #117 and #195 if you haven't already.

2.
http://support.microsoft.com/default.aspx?scid=kb;en-us;330170&Product=winxp

3.
You may try a System Restore. I know this might reinfect the machine, but we can clean after.
http://support.microsoft.com/default.aspx?scid=kb;en-us;304449&sd=tech

Regardless of whether these work or not, I need you to run the following scans.

1.
Download Bootkit Remover to your desktop

1. Extract the file to your desktop.
2. Double click Remover.exe to run it (Right click and run as Administrator for Vista).
3. It will show a Black screen with some data on it.
4. Right click on the screen and choose Select All.
5. Press Control+C (to copy the data).
6. Open a notepad, Click on Edit tab > paste.
7. Exit the Remover.exe window.
8. Please post the contents of the notepad when you reply.

2.
Please download MBRCheck to your desktop.

1. Double click MBRCheck.exe to run it (Right click and run as Administrator for Vista).
2. It will open a black window, please do not fix anything (if it gives you an option).
3. Exit that window and it will produce a log (MBRCheck_date_time).
4. Please post that log when you reply.

3.
Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (e.g. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

Things to include in your next reply:
How is the machine running now? Icons and taskbar back?
Bootkit remover log
MBRCheck log
Gmer log
A new DDS log

Edited by fireman4it, 14 March 2011 - 06:07 PM.

"Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-



If I have helped you, consider making a donation to help me continue the fight against Malware!
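
The reply above picks the Sigcheck block of the ComboFix log as the first thing to act on. Because ComboFix lists every copy of a protected file it finds, most of those lines are hotfix backups under $hf_mig$ and $NtUninstall...$, not the file Windows actually loads from system32. The Python below is an added example, not ComboFix's code and not something posted in this thread: it parses lines in the Sigcheck format, marks which copy is the live one in system32, which is the dllcache copy that sfc /scannow restores from, and whether the live copy's MD5 matches one of the backups (which tells you which hotfix level the live file really is). The sample lines are taken from the log above; the reading of the [-] and [7] flags as "did not pass / passed against a known-good entry" is an assumption, and the script only carries the flag through without interpreting it.

```python
"""Triage the 'Sigcheck' section of a ComboFix log.

Added example, not ComboFix's own code.  It groups every listed copy of a file
by name and separates the live system32 copy from backup/cache copies.
"""
import re
from collections import defaultdict

# Sample lines copied from the ComboFix log in this thread (Sigcheck section).
SAMPLE = r"""
[-] 2007-01-04 . 1C45525574EF206346FBAFCAAC7CC4A5 . 3062272 . . [6.00.2900.3059] . . c:\windows\$hf_mig$\KB928090\SP2QFE\mshtml.dll
[-] 2006-07-28 . D251679BD9EF0250201FB899EC40FD32 . 3058176 . . [6.00.2900.2963] . . c:\windows\system32\mshtml.dll
[-] 2006-07-28 . D251679BD9EF0250201FB899EC40FD32 . 3058176 . . [6.00.2900.2963] . . c:\windows\$hf_mig$\KB918899\SP2QFE\mshtml.dll
[7] 2004-01-08 19:21 . 64DD381609F0A123DA7BC058690BC95D . 2764288 . . [6.00.2737.800] . . c:\windows\$NtUninstallKB834707-IE6-20040929.115007$\mshtml.dll
[-] 2006-06-23 . 64CE26DB72810B30F7855EA51E1DF836 . 664576 . . [6.00.2900.2937] . . c:\windows\system32\wininet.dll
[-] 2004-08-04 . E7484514C0464642BE7B4DC2689354C8 . 93184 . . [6.00.2900.2180] . . c:\windows\system32\dllcache\iexplore.exe
"""

# One Sigcheck line: [flag] date [time] . MD5 . size . . [version] . . path
SIGCHECK_RE = re.compile(
    r"^\[(?P<flag>[^\]]+)\]\s+"
    r"(?P<date>\d{4}-\d{2}-\d{2})(?:\s+\d{2}:\d{2})?\s+\.\s+"
    r"(?P<md5>[0-9A-Fa-f]{32})\s+\.\s+"
    r"(?P<size>\d+)\s+\.\s+\.\s+"
    r"\[(?P<version>[^\]]+)\]\s+\.\s+\.\s+"
    r"(?P<path>\S.*?)\s*$"
)


def classify(path):
    """Where this copy lives.  $hf_mig$ and $NtUninstall...$ hold hotfix/uninstall
    backups; dllcache is the cache SFC restores protected files from; anything
    else is treated as the live copy."""
    p = path.lower()
    if "\\$hf_mig$\\" in p:
        return "hotfix-backup"
    if "\\$ntuninstall" in p:
        return "uninstall"
    if "\\dllcache\\" in p:
        return "dllcache"
    return "live"


def parse_sigcheck(text):
    """Return one dict per Sigcheck line; headers and '.' spacer lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = SIGCHECK_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["size"] = int(e["size"])
        e["location"] = classify(e["path"])
        e["name"] = e["path"].rsplit("\\", 1)[-1].lower()
        entries.append(e)
    return entries


def live_copies(entries):
    """Only the copies Windows actually loads (not backups or the SFC cache)."""
    return [e for e in entries if e["location"] == "live"]


def summarize(entries):
    """Per file name: flag and version of the live copy (if listed), how many
    backup/cache copies exist, and whether any backup has the live copy's MD5."""
    by_name = defaultdict(list)
    for e in entries:
        by_name[e["name"]].append(e)
    out = {}
    for name, copies in by_name.items():
        live = [c for c in copies if c["location"] == "live"]
        others = [c for c in copies if c["location"] != "live"]
        rec = {"live_flag": None, "live_version": None,
               "other_copies": len(others), "md5_match_elsewhere": False}
        if live:
            lv = live[0]
            rec["live_flag"] = lv["flag"]
            rec["live_version"] = lv["version"]
            rec["md5_match_elsewhere"] = any(
                c["md5"].upper() == lv["md5"].upper() for c in others)
        out[name] = rec
    return out


if __name__ == "__main__":
    for name, rec in sorted(summarize(parse_sigcheck(SAMPLE)).items()):
        print(f"{name:14} live_flag={rec['live_flag']} version={rec['live_version']} "
              f"backups={rec['other_copies']} md5_in_backup={rec['md5_match_elsewhere']}")
```

Run against a full log, the summary shows at a glance that the live mshtml.dll is byte-identical to the KB918899 hotfix backup (same MD5) while later hotfix copies differ, and that iexplore.exe is only listed as a dllcache copy, which is the file SFC would copy back into system32.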


#8 Al Schlafli

Al Schlafli
  • Topic Starter

  • Members
  • 12 posts
  • Local time:03:36 AM

Posted 15 March 2011 - 04:01 PM

Ran SFC /SCANNOW
ran fine, rebooted, still no icons / taskbar

CHKDSK
ran - no errors
Note that we removed the drive from the system at one point, and attached the drive to another (known to be clean) computer.
From that computer we ran CHKDSK on this hard drive
We also ran some extensive drive DIAGNOSTICS, which passed
We also ran AntiMalware, and SuperAnti spyware on the drive - a few things were found
And lastly, also tried a SYSTEM RESTORE - not by running restore, but by replacing the 5 system registry files with 5 files that were approximately one month older.
STILL SAME SYMPTOM. no icons/taskbar

Ran DIAL-A-FIX same symptoms after reboot

Tried the tweaks from Kelly's Korner - same symptoms no icons/taskbar

Tried system restore - see just above...

Proceeding to scans as suggested, just wanted to update you... Hope to post more today.

Again, thanks for the efforts so far...

Al Schlafli

#9 Al Schlafli

Al Schlafli
  • Topic Starter

  • Members
  • 12 posts
  • Local time:03:36 AM

Posted 15 March 2011 - 05:32 PM

Contents of Bootkit Remover:
Bootkit Remover
© 2009 eSage Lab
www.esagelab.com

Program version: 1.2.0.0
OS Version: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)

System volume is \\.\C:
\\.\C: -> \\.\PhysicalDrive0 at offset 0x00000000`00007e00
Boot sector MD5 is: 6def5ffcbcdbdb4082f1015625e597bd

Size Device Name MBR Status
--------------------------------------------
55 GB \\.\PhysicalDrive0 OK (DOS/Win32 Boot code found)


Done;
Press any key to quit...


Contents of MBR Check:
MBRCheck, version 1.2.3
© 2010, AD

Command-line:
Windows Version: Windows XP Home Edition
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x0000003d

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)

Size Device Name MBR Status
--------------------------------------------
55 GB \\.\PhysicalDrive0 Windows XP MBR code detected
SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A


Done!
Press ENTER to exit...


Contents of GMER Log:
GMER 1.0.15.15530 - http://www.gmer.net
Rootkit scan 2011-03-15 17:38:48
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 SAMSUNG_SV0602H rev.RH100-09
Running: v8hyozgd.exe; Driver: C:\DOCUME~1\me\LOCALS~1\Temp\pgldypow.sys


---- Kernel code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\DRIVERS\litsgt.sys section is writeable [0xF28A6300, 0x1F510, 0xE8000020]

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Fastfat \FatCdrom tfsnifs.sys (Direct Access Component/VERITAS Software, Inc.)

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 01: copy of MBR
Disk \Device\Harddisk0\DR0 sector 02: copy of MBR
Disk \Device\Harddisk0\DR0 sector 03: copy of MBR
Disk \Device\Harddisk0\DR0 sector 04: copy of MBR
Disk \Device\Harddisk0\DR0 sector 05: copy of MBR
Disk \Device\Harddisk0\DR0 sector 06: copy of MBR
Disk \Device\Harddisk0\DR0 sector 07: copy of MBR
Disk \Device\Harddisk0\DR0 sector 08: copy of MBR
Disk \Device\Harddisk0\DR0 sector 09: copy of MBR
Disk \Device\Harddisk0\DR0 sector 10: copy of MBR
Disk \Device\Harddisk0\DR0 sector 11: copy of MBR
Disk \Device\Harddisk0\DR0 sector 12: copy of MBR
Disk \Device\Harddisk0\DR0 sector 13: copy of MBR
Disk \Device\Harddisk0\DR0 sector 14: copy of MBR
Disk \Device\Harddisk0\DR0 sector 15: copy of MBR
Disk \Device\Harddisk0\DR0 sector 16: copy of MBR
Disk \Device\Harddisk0\DR0 sector 17: copy of MBR
Disk \Device\Harddisk0\DR0 sector 18: copy of MBR
Disk \Device\Harddisk0\DR0 sector 19: copy of MBR
Disk \Device\Harddisk0\DR0 sector 20: copy of MBR
Disk \Device\Harddisk0\DR0 sector 21: copy of MBR
Disk \Device\Harddisk0\DR0 sector 22: copy of MBR
Disk \Device\Harddisk0\DR0 sector 23: copy of MBR
Disk \Device\Harddisk0\DR0 sector 24: copy of MBR
Disk \Device\Harddisk0\DR0 sector 25: copy of MBR
Disk \Device\Harddisk0\DR0 sector 26: copy of MBR
Disk \Device\Harddisk0\DR0 sector 27: copy of MBR
Disk \Device\Harddisk0\DR0 sector 28: copy of MBR
Disk \Device\Harddisk0\DR0 sector 29: copy of MBR
Disk \Device\Harddisk0\DR0 sector 30: copy of MBR
Disk \Device\Harddisk0\DR0 sector 31: copy of MBR
Disk \Device\Harddisk0\DR0 sector 32: copy of MBR
Disk \Device\Harddisk0\DR0 sector 33: copy of MBR
Disk \Device\Harddisk0\DR0 sector 34: copy of MBR
Disk \Device\Harddisk0\DR0 sector 35: copy of MBR
Disk \Device\Harddisk0\DR0 sector 36: copy of MBR
Disk \Device\Harddisk0\DR0 sector 37: copy of MBR
Disk \Device\Harddisk0\DR0 sector 38: copy of MBR
Disk \Device\Harddisk0\DR0 sector 39: copy of MBR
Disk \Device\Harddisk0\DR0 sector 40: copy of MBR
Disk \Device\Harddisk0\DR0 sector 41: copy of MBR
Disk \Device\Harddisk0\DR0 sector 42: copy of MBR
Disk \Device\Harddisk0\DR0 sector 43: copy of MBR
Disk \Device\Harddisk0\DR0 sector 44: copy of MBR
Disk \Device\Harddisk0\DR0 sector 45: copy of MBR
Disk \Device\Harddisk0\DR0 sector 46: copy of MBR
Disk \Device\Harddisk0\DR0 sector 47: copy of MBR
Disk \Device\Harddisk0\DR0 sector 48: copy of MBR
Disk \Device\Harddisk0\DR0 sector 49: copy of MBR
Disk \Device\Harddisk0\DR0 sector 50: copy of MBR
Disk \Device\Harddisk0\DR0 sector 51: copy of MBR
Disk \Device\Harddisk0\DR0 sector 52: copy of MBR
Disk \Device\Harddisk0\DR0 sector 53: copy of MBR
Disk \Device\Harddisk0\DR0 sector 54: copy of MBR
Disk \Device\Harddisk0\DR0 sector 55: copy of MBR
Disk \Device\Harddisk0\DR0 sector 56: copy of MBR
Disk \Device\Harddisk0\DR0 sector 57: copy of MBR
Disk \Device\Harddisk0\DR0 sector 58: copy of MBR
Disk \Device\Harddisk0\DR0 sector 59: copy of MBR
Disk \Device\Harddisk0\DR0 sector 60: copy of MBR
Disk \Device\Harddisk0\DR0 sector 61: copy of MBR
Disk \Device\Harddisk0\DR0 sector 62: rootkit-like behavior; copy of MBR
Disk \Device\Harddisk0\DR0 sector 63: rootkit-like behavior; copy of MBR

---- EOF - GMER 1.0.15 ----

And lastly, DDS.txt (and Attach is zipped and attached):
.
DDS (Ver_11-03-05.01) - NTFSx86
Run by me at 17:44:48.03 on Tue 03/15/2011
Internet Explorer: 6.0.2900.5512
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.223.94 [GMT -5:00]
.
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\System32\svchost.exe -k eapsvcs
C:\WINDOWS\System32\svchost.exe -k dot3svc
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\netdde.exe
svchost.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINDOWS\system32\taskmgr.exe
F:\zz\dds.scr
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.adelphia.net/
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar1.dll
BHO: CNavExtBho Class: {bdf3e430-b101-42ad-a544-fadc6b084872} - c:\program files\norton antivirus\NavShExt.dll
TB: Norton AntiVirus: {42cdd1bf-3ffb-4238-8ad1-7859df00b1d6} - c:\program files\norton antivirus\NavShExt.dll
TB: AOL Toolbar: {4982d40a-c53b-4615-b15b-b5b5e98d167c} - c:\program files\aol toolbar\toolbar.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
dRunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe
IE: &AOL Toolbar search - c:\program files\aol toolbar\toolbar.dll/SEARCH.HTML
IE: {2ef50289-0ea7-482e-a30b-4947a81e44cf} - c:\program files\trillian\Trillian
IE: {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/
IE: {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/
IE: {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - c:\windows\system32\msjava.dll
IE: {4982D40A-C53B-4615-B15B-B5B5E98D167C} - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - c:\program files\aol toolbar\toolbar.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {01111F00-3E00-11D2-8470-0060089874ED} - hxxp://supportsoft.adelphia.net/sdccommon/download/tgctlins.cab
DPF: {0612502E-29F8-11D6-BC3C-00C0F0167E34} - hxxp://www.crsdata.net/CRSDataObject/CRSNInfo.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.4.2/jinstall-1_4-windows-i586.cab
DPF: {CAFEEFAC-0014-0002-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: igfxcui - igfxsrvc.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
LSA: Notification Packages = scecli
.
================= FIREFOX ===================
.
FF - ProfilePath -
.
============= SERVICES / DRIVERS ===============
.
R2 litsgt;litsgt;c:\windows\system32\drivers\litsgt.sys [2006-1-11 137344]
R2 Scandrv;Plustek Scanner;c:\windows\system32\drivers\SCANDRV.SYS [2003-1-5 195120]
R2 tansgt;tansgt;c:\windows\system32\drivers\tansgt.sys [2006-1-11 12032]
S0 Cdr4vsd;Cdr4vsd;c:\windows\system32\drivers\CDR4VSD.SYS [2004-2-12 47520]
S2 MKEUSB01;%MKEUSB01.SvcDesc%;c:\windows\system32\drivers\MkeUsb01.sys [2003-2-14 26288]
S3 iComp;Hauppauge WinTV PVR USB2 Encoder;c:\windows\system32\drivers\HCWUSB2.sys [2005-10-6 1442752]
S3 NAVAP;NAVAP;c:\windows\system32\drivers\NAVAP.SYS [2003-6-7 183872]
S3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20030607.003\NAVENG.Sys [2003-6-7 67800]
S3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20030607.003\NavEx15.Sys [2003-6-7 531128]
S3 PLUsbbc2;High-Speed USB Bridge Cable Driver;c:\windows\system32\drivers\usbbc2.sys [2006-10-5 8960]
S3 tj2knd5;Terayon Cable Modem (NDIS);c:\windows\system32\drivers\tj2knd5.sys [2005-4-10 17616]
S3 tj2kunic;Terayon Cable Modem (WDM);c:\windows\system32\drivers\tj2kunic.sys [2005-4-10 69680]
S4 msCMTSrvc;Content Monitoring Tool;c:\windows\system32\mscmtsrvc.exe --> c:\windows\system32\msCMTSrvc.exe [?]
S4 navapsvc;Norton AntiVirus Auto Protect Service;c:\program files\norton antivirus\NAVAPSVC.EXE [2003-6-7 116344]
S4 NProtectService;Norton Unerase Protection;c:\program files\norton systemworks\norton utilities\NPROTECT.EXE [2003-6-7 135168]
S4 SBService;ScriptBlocking Service;c:\progra~1\common~1\symant~1\script~1\SBServ.exe [2001-8-14 54408]
.
=============== Created Last 30 ================
.
2011-03-15 20:52:10 -------- d-----w- c:\windows\system32\CatRoot2
2011-03-15 20:44:20 116224 -c--a-w- c:\windows\system32\dllcache\xrxwiadr.dll
2011-03-15 20:44:19 23040 -c--a-w- c:\windows\system32\dllcache\xrxwbtmp.dll
2011-03-15 20:44:19 18944 -c--a-w- c:\windows\system32\dllcache\xrxscnui.dll
2011-03-15 20:44:18 27648 -c--a-w- c:\windows\system32\dllcache\xrxftplt.exe
2011-03-15 20:44:17 4608 -c--a-w- c:\windows\system32\dllcache\xrxflnch.exe
2011-03-15 20:44:12 99865 -c--a-w- c:\windows\system32\dllcache\xlog.exe
2011-03-15 20:44:11 16970 -c--a-w- c:\windows\system32\dllcache\xem336n5.sys
2011-03-15 20:44:05 8192 -c--a-w- c:\windows\system32\dllcache\wshirda.dll
2011-03-15 20:42:55 94720 -c--a-w- c:\windows\system32\dllcache\umaxud32.dll
2011-03-15 20:41:59 7552 -c--a-w- c:\windows\system32\dllcache\sonypvu1.sys
2011-03-15 20:40:59 75392 -c--a-w- c:\windows\system32\dllcache\s3savmxm.sys
2011-03-15 20:39:59 8832 -c--a-w- c:\windows\system32\dllcache\powerfil.sys
2011-03-15 20:38:57 61696 -c--a-w- c:\windows\system32\dllcache\ohci1394.sys
2011-03-15 20:37:51 49024 -c--a-w- c:\windows\system32\dllcache\mstape.sys
2011-03-15 20:37:48 12416 -c--a-w- c:\windows\system32\dllcache\msriffwv.sys
2011-03-15 20:37:39 22016 -c--a-w- c:\windows\system32\dllcache\msircomm.sys
2011-03-15 20:37:25 35200 -c--a-w- c:\windows\system32\dllcache\msgame.sys
2011-03-15 20:37:24 6016 -c--a-w- c:\windows\system32\dllcache\msfsio.sys
2011-03-15 20:37:17 17280 -c--a-w- c:\windows\system32\dllcache\mraid35x.sys
2011-03-15 20:37:11 16128 -c--a-w- c:\windows\system32\dllcache\modemcsa.sys
2011-03-15 20:37:04 6528 -c--a-w- c:\windows\system32\dllcache\miniqic.sys
2011-03-15 20:37:01 320384 -c--a-w- c:\windows\system32\dllcache\mgaum.sys
2011-03-15 20:37:00 235648 -c--a-w- c:\windows\system32\dllcache\mgaud.dll
2011-03-15 20:35:58 6144 -c--a-w- c:\windows\system32\dllcache\kbd106.dll
2011-03-15 20:34:30 73279 -c--a-w- c:\windows\system32\dllcache\hsf_spkp.sys
2011-03-15 20:33:58 92160 -c--a-w- c:\windows\system32\dllcache\fuusd.dll
2011-03-15 20:32:59 28062 -c--a-w- c:\windows\system32\dllcache\dp83820.sys
2011-03-15 20:31:59 6656 -c--a-w- c:\windows\system32\dllcache\cmdide.sys
2011-03-15 20:30:53 31529 -c--a-w- c:\windows\system32\dllcache\brzwlan.sys
2011-03-15 20:29:59 56960 -c--a-w- c:\windows\system32\dllcache\aic78xx.sys
2011-03-15 20:28:56 66048 -c--a-w- c:\windows\system32\dllcache\s3legacy.dll
2011-03-15 20:28:46 2145280 -c--a-w- c:\windows\system32\dllcache\ntkrnlmp.exe
2011-03-14 20:11:19 98816 ----a-w- c:\windows\sed.exe
2011-03-14 20:11:19 89088 ----a-w- c:\windows\MBR.exe
2011-03-14 20:11:19 256512 ----a-w- c:\windows\PEV.exe
2011-03-14 20:11:19 161792 ----a-w- c:\windows\SWREG.exe
2011-03-04 23:25:12 -------- d-----w- c:\docume~1\me\applic~1\SUPERAntiSpyware.com
2011-03-04 23:25:05 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-03-04 23:19:44 -------- d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2011-03-04 16:18:16 1033728 -c--a-w- c:\windows\system32\dllcache\explorer.exe
2011-03-04 16:18:16 1033728 ----a-w- c:\windows\explorer.exe
2011-03-03 00:55:13 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-03-03 00:55:03 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-03-03 00:02:23 41600 -c--a-w- c:\windows\system32\dllcache\weitekp9.dll
2011-03-03 00:02:23 31232 -c--a-w- c:\windows\system32\dllcache\weitekp9.sys
2011-03-03 00:02:19 48256 -c--a-w- c:\windows\system32\dllcache\w32.dll
2011-03-03 00:02:18 86073 -c--a-w- c:\windows\system32\dllcache\voicesub.dll
2011-03-03 00:02:18 426041 -c--a-w- c:\windows\system32\dllcache\voicepad.dll
2011-03-03 00:02:06 76288 -c--a-w- c:\windows\system32\dllcache\uniime.dll
2011-03-03 00:02:03 14336 -c--a-w- c:\windows\system32\dllcache\tsprof.exe
2011-03-03 00:02:01 455168 -c--a-w- c:\windows\system32\dllcache\tintsetp.exe
2011-03-03 00:02:01 44032 -c--a-w- c:\windows\system32\dllcache\tintlphr.exe
2011-03-03 00:02:01 10240 -c--a-w- c:\windows\system32\dllcache\tmigrate.dll
2011-03-03 00:02:00 185344 -c--a-w- c:\windows\system32\dllcache\thawbrkr.dll
2011-03-03 00:00:53 229439 -c--a-w- c:\windows\system32\dllcache\multibox.dll
2011-03-02 23:59:53 10129408 -c--a-w- c:\windows\system32\dllcache\hwxkor.dll
2011-03-02 23:58:58 54528 -c--a-w- c:\windows\system32\dllcache\cap7146.sys
2011-03-02 23:57:59 876653 -c--a-w- c:\windows\system32\dllcache\fp4awel.dll
2011-03-02 23:44:38 16384 -c--a-w- c:\windows\system32\dllcache\isignup.exe
2011-03-02 23:44:38 16384 ----a-w- c:\program files\internet explorer\connection wizard\isignup.exe
2011-03-02 23:44:30 7168 -c--a-w- c:\windows\system32\dllcache\bitsprx4.dll
2011-03-02 23:44:30 7168 ----a-w- c:\windows\system32\bitsprx4.dll
2011-03-02 23:41:27 53248 -c--a-w- c:\windows\system32\dllcache\tsgqec.dll
2011-03-02 23:41:27 53248 ----a-w- c:\windows\system32\tsgqec.dll
2011-03-02 23:41:27 290304 -c--a-w- c:\windows\system32\dllcache\rhttpaa.dll
2011-03-02 23:41:27 290304 ----a-w- c:\windows\system32\rhttpaa.dll
2011-03-02 23:41:27 136192 -c--a-w- c:\windows\system32\dllcache\aaclient.dll
2011-03-02 23:41:27 136192 ----a-w- c:\windows\system32\aaclient.dll
2011-03-02 23:35:18 20992 -c--a-w- c:\windows\system32\dllcache\rtl8139.sys
2011-03-02 23:35:18 20992 ----a-w- c:\windows\system32\drivers\RTL8139.sys
2011-03-02 23:29:31 24661 -c--a-w- c:\windows\system32\dllcache\spxcoins.dll
2011-03-02 23:29:31 24661 ----a-w- c:\windows\system32\spxcoins.dll
2011-03-02 23:29:31 13312 -c--a-w- c:\windows\system32\dllcache\irclass.dll
2011-03-02 23:29:31 13312 ----a-w- c:\windows\system32\irclass.dll
2011-03-02 23:29:09 16535 ----a-r- c:\windows\SETD2.tmp
2011-03-02 23:29:06 1088840 ----a-r- c:\windows\SETC6.tmp
2011-03-02 23:29:04 1296669 ----a-r- c:\windows\SETC5.tmp
2011-03-02 21:43:02 -------- d-----w- c:\windows\pss
2011-03-02 18:18:50 -------- d-----w- c:\windows\system32\scripting
2011-03-02 18:18:50 -------- d-----w- c:\windows\system32\en
2011-03-02 18:18:50 -------- d-----w- c:\windows\Network Diagnostic
2011-03-02 18:18:50 -------- d-----w- c:\windows\L2Schemas
2011-02-22 17:36:53 -------- d-----w- c:\windows\system32\wbem\repository\FS
2011-02-22 17:36:53 -------- d-----w- c:\windows\system32\wbem\Repository
2011-02-21 23:52:47 -------- d-----w- C:\$AVG
2011-02-19 00:57:38 -------- d-----w- c:\docume~1\me\applic~1\Malwarebytes
2011-02-19 00:57:27 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2011-02-19 00:57:23 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
.
==================== Find3M ====================
.
.
============= FINISH: 17:46:25.31 ===============

And how is my machine running now???
Just the same.... Boots to logon screen. I click on name, and system completes boot. Desktop background is there. NO ICONS. NO TASKBAR. Trying to run Explorer from Task Manager (CTRL-ALT-DEL) results in brief flash of taskbar. Internet Explorer launches / quits. Control Panel launches / quits. No network connection.

(end of report)

Al Schlafli

#10 fireman4it (Malware Response Team)

Posted 15 March 2011 - 06:45 PM

Hello,
I see Norton is on the machine. Let's uninstall it till we get done trying to get the icons back and the machine clean. Sometimes Norton has been known to affect the network connection.

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"xmlprov"=3 (0x3)
"WZCSVC"=2 (0x2)
"wuauserv"=2 (0x2)
"wscsvc"=2 (0x2)
"WmiApSrv"=3 (0x3)
"WmdmPmSN"=3 (0x3)
"WMDM PMSP Service"=2 (0x2)
"winmgmt"=2 (0x2)
"WebClient"=2 (0x2)
"WANMiniportService"=2 (0x2)
"W32Time"=2 (0x2)
"VSS"=3 (0x3)
"UPS"=3 (0x3)
"upnphost"=3 (0x3)
"UleadBurningHelper"=2 (0x2)
"TrkWks"=2 (0x2)
"Themes"=2 (0x2)
"TermService"=3 (0x3)
"TapiSrv"=3 (0x3)
"SysmonLog"=3 (0x3)
"SwPrv"=3 (0x3)
"stisvc"=2 (0x2)
"SSDPSRV"=3 (0x3)
"srservice"=2 (0x2)
"SPTISRV"=3 (0x3)
"Spooler"=2 (0x2)
"Speed Disk service"=2 (0x2)
"ShellHWDetection"=2 (0x2)
"SharedAccess"=2 (0x2)
"SENS"=2 (0x2)
"seclogon"=2 (0x2)
"Schedule"=2 (0x2)
"SCardSvr"=3 (0x3)
"SBService"=2 (0x2)
"SamSs"=2 (0x2)
"RSVP"=3 (0x3)
"RDSessMgr"=3 (0x3)
"RasMan"=3 (0x3)
"RasAuto"=2 (0x2)
"ProtectedStorage"=2 (0x2)
"PolicyAgent"=2 (0x2)
"Pml Driver HPZ12"=3 (0x3)
"PlugPlay"=2 (0x2)
"NtmsSvc"=3 (0x3)
"NtLmSsp"=3 (0x3)
"NProtectService"=2 (0x2)
"Nla"=3 (0x3)
"Netman"=3 (0x3)
"Netlogon"=3 (0x3)
"navapsvc"=2 (0x2)
"napagent"=3 (0x3)
"MSIServer"=3 (0x3)
"MSDTC"=3 (0x3)
"msCMTSrvc"=2 (0x2)
"mnmsrvc"=3 (0x3)
"LmHosts"=2 (0x2)
"lanmanworkstation"=2 (0x2)
"lanmanserver"=2 (0x2)
"ImapiService"=3 (0x3)
"HTTPFilter"=3 (0x3)
"hkmsvc"=3 (0x3)
"HidServ"=2 (0x2)
"helpsvc"=2 (0x2)
"Fax"=2 (0x2)
"FastUserSwitchingCompatibility"=3 (0x3)
"EventSystem"=3 (0x3)
"Eventlog"=2 (0x2)
"ERSvc"=2 (0x2)
"EapHost"=3 (0x3)
"Dot3svc"=3 (0x3)
"Dnscache"=2 (0x2)
"dmserver"=3 (0x3)
"dmadmin"=3 (0x3)
"Dhcp"=2 (0x2)
"CryptSvc"=2 (0x2)
"COMSysApp"=3 (0x3)
"Compaq_RBA"=2 (0x2)
"ClipSrv"=3 (0x3)
"cisvc"=3 (0x3)
"Browser"=2 (0x2)
"BITS"=3 (0x3)
"AudioSrv"=2 (0x2)
"aspnet_state"=3 (0x3)
"AppMgmt"=3 (0x3)
"AOL ACS"=2 (0x2)
"ALG"=3 (0x3)


I also see you have a lot of services not running. Please let all the services and everything run. This may very well be the problem.



Uninstall Norton


The following removal utility can be used to uninstall the program if the uninstall via Add/remove does not work:

  • Download the Norton Removal Tool to your desktop.
  • On the Windows desktop, double-click the Norton Removal Tool icon.
  • Follow the on-screen instructions.
    Note: Your computer may be restarted more than once, and you may be asked to repeat some steps after the computer restarts.
Norton should now be removed from your PC.


For illustrated instructions please refer to here:
http://service1.symantec.com/Support/tsgeninfo.nsf/docid/2005033108162039





1.
Your log indicates you have an infected Master Boot Record (MBR). To learn more about this infection please refer to:
  • What is Whistler Bootkit
  • Bootkit: Example of infected master boot record
  • MBR Rootkit, A New Breed of Malware

  • Rerun MBRCheck.exe by double-clicking on it. Vista/Windows 7 users right-click and select Run As Administrator.
  • Wait until you see the following line: Enter 'Y' and hit ENTER for more options, or 'N' to exit:
  • Enter 'Y' and then press Enter.
  • When asked: 'Enter your choice:', select option [2] (Restore the MBR of a physical disk with a standard boot code) and press the Enter key.
  • Now the program will ask: 'Enter the physical disk number to fix (0-99, -1 to cancel)'
  • Enter [0] (for PhysicalDrive0) and press the Enter key.
  • The program will show Available MBR codes followed by a list of operating systems as shown below.

    Available MBR codes:
    [ 0] Default (Windows XP)
    [ 1] Windows XP
    [ 2] Windows Server 2003
    [ 3] Windows Vista
    [ 4] Windows 2008
    [ 5] Windows 7
    [-1] Cancel
    Please select the MBR code to write to this drive:

  • Please select your version of Windows from the list and enter the corresponding number (For example, type 0 or 1 for XP, type 3 for Vista, type 5 for Windows 7, etc) and then press Enter. Be careful...if the wrong OS is used, it will render the computer unbootable.
  • When prompted for confirmation: 'Do you want to fix the MBR code?'. Type the full word Yes (not Y or the fix will not work) and press Enter.
  • Left-click on the title bar (where program name and path is written).
  • From the menu chose Edit -> Select All.
  • Press the Enter key on your keyboard to copy selected text.
  • Open Notepad, paste that text into it and save to your desktop as MBRCheck.txt.
  • When complete, you should see Done! Press ENTER to exit.... Press Enter on the keyboard.
  • Reboot your computer to complete the fix and copy/paste MBRCheck.txt in your next reply.
  • If your computer does not restart on its own, please restart it manually.

    Important Note: While fixing the Master Boot Record (MBR) is generally safe, there is a small risk of damaging the operating system so that it will not boot up or the partitions may become corrupted. I recommend you have your Windows CD available which will allow recovering the boot code via the Windows Recovery Console (XP) or Recovery Environment (Vista, Windows 7) in case of any problems, or install the XP Recovery Console before proceeding with the above fix. Then if any problems occur, the links below explain how to use and repair the MBR:
  • How to use the Recovery Console in XP
  • How to fix MBR in Windows XP and Vista
  • How to Burn a Vista Repair Disc if You Don’t Have One


2.
Re-Run MBRCheck.exe
  • Wait until you see the following line: Enter 'Y' and hit ENTER for more options, or 'N' to exit:
  • Please push the 'Y' key and then press Enter
  • When the program asks 'Enter your choice:', enter [1] (Dump the MBR of a physical disk to file) and press the Enter key.
  • Next it will say Enter the physical disk number to dump <0-99, -1 to exit>
  • Type 0 and press Enter
  • The program will ask for the file name to dump to, type dump.dat and Press Enter. You should see Dumped successfully.
  • Next, type -1 and press Enter. Next press Enter again, and the program will exit.
  • Save it to your desktop then attach the resultant output in your next reply.

3.
Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

4.
Please download Rootkit Unhooker from one of the following links and save it to your desktop.
Link 1 (.exe file)
Link 2 (zipped file)
Link 3 (.rar file)
In order to use this tool if you downloaded from either of the second two links, you will need to extract the RKUnhookerLE.exe file using a program capable of extracting ZIP and RAR compressed files. If you don't have an extraction program, you can download, install and use the free 7-zip utility.

  • Double-click on RKUnhookerLE.exe to start the program.
    Vista/Windows 7 users right-click and select Run As Administrator.
  • Click the Report tab, then click Scan.
  • Check Drivers, Stealth, and uncheck the rest.
  • Click OK.
  • Wait until it's finished and then go to File > Save Report.
  • Save the report to your Desktop.
  • Copy and paste the contents of the report into your next reply.
-- Note: You may get this warning...just ignore it, click OK and continue: "Rootkit Unhooker has detected a parasite inside itself! It is recommended to remove parasite, okay?"

Things to include in your next reply:
dump.dat
MbrCheck log
Gmer log
RkuUnhooker log
Still no icons or taskbar?

Edited by fireman4it, 15 March 2011 - 07:04 PM.



#11 Al Schlafli (Topic Starter)

Posted 16 March 2011 - 12:20 PM

Yes, I had most services and start-ups disabled via MSCONFIG. I have enabled everything in MSCONFIG now. Sorry.
STATUS: SAME (Hereafter, to save some typing, if I say STATUS: SAME, that will mean that when the system boots up, I still have no taskbar and no icons. I still cannot run Control Panel, Explorer flashes, and Internet Explorer doesn't run. No error messages are displayed on the screen. I can use CTRL-ALT-DEL to run Task Manager and execute tasks from there.)

Ran Norton Removal Tool. Tool said I needed to use "Add/Remove Programs" to remove Norton AntiVirus 2002 and Norton Security 2002. I was able to run appwiz.cpl from Task Manager, removed the two programs, and rebooted.
STATUS: SAME

Rerun MBRCHECK

MBRCHECK would not prompt me for any input. However, a little research on the web led me to the command line prompts for mbrcheck, so I was able to perform the tasks you requested.

Typing mbrcheck -f 01 -s 0 copied the XP version of the MBR

Log:
C:\Documents and Settings\me\Desktop>mbrcheck d mbrck.txt -s 0
MBRCheck, version 1.2.3
© 2010, AD

Command-line: d mbrck.txt -s 0
Windows Version: Windows XP Home Edition
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x0000003d

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)

Size Device Name MBR Status
--------------------------------------------
55 GB \\.\PhysicalDrive0 Windows XP MBR code detected
SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A


Done!
Press ENTER to exit...


Then, typing mbrcheck -0 -d dump.dat gave me the copy of the mbr, which I have attached, as dump.dat
Hmmm, no I haven't, I get an error saying I am not permitted to upload this kind of file.

STATUS: SAME

Rerun GMER log below:

GMER 1.0.15.15530 - http://www.gmer.net
Rootkit scan 2011-03-16 11:52:56
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 SAMSUNG_SV0602H rev.RH100-09
Running: v8hyozgd.exe; Driver: C:\DOCUME~1\me\LOCALS~1\Temp\pgldypow.sys


---- Kernel code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\DRIVERS\litsgt.sys section is writeable [0xF291C300, 0x1F510, 0xE8000020]

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Fastfat \FatCdrom tfsnifs.sys (Direct Access Component/VERITAS Software, Inc.)

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 01: copy of MBR
Disk \Device\Harddisk0\DR0 sector 02: copy of MBR
Disk \Device\Harddisk0\DR0 sector 03: copy of MBR
Disk \Device\Harddisk0\DR0 sector 04: copy of MBR
Disk \Device\Harddisk0\DR0 sector 05: copy of MBR
Disk \Device\Harddisk0\DR0 sector 06: copy of MBR
Disk \Device\Harddisk0\DR0 sector 07: copy of MBR
Disk \Device\Harddisk0\DR0 sector 08: copy of MBR
Disk \Device\Harddisk0\DR0 sector 09: copy of MBR
Disk \Device\Harddisk0\DR0 sector 10: copy of MBR
Disk \Device\Harddisk0\DR0 sector 11: copy of MBR
Disk \Device\Harddisk0\DR0 sector 12: copy of MBR
Disk \Device\Harddisk0\DR0 sector 13: copy of MBR
Disk \Device\Harddisk0\DR0 sector 14: copy of MBR
Disk \Device\Harddisk0\DR0 sector 15: copy of MBR
Disk \Device\Harddisk0\DR0 sector 16: copy of MBR
Disk \Device\Harddisk0\DR0 sector 17: copy of MBR
Disk \Device\Harddisk0\DR0 sector 18: copy of MBR
Disk \Device\Harddisk0\DR0 sector 19: copy of MBR
Disk \Device\Harddisk0\DR0 sector 20: copy of MBR
Disk \Device\Harddisk0\DR0 sector 21: copy of MBR
Disk \Device\Harddisk0\DR0 sector 22: copy of MBR
Disk \Device\Harddisk0\DR0 sector 23: copy of MBR
Disk \Device\Harddisk0\DR0 sector 24: copy of MBR
Disk \Device\Harddisk0\DR0 sector 25: copy of MBR
Disk \Device\Harddisk0\DR0 sector 26: copy of MBR
Disk \Device\Harddisk0\DR0 sector 27: copy of MBR
Disk \Device\Harddisk0\DR0 sector 28: copy of MBR
Disk \Device\Harddisk0\DR0 sector 29: copy of MBR
Disk \Device\Harddisk0\DR0 sector 30: copy of MBR
Disk \Device\Harddisk0\DR0 sector 31: copy of MBR
Disk \Device\Harddisk0\DR0 sector 32: copy of MBR
Disk \Device\Harddisk0\DR0 sector 33: copy of MBR
Disk \Device\Harddisk0\DR0 sector 34: copy of MBR
Disk \Device\Harddisk0\DR0 sector 35: copy of MBR
Disk \Device\Harddisk0\DR0 sector 36: copy of MBR
Disk \Device\Harddisk0\DR0 sector 37: copy of MBR
Disk \Device\Harddisk0\DR0 sector 38: copy of MBR
Disk \Device\Harddisk0\DR0 sector 39: copy of MBR
Disk \Device\Harddisk0\DR0 sector 40: copy of MBR
Disk \Device\Harddisk0\DR0 sector 41: copy of MBR
Disk \Device\Harddisk0\DR0 sector 42: copy of MBR
Disk \Device\Harddisk0\DR0 sector 43: copy of MBR
Disk \Device\Harddisk0\DR0 sector 44: copy of MBR
Disk \Device\Harddisk0\DR0 sector 45: copy of MBR
Disk \Device\Harddisk0\DR0 sector 46: copy of MBR
Disk \Device\Harddisk0\DR0 sector 47: copy of MBR
Disk \Device\Harddisk0\DR0 sector 48: copy of MBR
Disk \Device\Harddisk0\DR0 sector 49: copy of MBR
Disk \Device\Harddisk0\DR0 sector 50: copy of MBR
Disk \Device\Harddisk0\DR0 sector 51: copy of MBR
Disk \Device\Harddisk0\DR0 sector 52: copy of MBR
Disk \Device\Harddisk0\DR0 sector 53: copy of MBR
Disk \Device\Harddisk0\DR0 sector 54: copy of MBR
Disk \Device\Harddisk0\DR0 sector 55: copy of MBR
Disk \Device\Harddisk0\DR0 sector 56: copy of MBR
Disk \Device\Harddisk0\DR0 sector 57: copy of MBR
Disk \Device\Harddisk0\DR0 sector 58: copy of MBR
Disk \Device\Harddisk0\DR0 sector 59: copy of MBR
Disk \Device\Harddisk0\DR0 sector 60: copy of MBR
Disk \Device\Harddisk0\DR0 sector 61: copy of MBR
Disk \Device\Harddisk0\DR0 sector 62: rootkit-like behavior; copy of MBR
Disk \Device\Harddisk0\DR0 sector 63: rootkit-like behavior; copy of MBR

---- EOF - GMER 1.0.15 ----


Since I had removed Norton products, I did not disable or re-enable any protection software.

STATUS: SAME

I will proceed to Rootkit Unhooker, and post another reply.
Note you asked for dump.dat, and as I said, the forum says "Error You aren't permitted to upload this kind of file"...


Thanks again

Al Schlafli
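
The MBRCheck dump/restore steps in post #10 and the GMER "copy of MBR" sector listing in post #11 both come down to reading raw sectors and comparing them. As an added example (not part of the thread, and not MBRCheck's or GMER's own code), the Python script below parses a 512-byte MBR, hashes its boot code, decodes the partition table (so the 0x7E00 offset MBRCheck printed falls out of the LBA 63 start), and flags sectors that are byte-identical copies of sector 0. The 64-sector image is constructed inline to match the shape of the GMER output; the device path \\.\PhysicalDrive0, the choice to hash only the first 440 bytes, and the placeholder boot-code bytes are this example's assumptions, not facts from the logs.

```python
"""Added example (not from the thread, MBRCheck or GMER): inspect a raw MBR dump.

Classic MBR layout used here: bytes 0-439 boot code, 440-443 disk signature,
446-509 four 16-byte partition entries, 510-511 the 0x55AA boot signature.
All sample data below is constructed; the customer's dump.dat is not reproduced.
"""
import hashlib
import struct

SECTOR = 512
BOOT_CODE_LEN = 440
DISK_SIG_OFFSET = 440
PT_OFFSET = 446
ENTRY_LEN = 16
BOOT_SIG_OFFSET = 510


def parse_mbr(sector: bytes) -> dict:
    """Decode one 512-byte sector as an MBR: signature check, boot-code hash, partition table."""
    if len(sector) != SECTOR:
        raise ValueError("expected one %d-byte sector, got %d bytes" % (SECTOR, len(sector)))
    partitions = []
    for i in range(4):
        off = PT_OFFSET + i * ENTRY_LEN
        status, ptype = sector[off], sector[off + 4]
        lba_start, count = struct.unpack_from("<II", sector, off + 8)
        if ptype == 0:  # empty slot
            continue
        partitions.append({
            "index": i,
            "bootable": status == 0x80,
            "type": ptype,
            "lba_start": lba_start,
            "sectors": count,
            # the same number MBRCheck prints as "at offset 0x...": LBA * 512
            "byte_offset": lba_start * SECTOR,
        })
    return {
        "valid_signature": sector[BOOT_SIG_OFFSET:BOOT_SIG_OFFSET + 2] == b"\x55\xAA",
        "boot_code_sha1": hashlib.sha1(sector[:BOOT_CODE_LEN]).hexdigest().upper(),
        "disk_signature": struct.unpack_from("<I", sector, DISK_SIG_OFFSET)[0],
        "partitions": partitions,
    }


def boot_code_matches(sector: bytes, known_good_sha1: str) -> bool:
    """Compare the boot-code hash with a reference hash taken from a known-clean machine.
    Hashing only the first 440 bytes is this example's choice: the disk signature and the
    partition table are machine-specific and would make every whole-sector hash differ."""
    return parse_mbr(sector)["boot_code_sha1"] == known_good_sha1.upper()


def find_mbr_copies(image: bytes, max_sectors: int = 64) -> list:
    """Sector numbers (1 .. max_sectors-1) whose contents are byte-identical to sector 0,
    which is what GMER labels 'copy of MBR'. Treat a hit as a lead, not a verdict; check
    the boot code against a known-good hash before rewriting anything."""
    mbr = image[:SECTOR]
    limit = min(max_sectors, len(image) // SECTOR)
    return [n for n in range(1, limit) if image[n * SECTOR:(n + 1) * SECTOR] == mbr]


def read_first_sectors(device: str = r"\\.\PhysicalDrive0", n: int = 64) -> bytes:
    r"""Read the first n sectors of a raw device; needs administrator rights on Windows.
    Opening \\.\PhysicalDrive0 as a file is this example's approach, not MBRCheck's."""
    with open(device, "rb") as f:
        return f.read(n * SECTOR)


def build_sample_image() -> bytes:
    """Constructed 64-sector image shaped like the GMER listing in the thread: sector 0 is the
    MBR, sectors 1-61 are exact copies of it, sector 62 is unrelated data, and sector 63 is an
    NTFS boot sector (partition 1 starts at LBA 63, i.e. byte offset 0x7E00)."""
    boot_code = b"\x33\xC0\x8E\xD0\xBC\x00\x7C" + b"\x90" * (BOOT_CODE_LEN - 7)  # placeholder, not real boot code
    disk_sig = struct.pack("<I", 0x1234ABCD) + b"\x00\x00"
    entry = bytes([0x80, 0x01, 0x01, 0x00, 0x07, 0xFE, 0xFF, 0xFF]) + struct.pack("<II", 63, 115_343_297)
    table = entry + b"\x00" * (ENTRY_LEN * 3)
    mbr = boot_code + disk_sig + table + b"\x55\xAA"
    vbr = b"\xEB\x52\x90NTFS    " + b"\x00" * (SECTOR - 13) + b"\x55\xAA"
    return mbr * 62 + b"\x00" * SECTOR + vbr


if __name__ == "__main__":
    img = build_sample_image()
    info = parse_mbr(img[:SECTOR])
    print("0x55AA signature present:", info["valid_signature"])
    print("boot code SHA1:", info["boot_code_sha1"])
    for p in info["partitions"]:
        print("partition %d: type 0x%02X, LBA %d (offset 0x%X), %d sectors, bootable=%s"
              % (p["index"], p["type"], p["lba_start"], p["byte_offset"], p["sectors"], p["bootable"]))
    print("sectors identical to the MBR:", find_mbr_copies(img))
```

Run as-is it parses the constructed image; to inspect a real drive, swap build_sample_image() for read_first_sectors() from an administrator prompt and compare the boot-code hash with one taken from a known-clean XP install. A byte-identical copy in the hidden sectors says nothing by itself about whether the code in sector 0 is clean, which is why the hash comparison sits next to the copy scan.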


#12 Al Schlafli (Topic Starter)

Posted 16 March 2011 - 12:31 PM

Here is the log from RootKit Unhooker

RkU Version: 3.8.388.590, Type LE (SR2)
==============================================
OS Name: Windows XP
Version 5.1.2600 (Service Pack 3)
Number of processors #1
==============================================
>Drivers
==============================================
0x804D7000 C:\WINDOWS\system32\ntoskrnl.exe 2188928 bytes (Microsoft Corporation, NT Kernel & System)
0x804D7000 PnpManager 2188928 bytes
0x804D7000 RAW 2188928 bytes
0x804D7000 WMIxWDM 2188928 bytes
0xBF800000 Win32k 1847296 bytes
0xBF800000 C:\WINDOWS\System32\win32k.sys 1847296 bytes (Microsoft Corporation, Multi-User Win32 Driver)
0xF9AB8000 C:\WINDOWS\system32\drivers\ALCXWDM.SYS 643072 bytes (Avance Logic, Inc., Avance AC'97 Audio Driver (WDM))
0xF9BCA000 C:\WINDOWS\System32\DRIVERS\ltmdmnt.sys 610304 bytes (LT, LT Windows Modem)
0xF9D2B000 Ntfs.sys 577536 bytes (Microsoft Corporation, NT File System Driver)
0xF7613000 C:\WINDOWS\System32\DRIVERS\mrxsmb.sys 458752 bytes (Microsoft Corporation, Windows NT SMB Minirdr)
0xBF9D5000 C:\WINDOWS\System32\s3gnb.dll 397312 bytes (S3 Graphics, Inc., S3 ProSavage(DDR) & Twister Display Driver)
0xF99FA000 C:\WINDOWS\System32\DRIVERS\update.sys 385024 bytes (Microsoft Corporation, Update Driver)
0xF7746000 C:\WINDOWS\System32\DRIVERS\tcpip.sys 364544 bytes (Microsoft Corporation, TCP/IP Protocol Driver)
0xF259A000 C:\WINDOWS\System32\DRIVERS\srv.sys 335872 bytes (Microsoft Corporation, Server driver)
0xF2776000 C:\WINDOWS\System32\Drivers\HTTP.sys 266240 bytes (Microsoft Corporation, HTTP Protocol Stack)
0xF7869000 C:\WINDOWS\System32\Drivers\cdudf_xp.SYS 262144 bytes (Roxio, CD-UDF NT Filesystem Driver)
0xF77C4000 C:\WINDOWS\System32\Drivers\UdfReadr_xp.SYS 217088 bytes (Roxio, CD-UDF NT Filesystem Reader Driver)
0xF9E5D000 ACPI.sys 188416 bytes (Microsoft Corporation, ACPI Driver for NT)
0xF28CF000 C:\WINDOWS\System32\DRIVERS\mrxdav.sys 184320 bytes (Microsoft Corporation, Windows NT WebDav Minirdr)
0xF9CFE000 NDIS.sys 184320 bytes (Microsoft Corporation, NDIS 5.1 wrapper driver)
0xF7683000 C:\WINDOWS\System32\DRIVERS\rdbss.sys 176128 bytes (Microsoft Corporation, Redirected Drive Buffering SubSystem Driver)
0xF9C9B000 C:\WINDOWS\system32\DRIVERS\s3gnbm.sys 167936 bytes (S3 Graphics, Inc., S3 ProSavage(DDR) & Twister Miniport Driver)
0xF76F6000 C:\WINDOWS\System32\DRIVERS\netbt.sys 163840 bytes (Microsoft Corporation, MBT Transport driver)
0xF76D0000 C:\WINDOWS\system32\DRIVERS\ipnat.sys 155648 bytes (Microsoft Corporation, IP Network Address Translator)
0xF780B000 C:\WINDOWS\System32\Drivers\DVDVRRdr_xp.SYS 147456 bytes (Roxio, DVDVR XP Filesystem Reader Driver)
0xF218B000 C:\WINDOWS\System32\Drivers\Fastfat.SYS 147456 bytes (Microsoft Corporation, Fast FAT File System Driver)
0xF9A94000 C:\WINDOWS\system32\drivers\portcls.sys 147456 bytes (Microsoft Corporation, Port Class (Class Driver for Port/Miniport Devices))
0xF9B55000 C:\WINDOWS\system32\DRIVERS\USBPORT.SYS 147456 bytes (Microsoft Corporation, USB 1.1 & 2.0 Port Driver)
0xF9B96000 C:\WINDOWS\System32\DRIVERS\ks.sys 143360 bytes (Microsoft Corporation, Kernel CSA Library)
0xF76AE000 C:\WINDOWS\System32\drivers\afd.sys 139264 bytes (Microsoft Corporation, Ancillary Function Driver for WinSock)
0xF2754000 C:\WINDOWS\system32\DRIVERS\litsgt.sys 139264 bytes
0x806EE000 ACPI_HAL 131840 bytes
0x806EE000 C:\WINDOWS\system32\hal.dll 131840 bytes (Microsoft Corporation, Hardware Abstraction Layer DLL)
0xF9DF5000 fltmgr.sys 131072 bytes (Microsoft Corporation, Microsoft Filesystem Filter Manager)
0xF9E2D000 ftdisk.sys 126976 bytes (Microsoft Corporation, FT Disk Driver)
0xF9B79000 C:\WINDOWS\System32\Drivers\pwd_2K.SYS 118784 bytes (Roxio, Win2000 Framework for Packet Write Driver)
0xF9CE4000 Mup.sys 106496 bytes (Microsoft Corporation, Multiple UNC Provider driver)
0xF9E15000 atapi.sys 98304 bytes (Microsoft Corporation, IDE/ATAPI Port Driver)
0xF75FB000 C:\WINDOWS\System32\Drivers\dump_atapi.sys 98304 bytes
0xF2CC3000 C:\WINDOWS\system32\dla\tfsnudfa.sys 98304 bytes (VERITAS Software, Inc., Direct Access Component)
0xF9DB8000 KSecDD.sys 94208 bytes (Microsoft Corporation, Kernel Security Support Provider Interface)
0xF9A69000 C:\WINDOWS\System32\DRIVERS\ndiswan.sys 94208 bytes (Microsoft Corporation, MS PPP Framing Driver (Strong Encryption))
0xF2CDB000 C:\WINDOWS\system32\dla\tfsnudf.sys 94208 bytes (VERITAS Software, Inc., Direct Access Component)
0xF29B6000 C:\WINDOWS\system32\drivers\wdmaud.sys 86016 bytes (Microsoft Corporation, MMSYSTEM Wave/Midi API mapper)
0xF9DCF000 drvmcdb.sys 81920 bytes (VERITAS Software, Inc., Device Driver)
0xF9A80000 C:\WINDOWS\System32\DRIVERS\parport.sys 81920 bytes (Microsoft Corporation, Parallel Port Driver)
0xF9C5F000 C:\WINDOWS\system32\DRIVERS\VIDEOPRT.SYS 81920 bytes (Microsoft Corporation, Video Port Driver)
0xF779F000 C:\WINDOWS\System32\DRIVERS\ipsec.sys 77824 bytes (Microsoft Corporation, IPSec Driver)
0xBF9C3000 C:\WINDOWS\System32\drivers\dxg.sys 73728 bytes (Microsoft Corporation, DirectX Graphics Driver)
0xF9DE3000 sr.sys 73728 bytes (Microsoft Corporation, System Restore Filesystem Filter Driver)
0xF9BB9000 C:\WINDOWS\System32\Drivers\Cdr4_xp.SYS 69632 bytes (Roxio, CDR4_XP CDR Helper)
0xF9E4C000 pci.sys 69632 bytes (Microsoft Corporation, NT Plug and Play PCI Enumerator)
0xF9A58000 C:\WINDOWS\System32\DRIVERS\psched.sys 69632 bytes (Microsoft Corporation, MS QoS Packet Scheduler)
0xFA08C000 C:\WINDOWS\System32\Drivers\Cdfs.SYS 65536 bytes (Microsoft Corporation, CD-ROM File System Driver)
0xF9F5C000 C:\WINDOWS\System32\DRIVERS\cdrom.sys 65536 bytes (Microsoft Corporation, SCSI CD-ROM Driver)
0xF9F8C000 C:\WINDOWS\system32\DRIVERS\serial.sys 65536 bytes (Microsoft Corporation, Serial Device Driver)
0xF9F7C000 C:\WINDOWS\system32\drivers\drmk.sys 61440 bytes (Microsoft Corporation, Microsoft Kernel DRM Descrambler Filter)
0xF9F6C000 C:\WINDOWS\System32\DRIVERS\redbook.sys 61440 bytes (Microsoft Corporation, Redbook Audio Filter Driver)
0xF2E92000 C:\WINDOWS\System32\Drivers\Scandrv.SYS 61440 bytes (Plustek Corporation., Plustek Parallel Port Class Driver.)
0xF2C03000 C:\WINDOWS\system32\drivers\sysaudio.sys 61440 bytes (Microsoft Corporation, System Audio WDM Filter)
0xFA01C000 C:\WINDOWS\system32\DRIVERS\usbhub.sys 61440 bytes (Microsoft Corporation, Default Hub Driver for USB)
0xF998A000 C:\WINDOWS\system32\dla\tfsnifs.sys 57344 bytes (VERITAS Software, Inc., Direct Access Component)
0xF9EEC000 C:\WINDOWS\System32\DRIVERS\CLASSPNP.SYS 53248 bytes (Microsoft Corporation, SCSI Class System Dll)
0xF9F9C000 C:\WINDOWS\System32\DRIVERS\i8042prt.sys 53248 bytes (Microsoft Corporation, i8042 Port Driver)
0xF9FAC000 C:\WINDOWS\System32\DRIVERS\rasl2tp.sys 53248 bytes (Microsoft Corporation, RAS L2TP mini-port/call-manager driver)
0xF9ECC000 VolSnap.sys 53248 bytes (Microsoft Corporation, Volume Shadow Copy Driver)
0xF9FCC000 C:\WINDOWS\System32\DRIVERS\raspptp.sys 49152 bytes (Microsoft Corporation, Peer-to-Peer Tunneling Protocol)
0xFA06C000 C:\WINDOWS\System32\Drivers\Fips.SYS 45056 bytes (Microsoft Corporation, FIPS Crypto Driver)
0xF9F3C000 C:\WINDOWS\system32\DRIVERS\imapi.sys 45056 bytes (Microsoft Corporation, IMAPI Kernel Driver)
0xF9EBC000 MountMgr.sys 45056 bytes (Microsoft Corporation, Mount Manager)
0xF9FBC000 C:\WINDOWS\System32\DRIVERS\raspppoe.sys 45056 bytes (Microsoft Corporation, RAS PPPoE mini-port/call-manager driver)
0xF9F2C000 C:\WINDOWS\System32\DRIVERS\amdk7.sys 40960 bytes (Microsoft Corporation, Processor Device Driver)
0xF999A000 C:\WINDOWS\system32\drivers\drvnddm.sys 40960 bytes (VERITAS Software, Inc., Device Driver Manager)
0xF9EAC000 isapnp.sys 40960 bytes (Microsoft Corporation, PNP ISA Bus Driver)
0xFA00C000 C:\WINDOWS\System32\Drivers\NDProxy.SYS 40960 bytes (Microsoft Corporation, NDIS Proxy)
0xF9FEC000 C:\WINDOWS\System32\DRIVERS\termdd.sys 40960 bytes (Microsoft Corporation, Terminal Server Driver)
0xF9F4C000 C:\WINDOWS\System32\Drivers\AFS2K.SYS 36864 bytes (Oak Technology Inc., Audio File System)
0xF9EDC000 disk.sys 36864 bytes (Microsoft Corporation, PnP Disk Driver)
0xF9FDC000 C:\WINDOWS\System32\DRIVERS\msgpc.sys 36864 bytes (Microsoft Corporation, MS General Packet Classifier)
0xFA04C000 C:\WINDOWS\System32\DRIVERS\netbios.sys 36864 bytes (Microsoft Corporation, NetBIOS interface driver)
0xF23E2000 C:\WINDOWS\System32\Drivers\Normandy.SYS 36864 bytes (RKU Driver)
0xF996A000 C:\WINDOWS\system32\dla\tfsncofs.sys 36864 bytes (VERITAS Software, Inc., Direct Access Component)
0xFA03C000 C:\WINDOWS\System32\DRIVERS\wanarp.sys 36864 bytes (Microsoft Corporation, MS Remote Access and Routing ARP Driver)
0xFA164000 C:\WINDOWS\System32\Drivers\Modem.SYS 32768 bytes (Microsoft Corporation, Modem Device Driver)
0xFA2B4000 C:\WINDOWS\System32\Drivers\Npfs.SYS 32768 bytes (Microsoft Corporation, NPFS Driver)
0xFA1B4000 C:\WINDOWS\system32\DRIVERS\fdc.sys 28672 bytes (Microsoft Corporation, Floppy Disk Controller Driver)
0xFA284000 C:\WINDOWS\System32\DRIVERS\HIDPARSE.SYS 28672 bytes (Microsoft Corporation, Hid Parsing Library)
0xFA12C000 C:\WINDOWS\System32\DRIVERS\PCIIDEX.SYS 28672 bytes (Microsoft Corporation, PCI IDE Bus Driver Extension)
0xFA294000 C:\WINDOWS\System32\DRIVERS\USBSTOR.SYS 28672 bytes (Microsoft Corporation, USB Mass Storage Class Driver)
0xFA144000 viaagp1.sys 28672 bytes (VIA Technologies, Inc., VIA NT AGP Filter)
0xFA184000 C:\WINDOWS\System32\Drivers\Cdralw2k.SYS 24576 bytes (Roxio, CDRAL for Windows 2000 Kernel Driver)
0xFA1DC000 C:\WINDOWS\System32\DRIVERS\kbdclass.sys 24576 bytes (Microsoft Corporation, Keyboard Class Driver)
0xFA244000 C:\WINDOWS\System32\Drivers\mmc_2K.SYS 24576 bytes (Roxio, CD-R/RW AddOn MMC Driver (W2K))
0xFA1D4000 C:\WINDOWS\System32\DRIVERS\mouclass.sys 24576 bytes (Microsoft Corporation, Mouse Class Driver)
0xFA16C000 C:\WINDOWS\System32\DRIVERS\RTL8139.SYS 24576 bytes (Realtek Semiconductor Corporation, Realtek RTL8139 NDIS 5.0 Driver)
0xFA274000 C:\WINDOWS\system32\drivers\ssrtln.sys 24576 bytes (VERITAS Software, Inc., Shared Driver Component)
0xFA1C4000 C:\WINDOWS\system32\dla\tfsnboio.sys 24576 bytes (VERITAS Software, Inc., Direct Access Component)
0xFA19C000 C:\WINDOWS\system32\DRIVERS\usbuhci.sys 24576 bytes (Microsoft Corporation, UHCI USB Miniport Driver)
0xFA28C000 C:\WINDOWS\System32\drivers\vga.sys 24576 bytes (Microsoft Corporation, VGA/Super VGA Video Driver)
0xFA224000 C:\WINDOWS\System32\DRIVERS\wanatw4.sys 24576 bytes (America Online, Inc., Wan Miniport (ATW))
0xFA254000 C:\WINDOWS\System32\DRIVERS\flpydisk.sys 20480 bytes (Microsoft Corporation, Floppy Driver)
0xFA2A4000 C:\WINDOWS\System32\Drivers\Msfs.SYS 20480 bytes (Microsoft Corporation, Mailslot driver)
0xFA134000 PartMgr.sys 20480 bytes (Microsoft Corporation, Partition Manager)
0xFA1CC000 C:\WINDOWS\System32\DRIVERS\point32.sys 20480 bytes (Microsoft Corporation, Point32.sys)
0xFA20C000 C:\WINDOWS\System32\DRIVERS\ptilink.sys 20480 bytes (Parallel Technologies, Inc., Parallel Technologies DirectParallel IO Library)
0xFA13C000 PxHelp20.sys 20480 bytes (Sonic Solutions, Px Engine Device Driver for Windows 2000/XP)
0xFA21C000 C:\WINDOWS\System32\DRIVERS\raspti.sys 20480 bytes (Microsoft Corporation, PTI DirectParallel® mini-port/call-manager driver)
0xFA1FC000 C:\WINDOWS\System32\DRIVERS\TDI.SYS 20480 bytes (Microsoft Corporation, TDI Wrapper)
0xFA1E4000 C:\WINDOWS\System32\watchdog.sys 20480 bytes (Microsoft Corporation, Watchdog Driver)
0xF291C000 C:\WINDOWS\System32\Drivers\Aspi32.SYS 16384 bytes (Adaptec, ASPI for WIN32 Kernel Driver)
0xFA378000 C:\WINDOWS\System32\DRIVERS\mssmbios.sys 16384 bytes (Microsoft Corporation, System Management BIOS Driver)
0xF2DA6000 C:\WINDOWS\System32\DRIVERS\ndisuio.sys 16384 bytes (Microsoft Corporation, NDIS User mode I/O Driver)
0xFA350000 C:\WINDOWS\system32\DRIVERS\serenum.sys 16384 bytes (Microsoft Corporation, Serial Port Enumerator)
0xF2E16000 C:\WINDOWS\system32\dla\tfsnopio.sys 16384 bytes (VERITAS Software, Inc., Direct Access Component)
0xFA2BC000 C:\WINDOWS\system32\BOOTVID.dll 12288 bytes (Microsoft Corporation, VGA Boot Driver)
0xF9C8F000 C:\WINDOWS\System32\drivers\Dxapi.sys 12288 bytes (Microsoft Corporation, DirectX API Driver)
0xFA35C000 C:\WINDOWS\System32\DRIVERS\gameenum.sys 12288 bytes (Microsoft Corporation, Game Port Enumerator)
0xFA364000 C:\WINDOWS\System32\DRIVERS\ndistapi.sys 12288 bytes (Microsoft Corporation, NDIS 3.0 connection wrapper driver)
0xFA34C000 C:\WINDOWS\System32\DRIVERS\rasacd.sys 12288 bytes (Microsoft Corporation, RAS Automatic Connection Driver)
0xF27F3000 C:\WINDOWS\system32\DRIVERS\tansgt.sys 12288 bytes
0xFA3CE000 C:\WINDOWS\System32\Drivers\Beep.SYS 8192 bytes (Microsoft Corporation, BEEP Driver)
0xFA3DC000 C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS 8192 bytes
0xFA3CA000 C:\WINDOWS\System32\Drivers\Fs_Rec.SYS 8192 bytes (Microsoft Corporation, File System Recognizer Driver)
0xFA3B2000 intelide.sys 8192 bytes (Microsoft Corporation, Intel PCI IDE Driver)
0xFA3AC000 C:\WINDOWS\system32\KDCOM.DLL 8192 bytes (Microsoft Corporation, Kernel Debugger HW Extension DLL)
0xFA3D2000 C:\WINDOWS\System32\Drivers\mnmdd.SYS 8192 bytes (Microsoft Corporation, Frame buffer simulator)
0xFA3D4000 C:\WINDOWS\System32\Drivers\ParVdm.SYS 8192 bytes (Microsoft Corporation, VDM Parallel Driver)
0xFA3D6000 C:\WINDOWS\System32\DRIVERS\RDPCDD.sys 8192 bytes (Microsoft Corporation, RDP Miniport)
0xFA3B8000 C:\WINDOWS\system32\drivers\sscdbhk5.sys 8192 bytes (VERITAS Software, Inc., Shared Driver Component)
0xFA3BE000 C:\WINDOWS\System32\DRIVERS\swenum.sys 8192 bytes (Microsoft Corporation, Plug and Play Software Device Enumerator)
0xFA400000 C:\WINDOWS\system32\dla\tfsnpool.sys 8192 bytes (VERITAS Software, Inc., Direct Access Component)
0xFA3C4000 C:\WINDOWS\system32\DRIVERS\USBD.SYS 8192 bytes (Microsoft Corporation, Universal Serial Bus Driver)
0xFA3B0000 viaide.sys 8192 bytes (Microsoft Corporation, Generic PCI IDE Bus Driver)
0xFA3AE000 C:\WINDOWS\system32\DRIVERS\WMILIB.SYS 8192 bytes (Microsoft Corporation, WMILIB WMI support library Dll)
0xFA52F000 C:\WINDOWS\System32\DRIVERS\audstub.sys 4096 bytes (Microsoft Corporation, AudStub Driver)
0xFA4D3000 C:\WINDOWS\System32\drivers\dxgthk.sys 4096 bytes (Microsoft Corporation, DirectX Graphics Driver Thunk)
0xFA52B000 C:\WINDOWS\system32\drivers\msmpu401.sys 4096 bytes (Microsoft Corporation, MPU401 Adapter Driver)
0xFA579000 C:\WINDOWS\System32\Drivers\Null.SYS 4096 bytes (Microsoft Corporation, NULL Driver)
0xFA474000 pciide.sys 4096 bytes (Microsoft Corporation, Generic PCI IDE Bus Driver)
0xFA5A6000 C:\WINDOWS\system32\dla\tfsndrct.sys 4096 bytes (VERITAS Software, Inc., Direct Access Component)
0xFA589000 C:\WINDOWS\system32\dla\tfsndres.sys 4096 bytes (VERITAS Software, Inc., Direct Access Component)
==============================================
>Stealth
==============================================
WARNING: Virus alike driver modification [hsfdpsp2.sys]
WARNING: Virus alike driver modification [atinrvxx.sys]
WARNING: Virus alike driver modification [ati1mdxx.sys]
WARNING: Virus alike driver modification [mdmxsdk.sys]
WARNING: Virus alike driver modification [wadv11nt.sys]
WARNING: Virus alike driver modification [ati1pdxx.sys]
WARNING: Virus alike driver modification [SymIDS.sys]
WARNING: Virus alike driver modification [mtlmnt5.sys]
WARNING: Virus alike driver modification [slnt7554.sys]
WARNING: Virus alike driver modification [mtlstrm.sys]
WARNING: Virus alike driver modification [slwdmsup.sys]
WARNING: Virus alike driver modification [recagent.sys]
WARNING: Virus alike driver modification [atinmdxx.sys]
WARNING: Virus alike driver modification [atinttxx.sys]
WARNING: Virus alike driver modification [atinpdxx.sys]
WARNING: Virus alike driver modification [ntmtlfax.sys]
WARNING: Virus alike driver modification [nv4_mini.sys]
WARNING: Virus alike driver modification [ati1ttxx.sys]
WARNING: Virus alike driver modification [Dvd_2k.sys]
WARNING: Virus alike driver modification [hsfbs2s2.sys]
WARNING: Virus alike driver modification [ati1snxx.sys]
WARNING: Virus alike driver modification [atinsnxx.sys]
WARNING: Virus alike driver modification [ati1xbxx.sys]
WARNING: Virus alike driver modification [ati1raxx.sys]
WARNING: Virus alike driver modification [atinxbxx.sys]
WARNING: Virus alike driver modification [ati2mtaa.sys]
WARNING: Virus alike driver modification [ati1xsxx.sys]
WARNING: Virus alike driver modification [ati1tuxx.sys]
WARNING: Virus alike driver modification [slntamr.sys]
WARNING: Virus alike driver modification [mtxparhm.sys]
WARNING: Virus alike driver modification [CDR4VSD.SYS]
WARNING: Virus alike driver modification [atinraxx.sys]
WARNING: Virus alike driver modification [ati1btxx.sys]
WARNING: Virus alike driver modification [atinbtxx.sys]
WARNING: Virus alike driver modification [atinxsxx.sys]
WARNING: Virus alike driver modification [ati1rvxx.sys]
WARNING: Virus alike driver modification [hsfcxts2.sys]
WARNING: Virus alike driver modification [ati2mtag.sys]
WARNING: Virus alike driver modification [atintuxx.sys]
WARNING: Virus alike driver modification [slnthal.sys]



STATUS: SAME

Al Schlafli
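The loaded-module listing and the >Stealth warnings above are long enough that triage by eye misses entries. The script below is an added example, not part of Al's post and not part of RKU or any other tool in this thread. It parses a constructed excerpt in the same line format (a few lines copied from the log above) and flags only what the log itself can show: modules with no vendor/description string, modules loaded from outside C:\WINDOWS\system32, and names in the >Stealth section that do not appear among the loaded modules. The regular expressions and the SYSTEM_PREFIX constant are my assumptions about the format; a flag is a prompt to hash the file and check its signature, not a verdict.

```python
import re

# Constructed excerpt in the same line format as the RKU listing above
# (a handful of real lines from it, not the whole log).
SAMPLE_LOG = r"""
0xFA00C000 C:\WINDOWS\System32\Drivers\NDProxy.SYS 40960 bytes (Microsoft Corporation, NDIS Proxy)
0xF9EDC000 disk.sys 36864 bytes (Microsoft Corporation, PnP Disk Driver)
0xF23E2000 C:\WINDOWS\System32\Drivers\Normandy.SYS 36864 bytes (RKU Driver)
0xFA244000 C:\WINDOWS\System32\Drivers\mmc_2K.SYS 24576 bytes (Roxio, CD-R/RW AddOn MMC Driver (W2K))
0xF27F3000 C:\WINDOWS\system32\DRIVERS\tansgt.sys 12288 bytes
0xFA3DC000 C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS 8192 bytes
==============================================
>Stealth
==============================================
WARNING: Virus alike driver modification [hsfdpsp2.sys]
WARNING: Virus alike driver modification [nv4_mini.sys]
"""

# One loaded-module line: base address, path (or a bare name when the boot
# loader mapped it), size, and an optional "(Vendor, Description)" suffix.
# Assumed format; paths containing spaces are not handled (the listing has none).
DRIVER_RE = re.compile(
    r"^(?P<base>0x[0-9A-Fa-f]+)\s+(?P<path>\S+)\s+(?P<size>\d+) bytes"
    r"(?:\s+\((?P<info>.*)\))?\s*$"
)
WARN_RE = re.compile(r"^WARNING: Virus alike driver modification \[(?P<name>[^\]]+)\]")

SYSTEM_PREFIX = "c:\\windows\\system32\\"   # assumed normal home for XP drivers


def parse_rku(text):
    """Return (drivers, warnings): drivers is a list of dicts, warnings the
    driver names listed in the >Stealth section."""
    drivers, warnings = [], []
    for line in text.splitlines():
        m = DRIVER_RE.match(line)
        if m:
            vendor = description = None
            if m.group("info"):
                # Vendor is everything before the first ", "; the description
                # may itself contain commas or parentheses (see the Roxio line).
                vendor, _, description = m.group("info").partition(", ")
                description = description or None
            path = m.group("path")
            drivers.append({
                "base": int(m.group("base"), 16),
                "path": path,
                "name": path.rsplit("\\", 1)[-1],
                "size": int(m.group("size")),
                "vendor": vendor,
                "description": description,
            })
            continue
        m = WARN_RE.match(line)
        if m:
            warnings.append(m.group("name"))
    return drivers, warnings


def triage(drivers, warnings):
    """Data-driven checks only: what the log itself can tell you."""
    findings = []
    loaded = {d["name"].lower() for d in drivers}
    for d in drivers:
        if d["vendor"] is None:
            findings.append((d["name"], "no vendor/description string: hash the file and check its signature"))
        if "\\" in d["path"] and not d["path"].lower().startswith(SYSTEM_PREFIX):
            findings.append((d["name"], "loaded from outside C:\\WINDOWS\\system32"))
    for name in warnings:
        if name.lower() not in loaded:
            findings.append((name, "named in >Stealth but not in the loaded-module list: check the service entry and whether the file exists"))
    return findings


if __name__ == "__main__":
    drivers, warnings = parse_rku(SAMPLE_LOG)
    print(f"{len(drivers)} loaded modules, {len(warnings)} stealth warnings")
    for name, reason in triage(drivers, warnings):
        print(f"  {name}: {reason}")
```

Run it as-is to see the constructed excerpt triaged; paste the full listing into SAMPLE_LOG, or read it from a saved log file, for a real machine.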

#13 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,512 posts
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:05:36 AM

Posted 16 March 2011 - 04:41 PM

Hello,

Something is just not adding up. I'm still seeing an infection. The tools that should be picking up and fixing this problem are not doing so. Please download a new copy of TDSSKiller to your desktop and run it. Then delete the copy of ComboFix you have on your desktop and download a fresh copy and run it.
You can refer here for the download sites http://www.bleepingcomputer.com/forums/topic383113.html/page__view__findpost__p__2166948



Let's also check some files to see if they're infected.


Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

Please click this link-->Jotti

When the jotti page has finished loading, click the Browse button and navigate each of the following files and click Submit.

c:\windows\explorer.exe
c:\windows\system32\dllcache\iexplore.exe

Please post back the results of the scan in your next post.

If Jotti is busy, try the same at Virustotal: http://www.virustotal.com/

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-


If I have helped you, consider making a donation to help me continue the fight against Malware!
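The file check above (submit c:\windows\explorer.exe and c:\windows\system32\dllcache\iexplore.exe to Jotti or VirusTotal) goes faster, and repeats cleanly across customer machines, if you hash the files locally first and compare each live copy with the one Windows File Protection keeps in system32\dllcache. The script below is an added example, not part of the post and not either scanner's own tooling. It assumes the XP layout (explorer.exe in C:\WINDOWS, iexplore.exe in C:\Program Files\Internet Explorer, the WFP cache in C:\WINDOWS\system32\dllcache) and builds a constructed temporary directory in that shape so it runs anywhere. The MD5/SHA-1 values are what the two sites let you search by, so a hash lookup can replace an upload. A match with the dllcache copy is not a clean bill of health: anything running as administrator can overwrite the cache copy too, which is why the copy expanded from the OEM CD is the better reference.

```python
import hashlib
import os
import tempfile

CHUNK = 1 << 16


def _digest(blocks):
    """Feed an iterable of byte blocks through MD5, SHA-1 and SHA-256 at once."""
    hashes = {"md5": hashlib.md5(), "sha1": hashlib.sha1(), "sha256": hashlib.sha256()}
    for block in blocks:
        for h in hashes.values():
            h.update(block)
    return {name: h.hexdigest() for name, h in hashes.items()}


def hash_bytes(data):
    return _digest([data])


def file_hashes(path):
    """MD5 and SHA-1 are what Jotti/VirusTotal let you search by; keep SHA-256 too."""
    with open(path, "rb") as f:
        return _digest(iter(lambda: f.read(CHUNK), b""))


def compare_pairs(pairs):
    """pairs: (live_path, cache_path). Returns {live_path: (verdict, hashes_or_None)}."""
    results = {}
    for live, cache in pairs:
        if not os.path.isfile(live):
            results[live] = ("missing-live", None)
            continue
        live_h = file_hashes(live)
        if not os.path.isfile(cache):
            results[live] = ("no-cache-copy", live_h)
        elif live_h["sha256"] == file_hashes(cache)["sha256"]:
            results[live] = ("match", live_h)
        else:
            results[live] = ("differs", live_h)
    return results


def xp_pairs(windir=r"C:\WINDOWS", progfiles=r"C:\Program Files"):
    """The two files named in the post, paired with their WFP cache copies.
    Assumed XP layout: explorer.exe in %SystemRoot%, iexplore.exe in
    Program Files\\Internet Explorer, the WFP cache in system32\\dllcache."""
    cache = os.path.join(windir, "system32", "dllcache")
    return [
        (os.path.join(windir, "explorer.exe"), os.path.join(cache, "explorer.exe")),
        (os.path.join(progfiles, "Internet Explorer", "iexplore.exe"),
         os.path.join(cache, "iexplore.exe")),
    ]


def _write(path, data):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)


def build_demo_tree():
    """Constructed stand-in for the XP directory layout so the script runs
    offline: explorer.exe matches its cache copy, iexplore.exe does not."""
    root = tempfile.mkdtemp(prefix="xpcheck_")
    windir = os.path.join(root, "WINDOWS")
    progfiles = os.path.join(root, "Program Files")
    cache = os.path.join(windir, "system32", "dllcache")
    stub = b"MZ" + b"\x00" * 62            # fake DOS header, constructed
    _write(os.path.join(windir, "explorer.exe"), stub + b"explorer body")
    _write(os.path.join(cache, "explorer.exe"), stub + b"explorer body")
    _write(os.path.join(progfiles, "Internet Explorer", "iexplore.exe"), stub + b"patched")
    _write(os.path.join(cache, "iexplore.exe"), stub + b"original")
    return windir, progfiles


def run_demo():
    windir, progfiles = build_demo_tree()
    return compare_pairs(xp_pairs(windir, progfiles))


if __name__ == "__main__":
    # On a real machine: compare_pairs(xp_pairs()), run either on the suspect
    # system or from a clean system with the suspect disk attached (adjust paths).
    for live, (verdict, h) in run_demo().items():
        print(f"{verdict:14} {live}  md5={h['md5'] if h else '-'}")
```

Search VirusTotal for the printed MD5 of each file before uploading anything; a "differs" verdict for a file that was just expanded from the OEM CD means something rewrote it after the repair.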


#14 Al Schlafli

Al Schlafli
  • Topic Starter

  • Members
  • 12 posts
  • Local time:03:36 AM

Posted 16 March 2011 - 06:36 PM

TDSSKiller - Seems the most recent version is zipped now.
2011/03/16 16:57:57.0280 2820 TDSS rootkit removing tool 2.4.21.0 Mar 10 2011 12:26:28
2011/03/16 16:57:57.0859 2820 ================================================================================
2011/03/16 16:57:57.0859 2820 SystemInfo:
2011/03/16 16:57:57.0859 2820
2011/03/16 16:57:57.0859 2820 OS Version: 5.1.2600 ServicePack: 3.0
2011/03/16 16:57:57.0859 2820 Product type: Workstation
2011/03/16 16:57:57.0859 2820 ComputerName: SUSAN
2011/03/16 16:57:57.0859 2820 UserName: me
2011/03/16 16:57:57.0859 2820 Windows directory: C:\WINDOWS
2011/03/16 16:57:57.0859 2820 System windows directory: C:\WINDOWS
2011/03/16 16:57:57.0859 2820 Processor architecture: Intel x86
2011/03/16 16:57:57.0859 2820 Number of processors: 1
2011/03/16 16:57:57.0859 2820 Page size: 0x1000
2011/03/16 16:57:57.0859 2820 Boot type: Normal boot
2011/03/16 16:57:57.0859 2820 ================================================================================
2011/03/16 16:57:58.0234 2820 Initialize success
2011/03/16 16:58:09.0923 2848 ================================================================================
2011/03/16 16:58:09.0923 2848 Scan started
2011/03/16 16:58:09.0923 2848 Mode: Manual;
2011/03/16 16:58:09.0923 2848 ================================================================================
2011/03/16 16:58:10.0970 2848 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2011/03/16 16:58:11.0220 2848 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
2011/03/16 16:58:11.0626 2848 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
2011/03/16 16:58:11.0829 2848 AFD (322d0e36693d6e24a2398bee62a268cd) C:\WINDOWS\System32\drivers\afd.sys
2011/03/16 16:58:12.0079 2848 AFS2K (0ebb674888cbdefd5773341c16dd6a07) C:\WINDOWS\system32\drivers\AFS2K.sys
2011/03/16 16:58:12.0907 2848 ALCXWDM (627909fdc8ed535e903fbb2f889dbc16) C:\WINDOWS\system32\drivers\ALCXWDM.SYS
2011/03/16 16:58:13.0392 2848 AmdK7 (8fce268cdbdd83b23419d1f35f42c7b1) C:\WINDOWS\system32\DRIVERS\amdk7.sys
2011/03/16 16:58:14.0470 2848 Aspi32 (8a0bfff5ac14084baf6fe66448441c5a) C:\WINDOWS\system32\drivers\Aspi32.sys
2011/03/16 16:58:14.0720 2848 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2011/03/16 16:58:14.0939 2848 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
2011/03/16 16:58:15.0376 2848 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2011/03/16 16:58:15.0626 2848 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2011/03/16 16:58:15.0892 2848 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2011/03/16 16:58:16.0392 2848 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2011/03/16 16:58:16.0611 2848 CCDECODE (0be5aef125be881c4f854c554f2b025c) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
2011/03/16 16:58:17.0033 2848 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2011/03/16 16:58:17.0283 2848 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
2011/03/16 16:58:17.0517 2848 Cdr4vsd (de446eca26479dfe406d30e8953490fa) C:\WINDOWS\system32\drivers\Cdr4vsd.sys
2011/03/16 16:58:17.0752 2848 Cdr4_xp (595d2f56dd1ad85a028e77fc720495f2) C:\WINDOWS\system32\drivers\Cdr4_xp.sys
2011/03/16 16:58:17.0986 2848 Cdralw2k (ac28c8814b9952f1852f8c742a6f63b5) C:\WINDOWS\system32\drivers\Cdralw2k.sys
2011/03/16 16:58:18.0314 2848 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2011/03/16 16:58:18.0564 2848 cdudf_xp (a690ae31c54e71207ff9755eadbcb7f2) C:\WINDOWS\system32\drivers\cdudf_xp.sys
2011/03/16 16:58:19.0955 2848 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
2011/03/16 16:58:20.0299 2848 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
2011/03/16 16:58:20.0643 2848 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
2011/03/16 16:58:20.0893 2848 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2011/03/16 16:58:21.0143 2848 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
2011/03/16 16:58:21.0611 2848 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
2011/03/16 16:58:21.0846 2848 drvmcdb (a605a3d1a946d7b9b8e011a056445136) C:\WINDOWS\system32\drivers\drvmcdb.sys
2011/03/16 16:58:22.0096 2848 drvnddm (394d65a0da6bd18eaca54ae4fef28054) C:\WINDOWS\system32\drivers\drvnddm.sys
2011/03/16 16:58:22.0346 2848 DVDVRRdr_xp (ded7e27d6bc4aa63d385a96edc654f47) C:\WINDOWS\system32\drivers\DVDVRRdr_xp.sys
2011/03/16 16:58:22.0565 2848 dvd_2K (89914a1a19beb6145ff574eafd52764f) C:\WINDOWS\system32\drivers\dvd_2K.sys
2011/03/16 16:58:22.0815 2848 eaps2kbd (53ce0799c9384cac99942ff032285f21) C:\WINDOWS\system32\DRIVERS\eaps2kbd.sys
2011/03/16 16:58:23.0112 2848 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
2011/03/16 16:58:23.0393 2848 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
2011/03/16 16:58:23.0643 2848 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
2011/03/16 16:58:23.0862 2848 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
2011/03/16 16:58:24.0112 2848 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
2011/03/16 16:58:24.0362 2848 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2011/03/16 16:58:24.0580 2848 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2011/03/16 16:58:24.0831 2848 gameenum (065639773d8b03f33577f6cdaea21063) C:\WINDOWS\system32\DRIVERS\gameenum.sys
2011/03/16 16:58:25.0049 2848 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2011/03/16 16:58:25.0331 2848 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
2011/03/16 16:58:25.0971 2848 HPZid412 (287a63bd8509bd78e7978823b38afa81) C:\WINDOWS\system32\DRIVERS\HPZid412.sys
2011/03/16 16:58:26.0221 2848 HPZipr12 (0b4fda2657c3e0315eaa57f9c6d4fd1f) C:\WINDOWS\system32\DRIVERS\HPZipr12.sys
2011/03/16 16:58:26.0456 2848 HPZius12 (29559db25258b60510a60c4e470fce32) C:\WINDOWS\system32\DRIVERS\HPZius12.sys
2011/03/16 16:58:26.0721 2848 HTTP (f6aacf5bce2893e0c1754afeb672e5c9) C:\WINDOWS\system32\Drivers\HTTP.sys
2011/03/16 16:58:27.0378 2848 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2011/03/16 16:58:27.0612 2848 i81x (007dbb8f9c35df8f8a20b8e7c1204b8b) C:\WINDOWS\system32\DRIVERS\i81xnt5.sys
2011/03/16 16:58:27.0831 2848 iAimFP0 (19f03895ce0b9e7fb514e67bb17edcb5) C:\WINDOWS\system32\DRIVERS\wADV01nt.sys
2011/03/16 16:58:28.0065 2848 iAimFP1 (479278c265b596c4fc1a2e0f51e70736) C:\WINDOWS\system32\DRIVERS\wADV02NT.sys
2011/03/16 16:58:28.0300 2848 iAimFP2 (66317ecbed58d15541cad4ed60888430) C:\WINDOWS\system32\DRIVERS\wADV05NT.sys
2011/03/16 16:58:28.0487 2848 iAimFP3 (5807920dcd9fe760ffd733a1297d164a) C:\WINDOWS\system32\DRIVERS\wSiINTxx.sys
2011/03/16 16:58:28.0706 2848 iAimFP4 (afb6725ddf3f417495ab99198979ffb1) C:\WINDOWS\system32\DRIVERS\wVchNTxx.sys
2011/03/16 16:58:28.0925 2848 iAimTV0 (3de116fe9fc7f15b0a5e0e611b344236) C:\WINDOWS\system32\DRIVERS\wATV01nt.sys
2011/03/16 16:58:29.0144 2848 iAimTV1 (275b8ec3a1aa555e3f1586eaf1302ac5) C:\WINDOWS\system32\DRIVERS\wATV02NT.sys
2011/03/16 16:58:29.0550 2848 iAimTV3 (31d5981e35d0f158cd1031e0ee74c6fe) C:\WINDOWS\system32\DRIVERS\wATV04nt.sys
2011/03/16 16:58:29.0753 2848 iAimTV4 (78b4456a11582a927e9b1eca87d1e4f6) C:\WINDOWS\system32\DRIVERS\wCh7xxNT.sys
2011/03/16 16:58:29.0972 2848 ialm (86ba1718dee415bcd63fbe35f425d874) C:\WINDOWS\system32\DRIVERS\ialmnt5.sys
2011/03/16 16:58:30.0269 2848 iComp (b100615d9497d205b065a985bc9d73c3) C:\WINDOWS\system32\DRIVERS\HCWUSB2.sys
2011/03/16 16:58:30.0581 2848 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
2011/03/16 16:58:31.0081 2848 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys
2011/03/16 16:58:31.0472 2848 ip6fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
2011/03/16 16:58:31.0722 2848 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2011/03/16 16:58:31.0956 2848 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2011/03/16 16:58:32.0191 2848 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2011/03/16 16:58:32.0425 2848 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2011/03/16 16:58:32.0660 2848 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
2011/03/16 16:58:32.0894 2848 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2011/03/16 16:58:33.0144 2848 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2011/03/16 16:58:33.0394 2848 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
2011/03/16 16:58:33.0644 2848 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
2011/03/16 16:58:33.0894 2848 KSecDD (1705745d900dabf2d89f90ebaddc7517) C:\WINDOWS\system32\drivers\KSecDD.sys
2011/03/16 16:58:34.0441 2848 litsgt (454b6c19c69ea71e83be967ab5444c55) C:\WINDOWS\system32\DRIVERS\litsgt.sys
2011/03/16 16:58:34.0754 2848 ltmodem5 (fa2ed4a054360f3f873c15420f1f19cc) C:\WINDOWS\system32\DRIVERS\ltmdmnt.sys
2011/03/16 16:58:35.0035 2848 MKEUSB01 (3317653c60730eaad5903107acbb3d58) C:\WINDOWS\system32\Drivers\MkeUsb01.sys
2011/03/16 16:58:35.0285 2848 mmc_2K (b3edb63f33a8eadf2636a86b5c744967) C:\WINDOWS\system32\drivers\mmc_2K.sys
2011/03/16 16:58:35.0519 2848 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2011/03/16 16:58:35.0769 2848 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
2011/03/16 16:58:36.0019 2848 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2011/03/16 16:58:36.0269 2848 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
2011/03/16 16:58:36.0488 2848 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
2011/03/16 16:58:36.0894 2848 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2011/03/16 16:58:37.0129 2848 MRxSmb (68755f0ff16070178b54674fe5b847b0) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2011/03/16 16:58:37.0426 2848 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
2011/03/16 16:58:37.0691 2848 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2011/03/16 16:58:37.0910 2848 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2011/03/16 16:58:38.0223 2848 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
2011/03/16 16:58:38.0457 2848 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2011/03/16 16:58:38.0676 2848 MSTEE (e53736a9e30c45fa9e7b5eac55056d1d) C:\WINDOWS\system32\drivers\MSTEE.sys
2011/03/16 16:58:38.0910 2848 ms_mpu401 (ca3e22598f411199adc2dfee76cd0ae0) C:\WINDOWS\system32\drivers\msmpu401.sys
2011/03/16 16:58:39.0160 2848 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
2011/03/16 16:58:39.0395 2848 NABTSFEC (5b50f1b2a2ed47d560577b221da734db) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
2011/03/16 16:58:39.0660 2848 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
2011/03/16 16:58:39.0879 2848 NdisIP (7ff1f1fd8609c149aa432f95a8163d97) C:\WINDOWS\system32\DRIVERS\NdisIP.sys
2011/03/16 16:58:40.0129 2848 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2011/03/16 16:58:40.0395 2848 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2011/03/16 16:58:40.0598 2848 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2011/03/16 16:58:40.0848 2848 NDProxy (6215023940cfd3702b46abc304e1d45a) C:\WINDOWS\system32\drivers\NDProxy.sys
2011/03/16 16:58:41.0161 2848 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
2011/03/16 16:58:41.0395 2848 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
2011/03/16 16:58:41.0707 2848 NETMDUSB (986acdece933131288f1957dc359865f) C:\WINDOWS\system32\Drivers\NETMDUSB.sys
2011/03/16 16:58:41.0911 2848 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
2011/03/16 16:58:42.0176 2848 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
2011/03/16 16:58:42.0473 2848 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2011/03/16 16:58:42.0708 2848 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2011/03/16 16:58:42.0911 2848 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2011/03/16 16:58:43.0145 2848 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
2011/03/16 16:58:43.0395 2848 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
2011/03/16 16:58:43.0630 2848 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2011/03/16 16:58:43.0848 2848 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
2011/03/16 16:58:44.0270 2848 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
2011/03/16 16:58:44.0536 2848 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
2011/03/16 16:58:46.0052 2848 PLUsbbc2 (deb5a23f8625d7d84daff899478a4893) C:\WINDOWS\system32\Drivers\usbbc2.sys
2011/03/16 16:58:46.0286 2848 Point32 (bd5a1efe9e08ba4b2770c3eab3a95d91) C:\WINDOWS\system32\DRIVERS\point32.sys
2011/03/16 16:58:46.0552 2848 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2011/03/16 16:58:46.0786 2848 Processor (a32bebaf723557681bfc6bd93e98bd26) C:\WINDOWS\system32\DRIVERS\processr.sys
2011/03/16 16:58:47.0067 2848 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
2011/03/16 16:58:47.0302 2848 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2011/03/16 16:58:47.0536 2848 pwd_2K (ed3cea80b2cd7506f3509457661cbdcd) C:\WINDOWS\system32\drivers\pwd_2K.sys
2011/03/16 16:58:47.0786 2848 PxHelp20 (183ef96bcc2ec3d5294cb2c2c0ecbcd1) C:\WINDOWS\system32\DRIVERS\PxHelp20.sys
2011/03/16 16:58:48.0958 2848 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2011/03/16 16:58:49.0224 2848 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2011/03/16 16:58:49.0458 2848 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2011/03/16 16:58:49.0693 2848 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2011/03/16 16:58:49.0927 2848 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2011/03/16 16:58:50.0349 2848 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2011/03/16 16:58:50.0662 2848 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
2011/03/16 16:58:50.0990 2848 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
2011/03/16 16:58:51.0318 2848 rtl8139 (d507c1400284176573224903819ffda3) C:\WINDOWS\system32\DRIVERS\RTL8139.SYS
2011/03/16 16:58:51.0568 2848 S3Psddr (0dbcc071a268e0340a2ba6bdd98bace4) C:\WINDOWS\system32\DRIVERS\s3gnbm.sys
2011/03/16 16:58:51.0646 2848 S3SavageNB (0dbcc071a268e0340a2ba6bdd98bace4) C:\WINDOWS\system32\DRIVERS\s3gnbm.sys
2011/03/16 16:58:51.0896 2848 Scandrv (29b1bd3248921af0b36ceb1370237516) C:\WINDOWS\system32\drivers\Scandrv.sys
2011/03/16 16:58:52.0193 2848 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2011/03/16 16:58:52.0459 2848 Serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
2011/03/16 16:58:52.0677 2848 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
2011/03/16 16:58:52.0928 2848 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
2011/03/16 16:58:53.0381 2848 SLIP (866d538ebe33709a5c9f5c62b73b7d14) C:\WINDOWS\system32\DRIVERS\SLIP.sys
2011/03/16 16:58:53.0818 2848 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
2011/03/16 16:58:54.0084 2848 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
2011/03/16 16:58:54.0365 2848 Srv (5252605079810904e31c332e241cd59b) C:\WINDOWS\system32\DRIVERS\srv.sys
2011/03/16 16:58:54.0615 2848 sscdbhk5 (0885506bd787a1ae7041ea1d0e0f7922) C:\WINDOWS\system32\drivers\sscdbhk5.sys
2011/03/16 16:58:54.0850 2848 ssrtln (a9e4acee2d7c9736cd753d630e13a386) C:\WINDOWS\system32\drivers\ssrtln.sys
2011/03/16 16:58:55.0084 2848 streamip (77813007ba6265c4b6098187e6ed79d2) C:\WINDOWS\system32\DRIVERS\StreamIP.sys
2011/03/16 16:58:55.0318 2848 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
2011/03/16 16:58:55.0553 2848 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
2011/03/16 16:58:56.0569 2848 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
2011/03/16 16:58:56.0819 2848 tansgt (65e9377beddba680da9034da3ed44725) C:\WINDOWS\system32\DRIVERS\tansgt.sys
2011/03/16 16:58:57.0084 2848 Tcpip (93ea8d04ec73a85db02eb8805988f733) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2011/03/16 16:58:57.0334 2848 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
2011/03/16 16:58:57.0553 2848 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
2011/03/16 16:58:57.0787 2848 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
2011/03/16 16:58:58.0037 2848 tfsnboio (471b28101ee53b965b836033d8fe7955) C:\WINDOWS\system32\dla\tfsnboio.sys
2011/03/16 16:58:58.0381 2848 tfsncofs (70766ef81e05ea358118468a722fa1f5) C:\WINDOWS\system32\dla\tfsncofs.sys
2011/03/16 16:58:58.0584 2848 tfsndrct (66fd0aac1648bc38cd3cd130a4ea12e0) C:\WINDOWS\system32\dla\tfsndrct.sys
2011/03/16 16:58:58.0819 2848 tfsndres (2b35fcaa75b1c475374d1474a1c2efe1) C:\WINDOWS\system32\dla\tfsndres.sys
2011/03/16 16:58:59.0038 2848 tfsnifs (7aaa22c17642d19c64b81caae888b43f) C:\WINDOWS\system32\dla\tfsnifs.sys
2011/03/16 16:58:59.0272 2848 tfsnopio (a56ebc32e332f66488cbf9c5ef4e084a) C:\WINDOWS\system32\dla\tfsnopio.sys
2011/03/16 16:58:59.0506 2848 tfsnpool (53809135b8eb9eb2b29525f125456741) C:\WINDOWS\system32\dla\tfsnpool.sys
2011/03/16 16:58:59.0725 2848 tfsnudf (03e0ce19e5f6a8009ebdc3cc087a6c9c) C:\WINDOWS\system32\dla\tfsnudf.sys
2011/03/16 16:59:00.0038 2848 tfsnudfa (3f8f05be8f1d68a598412927aeb57bd9) C:\WINDOWS\system32\dla\tfsnudfa.sys
2011/03/16 16:59:00.0428 2848 tj2knd5 (73b33c262b923a67f00212e80aa5d0f0) C:\WINDOWS\system32\DRIVERS\tj2knd5.sys
2011/03/16 16:59:00.0725 2848 tj2kunic (857f0f768298ee5e466e225d77100904) C:\WINDOWS\system32\DRIVERS\tj2kunic.sys
2011/03/16 16:59:01.0272 2848 UdfReadr_xp (a698c64feb06884e2bb836068b949900) C:\WINDOWS\system32\drivers\UdfReadr_xp.sys
2011/03/16 16:59:01.0538 2848 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
2011/03/16 16:59:01.0991 2848 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
2011/03/16 16:59:02.0304 2848 usbaudio (e919708db44ed8543a7c017953148330) C:\WINDOWS\system32\drivers\usbaudio.sys
2011/03/16 16:59:02.0522 2848 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
2011/03/16 16:59:02.0757 2848 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2011/03/16 16:59:02.0991 2848 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2011/03/16 16:59:03.0226 2848 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
2011/03/16 16:59:03.0460 2848 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
2011/03/16 16:59:03.0694 2848 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2011/03/16 16:59:03.0913 2848 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
2011/03/16 16:59:04.0132 2848 USB_RNDIS (bee793d4a059caea55d6ac20e19b3a8f) C:\WINDOWS\system32\DRIVERS\usb8023.sys
2011/03/16 16:59:04.0398 2848 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
2011/03/16 16:59:04.0648 2848 viaagp1 (099f10c7b9d4c7a2bf48d4c6eca1e7f1) C:\WINDOWS\system32\DRIVERS\viaagp1.sys
2011/03/16 16:59:04.0866 2848 ViaIde (3b3efcda263b8ac14fdf9cbdd0791b2e) C:\WINDOWS\system32\DRIVERS\viaide.sys
2011/03/16 16:59:05.0085 2848 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
2011/03/16 16:59:05.0398 2848 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2011/03/16 16:59:05.0663 2848 wanatw (0a716c08cb13c3a8f4f51e882dbf7416) C:\WINDOWS\system32\DRIVERS\wanatw4.sys
2011/03/16 16:59:05.0882 2848 wandrv (30211add92098d4b5cfadbf3da01e69b) C:\WINDOWS\system32\DRIVERS\wandrv.sys
2011/03/16 16:59:06.0320 2848 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
2011/03/16 16:59:06.0820 2848 WSTCODEC (c98b39829c2bbd34e454150633c62c78) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
2011/03/16 16:59:07.0132 2848 {6080A529-897E-4629-A488-ABA0C29B635E} (5b3d453a2f38105bcd0c573b94dea346) C:\WINDOWS\system32\drivers\ialmsbw.sys
2011/03/16 16:59:07.0429 2848 {D31A0762-0CEB-444e-ACFF-B049A1F6FE91} (e147bd61a697701096ca5c830a5adb90) C:\WINDOWS\system32\drivers\ialmkchw.sys
2011/03/16 16:59:07.0617 2848 ================================================================================
2011/03/16 16:59:07.0617 2848 Scan finished
2011/03/16 16:59:07.0617 2848 ================================================================================


ComboFix - new download, new log
BTW - Once I re-enabled all services / startup, and fixed up the network, I am able to use Firefox on the system to access the web. So ComboFix also installed the recovery tool...

ComboFix 11-03-16.01 - me 03/16/2011 17:36:07.3.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.223.123 [GMT -5:00]
Running from: c:\documents and settings\me\Desktop\ComboFix.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\compaq.reg
.
.
((((((((((((((((((((((((( Files Created from 2011-02-16 to 2011-03-16 )))))))))))))))))))))))))))))))
.
.
2011-03-16 22:50 . 2011-03-16 22:50 -------- d-----w- c:\windows\LastGood
2011-03-16 17:05 . 2011-03-15 20:03 80384 ----a-w- C:\MBRCheck.exe
2011-03-16 16:57 . 2011-03-16 16:57 -------- d-----w- c:\documents and settings\me\Application Data\Talkback
2011-03-16 16:57 . 2011-03-16 16:57 -------- d-----w- c:\documents and settings\me\Local Settings\Application Data\Mozilla
2011-03-15 23:00 . 2008-04-14 10:42 507904 ----a-w- c:\windows\system32\winlogon.ex_
2011-03-15 20:52 . 2011-03-16 22:50 -------- d-----w- c:\windows\system32\CatRoot2
2011-03-15 20:41 . 2001-08-17 18:56 7552 -c--a-w- c:\windows\system32\dllcache\sonypvu1.sys
2011-03-15 20:40 . 2001-08-17 19:56 245632 -c--a-w- c:\windows\system32\dllcache\s3savmx.dll
2011-03-15 20:39 . 2008-04-14 05:10 8832 -c--a-w- c:\windows\system32\dllcache\powerfil.sys
2011-03-15 20:38 . 2008-04-14 05:16 61696 -c--a-w- c:\windows\system32\dllcache\ohci1394.sys
2011-03-15 20:37 . 2008-04-14 05:16 49024 -c--a-w- c:\windows\system32\dllcache\mstape.sys
2011-03-15 20:37 . 2001-08-17 18:48 12416 -c--a-w- c:\windows\system32\dllcache\msriffwv.sys
2011-03-15 20:37 . 2008-04-14 05:24 22016 -c--a-w- c:\windows\system32\dllcache\msircomm.sys
2011-03-15 20:37 . 2001-08-17 19:02 35200 -c--a-w- c:\windows\system32\dllcache\msgame.sys
2011-03-15 20:37 . 2001-08-17 18:48 6016 -c--a-w- c:\windows\system32\dllcache\msfsio.sys
2011-03-15 20:37 . 2001-08-17 18:52 17280 -c--a-w- c:\windows\system32\dllcache\mraid35x.sys
2011-03-15 20:37 . 2001-08-17 18:57 16128 -c--a-w- c:\windows\system32\dllcache\modemcsa.sys
2011-03-15 20:37 . 2001-08-17 18:52 6528 -c--a-w- c:\windows\system32\dllcache\miniqic.sys
2011-03-15 20:37 . 2001-08-17 17:50 320384 -c--a-w- c:\windows\system32\dllcache\mgaum.sys
2011-03-15 20:37 . 2001-08-17 19:56 235648 -c--a-w- c:\windows\system32\dllcache\mgaud.dll
2011-03-15 20:35 . 2008-04-14 10:39 6144 -c--a-w- c:\windows\system32\dllcache\kbd106.dll
2011-03-15 20:34 . 2001-08-17 18:28 50751 -c--a-w- c:\windows\system32\dllcache\hsf_tone.sys
2011-03-15 20:33 . 2001-08-18 03:36 92160 -c--a-w- c:\windows\system32\dllcache\fuusd.dll
2011-03-15 20:32 . 2001-08-17 18:47 23808 -c--a-w- c:\windows\system32\dllcache\dot4usb.sys
2011-03-15 20:31 . 2001-08-17 18:51 6656 -c--a-w- c:\windows\system32\dllcache\cmdide.sys
2011-03-15 20:30 . 2001-08-17 18:51 13824 -c--a-w- c:\windows\system32\dllcache\bulltlp3.sys
2011-03-15 20:29 . 2001-08-17 19:07 56960 -c--a-w- c:\windows\system32\dllcache\aic78xx.sys
2011-03-15 20:28 . 2001-08-17 19:56 66048 -c--a-w- c:\windows\system32\dllcache\s3legacy.dll
2011-03-15 20:28 . 2008-04-14 05:54 2145280 -c--a-w- c:\windows\system32\dllcache\ntkrnlmp.exe
2011-03-04 23:25 . 2011-03-04 23:25 -------- d-----w- c:\documents and settings\me\Application Data\SUPERAntiSpyware.com
2011-03-04 23:25 . 2011-03-04 23:25 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-03-04 23:19 . 2011-03-04 23:19 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2011-03-04 16:18 . 2008-04-14 05:42 1033728 -c--a-w- c:\windows\system32\dllcache\explorer.exe
2011-03-04 16:18 . 2008-04-14 05:42 1033728 ----a-w- c:\windows\explorer.exe
2011-03-03 00:55 . 2010-12-20 23:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-03-03 00:55 . 2010-12-20 23:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-03-03 00:02 . 2008-04-14 09:41 10240 -c--a-w- c:\windows\system32\dllcache\tmigrate.dll
2011-03-03 00:02 . 2008-04-14 02:13 455168 -c--a-w- c:\windows\system32\dllcache\tintsetp.exe
2011-03-03 00:02 . 2008-04-14 02:13 44032 -c--a-w- c:\windows\system32\dllcache\tintlphr.exe
2011-03-03 00:02 . 2004-08-17 00:49 185344 -c--a-w- c:\windows\system32\dllcache\thawbrkr.dll
2011-03-03 00:00 . 2004-08-17 00:48 229439 -c--a-w- c:\windows\system32\dllcache\multibox.dll
2011-03-02 23:59 . 2004-08-17 00:47 10129408 -c--a-w- c:\windows\system32\dllcache\hwxkor.dll
2011-03-02 23:58 . 2004-08-17 00:48 54528 -c--a-w- c:\windows\system32\dllcache\cap7146.sys
2011-03-02 23:57 . 2004-05-13 05:39 876653 -c--a-w- c:\windows\system32\dllcache\fp4awel.dll
2011-03-02 23:44 . 2004-08-17 00:48 16384 -c--a-w- c:\windows\system32\dllcache\isignup.exe
2011-03-02 23:44 . 2004-08-17 00:48 16384 ----a-w- c:\program files\Internet Explorer\Connection Wizard\isignup.exe
2011-03-02 23:44 . 2008-04-14 09:41 7168 -c--a-w- c:\windows\system32\dllcache\bitsprx4.dll
2011-03-02 23:44 . 2008-04-14 09:41 7168 ----a-w- c:\windows\system32\bitsprx4.dll
2011-03-02 23:41 . 2008-04-14 09:42 53248 ----a-w- c:\windows\system32\tsgqec.dll
2011-03-02 23:41 . 2008-04-14 09:42 290304 -c--a-w- c:\windows\system32\dllcache\rhttpaa.dll
2011-03-02 23:41 . 2008-04-14 09:42 290304 ----a-w- c:\windows\system32\rhttpaa.dll
2011-03-02 23:41 . 2008-04-14 09:41 136192 -c--a-w- c:\windows\system32\dllcache\aaclient.dll
2011-03-02 23:41 . 2008-04-14 09:41 136192 ----a-w- c:\windows\system32\aaclient.dll
2011-03-02 23:35 . 2008-04-14 03:05 20992 -c--a-w- c:\windows\system32\dllcache\rtl8139.sys
2011-03-02 23:35 . 2008-04-14 03:05 20992 ----a-w- c:\windows\system32\drivers\RTL8139.sys
2011-03-02 23:29 . 2004-08-17 00:49 24661 -c--a-w- c:\windows\system32\dllcache\spxcoins.dll
2011-03-02 23:29 . 2004-08-17 00:49 24661 ----a-w- c:\windows\system32\spxcoins.dll
2011-03-02 23:29 . 2004-08-17 00:48 13312 -c--a-w- c:\windows\system32\dllcache\irclass.dll
2011-03-02 23:29 . 2004-08-17 00:48 13312 ----a-w- c:\windows\system32\irclass.dll
2011-03-02 23:29 . 2008-04-14 11:34 16535 ----a-r- c:\windows\SETD2.tmp
2011-03-02 23:29 . 2008-04-14 11:34 1088840 ----a-r- c:\windows\SETC6.tmp
2011-03-02 23:29 . 2008-04-14 11:40 1296669 ----a-r- c:\windows\SETC5.tmp
2011-03-02 18:18 . 2011-03-02 18:24 -------- d-----w- c:\windows\L2Schemas
2011-03-02 18:18 . 2011-03-02 18:24 -------- d-----w- c:\windows\system32\scripting
2011-03-02 18:18 . 2011-03-02 18:23 -------- d-----w- c:\windows\system32\en
2011-02-22 17:36 . 2011-02-22 17:36 -------- d-----w- c:\windows\system32\wbem\Repository
2011-02-21 23:52 . 2011-02-21 23:52 -------- d-----w- C:\$AVG
2011-02-19 00:57 . 2011-02-19 00:57 -------- d-----w- c:\documents and settings\me\Application Data\Malwarebytes
2011-02-19 00:57 . 2011-02-19 00:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-02-19 00:57 . 2011-03-03 00:58 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2006-07-21 19:14 . 2006-07-21 19:14 60526 ----a-w- c:\program files\mozilla firefox\components\jar50.dll
2006-07-21 19:14 . 2006-07-21 19:14 49256 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll
2006-07-21 19:14 . 2006-07-21 19:14 166000 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2011-01-13 2424560]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
"PhotoShow Deluxe Media Manager"="c:\progra~1\SIMPLE~1\PHOTOS~1\data\Xtras\mssysmgr.exe" [2005-01-22 163840]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WCOLOREAL"="c:\program files\COMPAQ\Coloreal\coloreal.exe" [2002-02-21 143360]
"type32"="c:\program files\Microsoft IntelliType Pro\type32.exe" [2004-03-19 184320]
"ToolKit"="c:\program files\SeagateToolkit\Toolkit.exe" [2005-03-24 888832]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2006-07-21 180269]
"tgcmd"="c:\program files\Support.com\bin\tgcmd.exe" [2005-06-15 1757184]
"SunJavaUpdateSched"="c:\program files\Java\j2re1.4.2_11\bin\jusched.exe" [2006-02-13 32881]
"StorageGuard"="c:\program files\VERITAS Software\Update Manager\sgtray.exe" [2002-05-09 155648]
"srmclean"="c:\cpqs\Scom\srmclean.exe" [2001-07-25 36864]
"SRFirstRun"="srclient.dll" [2008-04-14 67584]
"RoxioEngineUtility"="c:\program files\Common Files\Roxio Shared\System\EngUtil.exe" [2003-05-01 65536]
"RoxioDragToDisc"="c:\program files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe" [2003-10-21 868352]
"RoxioAudioCentral"="c:\program files\Roxio\Easy CD Creator 6\AudioCentral\RxMon.exe" [2003-07-15 319488]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-07-05 212992]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2004-06-22 98304]
"Malwarebytes' Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\xyz.exe" [2010-12-20 963976]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\point32.exe" [2004-03-19 212992]
"IgfxTray"="c:\windows\System32\igfxtray.exe" [2002-05-15 155648]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 52736]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd.exe" [2003-08-04 49152]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 241664]
"HotKeysCmds"="c:\windows\System32\hkcmd.exe" [2002-05-15 114688]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2002-07-16 106549]
"CookieWall"="c:\program files\AnalogX\CookieWall\cookie.exe" [2005-08-04 97796]
"AOLDialer"="c:\program files\Common Files\AOL\ACS\AOLDial.exe" [2004-04-07 496752]
"AOL Spyware Protection"="c:\progra~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe" [2004-07-08 78960]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"tscuninstall"="c:\windows\system32\tscupgrd.exe" [2004-08-04 44544]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-24 29696]
Google Updater.lnk - c:\program files\Google\Google Updater\GoogleUpdater.exe [2006-7-21 111600]
ipalm Monitor 1.0.lnk - c:\program files\ipalm Camera Driver 1.0\ipalmmon.exe [2006-6-24 61440]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Speed Disk service"=2 (0x2)
"SBService"=2 (0x2)
"NProtectService"=2 (0x2)
"navapsvc"=2 (0x2)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\support.com\\bin\\tgcmd.exe"=
"c:\\Program Files\\America Online 9.0\\waol.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1344:UDP"= 1344:UDP:Windows Media Format SDK (waol.exe)
"1345:UDP"= 1345:UDP:Windows Media Format SDK (waol.exe)
.
R2 litsgt;litsgt;c:\windows\system32\drivers\litsgt.sys [1/11/2006 8:15 PM 137344]
R2 Scandrv;Plustek Scanner;c:\windows\system32\drivers\SCANDRV.SYS [1/5/2003 2:27 AM 195120]
R2 tansgt;tansgt;c:\windows\system32\drivers\tansgt.sys [1/11/2006 8:15 PM 12032]
S0 Cdr4vsd;Cdr4vsd;c:\windows\system32\drivers\CDR4VSD.SYS [2/12/2004 1:32 PM 47520]
S2 MKEUSB01;%MKEUSB01.SvcDesc%;c:\windows\system32\drivers\MkeUsb01.sys [2/14/2003 4:40 AM 26288]
S2 msCMTSrvc;Content Monitoring Tool;c:\windows\system32\msCMTSrvc.exe --> c:\windows\system32\msCMTSrvc.exe [?]
S3 iComp;Hauppauge WinTV PVR USB2 Encoder;c:\windows\system32\drivers\HCWUSB2.sys [10/6/2005 2:49 PM 1442752]
S3 PLUsbbc2;High-Speed USB Bridge Cable Driver;c:\windows\system32\drivers\usbbc2.sys [10/5/2006 3:10 PM 8960]
S3 tj2knd5;Terayon Cable Modem (NDIS);c:\windows\system32\drivers\tj2knd5.sys [4/10/2005 3:15 AM 17616]
S3 tj2kunic;Terayon Cable Modem (WDM);c:\windows\system32\drivers\tj2kunic.sys [4/10/2005 3:15 AM 69680]
.
Contents of the 'Scheduled Tasks' folder
.
2003-10-04 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2002-08-02 07:04]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.adelphia.net/
IE: &AOL Toolbar search - c:\program files\AOL Toolbar\toolbar.dll/SEARCH.HTML
IE: {{2ef50289-0ea7-482e-a30b-4947a81e44cf} - c:\program files\Trillian\Trillian
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {0612502E-29F8-11D6-BC3C-00C0F0167E34} - hxxp://www.crsdata.net/CRSDataObject/CRSNInfo.cab
FF - ProfilePath - c:\documents and settings\me\Application Data\Mozilla\Firefox\Profiles\l025fwuo.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-Run-Pure Networks Port Magic - c:\progra~1\PURENE~1\PORTMA~1\PortAOL.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-03-16 17:53
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(532)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\netdde.exe
c:\progra~1\COMMON~1\AOL\ACS\AOLacsd.exe
c:\program files\compaq\Compaq Advisor\bin\compaq-rba.exe
c:\program files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
c:\windows\wanmpsvc.exe
c:\windows\System32\MsPMSPSv.exe
c:\windows\system32\WgaTray.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2011-03-16 18:06:49 - machine was rebooted
ComboFix-quarantined-files.txt 2011-03-16 23:06
ComboFix2.txt 2011-03-14 20:31
ComboFix3.txt 2011-02-22 18:19
.
Pre-Run: 46,762,799,104 bytes free
Post-Run: 46,542,221,312 bytes free
.
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /noexecute=optin
.
- - End Of File - - 4BD13C404E85E06CC0C5E17FAEC529EA

Also ran Jotti on both files as you asked - both had been scanned before, and neither one reported any infections/problems...

Onward and upward!
Oh yeah, if computers were easy to fix, then everyone would do it! If it's fixable, it will be a 5 minute fix - just takes hours to find...

Al Schlafli

#15 fireman4it

fireman4it

    Bleepin' Fireman


  • Malware Response Team
  • 13,512 posts
  • OFFLINE
  • Gender:Male
  • Location:Greenup, Ill USA
  • Local time:05:36 AM

Posted 16 March 2011 - 08:36 PM

Hello,

I'm consulting some of the other experts here to see what they think. I will be back with a possible solution soon.

" Extinguishing Malware from the world"

The Virus, Trojan, Spyware, and Malware Removal forum is very busy. If I'm helping you and I've not posted back within 24 hrs., send a PM with your topic link. Thank you.

ALL OTHER HELP REQUESTS VIA THE PM SYSTEM WILL BE IGNORED. The Forums are there for a reason!
Thanks-



If I have helped you, consider making a donation to help me continue the fight against Malware!

