
Issues Remain After Contracting Antimal Doctor


  • This topic is locked
29 replies to this topic

#1 dominicrouse

  • Members
  • 16 posts

Posted 13 April 2011 - 09:23 AM

Antimal Doctor window appeared last week. Upon next start up got black screen with flashing cursor. To load Windows, I now have to hit F2 on power up, exit BIOS, then Windows will start up. Getting redirect in Firefox. System slow. Google search suggestions don't work anymore but the feature is turned on. Please advise...

System:
Windows XP Version 5.1 (Build 2600.xpsp_sp3_gdr.101209-1647:Service Pack 3)

Browser:
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.6) Gecko/20100625 Firefox/3.6.6 GTB7.1 ( .NET CLR 3.5.30729)

Programs:
Malwarebytes Anti-Malware PRO (purchased after infection)
Ad-Aware Total Security (purchased after infection)
RegTweaker (purchased after infection)
HijackThis
CWShredder
SmitfraudFix
iExplore (found no scripts running)

Ok, as per the:

Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help

...please see below and the attachment...thanks

D

Attached File: Attach.txt (20.52KB)

.
DDS (Ver_11-03-05.01) - NTFSx86
Run by Dominic at 16:12:15.23 on 13/04/2011
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_21
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1015.389 [GMT -4:00]
.
AV: Ad-Aware Total Security *Enabled/Updated* {71310606-6F3B-49F2-9A81-8315AA75FBB3}
FW: Ad-Aware Personal Firewall *Enabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Common Files\G Data\GDScan\GDScan.exe
C:\Program Files\Lavasoft\Ad-Aware Total Security\AVK\AVKWCtl.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Common Files\G Data\AVKProxy\AVKProxy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware Total Security\AVK\AVKService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Nero\Update\NASvc.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Lavasoft\Ad-Aware Total Security\Firewall\GDFwSvc.exe
C:\Program Files\EeePC\ACPI\AsAcpiSvr.exe
C:\Program Files\EeePC\ACPI\AsEPCMon.exe
C:\Program Files\EeePC\ACPI\AsTray.exe
C:\WINDOWS\system32\igfxtray.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Synaptics\SynTP\SynAsusAcpi.exe
C:\WINDOWS\AsScrPro.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ASUS\EeePC\Super Hybrid Engine\SuperHybridEngine.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\igfxext.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Lavasoft\Ad-Aware Total Security\AVK\AVK.exe
C:\Documents and Settings\Dominic\Desktop\dds.scr
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.msn.com
mStart Page = hxxp://www.msn.com
BHO: Ad-Aware WebFilter: {0124123d-61b4-456f-af86-78c53a0790c5} - c:\program files\lavasoft\ad-aware total security\webfilter\AvkWebIE.dll
BHO: QuickNet BHO: {ea5ca8b6-9b9c-4994-a7a1-947b6c631be7} - c:\program files\regtweaker\key.dll
TB: Ad-Aware WebFilter: {0124123d-61b4-456f-af86-78c53a0790c5} - c:\program files\lavasoft\ad-aware total security\webfilter\AvkWebIE.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} -
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
mRun: [AsusACPIServer] c:\program files\eeepc\acpi\AsAcpiSvr.exe
mRun: [AsusEPCMonitor] c:\program files\eeepc\acpi\AsEPCMon.exe
mRun: [AsusTray] c:\program files\eeepc\acpi\AsTray.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [SynAsusAcpi] c:\program files\synaptics\syntp\SynAsusAcpi.exe
mRun: [ASUS Screen Saver Protector] c:\windows\AsScrPro.exe
mRun: [RTHDCPL] RTHDCPL.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\superh~1.lnk - c:\program files\asus\eeepc\super hybrid engine\SuperHybridEngine.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office12\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
Handler: intu-tt2010 - {97A0575E-2309-4e75-8509-B1F9390C4DE7} - c:\program files\turbotax 2010\ic2010pp.dll
Notify: igfxcui - igfxdev.dll
Notify: LBTWlgn - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
AppInit_DLLs: c:\progra~1\google\google~2\GOEC62~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\docume~1\dominic\applic~1\mozilla\firefox\profiles\xqcl2m4i.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.ca/
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&q=
FF - component: c:\documents and settings\dominic\application data\mozilla\firefox\profiles\xqcl2m4i.default\extensions\{1105fc58-3295-4308-bace-00e344be1cc7}\components\RadioWMPCoreGecko19.dll
FF - component: c:\documents and settings\dominic\application data\mozilla\firefox\profiles\xqcl2m4i.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - component: c:\documents and settings\dominic\application data\mozilla\firefox\profiles\xqcl2m4i.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbar-ff3.dll
FF - component: c:\documents and settings\dominic\application data\mozilla\firefox\profiles\xqcl2m4i.default\extensions\engine@conduit.com\components\RadioWMPCoreGecko19.dll
FF - component: c:\program files\mozilla firefox\extensions\{9aa46f4f-4dc7-4c06-97af-5035170633fe}\components\AvkWebFilterFF.dll
FF - plugin: c:\documents and settings\dominic\application data\mozilla\firefox\profiles\xqcl2m4i.default\extensions\firefox@tvunetworks.com\plugins\npTVUAx.dll
FF - plugin: c:\documents and settings\dominic\application data\mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\dominic\application data\mozilla\plugins\npgtpo3dautoplugin.dll
FF - plugin: c:\documents and settings\dominic\local settings\application data\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - plugin: c:\windows\system32\tvuax\npTVUAx.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Ext: Ad-Aware WebFilter: {9AA46F4F-4DC7-4c06-97AF-5035170633FE} - c:\program files\mozilla firefox\extensions\{9AA46F4F-4DC7-4c06-97AF-5035170633FE}
FF - Ext: Xmarks: foxmarks@kei.com - %profile%\extensions\foxmarks@kei.com
FF - Ext: Google Toolbar for Firefox: {3112ca9c-de6d-4884-a869-9855de68056c} - %profile%\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: YouTube mp3: info@youtube-mp3.org - %profile%\extensions\info@youtube-mp3.org
FF - Ext: Gmail Notifier: {44d0a1b4-9c90-4f86-ac92-8680b5d6549e} - %profile%\extensions\{44d0a1b4-9c90-4f86-ac92-8680b5d6549e}
FF - Ext: Zoom toolbar: {FBFB7597-9E32-46b4-A500-8B6B0412777F} - %profile%\extensions\{FBFB7597-9E32-46b4-A500-8B6B0412777F}
FF - Ext: PageZoom Buttons: 54c7d9671b9eccd9e5686a73df34ab60@button.codefisher.org - %profile%\extensions\54c7d9671b9eccd9e5686a73df34ab60@button.codefisher.org
FF - Ext: TVU Web Player: firefox@tvunetworks.com - %profile%\extensions\firefox@tvunetworks.com
FF - Ext: Conduit Engine : engine@conduit.com - %profile%\extensions\engine@conduit.com
FF - Ext: ALMANSOORI WIRELINE SERVICES Community Toolbar: {1105fc58-3295-4308-bace-00e344be1cc7} - %profile%\extensions\{1105fc58-3295-4308-bace-00e344be1cc7}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
FF - Ext: XULRunner: {6D791525-EE5B-43F0-A819-ECD8A4C2FE84} - c:\documents and settings\dominic\local settings\application data\{6D791525-EE5B-43F0-A819-ECD8A4C2FE84}
.
============= SERVICES / DRIVERS ===============
.
R0 GDBehave;GDBehave;c:\windows\system32\drivers\GDBehave.sys [2011-4-11 33480]
R0 GDNdisIc;GDNdisIc;c:\windows\system32\drivers\GDNdisIc.sys [2011-4-11 29640]
R1 AsUpIO;AsUpIO;c:\windows\system32\drivers\AsUpIO.sys [2010-6-23 11448]
R1 GDMnIcpt;GDMnIcpt;c:\windows\system32\drivers\MiniIcpt.sys [2011-4-11 62024]
R1 GRD;G Data Rootkit Detector Driver;c:\windows\system32\drivers\GRD.sys [2011-4-11 68976]
R1 HookCentre;HookCentre;c:\windows\system32\drivers\HookCentre.sys [2011-4-11 38600]
R2 AVKProxy;Ad-Aware Total Security Proxy;c:\program files\common files\g data\avkproxy\AVKProxy.exe [2010-6-29 1081384]
R2 AVKService;Ad-Aware Scheduler;c:\program files\lavasoft\ad-aware total security\avk\AVKService.exe [2010-6-29 412944]
R2 AVKWCtl;Ad-Aware Filesystem Monitor;c:\program files\lavasoft\ad-aware total security\avk\AVKWCtl.exe [2010-6-23 1635672]
R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [2009-6-23 55152]
R2 GDTdiInterceptor;GDTdiInterceptor;c:\windows\system32\drivers\GDTdiIcpt.sys [2011-4-11 51400]
R2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [2010-9-22 10384]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-4-4 363344]
R2 NAUpdate;@c:\program files\nero\update\nasvc.exe,-200;c:\program files\nero\update\NASvc.exe [2010-5-4 503080]
R3 GDFwSvc;Ad-Aware Personal Firewall;c:\program files\lavasoft\ad-aware total security\firewall\GDFwSvc.exe [2010-6-15 1834432]
R3 GDScan;Ad-Aware Scanner;c:\program files\common files\g data\gdscan\GDScan.exe [2010-6-29 624064]
R3 L1c;NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller;c:\windows\system32\drivers\l1c51x86.sys [2009-6-1 38912]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-4-4 20952]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-4-30 136176]
S2 HidCom;USB-HID -> COM Driver Service;c:\windows\system32\drivers\HidCom.sys [2005-11-9 21016]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2009-6-22 1684736]
S3 fsssvc;Windows Live Family Safety;c:\program files\windows live\family safety\fsssvc.exe [2009-2-6 533360]
S3 GDBackupSvc;Ad-Aware Backup Service;c:\program files\lavasoft\ad-aware total security\avkbackup\AVKBackupService.exe [2010-6-29 911976]
S3 GDTunerSvc;Ad-Aware Tuner Service;c:\program files\lavasoft\ad-aware total security\avktuner\AVKTunerService.exe [2010-6-29 1234896]
S3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\google\google desktop search\GoogleDesktop.exe [2011-2-9 30192]
S3 Netaapl;Apple Mobile Device Ethernet Service;c:\windows\system32\drivers\netaapl.sys [2009-10-31 18432]
S3 uvclf;uvclf;c:\windows\system32\drivers\uvclf.sys [2009-6-1 39040]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys --> c:\windows\system32\drivers\wdcsam.sys [?]
.
=============== Created Last 30 ================
.
2011-04-13 17:17:28 -------- d-----w- c:\docume~1\dominic\applic~1\Intuit Canada
2011-04-13 17:17:08 -------- d-----w- c:\program files\common files\Intuit
2011-04-13 17:17:01 -------- d-----w- c:\program files\TurboTax 2010
2011-04-13 17:16:47 -------- d-----w- c:\docume~1\alluse~1\applic~1\Intuit Canada
2011-04-13 13:52:48 -------- d-----w- c:\docume~1\dominic\locals~1\applic~1\G DATA
2011-04-12 03:36:51 68976 ----a-w- c:\windows\system32\drivers\GRD.sys
2011-04-12 02:26:51 15880 ----a-w- c:\windows\system32\lsdelete.exe
2011-04-12 02:26:41 137288 ----a-w- c:\program files\mozilla firefox\extensions\{9aa46f4f-4dc7-4c06-97af-5035170633fe}\components\AvkWebFilterFF.dll
2011-04-12 02:26:19 51400 ----a-w- c:\windows\system32\drivers\GDTdiIcpt.sys
2011-04-12 02:26:19 29640 ----a-w- c:\windows\system32\drivers\GDNdisIc.sys
2011-04-12 02:26:14 62024 ----a-w- c:\windows\system32\drivers\MiniIcpt.sys
2011-04-12 02:26:14 38600 ----a-w- c:\windows\system32\drivers\HookCentre.sys
2011-04-12 02:26:14 33480 ----a-w- c:\windows\system32\drivers\GDBehave.sys
2011-04-12 02:24:50 -------- d-----w- c:\program files\Lavasoft
2011-04-12 02:24:50 -------- d-----w- c:\program files\common files\G Data
2011-04-12 02:24:50 -------- d-----w- c:\docume~1\alluse~1\applic~1\G DATA
2011-04-11 22:44:16 2686 ----a-w- c:\windows\system32\tmp.reg
2011-04-11 20:14:41 -------- d--h--w- c:\windows\PIF
2011-04-09 00:04:58 -------- d-----w- c:\program files\RegTweaker
2011-04-06 01:12:38 -------- d-----w- c:\docume~1\dominic\locals~1\applic~1\PCHealth
2011-04-04 20:00:12 -------- d-----w- c:\docume~1\dominic\applic~1\Malwarebytes
2011-04-04 17:55:38 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-04-04 17:55:37 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2011-04-04 17:55:34 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-04-04 17:55:34 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-04-04 16:51:07 0 ----a-w- c:\windows\Edutik.bin
2011-04-04 16:51:05 -------- d-----w- c:\docume~1\dominic\locals~1\applic~1\{6D791525-EE5B-43F0-A819-ECD8A4C2FE84}
.
==================== Find3M ====================
.
2011-02-09 13:53:52 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53:52 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-02 07:58:35 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-01-27 11:57:06 677888 ----a-w- c:\windows\system32\mstsc.exe
2011-01-21 14:44:37 439296 ----a-w- c:\windows\system32\shimgvw.dll
2010-04-25 08:06:43 249856 ----a-w- c:\program files\SOUNDPAD.EXE
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: ST916031 rev.0002 -> Harddisk0\DR0 -> \Device\Ide\iaStor0
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x867C1439]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x867c77d0]; MOV EAX, [0x867c784c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x8717D7A8]
3 CLASSPNP[0xF74C8FD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\0000006f[0x8715B250]
5 ACPI[0xF735F620] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x87167028]
\Driver\iaStor[0x87165950] -> IRP_MJ_CREATE -> 0x867C1439
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; MOV ES, AX; MOV DS, AX; MOV SI, 0x7c00; MOV DI, 0x600; MOV CX, 0x200; CLD ; REP MOVSB ; PUSH AX; PUSH 0x61c; RETF ; STI ; PUSHA ; MOV CX, 0x147; MOV BP, 0x62a; ROR BYTE [BP+0x0], CL; INC BP; }
detected disk devices:
\Device\Ide\IAAStorageDevice-0 -> \??\IDE#DiskST9160314AS_____________________________0002SDM1#4&44f0d94&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
user != kernel MBR !!!
sectors 312581806 (+255): user != kernel
Warning: possible TDL4 rootkit infection !
TDL4 rootkit infection detected ! Use: "mbr.exe -f" to fix.
.
============= FINISH: 16:20:34.29 ===============

EDIT: Posts merged ~Budapest

Edited by Budapest, 13 April 2011 - 04:28 PM.



#2 Blade81

    Bleepin' Rocker

  • Malware Response Team
  • 6,465 posts
  • Gender:Male
  • Location:Finland

Posted 22 April 2011 - 04:30 AM

Hi,

Sorry for delayed response. Forums have been really busy. If you still need help with this post a fresh dds log, please.

Microsoft Windows Insider MVP 2016-2017

Microsoft MVP Consumer Security 2008-2015
UNITE member since 2006

Provided malware removal related instructions are meant to be used in the corresponding user's case only. If you have similar symptoms, create your own topic instead of following instructions given to someone else, please.


#3 dominicrouse
  • Topic Starter

  • Members
  • 16 posts

Posted 25 April 2011 - 09:00 PM

Yes, still require assistance please...many thanks

.
DDS (Ver_11-03-05.01) - NTFSx86
Run by Dominic at 21:53:57.51 on 25/04/2011
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_21
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1015.293 [GMT -4:00]
.
AV: Ad-Aware Total Security *Enabled/Updated* {71310606-6F3B-49F2-9A81-8315AA75FBB3}
FW: Ad-Aware Personal Firewall *Enabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Common Files\G Data\GDScan\GDScan.exe
C:\Program Files\Lavasoft\Ad-Aware Total Security\AVK\AVKWCtl.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\G Data\AVKProxy\AVKProxy.exe
C:\Program Files\Lavasoft\Ad-Aware Total Security\AVK\AVKService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Nero\Update\NASvc.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Lavasoft\Ad-Aware Total Security\Firewall\GDFwSvc.exe
C:\Program Files\EeePC\ACPI\AsAcpiSvr.exe
C:\Program Files\EeePC\ACPI\AsEPCMon.exe
C:\Program Files\EeePC\ACPI\AsTray.exe
C:\WINDOWS\system32\igfxtray.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Synaptics\SynTP\SynAsusAcpi.exe
C:\WINDOWS\AsScrPro.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\ASUS\EeePC\Super Hybrid Engine\SuperHybridEngine.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\igfxext.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Dominic\Desktop\dds.scr
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.ca/
mStart Page = hxxp://www.msn.com
BHO: Ad-Aware WebFilter: {0124123d-61b4-456f-af86-78c53a0790c5} - c:\program files\lavasoft\ad-aware total security\webfilter\AvkWebIE.dll
BHO: QuickNet BHO: {ea5ca8b6-9b9c-4994-a7a1-947b6c631be7} - c:\program files\regtweaker\key.dll
TB: Ad-Aware WebFilter: {0124123d-61b4-456f-af86-78c53a0790c5} - c:\program files\lavasoft\ad-aware total security\webfilter\AvkWebIE.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} -
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
mRun: [AsusACPIServer] c:\program files\eeepc\acpi\AsAcpiSvr.exe
mRun: [AsusEPCMonitor] c:\program files\eeepc\acpi\AsEPCMon.exe
mRun: [AsusTray] c:\program files\eeepc\acpi\AsTray.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [SynAsusAcpi] c:\program files\synaptics\syntp\SynAsusAcpi.exe
mRun: [ASUS Screen Saver Protector] c:\windows\AsScrPro.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\superh~1.lnk - c:\program files\asus\eeepc\super hybrid engine\SuperHybridEngine.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office12\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
Handler: intu-tt2010 - {97A0575E-2309-4e75-8509-B1F9390C4DE7} - c:\program files\turbotax 2010\ic2010pp.dll
Notify: igfxcui - igfxdev.dll
Notify: LBTWlgn - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
AppInit_DLLs: c:\progra~1\google\google~2\GOEC62~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\docume~1\dominic\applic~1\mozilla\firefox\profiles\xqcl2m4i.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.ca/
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&q=
FF - component: c:\documents and settings\dominic\application data\mozilla\firefox\profiles\xqcl2m4i.default\extensions\{1105fc58-3295-4308-bace-00e344be1cc7}\components\RadioWMPCoreGecko19.dll
FF - component: c:\documents and settings\dominic\application data\mozilla\firefox\profiles\xqcl2m4i.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - component: c:\documents and settings\dominic\application data\mozilla\firefox\profiles\xqcl2m4i.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbar-ff3.dll
FF - component: c:\documents and settings\dominic\application data\mozilla\firefox\profiles\xqcl2m4i.default\extensions\engine@conduit.com\components\RadioWMPCoreGecko19.dll
FF - component: c:\program files\mozilla firefox\extensions\{9aa46f4f-4dc7-4c06-97af-5035170633fe}\components\AvkWebFilterFF.dll
FF - plugin: c:\documents and settings\dominic\application data\mozilla\firefox\profiles\xqcl2m4i.default\extensions\firefox@tvunetworks.com\plugins\npTVUAx.dll
FF - plugin: c:\documents and settings\dominic\application data\mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\dominic\application data\mozilla\plugins\npgtpo3dautoplugin.dll
FF - plugin: c:\documents and settings\dominic\local settings\application data\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - plugin: c:\windows\system32\tvuax\npTVUAx.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Ext: Ad-Aware WebFilter: {9AA46F4F-4DC7-4c06-97AF-5035170633FE} - c:\program files\mozilla firefox\extensions\{9AA46F4F-4DC7-4c06-97AF-5035170633FE}
FF - Ext: Xmarks: foxmarks@kei.com - %profile%\extensions\foxmarks@kei.com
FF - Ext: Google Toolbar for Firefox: {3112ca9c-de6d-4884-a869-9855de68056c} - %profile%\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: YouTube mp3: info@youtube-mp3.org - %profile%\extensions\info@youtube-mp3.org
FF - Ext: Gmail Notifier: {44d0a1b4-9c90-4f86-ac92-8680b5d6549e} - %profile%\extensions\{44d0a1b4-9c90-4f86-ac92-8680b5d6549e}
FF - Ext: Zoom toolbar: {FBFB7597-9E32-46b4-A500-8B6B0412777F} - %profile%\extensions\{FBFB7597-9E32-46b4-A500-8B6B0412777F}
FF - Ext: PageZoom Buttons: 54c7d9671b9eccd9e5686a73df34ab60@button.codefisher.org - %profile%\extensions\54c7d9671b9eccd9e5686a73df34ab60@button.codefisher.org
FF - Ext: TVU Web Player: firefox@tvunetworks.com - %profile%\extensions\firefox@tvunetworks.com
FF - Ext: Conduit Engine : engine@conduit.com - %profile%\extensions\engine@conduit.com
FF - Ext: ALMANSOORI WIRELINE SERVICES Community Toolbar: {1105fc58-3295-4308-bace-00e344be1cc7} - %profile%\extensions\{1105fc58-3295-4308-bace-00e344be1cc7}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
FF - Ext: XULRunner: {6D791525-EE5B-43F0-A819-ECD8A4C2FE84} - c:\documents and settings\dominic\local settings\application data\{6D791525-EE5B-43F0-A819-ECD8A4C2FE84}
.
============= SERVICES / DRIVERS ===============
.
R0 GDBehave;GDBehave;c:\windows\system32\drivers\GDBehave.sys [2011-4-11 33480]
R0 GDNdisIc;GDNdisIc;c:\windows\system32\drivers\GDNdisIc.sys [2011-4-11 29640]
R1 AsUpIO;AsUpIO;c:\windows\system32\drivers\AsUpIO.sys [2010-6-23 11448]
R1 GDMnIcpt;GDMnIcpt;c:\windows\system32\drivers\MiniIcpt.sys [2011-4-11 62024]
R1 GRD;G Data Rootkit Detector Driver;c:\windows\system32\drivers\GRD.sys [2011-4-11 68976]
R1 HookCentre;HookCentre;c:\windows\system32\drivers\HookCentre.sys [2011-4-11 38600]
R2 AVKProxy;Ad-Aware Total Security Proxy;c:\program files\common files\g data\avkproxy\AVKProxy.exe [2010-6-29 1081384]
R2 AVKService;Ad-Aware Scheduler;c:\program files\lavasoft\ad-aware total security\avk\AVKService.exe [2010-6-29 412944]
R2 AVKWCtl;Ad-Aware Filesystem Monitor;c:\program files\lavasoft\ad-aware total security\avk\AVKWCtl.exe [2010-6-23 1635672]
R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [2009-6-23 55152]
R2 GDTdiInterceptor;GDTdiInterceptor;c:\windows\system32\drivers\GDTdiIcpt.sys [2011-4-11 51400]
R2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [2010-9-22 10384]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-4-4 363344]
R2 NAUpdate;@c:\program files\nero\update\nasvc.exe,-200;c:\program files\nero\update\NASvc.exe [2010-5-4 503080]
R3 GDFwSvc;Ad-Aware Personal Firewall;c:\program files\lavasoft\ad-aware total security\firewall\GDFwSvc.exe [2010-6-15 1834432]
R3 GDScan;Ad-Aware Scanner;c:\program files\common files\g data\gdscan\GDScan.exe [2010-6-29 624064]
R3 L1c;NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller;c:\windows\system32\drivers\l1c51x86.sys [2009-6-1 38912]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-4-4 20952]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-4-30 136176]
S2 HidCom;USB-HID -> COM Driver Service;c:\windows\system32\drivers\HidCom.sys [2005-11-9 21016]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2009-6-22 1684736]
S3 fsssvc;Windows Live Family Safety;c:\program files\windows live\family safety\fsssvc.exe [2009-2-6 533360]
S3 GDBackupSvc;Ad-Aware Backup Service;c:\program files\lavasoft\ad-aware total security\avkbackup\AVKBackupService.exe [2010-6-29 911976]
S3 GDTunerSvc;Ad-Aware Tuner Service;c:\program files\lavasoft\ad-aware total security\avktuner\AVKTunerService.exe [2010-6-29 1234896]
S3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\google\google desktop search\GoogleDesktop.exe [2011-2-9 30192]
S3 Netaapl;Apple Mobile Device Ethernet Service;c:\windows\system32\drivers\netaapl.sys [2009-10-31 18432]
S3 uvclf;uvclf;c:\windows\system32\drivers\uvclf.sys [2009-6-1 39040]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys --> c:\windows\system32\drivers\wdcsam.sys [?]
.
=============== Created Last 30 ================
.
2011-04-13 17:17:28 -------- d-----w- c:\docume~1\dominic\applic~1\Intuit Canada
2011-04-13 17:17:08 -------- d-----w- c:\program files\common files\Intuit
2011-04-13 17:17:01 -------- d-----w- c:\program files\TurboTax 2010
2011-04-13 17:16:47 -------- d-----w- c:\docume~1\alluse~1\applic~1\Intuit Canada
2011-04-13 13:52:48 -------- d-----w- c:\docume~1\dominic\locals~1\applic~1\G DATA
2011-04-12 03:36:51 68976 ----a-w- c:\windows\system32\drivers\GRD.sys
2011-04-12 02:26:51 15880 ----a-w- c:\windows\system32\lsdelete.exe
2011-04-12 02:26:41 137288 ----a-w- c:\program files\mozilla firefox\extensions\{9aa46f4f-4dc7-4c06-97af-5035170633fe}\components\AvkWebFilterFF.dll
2011-04-12 02:26:19 51400 ----a-w- c:\windows\system32\drivers\GDTdiIcpt.sys
2011-04-12 02:26:19 29640 ----a-w- c:\windows\system32\drivers\GDNdisIc.sys
2011-04-12 02:26:14 62024 ----a-w- c:\windows\system32\drivers\MiniIcpt.sys
2011-04-12 02:26:14 38600 ----a-w- c:\windows\system32\drivers\HookCentre.sys
2011-04-12 02:26:14 33480 ----a-w- c:\windows\system32\drivers\GDBehave.sys
2011-04-12 02:24:50 -------- d-----w- c:\program files\Lavasoft
2011-04-12 02:24:50 -------- d-----w- c:\program files\common files\G Data
2011-04-12 02:24:50 -------- d-----w- c:\docume~1\alluse~1\applic~1\G DATA
2011-04-11 22:44:16 2686 ----a-w- c:\windows\system32\tmp.reg
2011-04-11 20:14:41 -------- d--h--w- c:\windows\PIF
2011-04-09 00:04:58 -------- d-----w- c:\program files\RegTweaker
2011-04-06 01:12:38 -------- d-----w- c:\docume~1\dominic\locals~1\applic~1\PCHealth
2011-04-04 20:00:12 -------- d-----w- c:\docume~1\dominic\applic~1\Malwarebytes
2011-04-04 17:55:38 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-04-04 17:55:37 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2011-04-04 17:55:34 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-04-04 17:55:34 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-04-04 16:51:07 0 ----a-w- c:\windows\Edutik.bin
2011-04-04 16:51:05 -------- d-----w- c:\docume~1\dominic\locals~1\applic~1\{6D791525-EE5B-43F0-A819-ECD8A4C2FE84}
.
==================== Find3M ====================
.
2011-02-09 13:53:52 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53:52 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-02 07:58:35 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-01-27 11:57:06 677888 ----a-w- c:\windows\system32\mstsc.exe
2010-04-25 08:06:43 249856 ----a-w- c:\program files\SOUNDPAD.EXE
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: ST916031 rev.0002 -> Harddisk0\DR0 -> \Device\Ide\iaStor0
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x87134439]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x8713a7d0]; MOV EAX, [0x8713a84c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x8717E690]
3 CLASSPNP[0xF74C8FD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\0000006f[0x8717EF18]
5 ACPI[0xF735F620] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x8714B028]
\Driver\iaStor[0x87152990] -> IRP_MJ_CREATE -> 0x87134439
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; MOV ES, AX; MOV DS, AX; MOV SI, 0x7c00; MOV DI, 0x600; MOV CX, 0x200; CLD ; REP MOVSB ; PUSH AX; PUSH 0x61c; RETF ; STI ; PUSHA ; MOV CX, 0x147; MOV BP, 0x62a; ROR BYTE [BP+0x0], CL; INC BP; }
detected disk devices:
\Device\Ide\IAAStorageDevice-0 -> \??\IDE#DiskST9160314AS_____________________________0002SDM1#4&44f0d94&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
user != kernel MBR !!!
sectors 312581806 (+255): user != kernel
Warning: possible TDL4 rootkit infection !
TDL4 rootkit infection detected ! Use: "mbr.exe -f" to fix.
.
============= FINISH: 21:57:38.64 ===============
Attached File: Attach.txt (16.27KB)

#4 Blade81

Bleepin' Rocker, Malware Response Team (Finland)

Posted 26 April 2011 - 12:20 AM

Hi,

Please disable word wrap in notepad to make logs appear in more readable format.


uTorrent

The programs listed above are P2P file sharing programs. P2P downloads are nowadays one of the things most likely to bring an infection into the system. My recommendation is to uninstall these (and any others, if present) P2P file sharing programs.



Please visit this webpage for download links and instructions for running the ComboFix tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully first.

Please continue as follows:

  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix, link
    Remember to re-enable them afterwards.

  • Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New dds log.


A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.

Microsoft Windows Insider MVP 2016-2017

Microsoft MVP Consumer Security 2008-2015
UNITE member since 2006

The malware removal instructions provided here are meant to be used in the corresponding user's case only. If you have similar symptoms, please create your own topic instead of following instructions given to someone else.


#5 dominicrouse (Topic Starter)

Posted 26 April 2011 - 09:26 PM

ComboFix 11-04-26.02 - Dominic 26/04/2011 21:40:57.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1015.429 [GMT -4:00]
Running from: c:\documents and settings\Dominic\Desktop\ComboFix.exe
AV: Ad-Aware Total Security *Disabled/Updated* {71310606-6F3B-49F2-9A81-8315AA75FBB3}
FW: Ad-Aware Personal Firewall *Disabled* {6E6F4BA6-C07D-443F-A130-0A57DA59A082}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Dominic\Application Data\Adobe\plugs
c:\documents and settings\Dominic\Application Data\Adobe\shed
c:\windows\Fonts\HandelGotDOT-Bol.otf
c:\windows\system32\system
c:\windows\system32\Thumbs.db
c:\windows\system32\tmp.reg
.
.
\\.\PhysicalDrive0 - Bootkit TDL4 was found and disinfected
.
((((((((((((((((((((((((( Files Created from 2011-03-27 to 2011-04-27 )))))))))))))))))))))))))))))))
.
.
2011-04-15 18:16 . 2011-04-16 08:01 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2011-04-13 17:17 . 2011-04-13 17:17 -------- d-----w- c:\documents and settings\Dominic\Application Data\Intuit Canada
2011-04-13 17:17 . 2011-04-13 17:17 -------- d-----w- c:\program files\Common Files\Intuit
2011-04-13 17:17 . 2011-04-13 17:35 -------- d-----w- c:\program files\TurboTax 2010
2011-04-13 17:16 . 2011-04-13 17:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Intuit Canada
2011-04-13 13:52 . 2011-04-13 13:52 -------- d-----w- c:\documents and settings\Dominic\Local Settings\Application Data\G DATA
2011-04-12 03:36 . 2011-04-12 03:36 68976 ----a-w- c:\windows\system32\drivers\GRD.sys
2011-04-12 02:26 . 2011-04-12 02:21 15880 ----a-w- c:\windows\system32\lsdelete.exe
2011-04-12 02:26 . 2010-05-11 08:19 137288 ----a-w- c:\program files\Mozilla Firefox\extensions\{9AA46F4F-4DC7-4c06-97AF-5035170633FE}\Components\AvkWebFilterFF.dll
2011-04-12 02:26 . 2011-04-12 02:26 51400 ----a-w- c:\windows\system32\drivers\GDTdiIcpt.sys
2011-04-12 02:26 . 2011-04-12 02:26 29640 ----a-w- c:\windows\system32\drivers\GDNdisIc.sys
2011-04-12 02:26 . 2011-04-12 02:26 62024 ----a-w- c:\windows\system32\drivers\MiniIcpt.sys
2011-04-12 02:26 . 2011-04-12 02:26 38600 ----a-w- c:\windows\system32\drivers\HookCentre.sys
2011-04-12 02:26 . 2011-04-12 02:26 33480 ----a-w- c:\windows\system32\drivers\GDBehave.sys
2011-04-12 02:24 . 2011-04-12 02:50 -------- d-----w- c:\documents and settings\All Users\Application Data\G DATA
2011-04-12 02:24 . 2011-04-12 02:24 -------- d-----w- c:\program files\Common Files\G Data
2011-04-12 02:24 . 2011-04-12 02:24 -------- d-----w- c:\program files\Lavasoft
2011-04-11 20:14 . 2011-04-11 20:14 -------- d--h--w- c:\windows\PIF
2011-04-11 19:45 . 2011-04-11 19:45 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2011-04-09 00:04 . 2011-04-09 00:04 -------- d-----w- c:\program files\RegTweaker
2011-04-06 01:12 . 2011-04-06 01:12 -------- d-----w- c:\documents and settings\Dominic\Local Settings\Application Data\PCHealth
2011-04-04 20:00 . 2011-04-04 20:00 -------- d-----w- c:\documents and settings\Dominic\Application Data\Malwarebytes
2011-04-04 17:55 . 2011-04-04 17:55 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2011-04-04 17:55 . 2010-12-20 22:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-04-04 17:55 . 2011-04-04 17:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-04-04 17:55 . 2011-04-08 13:35 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-04-04 17:55 . 2010-12-20 22:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-04-04 16:51 . 2011-04-08 17:35 0 ----a-w- c:\windows\Edutik.bin
2011-04-04 16:51 . 2011-04-04 16:51 -------- d-----w- c:\documents and settings\Dominic\Local Settings\Application Data\{6D791525-EE5B-43F0-A819-ECD8A4C2FE84}
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-02-09 13:53 . 2009-05-20 19:07 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53 . 2009-05-20 19:07 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-02 07:58 . 2009-05-20 19:16 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-01-27 11:57 . 2009-05-20 19:16 677888 ----a-w- c:\windows\system32\mstsc.exe
2010-04-25 08:06 . 2001-10-31 04:07 249856 ----a-w- c:\program files\SOUNDPAD.EXE
2011-02-09 15:50 . 2011-02-09 15:50 119808 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EA5CA8B6-9B9C-4994-A7A1-947B6C631BE7}]
2011-03-29 14:01 243200 ----a-w- c:\program files\RegTweaker\key.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\OverlayIconExtension1]
@="{fe25455d-b4c2-4e32-97d2-92632ec1c224}"
[HKEY_CLASSES_ROOT\CLSID\{fe25455d-b4c2-4e32-97d2-92632ec1c224}]
2009-11-07 05:07 297808 ----a-w- c:\windows\system32\mscoree.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\OverlayIconExtension2]
@="{1fae2d88-a78e-4f03-909f-be818a3c1ce6}"
[HKEY_CLASSES_ROOT\CLSID\{1fae2d88-a78e-4f03-909f-be818a3c1ce6}]
2009-11-07 05:07 297808 ----a-w- c:\windows\system32\mscoree.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AsusACPIServer"="c:\program files\EeePC\ACPI\AsAcpiSvr.exe" [2009-04-17 630784]
"AsusEPCMonitor"="c:\program files\EeePC\ACPI\AsEPCMon.exe" [2009-03-13 98304]
"AsusTray"="c:\program files\EeePC\ACPI\AsTray.exe" [2009-04-17 118784]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-12-19 135168]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-12-19 159744]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-12-19 131072]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2009-03-06 1434920]
"SynAsusAcpi"="c:\program files\Synaptics\SynTP\SynAsusAcpi.exe" [2009-03-06 79144]
"ASUS Screen Saver Protector"="c:\windows\AsScrPro.exe" [2009-07-08 3054136]
"RTHDCPL"="RTHDCPL.EXE" [2009-03-27 17567744]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
SuperHybridEngine.lnk - c:\program files\ASUS\EeePC\Super Hybrid Engine\SuperHybridEngine.exe [2009-6-22 376832]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2009-07-20 16:28 72208 ----a-w- c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Bluetooth.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Bluetooth.lnk
backup=c:\windows\pss\Bluetooth.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech SetPoint.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech SetPoint.lnk
backup=c:\windows\pss\Logitech SetPoint.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Dominic^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\documents and settings\Dominic\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Dominic^Start Menu^Programs^Startup^SolidWorks Task Scheduler Engine.lnk]
path=c:\documents and settings\Dominic\Start Menu\Programs\Startup\SolidWorks Task Scheduler Engine.lnk
backup=c:\windows\pss\SolidWorks Task Scheduler Engine.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-09-21 18:37 932288 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2011-01-22 05:05 40368 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Eyobekawepazuc]
2008-04-14 12:00 372736 ----a-w- c:\windows\azomutivolubu.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\G Data AntiVirus Tray Application]
2010-06-29 21:20 981504 ----a-w- c:\program files\Lavasoft\Ad-Aware Total Security\AVKTray\AVKTray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GDFirewallTray]
2010-06-29 21:22 1550576 ----a-w- c:\program files\Lavasoft\Ad-Aware Total Security\Firewall\GDFirewallTray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
2011-02-09 15:49 30192 ----a-w- c:\program files\Google\Google Desktop Search\GoogleDesktop.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2010-04-30 10:46 136176 ----atw- c:\documents and settings\Dominic\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
2008-04-14 12:00 208952 ----a-w- c:\windows\ime\imjp8_1\imjpmig.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-12-13 09:16 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Kernel and Hardware Abstraction Layer]
2009-06-17 16:55 55824 ----a-w- c:\windows\KHALMNPR.Exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LiveUpdate]
2010-01-29 15:18 751592 ----a-w- c:\program files\ASUS\LiveUpdate\LiveUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes' Anti-Malware]
2010-12-20 22:08 443728 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 12:42 1695232 ------w- c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
2009-02-07 01:51 3885408 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSPY2002]
2008-04-14 12:00 59392 ----a-w- c:\windows\system32\IME\PINTLGNT\IMSCINST.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
2008-04-14 12:00 455168 ----a-w- c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]
2008-04-14 12:00 455168 ----a-w- c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-11-29 09:38 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-05-14 15:44 248552 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Xmarks]
2010-09-28 05:38 1048576 ----a-w- c:\program files\Xmarks\IE Extension\xmarkssync.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Documents and Settings\\Dominic\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"12455:UDP"= 12455:UDP:iTap
"443:TCP"= 443:TCP:Foxtel Downloader 2
.
R0 GDBehave;GDBehave;c:\windows\system32\drivers\GDBehave.sys [11/04/2011 10:26 PM 33480]
R0 GDNdisIc;GDNdisIc;c:\windows\system32\drivers\GDNdisIc.sys [11/04/2011 10:26 PM 29640]
R1 AsUpIO;AsUpIO;c:\windows\system32\drivers\AsUpIO.sys [23/06/2010 10:26 AM 11448]
R1 GDMnIcpt;GDMnIcpt;c:\windows\system32\drivers\MiniIcpt.sys [11/04/2011 10:26 PM 62024]
R1 GRD;G Data Rootkit Detector Driver;c:\windows\system32\drivers\GRD.sys [11/04/2011 11:36 PM 68976]
R1 HookCentre;HookCentre;c:\windows\system32\drivers\HookCentre.sys [11/04/2011 10:26 PM 38600]
R2 AVKProxy;Ad-Aware Total Security Proxy;c:\program files\Common Files\G Data\AVKProxy\AVKProxy.exe [29/06/2010 5:22 PM 1081384]
R2 AVKService;Ad-Aware Scheduler;c:\program files\Lavasoft\Ad-Aware Total Security\AVK\AVKService.exe [29/06/2010 5:22 PM 412944]
R2 AVKWCtl;Ad-Aware Filesystem Monitor;c:\program files\Lavasoft\Ad-Aware Total Security\AVK\AVKWCtl.exe [23/06/2010 12:35 PM 1635672]
R2 GDTdiInterceptor;GDTdiInterceptor;c:\windows\system32\drivers\GDTdiIcpt.sys [11/04/2011 10:26 PM 51400]
R2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [22/09/2010 9:47 PM 10384]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [04/04/2011 1:55 PM 363344]
R2 NAUpdate;@c:\program files\Nero\Update\NASvc.exe,-200;c:\program files\Nero\Update\NASvc.exe [04/05/2010 1:07 PM 503080]
R3 GDFwSvc;Ad-Aware Personal Firewall;c:\program files\Lavasoft\Ad-Aware Total Security\Firewall\GDFwSvc.exe [15/06/2010 11:14 AM 1834432]
R3 GDScan;Ad-Aware Scanner;c:\program files\Common Files\G Data\GDScan\GDScan.exe [29/06/2010 5:16 PM 624064]
R3 L1c;NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller;c:\windows\system32\drivers\l1c51x86.sys [01/06/2009 3:26 AM 38912]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [04/04/2011 1:55 PM 20952]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [30/04/2010 6:46 AM 136176]
S2 HidCom;USB-HID -> COM Driver Service;c:\windows\system32\drivers\HidCom.sys [09/11/2005 1:01 PM 21016]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [22/06/2009 11:49 PM 1684736]
S3 GDBackupSvc;Ad-Aware Backup Service;c:\program files\Lavasoft\Ad-Aware Total Security\AVKBackup\AVKBackupService.exe [29/06/2010 5:15 PM 911976]
S3 GDTunerSvc;Ad-Aware Tuner Service;c:\program files\Lavasoft\Ad-Aware Total Security\AVKTuner\AVKTunerService.exe [29/06/2010 5:15 PM 1234896]
S3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [09/02/2011 11:49 AM 30192]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [30/04/2010 6:46 AM 136176]
S3 Netaapl;Apple Mobile Device Ethernet Service;c:\windows\system32\drivers\netaapl.sys [31/10/2009 4:55 PM 18432]
S3 uvclf;uvclf;c:\windows\system32\drivers\uvclf.sys [01/06/2009 3:26 AM 39040]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\DRIVERS\wdcsam.sys --> c:\windows\system32\DRIVERS\wdcsam.sys [?]
.
Contents of the 'Scheduled Tasks' folder
.
2011-04-27 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-04-30 10:46]
.
2011-04-27 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-04-30 10:46]
.
2011-04-18 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-68344126-3362229131-3438012487-1005Core.job
- c:\documents and settings\Dominic\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-09-07 10:46]
.
2011-04-27 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-68344126-3362229131-3438012487-1005UA.job
- c:\documents and settings\Dominic\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-09-07 10:46]
.
2011-02-10 c:\windows\Tasks\Microsoft_Hardware_Launch_IType_exe.job
- c:\program files\Microsoft IntelliType Pro\itype.exe [2006-11-21 10:08]
.
2011-02-20 c:\windows\Tasks\mixpadShakeIcon.job
- c:\program files\NCH Swift Sound\MixPad\mixpad.exe [2010-04-25 08:09]
.
2011-03-28 c:\windows\Tasks\wavepadShakeIcon.job
- c:\program files\NCH Swift Sound\WavePad\wavepad.exe [2010-04-25 08:08]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.ca/
mStart Page = hxxp://www.msn.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
FF - ProfilePath - c:\documents and settings\Dominic\Application Data\Mozilla\Firefox\Profiles\xqcl2m4i.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.ca/
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&q=
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Ext: Ad-Aware WebFilter: {9AA46F4F-4DC7-4c06-97AF-5035170633FE} - c:\program files\Mozilla Firefox\extensions\{9AA46F4F-4DC7-4c06-97AF-5035170633FE}
FF - Ext: Xmarks: foxmarks@kei.com - %profile%\extensions\foxmarks@kei.com
FF - Ext: Google Toolbar for Firefox: {3112ca9c-de6d-4884-a869-9855de68056c} - %profile%\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: YouTube mp3: info@youtube-mp3.org - %profile%\extensions\info@youtube-mp3.org
FF - Ext: Gmail Notifier: {44d0a1b4-9c90-4f86-ac92-8680b5d6549e} - %profile%\extensions\{44d0a1b4-9c90-4f86-ac92-8680b5d6549e}
FF - Ext: Zoom toolbar: {FBFB7597-9E32-46b4-A500-8B6B0412777F} - %profile%\extensions\{FBFB7597-9E32-46b4-A500-8B6B0412777F}
FF - Ext: PageZoom Buttons: 54c7d9671b9eccd9e5686a73df34ab60@button.codefisher.org - %profile%\extensions\54c7d9671b9eccd9e5686a73df34ab60@button.codefisher.org
FF - Ext: TVU Web Player: firefox@tvunetworks.com - %profile%\extensions\firefox@tvunetworks.com
FF - Ext: Conduit Engine : engine@conduit.com - %profile%\extensions\engine@conduit.com
FF - Ext: ALMANSOORI WIRELINE SERVICES Community Toolbar: {1105fc58-3295-4308-bace-00e344be1cc7} - %profile%\extensions\{1105fc58-3295-4308-bace-00e344be1cc7}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: XULRunner: {6D791525-EE5B-43F0-A819-ECD8A4C2FE84} - c:\documents and settings\Dominic\Local Settings\Application Data\{6D791525-EE5B-43F0-A819-ECD8A4C2FE84}
.
- - - - ORPHANS REMOVED - - - -
.
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
MSConfigStartUp-BrMfcWnd - c:\program files\Brother\Brmfcmon\BrMfcWnd.exe
MSConfigStartUp-ControlCenter3 - c:\program files\Brother\ControlCenter3\brctrcen.exe
MSConfigStartUp-k70ccreloc - c:\documents and settings\Dominic\Application Data\2CB5FE0CD8ED5B773626E38628914F23\k70ccreloc.exe
MSConfigStartUp-SetDefPrt - c:\program files\Brother\Brmfl06a\BrStDvPt.exe
MSConfigStartUp-tvncontrol - c:\program files\TightVNC\tvnserver.exe
AddRemove-Power Tools_is1 - c:\documents and settings\Dominic\My Documents\Downloads\Setup_PowerTools_V1.05\Setup_Power Tools_V1.05\Power Tools_V1.05\unins000.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-04-26 22:07
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: ST916031 rev.0002 -> Harddisk0\DR0 -> \Device\Ide\iaStor0
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x867B4439]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x867ba7d0]; MOV EAX, [0x867ba84c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x87174030]
3 CLASSPNP[0xF7505FD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\00000070[0x8717AB58]
5 ACPI[0xF739C620] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x87145028]
\Driver\iaStor[0x87171500] -> IRP_MJ_CREATE -> 0x867B4439
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; MOV ES, AX; MOV DS, AX; MOV SI, 0x7c00; MOV DI, 0x600; MOV CX, 0x200; CLD ; REP MOVSB ; PUSH AX; PUSH 0x61c; RETF ; STI ; PUSHA ; MOV CX, 0x147; MOV BP, 0x62a; ROR BYTE [BP+0x0], CL; INC BP; }
detected disk devices:
\Device\Ide\IAAStorageDevice-0 -> \??\IDE#DiskST9160314AS_____________________________0002SDM1#4&44f0d94&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
user != kernel MBR !!!
sectors 312581806 (+255): user != kernel
Warning: possible TDL4 rootkit infection !
TDL4 rootkit infection detected ! Use: "mbr.exe -f" to fix.
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-68344126-3362229131-3438012487-1005\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{FBA0D318-D97B-974B-96FB-2388840E3407}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"oamedmmllbgppmlfmmnkenkpiabafl"=hex:6a,61,69,6c,65,67,69,6d,65,6d,6d,6d,6e,64,
6f,68,67,6e,6e,67,00,54
"nagejkfjngkhagbgeocagbohpfdg"=hex:6a,61,69,6c,65,67,69,6d,65,6d,6d,6d,6e,64,
6f,68,67,6e,6e,67,00,54
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(796)
c:\windows\system32\WININET.dll
c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
c:\program files\common files\logishrd\bluetooth\LBTServ.dll
.
- - - - - - - > 'lsass.exe'(856)
c:\windows\system32\WININET.dll
.
- - - - - - - > 'explorer.exe'(10948)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\program files\ASUS\Eee Storage\XPClient.dll
c:\program files\ASUS\Eee Storage\LogicNP.EZShellExtensions.dll
c:\program files\ASUS\Eee Storage\EcaremeDLL.dll
c:\windows\assembly\GAC_MSIL\SqliteShared\1.0.3390.31024__0d0f4b69e50e559b\SqliteShared.dll
c:\windows\assembly\GAC_32\System.Data.SQLite\1.0.60.0__db937bc2d44ff139\System.Data.SQLite.dll
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\btncopy.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
c:\windows\system32\wscntfy.exe
c:\windows\RTHDCPL.EXE
c:\windows\system32\igfxsrvc.exe
c:\windows\system32\igfxext.exe
.
**************************************************************************
.
Completion time: 2011-04-26 22:17:06 - machine was rebooted
ComboFix-quarantined-files.txt 2011-04-27 02:16
.
Pre-Run: 18,298,912,768 bytes free
Post-Run: 18,544,009,216 bytes free
.
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
.
- - End Of File - - 65DA68D10CE8A3445BFC6864A42E08CB


*****************************************************************************
*****************************************************************************


.
DDS (Ver_11-03-05.01) - NTFSx86
Run by Dominic at 22:23:01.23 on 26/04/2011
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_21
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1015.476 [GMT -4:00]
.
AV: Ad-Aware Total Security *Enabled/Updated* {71310606-6F3B-49F2-9A81-8315AA75FBB3}
FW: Ad-Aware Personal Firewall *Enabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\Program Files\Common Files\G Data\GDScan\GDScan.exe
C:\Program Files\Lavasoft\Ad-Aware Total Security\AVK\AVKWCtl.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Common Files\G Data\AVKProxy\AVKProxy.exe
C:\Program Files\Lavasoft\Ad-Aware Total Security\AVK\AVKService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Nero\Update\NASvc.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Lavasoft\Ad-Aware Total Security\Firewall\GDFwSvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\EeePC\ACPI\AsAcpiSvr.exe
C:\Program Files\EeePC\ACPI\AsEPCMon.exe
C:\Program Files\EeePC\ACPI\AsTray.exe
C:\WINDOWS\system32\igfxtray.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Synaptics\SynTP\SynAsusAcpi.exe
C:\WINDOWS\AsScrPro.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\ASUS\EeePC\Super Hybrid Engine\SuperHybridEngine.exe
C:\WINDOWS\system32\igfxext.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Dominic\Desktop\dds.scr
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.ca/
mStart Page = hxxp://www.msn.com
BHO: Ad-Aware WebFilter: {0124123d-61b4-456f-af86-78c53a0790c5} - c:\program files\lavasoft\ad-aware total security\webfilter\AvkWebIE.dll
BHO: QuickNet BHO: {ea5ca8b6-9b9c-4994-a7a1-947b6c631be7} - c:\program files\regtweaker\key.dll
TB: Ad-Aware WebFilter: {0124123d-61b4-456f-af86-78c53a0790c5} - c:\program files\lavasoft\ad-aware total security\webfilter\AvkWebIE.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} -
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [AsusACPIServer] c:\program files\eeepc\acpi\AsAcpiSvr.exe
mRun: [AsusEPCMonitor] c:\program files\eeepc\acpi\AsEPCMon.exe
mRun: [AsusTray] c:\program files\eeepc\acpi\AsTray.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [SynAsusAcpi] c:\program files\synaptics\syntp\SynAsusAcpi.exe
mRun: [ASUS Screen Saver Protector] c:\windows\AsScrPro.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\superh~1.lnk - c:\program files\asus\eeepc\super hybrid engine\SuperHybridEngine.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office12\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
Handler: intu-tt2010 - {97A0575E-2309-4e75-8509-B1F9390C4DE7} - c:\program files\turbotax 2010\ic2010pp.dll
Notify: igfxcui - igfxdev.dll
Notify: LBTWlgn - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\docume~1\dominic\applic~1\mozilla\firefox\profiles\xqcl2m4i.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.ca/
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&q=
FF - component: c:\documents and settings\dominic\application data\mozilla\firefox\profiles\xqcl2m4i.default\extensions\{1105fc58-3295-4308-bace-00e344be1cc7}\components\RadioWMPCoreGecko19.dll
FF - component: c:\documents and settings\dominic\application data\mozilla\firefox\profiles\xqcl2m4i.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - component: c:\documents and settings\dominic\application data\mozilla\firefox\profiles\xqcl2m4i.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbar-ff3.dll
FF - component: c:\documents and settings\dominic\application data\mozilla\firefox\profiles\xqcl2m4i.default\extensions\engine@conduit.com\components\RadioWMPCoreGecko19.dll
FF - component: c:\program files\mozilla firefox\extensions\{9aa46f4f-4dc7-4c06-97af-5035170633fe}\components\AvkWebFilterFF.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Ext: Ad-Aware WebFilter: {9AA46F4F-4DC7-4c06-97AF-5035170633FE} - c:\program files\mozilla firefox\extensions\{9AA46F4F-4DC7-4c06-97AF-5035170633FE}
FF - Ext: Xmarks: foxmarks@kei.com - %profile%\extensions\foxmarks@kei.com
FF - Ext: Google Toolbar for Firefox: {3112ca9c-de6d-4884-a869-9855de68056c} - %profile%\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: YouTube mp3: info@youtube-mp3.org - %profile%\extensions\info@youtube-mp3.org
FF - Ext: Gmail Notifier: {44d0a1b4-9c90-4f86-ac92-8680b5d6549e} - %profile%\extensions\{44d0a1b4-9c90-4f86-ac92-8680b5d6549e}
FF - Ext: Zoom toolbar: {FBFB7597-9E32-46b4-A500-8B6B0412777F} - %profile%\extensions\{FBFB7597-9E32-46b4-A500-8B6B0412777F}
FF - Ext: PageZoom Buttons: 54c7d9671b9eccd9e5686a73df34ab60@button.codefisher.org - %profile%\extensions\54c7d9671b9eccd9e5686a73df34ab60@button.codefisher.org
FF - Ext: TVU Web Player: firefox@tvunetworks.com - %profile%\extensions\firefox@tvunetworks.com
FF - Ext: Conduit Engine : engine@conduit.com - %profile%\extensions\engine@conduit.com
FF - Ext: ALMANSOORI WIRELINE SERVICES Community Toolbar: {1105fc58-3295-4308-bace-00e344be1cc7} - %profile%\extensions\{1105fc58-3295-4308-bace-00e344be1cc7}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
FF - Ext: XULRunner: {6D791525-EE5B-43F0-A819-ECD8A4C2FE84} - c:\documents and settings\dominic\local settings\application data\{6D791525-EE5B-43F0-A819-ECD8A4C2FE84}
.
============= SERVICES / DRIVERS ===============
.
R0 GDBehave;GDBehave;c:\windows\system32\drivers\GDBehave.sys [2011-4-11 33480]
R0 GDNdisIc;GDNdisIc;c:\windows\system32\drivers\GDNdisIc.sys [2011-4-11 29640]
R1 AsUpIO;AsUpIO;c:\windows\system32\drivers\AsUpIO.sys [2010-6-23 11448]
R1 GDMnIcpt;GDMnIcpt;c:\windows\system32\drivers\MiniIcpt.sys [2011-4-11 62024]
R1 GRD;G Data Rootkit Detector Driver;c:\windows\system32\drivers\GRD.sys [2011-4-11 68976]
R1 HookCentre;HookCentre;c:\windows\system32\drivers\HookCentre.sys [2011-4-11 38600]
R2 AVKProxy;Ad-Aware Total Security Proxy;c:\program files\common files\g data\avkproxy\AVKProxy.exe [2010-6-29 1081384]
R2 AVKService;Ad-Aware Scheduler;c:\program files\lavasoft\ad-aware total security\avk\AVKService.exe [2010-6-29 412944]
R2 AVKWCtl;Ad-Aware Filesystem Monitor;c:\program files\lavasoft\ad-aware total security\avk\AVKWCtl.exe [2010-6-23 1635672]
R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [2009-6-23 55152]
R2 GDTdiInterceptor;GDTdiInterceptor;c:\windows\system32\drivers\GDTdiIcpt.sys [2011-4-11 51400]
R2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [2010-9-22 10384]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-4-4 363344]
R2 NAUpdate;@c:\program files\nero\update\nasvc.exe,-200;c:\program files\nero\update\NASvc.exe [2010-5-4 503080]
R3 GDFwSvc;Ad-Aware Personal Firewall;c:\program files\lavasoft\ad-aware total security\firewall\GDFwSvc.exe [2010-6-15 1834432]
R3 GDScan;Ad-Aware Scanner;c:\program files\common files\g data\gdscan\GDScan.exe [2010-6-29 624064]
R3 L1c;NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller;c:\windows\system32\drivers\l1c51x86.sys [2009-6-1 38912]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-4-4 20952]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-4-30 136176]
S2 HidCom;USB-HID -> COM Driver Service;c:\windows\system32\drivers\HidCom.sys [2005-11-9 21016]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2009-6-22 1684736]
S3 fsssvc;Windows Live Family Safety;c:\program files\windows live\family safety\fsssvc.exe [2009-2-6 533360]
S3 GDBackupSvc;Ad-Aware Backup Service;c:\program files\lavasoft\ad-aware total security\avkbackup\AVKBackupService.exe [2010-6-29 911976]
S3 GDTunerSvc;Ad-Aware Tuner Service;c:\program files\lavasoft\ad-aware total security\avktuner\AVKTunerService.exe [2010-6-29 1234896]
S3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\google\google desktop search\GoogleDesktop.exe [2011-2-9 30192]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-4-30 136176]
S3 Netaapl;Apple Mobile Device Ethernet Service;c:\windows\system32\drivers\netaapl.sys [2009-10-31 18432]
S3 uvclf;uvclf;c:\windows\system32\drivers\uvclf.sys [2009-6-1 39040]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys --> c:\windows\system32\drivers\wdcsam.sys [?]
.
=============== Created Last 30 ================
.
2011-04-27 01:24:09 -------- d-sha-r- C:\cmdcons
2011-04-27 01:15:27 98816 ----a-w- c:\windows\sed.exe
2011-04-27 01:15:27 89088 ----a-w- c:\windows\MBR.exe
2011-04-27 01:15:27 256512 ----a-w- c:\windows\PEV.exe
2011-04-27 01:15:27 161792 ----a-w- c:\windows\SWREG.exe
2011-04-13 17:17:28 -------- d-----w- c:\docume~1\dominic\applic~1\Intuit Canada
2011-04-13 17:17:08 -------- d-----w- c:\program files\common files\Intuit
2011-04-13 17:17:01 -------- d-----w- c:\program files\TurboTax 2010
2011-04-13 17:16:47 -------- d-----w- c:\docume~1\alluse~1\applic~1\Intuit Canada
2011-04-13 13:52:48 -------- d-----w- c:\docume~1\dominic\locals~1\applic~1\G DATA
2011-04-12 03:36:51 68976 ----a-w- c:\windows\system32\drivers\GRD.sys
2011-04-12 02:26:51 15880 ----a-w- c:\windows\system32\lsdelete.exe
2011-04-12 02:26:41 137288 ----a-w- c:\program files\mozilla firefox\extensions\{9aa46f4f-4dc7-4c06-97af-5035170633fe}\components\AvkWebFilterFF.dll
2011-04-12 02:26:19 51400 ----a-w- c:\windows\system32\drivers\GDTdiIcpt.sys
2011-04-12 02:26:19 29640 ----a-w- c:\windows\system32\drivers\GDNdisIc.sys
2011-04-12 02:26:14 62024 ----a-w- c:\windows\system32\drivers\MiniIcpt.sys
2011-04-12 02:26:14 38600 ----a-w- c:\windows\system32\drivers\HookCentre.sys
2011-04-12 02:26:14 33480 ----a-w- c:\windows\system32\drivers\GDBehave.sys
2011-04-12 02:24:50 -------- d-----w- c:\program files\Lavasoft
2011-04-12 02:24:50 -------- d-----w- c:\program files\common files\G Data
2011-04-12 02:24:50 -------- d-----w- c:\docume~1\alluse~1\applic~1\G DATA
2011-04-11 20:14:41 -------- d--h--w- c:\windows\PIF
2011-04-09 00:04:58 -------- d-----w- c:\program files\RegTweaker
2011-04-06 01:12:38 -------- d-----w- c:\docume~1\dominic\locals~1\applic~1\PCHealth
2011-04-04 20:00:12 -------- d-----w- c:\docume~1\dominic\applic~1\Malwarebytes
2011-04-04 17:55:38 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-04-04 17:55:37 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2011-04-04 17:55:34 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-04-04 17:55:34 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-04-04 16:51:07 0 ----a-w- c:\windows\Edutik.bin
2011-04-04 16:51:05 -------- d-----w- c:\docume~1\dominic\locals~1\applic~1\{6D791525-EE5B-43F0-A819-ECD8A4C2FE84}
.
==================== Find3M ====================
.
2011-02-09 13:53:52 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53:52 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-02 07:58:35 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-01-27 11:57:06 677888 ----a-w- c:\windows\system32\mstsc.exe
2010-04-25 08:06:43 249856 ----a-w- c:\program files\SOUNDPAD.EXE
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: ST916031 rev.0002 -> Harddisk0\DR0 -> \Device\Ide\iaStor0
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x867B4439]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x867ba7d0]; MOV EAX, [0x867ba84c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x87174030]
3 CLASSPNP[0xF7505FD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\00000070[0x8717AB58]
5 ACPI[0xF739C620] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x87145028]
\Driver\iaStor[0x87171500] -> IRP_MJ_CREATE -> 0x867B4439
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; MOV ES, AX; MOV DS, AX; MOV SI, 0x7c00; MOV DI, 0x600; MOV CX, 0x200; CLD ; REP MOVSB ; PUSH AX; PUSH 0x61c; RETF ; STI ; PUSHA ; MOV CX, 0x147; MOV BP, 0x62a; ROR BYTE [BP+0x0], CL; INC BP; }
detected disk devices:
\Device\Ide\IAAStorageDevice-0 -> \??\IDE#DiskST9160314AS_____________________________0002SDM1#4&44f0d94&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
user != kernel MBR !!!
sectors 312581806 (+255): user != kernel
Warning: possible TDL4 rootkit infection !
TDL4 rootkit infection detected ! Use: "mbr.exe -f" to fix.
.
============= FINISH: 22:25:33.04 ===============
Attached File  Attach.txt   16.26KB   1 downloads
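The "user != kernel MBR" verdict in the mbr.exe section of that DDS output is a cross-view check: sector 0 is read once through the ordinary user-mode path, which the hook the trace reports on \Driver\iaStor can answer with a clean copy, and once at kernel level underneath that hook; a bootkit shows up as the two reads disagreeing. The following Python example is added here and is not GMER's code or anything posted in the thread: it builds two constructed 512-byte sector images (a stand-in user view with an ordinary prologue, and a stand-in kernel view whose boot code is hand-assembled from the instructions in the kernel-read disassembly above, so those bytes are an assumption), compares them, and reports which part of the sector differs. The disk size is the sector count mbr.exe printed; the single-partition layout and the 255 unpartitioned sectors it leaves at the end of the disk are constructed.

```python
"""Cross-view MBR comparison (added example, not GMER's mbr.exe and not from the page)."""
import struct

SECTOR = 512
PT_OFFSET = 446        # four 16-byte partition entries start here
SIG_OFFSET = 510       # 0x55AA boot signature
ENTRY = "<B3sB3sII"    # status, CHS start, type, CHS end, LBA start, sector count


def build_mbr(boot_code, partitions):
    """Assemble a sector image from boot code and up to four (status, type, lba, count) tuples."""
    if len(boot_code) > PT_OFFSET:
        raise ValueError("boot code must fit before the partition table")
    buf = bytearray(SECTOR)
    buf[:len(boot_code)] = boot_code
    for i, (status, ptype, lba_start, count) in enumerate(partitions[:4]):
        # CHS fields are filled with a placeholder; modern loaders use the LBA fields.
        struct.pack_into(ENTRY, buf, PT_OFFSET + 16 * i,
                         status, b"\xfe\xff\xff", ptype, b"\xfe\xff\xff", lba_start, count)
    buf[SIG_OFFSET:] = b"\x55\xaa"
    return bytes(buf)


def parse_partitions(mbr):
    """Decode the non-empty partition entries of a sector image."""
    out = []
    for i in range(4):
        status, _, ptype, _, lba, count = struct.unpack_from(ENTRY, mbr, PT_OFFSET + 16 * i)
        if ptype:
            out.append({"index": i, "bootable": status == 0x80, "type": ptype,
                        "lba_start": lba, "sectors": count})
    return out


def diff_ranges(a, b):
    """Byte ranges [start, end) where two equal-length buffers differ."""
    ranges, start = [], None
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y and start is None:
            start = i
        elif x == y and start is not None:
            ranges.append((start, i))
            start = None
    if start is not None:
        ranges.append((start, len(a)))
    return ranges


def compare_views(user_view, kernel_view, disk_sectors=None):
    """Compare the user-mode and kernel-level reads of sector 0 and say what moved."""
    if len(user_view) != SECTOR or len(kernel_view) != SECTOR:
        raise ValueError("expected two 512-byte sector images")
    ranges = diff_ranges(user_view, kernel_view)

    def touches(lo, hi):
        return any(s < hi and e > lo for s, e in ranges)

    parts = parse_partitions(kernel_view)
    report = {
        "identical": not ranges,
        "diff_ranges": ranges,
        "boot_code_differs": touches(0, PT_OFFSET),
        "partition_table_differs": touches(PT_OFFSET, SIG_OFFSET),
        "signature_ok": user_view[SIG_OFFSET:] == b"\x55\xaa" and kernel_view[SIG_OFFSET:] == b"\x55\xaa",
        "partitions": parts,
    }
    if disk_sectors is not None and parts:
        # Sectors past the last partition: unallocated space a bootkit can park data in.
        last_end = max(p["lba_start"] + p["sectors"] for p in parts)
        report["tail_sectors"] = disk_sectors - last_end
    return report


# Constructed prologue for the user-mode view (hand-assembled, not read from a real disk):
#   xor ax,ax; mov ss,ax; mov sp,7c00; sti; push ax; pop es; push ax; pop ds; cld; mov si,7c1b
CLEAN_BOOT = bytes.fromhex("33c08ed0bc007cfb5007501ffcbe1b7c")
# Constructed prologue for the kernel view, assembled from the instructions in the
# kernel-read disassembly in the DDS output (assumption: a loader relocating to 0x0600):
#   xor ax,ax; mov ss,ax; mov sp,7c00; mov es,ax; mov ds,ax; mov si,7c00; mov di,0600;
#   mov cx,0200; cld; rep movsb; push ax; push 061c; retf
HOOKED_BOOT = bytes.fromhex("31c08ed0bc007c8ec08ed8be007cbf0006b90002fcf3a450681c06cb")

DISK_SECTORS = 312581806                                  # sector count from the mbr.exe output
PARTS = [(0x80, 0x07, 63, DISK_SECTORS - 63 - 255)]       # constructed: one NTFS partition, 255-sector tail
USER_VIEW = build_mbr(CLEAN_BOOT, PARTS)
KERNEL_VIEW = build_mbr(HOOKED_BOOT, PARTS)

if __name__ == "__main__":
    for k, v in compare_views(USER_VIEW, KERNEL_VIEW, DISK_SECTORS).items():
        print(f"{k}: {v}")
```

On a real system the two buffers come from the tool's two read paths; the point of the comparison is that a clean partition table with rewritten boot code is exactly the pattern a bootkit produces, and that what the user-mode API returns cannot be trusted once a disk-class driver is hooked.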

#6 Blade81

    Bleepin' Rocker


  • Malware Response Team
  • 6,465 posts
  • Gender:Male
  • Location:Finland

Posted 27 April 2011 - 01:27 AM

Hi,

1. Download TDSSKiller and extract its contents into a folder in a location of your choice (e.g. c:\tdsskiller).
2. Execute the file TDSSKiller.exe.
3. Click Start Scan. If threats are found, select Cure and click Continue (the tool may prompt for a reboot).
4. Post back the contents of the log file in the C: drive root (the name should be in the UtilityName.Version_Date_Time_log.txt format).

Microsoft Windows Insider MVP 2016-2017

Microsoft MVP Consumer Security 2008-2015
UNITE member since 2006

Provided malware removal related instructions are meant to be used in the correspondent user's case only. If you have similar symptoms create own topic instead of following instructions given to some other, please.
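The log requested in step 4 is mostly a driver inventory, one line per service in the shape seen in the reply that follows: timestamp, process id, service name, MD5 in parentheses, path. Reading a few hundred such lines by eye is error-prone, so here is an added Python example, not Kaspersky's or BleepingComputer's code, that triages such a log offline. It separates the inventory from anything else TDSSKiller printed after "Scan started" (which is where verdict lines end up), flags drivers loaded from outside system32, and flags services whose hash differs from a known-good baseline. The sample log embeds three inventory lines from this thread plus three constructed lines (a driver under C:\WINDOWS\Temp, a driver whose hash differs from a hypothetical baseline, and a detection line whose wording is made up), and the baseline itself is an assumption.

```python
"""Offline triage of a TDSSKiller log (added example, not Kaspersky's or the forum's code).
Assumed: inventory lines look like '<timestamp> <pid> <service> (<md5>) <path>';
the BASELINE hashes and the lines marked CONSTRUCTED below are made up."""
import re

TS = r"\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+"
LINE_RE = re.compile(rf"^(?P<ts>{TS})\s+(?P<pid>\d+)\s*(?P<msg>.*)$")
DRIVER_RE = re.compile(
    rf"^(?P<ts>{TS})\s+(?P<pid>\d+)\s+(?P<name>\S+)\s+"
    r"\((?P<md5>[0-9a-fA-F]{32})\)\s+(?P<path>\S.*)$"
)
SYSTEM32 = "c:\\windows\\system32\\"     # hypothetical policy: kernel drivers belong under here
NOISE = ("=====", "Mode:", "Scan finished")


def triage(log_text, baseline=None):
    """Return the driver inventory plus three findings lists:
    outside_system32 (path policy), md5_mismatch (hash vs. baseline),
    unparsed (post-scan lines that are not inventory entries, e.g. verdicts)."""
    baseline = baseline or {}
    drivers, outside, mismatch, unparsed = {}, [], [], []
    scanning = False
    for raw in log_text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            continue                        # blank or non-log line
        msg = m.group("msg")
        if msg.startswith("Scan started"):
            scanning = True
            continue
        if not scanning or msg.startswith(NOISE):
            continue                        # banner, separators and mode line
        d = DRIVER_RE.match(line)
        if not d:
            unparsed.append(msg)            # anything that is not an inventory entry
            continue
        rec = d.groupdict()
        drivers[rec["name"]] = rec
        if not rec["path"].lower().startswith(SYSTEM32):
            outside.append(rec["name"])
        good = baseline.get(rec["name"])
        if good and good.lower() != rec["md5"].lower():
            mismatch.append(rec["name"])
    return {"drivers": drivers, "outside_system32": outside,
            "md5_mismatch": mismatch, "unparsed": unparsed}


# First three inventory lines are from the log posted in this thread; the vidflt, tmpdrv
# and "detected" lines are CONSTRUCTED to exercise each check (detection wording assumed).
SAMPLE_LOG = r"""
2011/04/29 21:33:35.0453 3920 Initialize success
2011/04/29 21:33:42.0781 1052 ================================================================================
2011/04/29 21:33:42.0781 1052 Scan started
2011/04/29 21:33:42.0781 1052 Mode: Manual;
2011/04/29 21:33:42.0781 1052 ================================================================================
2011/04/29 21:33:44.0312 1052 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2011/04/29 21:33:45.0750 1052 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
2011/04/29 21:33:50.0796 1052 iaStor (8ef427c54497c5f8a7a645990e4278c7) C:\WINDOWS\system32\drivers\iaStor.sys
2011/04/29 21:34:05.0000 1052 vidflt (0123456789abcdef0123456789abcdef) C:\WINDOWS\system32\drivers\vidflt.sys
2011/04/29 21:34:06.0000 1052 tmpdrv (fedcba9876543210fedcba9876543210) C:\WINDOWS\Temp\tmpdrv.sys
2011/04/29 21:34:07.0000 1052 \Device\Harddisk0\DR0 - detected Rootkit.Win32.TDSS.tdl4 (0)
"""

# Hypothetical known-good hashes, e.g. recorded from a clean machine at the same patch level.
BASELINE = {
    "ACPI": "8fd99680a539792a30e97944fdaecf17",
    "atapi": "9f3a2f5aa6875c72bf062c712cfa2674",
    "vidflt": "00112233445566778899aabbccddeeff",    # differs from the constructed log line
}

if __name__ == "__main__":
    result = triage(SAMPLE_LOG, BASELINE)
    print(f"{len(result['drivers'])} drivers inventoried")
    for key in ("outside_system32", "md5_mismatch", "unparsed"):
        print(f"{key}: {result[key]}")
```

A hash baseline only helps when it comes from a machine at the same service-pack and hotfix level, since legitimate updates change driver hashes; the path check and the unparsed-line bucket need no baseline at all and are the first things to look at.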


#7 dominicrouse
  • Topic Starter

  • Members
  • 16 posts

Posted 29 April 2011 - 09:21 PM

2011/04/29 21:33:34.0703 3920 TDSS rootkit removing tool 2.4.21.0 Mar 10 2011 12:26:28
2011/04/29 21:33:34.0875 3920 ================================================================================
2011/04/29 21:33:34.0875 3920 SystemInfo:
2011/04/29 21:33:34.0875 3920
2011/04/29 21:33:34.0875 3920 OS Version: 5.1.2600 ServicePack: 3.0
2011/04/29 21:33:34.0875 3920 Product type: Workstation
2011/04/29 21:33:34.0875 3920 ComputerName: IDOM
2011/04/29 21:33:34.0875 3920 UserName: Dominic
2011/04/29 21:33:34.0875 3920 Windows directory: C:\WINDOWS
2011/04/29 21:33:34.0875 3920 System windows directory: C:\WINDOWS
2011/04/29 21:33:34.0875 3920 Processor architecture: Intel x86
2011/04/29 21:33:34.0875 3920 Number of processors: 2
2011/04/29 21:33:34.0875 3920 Page size: 0x1000
2011/04/29 21:33:34.0875 3920 Boot type: Normal boot
2011/04/29 21:33:34.0875 3920 ================================================================================
2011/04/29 21:33:35.0453 3920 Initialize success
2011/04/29 21:33:42.0781 1052 ================================================================================
2011/04/29 21:33:42.0781 1052 Scan started
2011/04/29 21:33:42.0781 1052 Mode: Manual;
2011/04/29 21:33:42.0781 1052 ================================================================================
2011/04/29 21:33:44.0312 1052 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2011/04/29 21:33:44.0406 1052 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\DRIVERS\ACPIEC.sys
2011/04/29 21:33:44.0546 1052 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
2011/04/29 21:33:44.0656 1052 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys
2011/04/29 21:33:44.0984 1052 Ambfilt (f6af59d6eee5e1c304f7f73706ad11d8) C:\WINDOWS\system32\drivers\Ambfilt.sys
2011/04/29 21:33:45.0234 1052 AR5416 (e0ee769d14128014965e03b433f5f46e) C:\WINDOWS\system32\DRIVERS\athw.sys
2011/04/29 21:33:45.0531 1052 AsUpIO (e67493490466b5f04b58c22d2590e8ca) C:\WINDOWS\system32\drivers\AsUpIO.sys
2011/04/29 21:33:45.0593 1052 AsusACPI (12415a4b61ded200fe9932b47a35fa42) C:\WINDOWS\system32\DRIVERS\ASUSACPI.sys
2011/04/29 21:33:45.0687 1052 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2011/04/29 21:33:45.0750 1052 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
2011/04/29 21:33:45.0875 1052 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2011/04/29 21:33:45.0953 1052 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2011/04/29 21:33:46.0093 1052 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2011/04/29 21:33:46.0203 1052 BrScnUsb (92a964547b96d697e5e9ed43b4297f5a) C:\WINDOWS\system32\DRIVERS\BrScnUsb.sys
2011/04/29 21:33:46.0281 1052 BrSerIf (d48c13f4a409aee8dafaddac81e34557) C:\WINDOWS\system32\Drivers\BrSerIf.sys
2011/04/29 21:33:46.0359 1052 BrUsbSer (8fa0ac830a8312912a3aa0c0431cba0d) C:\WINDOWS\system32\Drivers\BrUsbSer.sys
2011/04/29 21:33:46.0453 1052 btaudio (4b43dfe1c1fbb305a1dc5504ef9bb34e) C:\WINDOWS\system32\drivers\btaudio.sys
2011/04/29 21:33:46.0562 1052 BTDriver (2f9f111d31aa3fbbe5781d829a4524e6) C:\WINDOWS\system32\DRIVERS\btport.sys
2011/04/29 21:33:46.0640 1052 BTKRNL (70455baffc078b6152d1e52376296467) C:\WINDOWS\system32\DRIVERS\btkrnl.sys
2011/04/29 21:33:46.0750 1052 BTWDNDIS (485020a1e1fc5c51a800ca69c618d881) C:\WINDOWS\system32\DRIVERS\btwdndis.sys
2011/04/29 21:33:46.0812 1052 btwhid (949eca9c56f657c06d3166d51f3226c7) C:\WINDOWS\system32\DRIVERS\btwhid.sys
2011/04/29 21:33:46.0859 1052 BTWUSB (2cfc2bd8785f82a42fcad83de1fa5a36) C:\WINDOWS\system32\Drivers\btwusb.sys
2011/04/29 21:33:47.0000 1052 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2011/04/29 21:33:47.0078 1052 CCDECODE (0be5aef125be881c4f854c554f2b025c) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
2011/04/29 21:33:47.0187 1052 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2011/04/29 21:33:47.0281 1052 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
2011/04/29 21:33:47.0359 1052 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2011/04/29 21:33:47.0515 1052 CmBatt (0f6c187d38d98f8df904589a5f94d411) C:\WINDOWS\system32\DRIVERS\CmBatt.sys
2011/04/29 21:33:47.0609 1052 Compbatt (6e4c9f21f0fae8940661144f41b13203) C:\WINDOWS\system32\DRIVERS\compbatt.sys
2011/04/29 21:33:47.0890 1052 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
2011/04/29 21:33:48.0000 1052 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
2011/04/29 21:33:48.0078 1052 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
2011/04/29 21:33:48.0156 1052 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2011/04/29 21:33:48.0250 1052 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
2011/04/29 21:33:48.0375 1052 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
2011/04/29 21:33:48.0515 1052 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
2011/04/29 21:33:48.0593 1052 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\drivers\Fdc.sys
2011/04/29 21:33:48.0640 1052 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
2011/04/29 21:33:48.0703 1052 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys
2011/04/29 21:33:48.0796 1052 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\DRIVERS\fltMgr.sys
2011/04/29 21:33:48.0937 1052 fssfltr (960f5e5e4e1f720465311ac68a99c2df) C:\WINDOWS\system32\DRIVERS\fssfltr_tdi.sys
2011/04/29 21:33:49.0000 1052 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2011/04/29 21:33:49.0078 1052 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2011/04/29 21:33:49.0140 1052 GDBehave (f074fc0594e6e0bf1f6dd197c7c1e141) C:\WINDOWS\system32\drivers\GDBehave.sys
2011/04/29 21:33:49.0234 1052 GDMnIcpt (ce8deffa86465d6acb61c0952c9a524a) C:\WINDOWS\system32\drivers\MiniIcpt.sys
2011/04/29 21:33:49.0281 1052 GDNdisIc (d5dc02aa98917f8e5ee8777f82fc7148) C:\WINDOWS\system32\drivers\GDNdisIc.sys
2011/04/29 21:33:49.0359 1052 GDTdiInterceptor (051f27f0aa00612407b58eb22d35fd5c) C:\WINDOWS\system32\drivers\GDTdiIcpt.sys
2011/04/29 21:33:49.0453 1052 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys
2011/04/29 21:33:49.0546 1052 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2011/04/29 21:33:49.0625 1052 GRD (9a912682d2f1990ff9cffcf9a3fff506) C:\WINDOWS\system32\drivers\GRD.sys
2011/04/29 21:33:49.0734 1052 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
2011/04/29 21:33:49.0843 1052 HidCom (e77383ae71a1b5acb3e634f17fb0b700) C:\WINDOWS\system32\DRIVERS\HidCom.sys
2011/04/29 21:33:49.0921 1052 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
2011/04/29 21:33:50.0000 1052 HookCentre (cb44a699b8d2a494ffd19dbd9bedfe84) C:\WINDOWS\system32\drivers\HookCentre.sys
2011/04/29 21:33:50.0125 1052 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
2011/04/29 21:33:50.0312 1052 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2011/04/29 21:33:50.0578 1052 ialm (0f68e2ec713f132ffb19e45415b09679) C:\WINDOWS\system32\DRIVERS\igxpmp32.sys
2011/04/29 21:33:50.0796 1052 iaStor (8ef427c54497c5f8a7a645990e4278c7) C:\WINDOWS\system32\drivers\iaStor.sys
2011/04/29 21:33:50.0890 1052 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
2011/04/29 21:33:51.0218 1052 IntcAzAudAddService (1ae3cff80017ef89da959350724c7194) C:\WINDOWS\system32\drivers\RtkHDAud.sys
2011/04/29 21:33:51.0484 1052 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
2011/04/29 21:33:51.0546 1052 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\DRIVERS\Ip6Fw.sys
2011/04/29 21:33:51.0609 1052 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2011/04/29 21:33:51.0656 1052 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2011/04/29 21:33:51.0734 1052 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2011/04/29 21:33:51.0843 1052 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2011/04/29 21:33:51.0906 1052 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
2011/04/29 21:33:52.0000 1052 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2011/04/29 21:33:52.0093 1052 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2011/04/29 21:33:52.0140 1052 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
2011/04/29 21:33:52.0218 1052 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
2011/04/29 21:33:52.0296 1052 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
2011/04/29 21:33:52.0343 1052 L1c (6c8658587e91ea25b0fd2e71781ad228) C:\WINDOWS\system32\DRIVERS\l1c51x86.sys
2011/04/29 21:33:52.0453 1052 LBeepKE (9ffd1cf2a782f2560e78eec4b8b8689e) C:\WINDOWS\system32\Drivers\LBeepKE.sys
2011/04/29 21:33:52.0578 1052 LHidFilt (7f9c7b28cf1c859e1c42619eea946dc8) C:\WINDOWS\system32\DRIVERS\LHidFilt.Sys
2011/04/29 21:33:52.0671 1052 LMouFilt (ab33792a87285344f43b5ce23421bab0) C:\WINDOWS\system32\DRIVERS\LMouFilt.Sys
2011/04/29 21:33:52.0750 1052 MBAMProtector (836e0e09ca9869be7eb39ef2cf3602c7) C:\WINDOWS\system32\drivers\mbam.sys
2011/04/29 21:33:52.0859 1052 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2011/04/29 21:33:52.0937 1052 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
2011/04/29 21:33:53.0046 1052 Monfilt (9fa7207d1b1adead88ae8eed9cdbbaa5) C:\WINDOWS\system32\drivers\Monfilt.sys
2011/04/29 21:33:53.0203 1052 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2011/04/29 21:33:53.0281 1052 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
2011/04/29 21:33:53.0328 1052 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
2011/04/29 21:33:53.0453 1052 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2011/04/29 21:33:53.0531 1052 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2011/04/29 21:33:53.0656 1052 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
2011/04/29 21:33:53.0750 1052 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2011/04/29 21:33:53.0812 1052 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2011/04/29 21:33:53.0875 1052 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
2011/04/29 21:33:53.0953 1052 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2011/04/29 21:33:54.0046 1052 MSTEE (e53736a9e30c45fa9e7b5eac55056d1d) C:\WINDOWS\system32\drivers\MSTEE.sys
2011/04/29 21:33:54.0125 1052 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
2011/04/29 21:33:54.0187 1052 NABTSFEC (5b50f1b2a2ed47d560577b221da734db) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
2011/04/29 21:33:54.0312 1052 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
2011/04/29 21:33:54.0390 1052 NdisIP (7ff1f1fd8609c149aa432f95a8163d97) C:\WINDOWS\system32\DRIVERS\NdisIP.sys
2011/04/29 21:33:54.0453 1052 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2011/04/29 21:33:54.0515 1052 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2011/04/29 21:33:54.0562 1052 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2011/04/29 21:33:54.0656 1052 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
2011/04/29 21:33:54.0718 1052 Netaapl (7afd0e39ab15cb355487b7cc19f4e2c5) C:\WINDOWS\system32\DRIVERS\netaapl.sys
2011/04/29 21:33:54.0781 1052 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
2011/04/29 21:33:54.0875 1052 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
2011/04/29 21:33:55.0015 1052 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
2011/04/29 21:33:55.0109 1052 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
2011/04/29 21:33:55.0250 1052 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2011/04/29 21:33:55.0343 1052 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2011/04/29 21:33:55.0390 1052 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2011/04/29 21:33:55.0515 1052 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\drivers\Parport.sys
2011/04/29 21:33:55.0578 1052 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
2011/04/29 21:33:55.0656 1052 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2011/04/29 21:33:55.0718 1052 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
2011/04/29 21:33:55.0812 1052 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
2011/04/29 21:33:55.0890 1052 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
2011/04/29 21:33:56.0531 1052 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2011/04/29 21:33:56.0593 1052 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
2011/04/29 21:33:56.0640 1052 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2011/04/29 21:33:56.0937 1052 QV2KUX (0087f01d35a65b32393cc8bba46ee4a6) C:\WINDOWS\system32\DRIVERS\qv2kux.sys
2011/04/29 21:33:57.0015 1052 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2011/04/29 21:33:57.0078 1052 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2011/04/29 21:33:57.0125 1052 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2011/04/29 21:33:57.0187 1052 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2011/04/29 21:33:57.0265 1052 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2011/04/29 21:33:57.0359 1052 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2011/04/29 21:33:57.0484 1052 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
2011/04/29 21:33:57.0562 1052 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
2011/04/29 21:33:57.0796 1052 SCDEmu (20b2751cd4c8f3fd989739ca661b9f30) C:\WINDOWS\system32\drivers\SCDEmu.sys
2011/04/29 21:33:57.0906 1052 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2011/04/29 21:33:57.0984 1052 Serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
2011/04/29 21:33:58.0062 1052 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\drivers\Serial.sys
2011/04/29 21:33:58.0187 1052 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
2011/04/29 21:33:58.0328 1052 SLIP (866d538ebe33709a5c9f5c62b73b7d14) C:\WINDOWS\system32\DRIVERS\SLIP.sys
2011/04/29 21:33:58.0484 1052 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
2011/04/29 21:33:58.0562 1052 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
2011/04/29 21:33:58.0671 1052 Srv (0f6aefad3641a657e18081f52d0c15af) C:\WINDOWS\system32\DRIVERS\srv.sys
2011/04/29 21:33:58.0796 1052 streamip (77813007ba6265c4b6098187e6ed79d2) C:\WINDOWS\system32\DRIVERS\StreamIP.sys
2011/04/29 21:33:58.0859 1052 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
2011/04/29 21:33:58.0937 1052 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
2011/04/29 21:33:59.0203 1052 SynTP (a10d781153bb23036b474ffedb448266) C:\WINDOWS\system32\DRIVERS\SynTP.sys
2011/04/29 21:33:59.0296 1052 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
2011/04/29 21:33:59.0421 1052 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2011/04/29 21:33:59.0515 1052 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
2011/04/29 21:33:59.0562 1052 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
2011/04/29 21:33:59.0625 1052 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
2011/04/29 21:33:59.0828 1052 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
2011/04/29 21:33:59.0953 1052 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
2011/04/29 21:34:00.0093 1052 USBAAPL (5c2bdc152bbab34f36473deaf7713f22) C:\WINDOWS\system32\Drivers\usbaapl.sys
2011/04/29 21:34:00.0187 1052 usbaudio (e919708db44ed8543a7c017953148330) C:\WINDOWS\system32\drivers\usbaudio.sys
2011/04/29 21:34:00.0265 1052 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
2011/04/29 21:34:00.0359 1052 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2011/04/29 21:34:00.0437 1052 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2011/04/29 21:34:00.0500 1052 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
2011/04/29 21:34:00.0578 1052 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
2011/04/29 21:34:00.0640 1052 usbstor (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2011/04/29 21:34:00.0718 1052 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
2011/04/29 21:34:00.0781 1052 usbvideo (63bbfca7f390f4c49ed4b96bfb1633e0) C:\WINDOWS\system32\Drivers\usbvideo.sys
2011/04/29 21:34:00.0828 1052 uvclf (c019889035cdc1a06f2febc93cbb6897) C:\WINDOWS\system32\DRIVERS\uvclf.sys
2011/04/29 21:34:00.0906 1052 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
2011/04/29 21:34:01.0062 1052 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
2011/04/29 21:34:01.0187 1052 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2011/04/29 21:34:01.0312 1052 Wdf01000 (d918617b46457b9ac28027722e30f647) C:\WINDOWS\system32\Drivers\wdf01000.sys
2011/04/29 21:34:01.0453 1052 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
2011/04/29 21:34:01.0734 1052 WSTCODEC (c98b39829c2bbd34e454150633c62c78) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
2011/04/29 21:34:01.0812 1052 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
2011/04/29 21:34:01.0859 1052 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
2011/04/29 21:34:02.0062 1052 \HardDisk0 - detected Rootkit.Win32.TDSS.tdl4 (0)
2011/04/29 21:34:02.0078 1052 ================================================================================
2011/04/29 21:34:02.0078 1052 Scan finished
2011/04/29 21:34:02.0078 1052 ================================================================================
2011/04/29 21:34:02.0109 2952 Detected object count: 1
2011/04/29 21:34:44.0171 2952 \HardDisk0 (Rootkit.Win32.TDSS.tdl4) - will be cured after reboot
2011/04/29 21:34:44.0171 2952 \HardDisk0 - ok
2011/04/29 21:34:44.0171 2952 Rootkit.Win32.TDSS.tdl4(\HardDisk0) - User select action: Cure
2011/04/29 21:34:46.0640 2256 Deinitialize success

***************************************************

***************************************************

***************************************************

***************************************************

***************************************************


.
DDS (Ver_11-03-05.01) - NTFSx86
Run by Dominic at 21:36:50.60 on Fri 29/04/2011
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_21
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1015.625 [GMT -4:00]
.
AV: Ad-Aware Total Security *Disabled/Updated* {71310606-6F3B-49F2-9A81-8315AA75FBB3}
FW: Ad-Aware Personal Firewall *Disabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\Program Files\Common Files\G Data\GDScan\GDScan.exe
C:\Program Files\Lavasoft\Ad-Aware Total Security\AVK\AVKWCtl.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\Common Files\G Data\AVKProxy\AVKProxy.exe
C:\Program Files\Lavasoft\Ad-Aware Total Security\AVK\AVKService.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Nero\Update\NASvc.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\EeePC\ACPI\AsAcpiSvr.exe
C:\Program Files\EeePC\ACPI\AsEPCMon.exe
C:\Program Files\EeePC\ACPI\AsTray.exe
C:\WINDOWS\system32\igfxtray.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Synaptics\SynTP\SynAsusAcpi.exe
C:\WINDOWS\AsScrPro.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ASUS\EeePC\Super Hybrid Engine\SuperHybridEngine.exe
C:\WINDOWS\system32\igfxext.exe
C:\Documents and Settings\Dominic\Desktop\dds.scr
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.ca/
mStart Page = hxxp://www.msn.com
BHO: Ad-Aware WebFilter: {0124123d-61b4-456f-af86-78c53a0790c5} - c:\program files\lavasoft\ad-aware total security\webfilter\AvkWebIE.dll
BHO: QuickNet BHO: {ea5ca8b6-9b9c-4994-a7a1-947b6c631be7} - c:\program files\regtweaker\key.dll
TB: Ad-Aware WebFilter: {0124123d-61b4-456f-af86-78c53a0790c5} - c:\program files\lavasoft\ad-aware total security\webfilter\AvkWebIE.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} -
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [AsusACPIServer] c:\program files\eeepc\acpi\AsAcpiSvr.exe
mRun: [AsusEPCMonitor] c:\program files\eeepc\acpi\AsEPCMon.exe
mRun: [AsusTray] c:\program files\eeepc\acpi\AsTray.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [SynAsusAcpi] c:\program files\synaptics\syntp\SynAsusAcpi.exe
mRun: [ASUS Screen Saver Protector] c:\windows\AsScrPro.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\superh~1.lnk - c:\program files\asus\eeepc\super hybrid engine\SuperHybridEngine.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office12\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
Handler: intu-tt2010 - {97A0575E-2309-4e75-8509-B1F9390C4DE7} - c:\program files\turbotax 2010\ic2010pp.dll
Notify: igfxcui - igfxdev.dll
Notify: LBTWlgn - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\docume~1\dominic\applic~1\mozilla\firefox\profiles\xqcl2m4i.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.ca/
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&q=
FF - component: c:\documents and settings\dominic\application data\mozilla\firefox\profiles\xqcl2m4i.default\extensions\{1105fc58-3295-4308-bace-00e344be1cc7}\components\RadioWMPCoreGecko19.dll
FF - component: c:\documents and settings\dominic\application data\mozilla\firefox\profiles\xqcl2m4i.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\frozen.dll
FF - component: c:\documents and settings\dominic\application data\mozilla\firefox\profiles\xqcl2m4i.default\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}\components\googletoolbar-ff3.dll
FF - component: c:\documents and settings\dominic\application data\mozilla\firefox\profiles\xqcl2m4i.default\extensions\engine@conduit.com\components\RadioWMPCoreGecko19.dll
FF - component: c:\program files\mozilla firefox\extensions\{9aa46f4f-4dc7-4c06-97af-5035170633fe}\components\AvkWebFilterFF.dll
FF - plugin: c:\documents and settings\dominic\application data\mozilla\firefox\profiles\xqcl2m4i.default\extensions\firefox@tvunetworks.com\plugins\npTVUAx.dll
FF - plugin: c:\documents and settings\dominic\application data\mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\dominic\application data\mozilla\plugins\npgtpo3dautoplugin.dll
FF - plugin: c:\documents and settings\dominic\local settings\application data\google\update\1.2.183.39\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.3.21.53\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - plugin: c:\windows\system32\tvuax\npTVUAx.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}
FF - Ext: Ad-Aware WebFilter: {9AA46F4F-4DC7-4c06-97AF-5035170633FE} - c:\program files\mozilla firefox\extensions\{9AA46F4F-4DC7-4c06-97AF-5035170633FE}
FF - Ext: Xmarks: foxmarks@kei.com - %profile%\extensions\foxmarks@kei.com
FF - Ext: Google Toolbar for Firefox: {3112ca9c-de6d-4884-a869-9855de68056c} - %profile%\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: YouTube mp3: info@youtube-mp3.org - %profile%\extensions\info@youtube-mp3.org
FF - Ext: Gmail Notifier: {44d0a1b4-9c90-4f86-ac92-8680b5d6549e} - %profile%\extensions\{44d0a1b4-9c90-4f86-ac92-8680b5d6549e}
FF - Ext: Zoom toolbar: {FBFB7597-9E32-46b4-A500-8B6B0412777F} - %profile%\extensions\{FBFB7597-9E32-46b4-A500-8B6B0412777F}
FF - Ext: PageZoom Buttons: 54c7d9671b9eccd9e5686a73df34ab60@button.codefisher.org - %profile%\extensions\54c7d9671b9eccd9e5686a73df34ab60@button.codefisher.org
FF - Ext: TVU Web Player: firefox@tvunetworks.com - %profile%\extensions\firefox@tvunetworks.com
FF - Ext: Conduit Engine : engine@conduit.com - %profile%\extensions\engine@conduit.com
FF - Ext: ALMANSOORI WIRELINE SERVICES Community Toolbar: {1105fc58-3295-4308-bace-00e344be1cc7} - %profile%\extensions\{1105fc58-3295-4308-bace-00e344be1cc7}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
FF - Ext: XULRunner: {6D791525-EE5B-43F0-A819-ECD8A4C2FE84} - c:\documents and settings\dominic\local settings\application data\{6D791525-EE5B-43F0-A819-ECD8A4C2FE84}
.
============= SERVICES / DRIVERS ===============
.
R?2 NAUpdate;@c:\program files\nero\update\nasvc.exe,-200;c:\program files\nero\update\NASvc.exe [2010-5-4 503080]
R0 GDBehave;GDBehave;c:\windows\system32\drivers\GDBehave.sys [2011-4-11 33480]
R0 GDNdisIc;GDNdisIc;c:\windows\system32\drivers\GDNdisIc.sys [2011-4-11 29640]
R1 AsUpIO;AsUpIO;c:\windows\system32\drivers\AsUpIO.sys [2010-6-23 11448]
R1 GDMnIcpt;GDMnIcpt;c:\windows\system32\drivers\MiniIcpt.sys [2011-4-11 62024]
R1 GRD;G Data Rootkit Detector Driver;c:\windows\system32\drivers\GRD.sys [2011-4-11 68976]
R1 HookCentre;HookCentre;c:\windows\system32\drivers\HookCentre.sys [2011-4-11 38600]
R2 AVKProxy;Ad-Aware Total Security Proxy;c:\program files\common files\g data\avkproxy\AVKProxy.exe [2010-6-29 1081384]
R2 AVKService;Ad-Aware Scheduler;c:\program files\lavasoft\ad-aware total security\avk\AVKService.exe [2010-6-29 412944]
R2 AVKWCtl;Ad-Aware Filesystem Monitor;c:\program files\lavasoft\ad-aware total security\avk\AVKWCtl.exe [2010-6-23 1635672]
R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [2009-6-23 55152]
R2 GDTdiInterceptor;GDTdiInterceptor;c:\windows\system32\drivers\GDTdiIcpt.sys [2011-4-11 51400]
R2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [2010-9-22 10384]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-4-4 363344]
R3 GDScan;Ad-Aware Scanner;c:\program files\common files\g data\gdscan\GDScan.exe [2010-6-29 624064]
R3 L1c;NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller;c:\windows\system32\drivers\l1c51x86.sys [2009-6-1 38912]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-4-4 20952]
S?2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-4-30 136176]
S2 HidCom;USB-HID -> COM Driver Service;c:\windows\system32\drivers\HidCom.sys [2005-11-9 21016]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2009-6-22 1684736]
S3 fsssvc;Windows Live Family Safety;c:\program files\windows live\family safety\fsssvc.exe [2009-2-6 533360]
S3 GDBackupSvc;Ad-Aware Backup Service;c:\program files\lavasoft\ad-aware total security\avkbackup\AVKBackupService.exe [2010-6-29 911976]
S3 GDFwSvc;Ad-Aware Personal Firewall;c:\program files\lavasoft\ad-aware total security\firewall\GDFwSvc.exe [2010-6-15 1834432]
S3 GDTunerSvc;Ad-Aware Tuner Service;c:\program files\lavasoft\ad-aware total security\avktuner\AVKTunerService.exe [2010-6-29 1234896]
S3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\google\google desktop search\GoogleDesktop.exe [2011-2-9 30192]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-4-30 136176]
S3 Netaapl;Apple Mobile Device Ethernet Service;c:\windows\system32\drivers\netaapl.sys [2009-10-31 18432]
S3 uvclf;uvclf;c:\windows\system32\drivers\uvclf.sys [2009-6-1 39040]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys --> c:\windows\system32\drivers\wdcsam.sys [?]
.
=============== Created Last 30 ================
.
2011-04-27 01:24:09 -------- d-sha-r- C:\cmdcons
2011-04-27 01:15:27 98816 ----a-w- c:\windows\sed.exe
2011-04-27 01:15:27 89088 ----a-w- c:\windows\MBR.exe
2011-04-27 01:15:27 256512 ----a-w- c:\windows\PEV.exe
2011-04-27 01:15:27 161792 ----a-w- c:\windows\SWREG.exe
2011-04-13 17:17:28 -------- d-----w- c:\docume~1\dominic\applic~1\Intuit Canada
2011-04-13 17:17:08 -------- d-----w- c:\program files\common files\Intuit
2011-04-13 17:17:01 -------- d-----w- c:\program files\TurboTax 2010
2011-04-13 17:16:47 -------- d-----w- c:\docume~1\alluse~1\applic~1\Intuit Canada
2011-04-13 13:52:48 -------- d-----w- c:\docume~1\dominic\locals~1\applic~1\G DATA
2011-04-12 03:36:51 68976 ----a-w- c:\windows\system32\drivers\GRD.sys
2011-04-12 02:26:51 15880 ----a-w- c:\windows\system32\lsdelete.exe
2011-04-12 02:26:41 137288 ----a-w- c:\program files\mozilla firefox\extensions\{9aa46f4f-4dc7-4c06-97af-5035170633fe}\components\AvkWebFilterFF.dll
2011-04-12 02:26:19 51400 ----a-w- c:\windows\system32\drivers\GDTdiIcpt.sys
2011-04-12 02:26:19 29640 ----a-w- c:\windows\system32\drivers\GDNdisIc.sys
2011-04-12 02:26:14 62024 ----a-w- c:\windows\system32\drivers\MiniIcpt.sys
2011-04-12 02:26:14 38600 ----a-w- c:\windows\system32\drivers\HookCentre.sys
2011-04-12 02:26:14 33480 ----a-w- c:\windows\system32\drivers\GDBehave.sys
2011-04-12 02:24:50 -------- d-----w- c:\program files\Lavasoft
2011-04-12 02:24:50 -------- d-----w- c:\program files\common files\G Data
2011-04-12 02:24:50 -------- d-----w- c:\docume~1\alluse~1\applic~1\G DATA
2011-04-11 20:14:41 -------- d--h--w- c:\windows\PIF
2011-04-09 00:04:58 -------- d-----w- c:\program files\RegTweaker
2011-04-06 01:12:38 -------- d-----w- c:\docume~1\dominic\locals~1\applic~1\PCHealth
2011-04-04 20:00:12 -------- d-----w- c:\docume~1\dominic\applic~1\Malwarebytes
2011-04-04 17:55:38 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-04-04 17:55:37 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2011-04-04 17:55:34 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-04-04 17:55:34 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-04-04 16:51:07 0 ----a-w- c:\windows\Edutik.bin
2011-04-04 16:51:05 -------- d-----w- c:\docume~1\dominic\locals~1\applic~1\{6D791525-EE5B-43F0-A819-ECD8A4C2FE84}
.
==================== Find3M ====================
.
2011-02-09 13:53:52 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53:52 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-02 07:58:35 2067456 ----a-w- c:\windows\system32\mstscax.dll
2010-04-25 08:06:43 249856 ----a-w- c:\program files\SOUNDPAD.EXE
.
============= FINISH: 21:38:15.17 ===============

Attached File: Attach.txt (15.85KB)

#8 Blade81

    Bleepin' Rocker

  • Malware Response Team
  • 6,465 posts
  • Gender:Male
  • Location:Finland

Posted 30 April 2011 - 03:24 AM

Hi again,


Open notepad and copy/paste the text in the quotebox below into it:

File::
c:\windows\Edutik.bin
c:\windows\azomutivolubu.dll
Firefox::
FF - Ext: XULRunner: {6D791525-EE5B-43F0-A819-ECD8A4C2FE84} - c:\documents and settings\Dominic\Local Settings\Application Data\{6D791525-EE5B-43F0-A819-ECD8A4C2FE84}
Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Eyobekawepazuc]
Regnull::
[HKEY_USERS\S-1-5-21-68344126-3362229131-3438012487-1005\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{FBA0D318-D97B-974B-96FB-2388840E3407}*]


Save this as CFScript

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.

[Image: dragging CFScript onto ComboFix.exe]

Close all browser windows and, referring to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log.


Uninstall old Adobe Reader versions and get the latest one (Adobe Reader X + 10.0.1 update for it) here or get Foxit Reader here. Make sure you don't (unless you want to) install the toolbar if you choose Foxit Reader! You may also check free readers introduced here.


Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update to the latest version...

Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 6 Update 25.
  • Click the Download button to the right.
  • Select Windows on platform combobox and check the box that says: Accept License Agreement. Click continue.
  • The page will refresh.
  • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u25-windows-i586-p.exe to install the newest version. Uncheck Carbonite online backup trial if it's offered there.


* Go here to run an online scanner from ESET.
  • Note: You will need to use Internet Explorer for this scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the option Remove found threats is UNchecked.
  • Click Scan
  • Wait for the scan to finish.

Post back its report, a fresh dds.txt log and the above-mentioned ComboFix resultant log.

Microsoft Windows Insider MVP 2016-2017

Microsoft MVP Consumer Security 2008-2015
UNITE member since 2006

Provided malware removal related instructions are meant to be used in the correspondent user's case only. If you have similar symptoms create own topic instead of following instructions given to some other, please.
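The CFScript in the post above is a small sectioned text format (File::, Firefox::, Registry::, Regnull::) that ComboFix acts on directly, so it is worth sanity-checking before it is dragged onto ComboFix.exe. The following Python script is an added example for this thread, not ComboFix, DDS or Blade81's own tooling: it parses a CFScript into its sections, applies a few lint rules (File:: entries must be absolute drive paths, Registry:: entries must be "[-...]" deletions, Regnull:: entries must be bracketed keys, Firefox:: entries must be verbatim "FF - " lines; these rules are this example's assumptions, not a ComboFix specification), and cross-checks each File:: and Firefox:: target against lines from the DDS log posted earlier in the thread. The sample script is the one from the post; the DDS excerpt is three lines trimmed from the log above, and it does not mention azomutivolubu.dll, which shows how the check flags a target the excerpt cannot corroborate.

```python
"""Lint a ComboFix CFScript and cross-check its targets against DDS log lines.

Added example for this thread; not ComboFix, DDS or the helper's own tooling.
Section names (File::, Firefox::, Registry::, Regnull::) are the ones used in
the script posted above. The lint rules are this example's own assumptions.
"""
import re

# Constructed sample: the CFScript from the post above, verbatim.
SAMPLE_CFSCRIPT = r"""
File::
c:\windows\Edutik.bin
c:\windows\azomutivolubu.dll
Firefox::
FF - Ext: XULRunner: {6D791525-EE5B-43F0-A819-ECD8A4C2FE84} - c:\documents and settings\Dominic\Local Settings\Application Data\{6D791525-EE5B-43F0-A819-ECD8A4C2FE84}
Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Eyobekawepazuc]
Regnull::
[HKEY_USERS\S-1-5-21-68344126-3362229131-3438012487-1005\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{FBA0D318-D97B-974B-96FB-2388840E3407}*]
"""

# Constructed sample: three lines trimmed from the DDS log posted earlier in
# the thread. azomutivolubu.dll is not among them, so the cross-check reports
# that target as unsupported by this excerpt.
SAMPLE_DDS = r"""
FF - Ext: XULRunner: {6D791525-EE5B-43F0-A819-ECD8A4C2FE84} - c:\documents and settings\dominic\local settings\application data\{6D791525-EE5B-43F0-A819-ECD8A4C2FE84}
2011-04-04 16:51:07 0 ----a-w- c:\windows\Edutik.bin
2011-04-04 16:51:05 -------- d-----w- c:\docume~1\dominic\locals~1\applic~1\{6D791525-EE5B-43F0-A819-ECD8A4C2FE84}
"""

SECTION_RE = re.compile(r"^(\w+)::$")
GUID_RE = re.compile(r"\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}", re.I)


def parse_cfscript(text):
    """Split a CFScript into {section: [entry, ...]}, keeping entry order."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
            continue
        if current is None:
            raise ValueError(f"entry before any section header: {line!r}")
        sections[current].append(line)
    return sections


def lint_cfscript(sections):
    """Return a list of readable problems; an empty list means the script passes."""
    problems = []
    for path in sections.get("File", []):
        if not re.match(r"^[a-zA-Z]:\\", path):
            problems.append(f"File:: entry is not an absolute drive path: {path}")
    for key in sections.get("Registry", []):
        if not (key.startswith("[-") and key.endswith("]")):
            problems.append(f"Registry:: entry is not a '[-...]' deletion: {key}")
    for key in sections.get("Regnull", []):
        if not (key.startswith("[") and key.endswith("]")):
            problems.append(f"Regnull:: entry is not a bracketed key: {key}")
    for ext in sections.get("Firefox", []):
        if not ext.startswith("FF - "):
            problems.append(f"Firefox:: entry is not a verbatim DDS 'FF - ' line: {ext}")
    return problems


def cross_check(sections, dds_text):
    """Map each File:: and Firefox:: target to True if the DDS text mentions it."""
    dds_lower = dds_text.lower()
    found = {}
    for path in sections.get("File", []):
        found[path] = path.lower() in dds_lower
    for ext in sections.get("Firefox", []):
        # Match on the extension GUID, since DDS prints paths in short 8.3 form.
        m = GUID_RE.search(ext)
        token = m.group(0).lower() if m else ext.lower()
        found[ext] = token in dds_lower
    return found


if __name__ == "__main__":
    parsed = parse_cfscript(SAMPLE_CFSCRIPT)
    for problem in lint_cfscript(parsed):
        print("LINT:", problem)
    for target, ok in cross_check(parsed, SAMPLE_DDS).items():
        print(("supported   " if ok else "unsupported ") + target)
```

Run as a script it prints one line per target; a target reported as unsupported is not necessarily wrong (the helper may be working from the attached Attach.txt or an earlier log), but it is the entry to re-read before the script is used.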


#9 dominicrouse
  • Topic Starter

  • Members
  • 16 posts

Posted 02 May 2011 - 06:59 PM

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=7.00.6000.17095 (vista_gdr.101217-1830)
# OnlineScanner.ocx=1.0.0.6427
# api_version=3.0.2
# EOSSerial=41bdd1503e7a63489863997046aa2430
# end=finished
# remove_checked=false
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2011-05-02 11:50:42
# local_time=2011-05-02 07:50:42 (-0500, Eastern Daylight Time)
# country="Australia"
# lang=9
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=4096 16777215 100 0 0 0 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=95934
# found=0
# cleaned=0
# scan_time=4266

************************************************************
************************************************************
************************************************************
************************************************************
************************************************************
************************************************************

ComboFix 11-04-26.02 - Dominic 01/05/2011 15:36:06.2.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1015.581 [GMT -4:00]
Running from: c:\documents and settings\Dominic\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Dominic\Desktop\CFScript.txt
AV: Ad-Aware Total Security *Disabled/Updated* {71310606-6F3B-49F2-9A81-8315AA75FBB3}
FW: Ad-Aware Personal Firewall *Disabled* {6E6F4BA6-C07D-443F-A130-0A57DA59A082}
.
FILE ::
"c:\windows\azomutivolubu.dll"
"c:\windows\Edutik.bin"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Dominic\Local Settings\Application Data\{6D791525-EE5B-43F0-A819-ECD8A4C2FE84}
c:\documents and settings\Dominic\Local Settings\Application Data\{6D791525-EE5B-43F0-A819-ECD8A4C2FE84}\chrome.manifest
c:\documents and settings\Dominic\Local Settings\Application Data\{6D791525-EE5B-43F0-A819-ECD8A4C2FE84}\chrome\content\_cfg.js
c:\documents and settings\Dominic\Local Settings\Application Data\{6D791525-EE5B-43F0-A819-ECD8A4C2FE84}\chrome\content\overlay.xul
c:\documents and settings\Dominic\Local Settings\Application Data\{6D791525-EE5B-43F0-A819-ECD8A4C2FE84}\install.rdf
c:\windows\azomutivolubu.dll
c:\windows\Edutik.bin
.
.
((((((((((((((((((((((((( Files Created from 2011-04-01 to 2011-05-01 )))))))))))))))))))))))))))))))
.
.
2011-04-15 18:16 . 2011-04-16 08:01 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2011-04-13 17:17 . 2011-04-13 17:17 -------- d-----w- c:\documents and settings\Dominic\Application Data\Intuit Canada
2011-04-13 17:17 . 2011-04-13 17:17 -------- d-----w- c:\program files\Common Files\Intuit
2011-04-13 17:17 . 2011-04-13 17:35 -------- d-----w- c:\program files\TurboTax 2010
2011-04-13 17:16 . 2011-04-13 17:16 -------- d-----w- c:\documents and settings\All Users\Application Data\Intuit Canada
2011-04-13 13:52 . 2011-04-13 13:52 -------- d-----w- c:\documents and settings\Dominic\Local Settings\Application Data\G DATA
2011-04-12 03:36 . 2011-04-12 03:36 68976 ----a-w- c:\windows\system32\drivers\GRD.sys
2011-04-12 02:26 . 2011-04-12 02:21 15880 ----a-w- c:\windows\system32\lsdelete.exe
2011-04-12 02:26 . 2010-05-11 08:19 137288 ----a-w- c:\program files\Mozilla Firefox\extensions\{9AA46F4F-4DC7-4c06-97AF-5035170633FE}\Components\AvkWebFilterFF.dll
2011-04-12 02:26 . 2011-04-12 02:26 51400 ----a-w- c:\windows\system32\drivers\GDTdiIcpt.sys
2011-04-12 02:26 . 2011-04-12 02:26 29640 ----a-w- c:\windows\system32\drivers\GDNdisIc.sys
2011-04-12 02:26 . 2011-04-12 02:26 62024 ----a-w- c:\windows\system32\drivers\MiniIcpt.sys
2011-04-12 02:26 . 2011-04-12 02:26 38600 ----a-w- c:\windows\system32\drivers\HookCentre.sys
2011-04-12 02:26 . 2011-04-12 02:26 33480 ----a-w- c:\windows\system32\drivers\GDBehave.sys
2011-04-12 02:24 . 2011-04-12 02:50 -------- d-----w- c:\documents and settings\All Users\Application Data\G DATA
2011-04-12 02:24 . 2011-04-12 02:24 -------- d-----w- c:\program files\Common Files\G Data
2011-04-12 02:24 . 2011-04-12 02:24 -------- d-----w- c:\program files\Lavasoft
2011-04-11 20:14 . 2011-04-11 20:14 -------- d--h--w- c:\windows\PIF
2011-04-11 19:45 . 2011-04-11 19:45 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2011-04-09 00:04 . 2011-04-09 00:04 -------- d-----w- c:\program files\RegTweaker
2011-04-06 01:12 . 2011-04-06 01:12 -------- d-----w- c:\documents and settings\Dominic\Local Settings\Application Data\PCHealth
2011-04-04 20:00 . 2011-04-04 20:00 -------- d-----w- c:\documents and settings\Dominic\Application Data\Malwarebytes
2011-04-04 17:55 . 2011-04-04 17:55 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2011-04-04 17:55 . 2010-12-20 22:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-04-04 17:55 . 2011-04-04 17:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-04-04 17:55 . 2011-04-08 13:35 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-04-04 17:55 . 2010-12-20 22:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-02-09 13:53 . 2009-05-20 19:07 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53 . 2009-05-20 19:07 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-02 07:58 . 2009-05-20 19:16 2067456 ----a-w- c:\windows\system32\mstscax.dll
2010-04-25 08:06 . 2001-10-31 04:07 249856 ----a-w- c:\program files\SOUNDPAD.EXE
2011-02-09 15:50 . 2011-02-09 15:50 119808 ----a-w- c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2011-04-27_02.09.27 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-05-20 19:07 . 2011-05-01 17:52 68906 c:\windows\system32\perfc009.dat
- 2009-05-20 19:07 . 2011-04-27 02:09 68906 c:\windows\system32\perfc009.dat
+ 2009-05-20 19:07 . 2011-05-01 17:52 436160 c:\windows\system32\perfh009.dat
- 2009-05-20 19:07 . 2011-04-27 02:09 436160 c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EA5CA8B6-9B9C-4994-A7A1-947B6C631BE7}]
2011-03-29 14:01 243200 ----a-w- c:\program files\RegTweaker\key.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\OverlayIconExtension1]
@="{fe25455d-b4c2-4e32-97d2-92632ec1c224}"
[HKEY_CLASSES_ROOT\CLSID\{fe25455d-b4c2-4e32-97d2-92632ec1c224}]
2009-11-07 05:07 297808 ----a-w- c:\windows\system32\mscoree.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\OverlayIconExtension2]
@="{1fae2d88-a78e-4f03-909f-be818a3c1ce6}"
[HKEY_CLASSES_ROOT\CLSID\{1fae2d88-a78e-4f03-909f-be818a3c1ce6}]
2009-11-07 05:07 297808 ----a-w- c:\windows\system32\mscoree.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AsusACPIServer"="c:\program files\EeePC\ACPI\AsAcpiSvr.exe" [2009-04-17 630784]
"AsusEPCMonitor"="c:\program files\EeePC\ACPI\AsEPCMon.exe" [2009-03-13 98304]
"AsusTray"="c:\program files\EeePC\ACPI\AsTray.exe" [2009-04-17 118784]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-12-19 135168]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-12-19 159744]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-12-19 131072]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2009-03-06 1434920]
"SynAsusAcpi"="c:\program files\Synaptics\SynTP\SynAsusAcpi.exe" [2009-03-06 79144]
"ASUS Screen Saver Protector"="c:\windows\AsScrPro.exe" [2009-07-08 3054136]
"RTHDCPL"="RTHDCPL.EXE" [2009-03-27 17567744]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
SuperHybridEngine.lnk - c:\program files\ASUS\EeePC\Super Hybrid Engine\SuperHybridEngine.exe [2009-6-22 376832]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2009-07-20 16:28 72208 ----a-w- c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Bluetooth.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Bluetooth.lnk
backup=c:\windows\pss\Bluetooth.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech SetPoint.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech SetPoint.lnk
backup=c:\windows\pss\Logitech SetPoint.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Dominic^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\documents and settings\Dominic\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Dominic^Start Menu^Programs^Startup^SolidWorks Task Scheduler Engine.lnk]
path=c:\documents and settings\Dominic\Start Menu\Programs\Startup\SolidWorks Task Scheduler Engine.lnk
backup=c:\windows\pss\SolidWorks Task Scheduler Engine.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\G Data AntiVirus Tray Application]
2010-06-29 21:20 981504 ----a-w- c:\program files\Lavasoft\Ad-Aware Total Security\AVKTray\AVKTray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GDFirewallTray]
2010-06-29 21:22 1550576 ----a-w- c:\program files\Lavasoft\Ad-Aware Total Security\Firewall\GDFirewallTray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
2011-02-09 15:49 30192 ----a-w- c:\program files\Google\Google Desktop Search\GoogleDesktop.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2010-04-30 10:46 136176 ----atw- c:\documents and settings\Dominic\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
2008-04-14 12:00 208952 ----a-w- c:\windows\ime\imjp8_1\imjpmig.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2010-12-13 09:16 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Kernel and Hardware Abstraction Layer]
2009-06-17 16:55 55824 ----a-w- c:\windows\KHALMNPR.Exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LiveUpdate]
2010-01-29 15:18 751592 ----a-w- c:\program files\ASUS\LiveUpdate\LiveUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes' Anti-Malware]
2010-12-20 22:08 443728 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 12:42 1695232 ------w- c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
2009-02-07 01:51 3885408 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSPY2002]
2008-04-14 12:00 59392 ----a-w- c:\windows\system32\IME\PINTLGNT\IMSCINST.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
2008-04-14 12:00 455168 ----a-w- c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]
2008-04-14 12:00 455168 ----a-w- c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-11-29 09:38 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Xmarks]
2010-09-28 05:38 1048576 ----a-w- c:\program files\Xmarks\IE Extension\xmarkssync.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Documents and Settings\\Dominic\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"12455:UDP"= 12455:UDP:iTap
"443:TCP"= 443:TCP:Foxtel Downloader 2
.
R0 GDBehave;GDBehave;c:\windows\system32\drivers\GDBehave.sys [11/04/2011 10:26 PM 33480]
R0 GDNdisIc;GDNdisIc;c:\windows\system32\drivers\GDNdisIc.sys [11/04/2011 10:26 PM 29640]
R1 AsUpIO;AsUpIO;c:\windows\system32\drivers\AsUpIO.sys [23/06/2010 10:26 AM 11448]
R1 GDMnIcpt;GDMnIcpt;c:\windows\system32\drivers\MiniIcpt.sys [11/04/2011 10:26 PM 62024]
R1 GRD;G Data Rootkit Detector Driver;c:\windows\system32\drivers\GRD.sys [11/04/2011 11:36 PM 68976]
R1 HookCentre;HookCentre;c:\windows\system32\drivers\HookCentre.sys [11/04/2011 10:26 PM 38600]
R2 AVKProxy;Ad-Aware Total Security Proxy;c:\program files\Common Files\G Data\AVKProxy\AVKProxy.exe [29/06/2010 5:22 PM 1081384]
R2 AVKService;Ad-Aware Scheduler;c:\program files\Lavasoft\Ad-Aware Total Security\AVK\AVKService.exe [29/06/2010 5:22 PM 412944]
R2 AVKWCtl;Ad-Aware Filesystem Monitor;c:\program files\Lavasoft\Ad-Aware Total Security\AVK\AVKWCtl.exe [23/06/2010 12:35 PM 1635672]
R2 GDTdiInterceptor;GDTdiInterceptor;c:\windows\system32\drivers\GDTdiIcpt.sys [11/04/2011 10:26 PM 51400]
R2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [22/09/2010 9:47 PM 10384]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [4/04/2011 1:55 PM 363344]
R2 NAUpdate;@c:\program files\Nero\Update\NASvc.exe,-200;c:\program files\Nero\Update\NASvc.exe [4/05/2010 1:07 PM 503080]
R3 GDFwSvc;Ad-Aware Personal Firewall;c:\program files\Lavasoft\Ad-Aware Total Security\Firewall\GDFwSvc.exe [15/06/2010 11:14 AM 1834432]
R3 GDScan;Ad-Aware Scanner;c:\program files\Common Files\G Data\GDScan\GDScan.exe [29/06/2010 5:16 PM 624064]
R3 L1c;NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller;c:\windows\system32\drivers\l1c51x86.sys [1/06/2009 3:26 AM 38912]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [4/04/2011 1:55 PM 20952]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [30/04/2010 6:46 AM 136176]
S2 HidCom;USB-HID -> COM Driver Service;c:\windows\system32\drivers\HidCom.sys [9/11/2005 1:01 PM 21016]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [22/06/2009 11:49 PM 1684736]
S3 GDBackupSvc;Ad-Aware Backup Service;c:\program files\Lavasoft\Ad-Aware Total Security\AVKBackup\AVKBackupService.exe [29/06/2010 5:15 PM 911976]
S3 GDTunerSvc;Ad-Aware Tuner Service;c:\program files\Lavasoft\Ad-Aware Total Security\AVKTuner\AVKTunerService.exe [29/06/2010 5:15 PM 1234896]
S3 GoogleDesktopManager-051210-111108;Google Desktop Manager 5.9.1005.12335;c:\program files\Google\Google Desktop Search\GoogleDesktop.exe [9/02/2011 11:49 AM 30192]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [30/04/2010 6:46 AM 136176]
S3 Netaapl;Apple Mobile Device Ethernet Service;c:\windows\system32\drivers\netaapl.sys [31/10/2009 4:55 PM 18432]
S3 uvclf;uvclf;c:\windows\system32\drivers\uvclf.sys [1/06/2009 3:26 AM 39040]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\DRIVERS\wdcsam.sys --> c:\windows\system32\DRIVERS\wdcsam.sys [?]
.
Contents of the 'Scheduled Tasks' folder
.
2011-05-01 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-04-30 10:46]
.
2011-05-01 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-04-30 10:46]
.
2011-04-18 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-68344126-3362229131-3438012487-1005Core.job
- c:\documents and settings\Dominic\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-09-07 10:46]
.
2011-05-01 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-68344126-3362229131-3438012487-1005UA.job
- c:\documents and settings\Dominic\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-09-07 10:46]
.
2011-02-10 c:\windows\Tasks\Microsoft_Hardware_Launch_IType_exe.job
- c:\program files\Microsoft IntelliType Pro\itype.exe [2006-11-21 10:08]
.
2011-02-20 c:\windows\Tasks\mixpadShakeIcon.job
- c:\program files\NCH Swift Sound\MixPad\mixpad.exe [2010-04-25 08:09]
.
2011-03-28 c:\windows\Tasks\wavepadShakeIcon.job
- c:\program files\NCH Swift Sound\WavePad\wavepad.exe [2010-04-25 08:08]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.ca/
mStart Page = hxxp://www.msn.com
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
FF - ProfilePath - c:\documents and settings\Dominic\Application Data\Mozilla\Firefox\Profiles\xqcl2m4i.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.ca/
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&q=
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Ad-Aware WebFilter: {9AA46F4F-4DC7-4c06-97AF-5035170633FE} - c:\program files\Mozilla Firefox\extensions\{9AA46F4F-4DC7-4c06-97AF-5035170633FE}
FF - Ext: Xmarks: foxmarks@kei.com - %profile%\extensions\foxmarks@kei.com
FF - Ext: Google Toolbar for Firefox: {3112ca9c-de6d-4884-a869-9855de68056c} - %profile%\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: YouTube mp3: info@youtube-mp3.org - %profile%\extensions\info@youtube-mp3.org
FF - Ext: Gmail Notifier: {44d0a1b4-9c90-4f86-ac92-8680b5d6549e} - %profile%\extensions\{44d0a1b4-9c90-4f86-ac92-8680b5d6549e}
FF - Ext: Zoom toolbar: {FBFB7597-9E32-46b4-A500-8B6B0412777F} - %profile%\extensions\{FBFB7597-9E32-46b4-A500-8B6B0412777F}
FF - Ext: PageZoom Buttons: 54c7d9671b9eccd9e5686a73df34ab60@button.codefisher.org - %profile%\extensions\54c7d9671b9eccd9e5686a73df34ab60@button.codefisher.org
FF - Ext: TVU Web Player: firefox@tvunetworks.com - %profile%\extensions\firefox@tvunetworks.com
FF - Ext: Conduit Engine : engine@conduit.com - %profile%\extensions\engine@conduit.com
FF - Ext: ALMANSOORI WIRELINE SERVICES Community Toolbar: {1105fc58-3295-4308-bace-00e344be1cc7} - %profile%\extensions\{1105fc58-3295-4308-bace-00e344be1cc7}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
.
- - - - ORPHANS REMOVED - - - -
.
MSConfigStartUp-Adobe ARM - c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
MSConfigStartUp-Adobe Reader Speed Launcher - c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe
MSConfigStartUp-SunJavaUpdateSched - c:\program files\Common Files\Java\Java Update\jusched.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-05-01 15:56
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(756)
c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
c:\program files\common files\logishrd\bluetooth\LBTServ.dll
.
- - - - - - - > 'explorer.exe'(5184)
c:\windows\system32\WININET.dll
c:\program files\ASUS\Eee Storage\XPClient.dll
c:\program files\ASUS\Eee Storage\LogicNP.EZShellExtensions.dll
c:\program files\ASUS\Eee Storage\EcaremeDLL.dll
c:\windows\assembly\GAC_MSIL\SqliteShared\1.0.3390.31024__0d0f4b69e50e559b\SqliteShared.dll
c:\windows\assembly\GAC_32\System.Data.SQLite\1.0.60.0__db937bc2d44ff139\System.Data.SQLite.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\msi.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\btncopy.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
c:\windows\system32\igfxsrvc.exe
c:\windows\RTHDCPL.EXE
c:\windows\system32\igfxext.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2011-05-01 16:00:37 - machine was rebooted
ComboFix-quarantined-files.txt 2011-05-01 20:00
ComboFix2.txt 2011-04-27 02:17
.
Pre-Run: 18,240,700,416 bytes free
Post-Run: 18,387,021,824 bytes free
.
- - End Of File - - FB0BECBA1B7D3FBBF7989E4A5944AA79


Attached File  Attach.txt   16.33KB   1 downloads
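The firewall-policy section of the ComboFix log above records "EnableFirewall"= 0 for the standard profile, a globally open 443:TCP port and a list of authorized applications, while the service list shows GDFwSvc (Ad-Aware Personal Firewall) running. Third-party firewall suites commonly switch Windows Firewall off when installed, so that line alone is not evidence of tampering, but it should be read together with the open ports and exceptions (it is also the first thing to check when a tool such as Secunia PSI cannot reach the Internet). As an added example that is not part of the original post, the following PowerShell function pulls those items out of a ComboFix log and grades them. The embedded $SampleLog is a constructed excerpt modelled on the lines quoted above; the severity ratings and the list of "user-writable" path prefixes are this example's own assumptions.

```powershell
# Added example (not part of the original post): triage the firewall-policy
# section of a ComboFix/DDS log. $SampleLog is a constructed excerpt that
# mirrors the lines quoted in the log above; on a real case pass
# (Get-Content .\ComboFix.txt) instead.

$SampleLog = @'
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Documents and Settings\\Dominic\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"12455:UDP"= 12455:UDP:iTap
"443:TCP"= 443:TCP:Foxtel Downloader 2
.
R3 GDFwSvc;Ad-Aware Personal Firewall;c:\program files\Lavasoft\Ad-Aware Total Security\Firewall\GDFwSvc.exe [15/06/2010 11:14 AM 1834432]
'@

function Get-ComboFixFirewallFindings {
    param([string[]]$Lines)

    $findings  = @()
    $section   = ''
    $fwProfile = ''
    $thirdPartyFirewall = $false

    # Assumed list of locations where a firewall exception is unusual for a clean install.
    $userWritable = '^(c:\\documents and settings\\|c:\\users\\|%temp%|%appdata%)'

    foreach ($line in $Lines) {
        # Section header: profile name and, optionally, the list inside that profile.
        if ($line -match '^\[HKLM\\~\\services\\sharedaccess\\parameters\\firewallpolicy\\(\w+)(?:\\(\w+)\\List)?\]') {
            $fwProfile = $Matches[1]
            $section   = if ($Matches[2]) { $Matches[2] } else { 'Profile' }
            continue
        }

        # A *running* (R) service whose description mentions a firewall.
        if ($line -match '^R\d\s+\w+;[^;]*Firewall[^;]*;') {
            $thirdPartyFirewall = $true
            continue
        }

        switch ($section) {
            'Profile' {
                if ($line -match '^"EnableFirewall"=\s*(\d+)' -and [int]$Matches[1] -eq 0) {
                    $findings += New-Object PSObject -Property @{
                        Severity = 'High'; Profile = $fwProfile; Item = 'EnableFirewall=0'
                        Note = 'Windows Firewall disabled for this profile' }
                }
            }
            'AuthorizedApplications' {
                if ($line -match '^"(.+)"=\s*$') {
                    $path = $Matches[1] -replace '\\\\', '\'      # log doubles the backslashes
                    if ($path -match $userWritable) {
                        $sev = 'Medium'; $note = 'Inbound exception for a binary in a user-writable location'
                    } else {
                        $sev = 'Info';   $note = 'Application allowed inbound'
                    }
                    $findings += New-Object PSObject -Property @{
                        Severity = $sev; Profile = $fwProfile; Item = $path; Note = $note }
                }
            }
            'GloballyOpenPorts' {
                if ($line -match '^"(\d+):(TCP|UDP)"=\s*\d+:(?:TCP|UDP):(.*)$') {
                    $findings += New-Object PSObject -Property @{
                        Severity = 'Medium'; Profile = $fwProfile
                        Item = "$($Matches[1])/$($Matches[2]) ($($Matches[3].Trim()))"
                        Note = 'Port open to all inbound sources' }
                }
            }
        }
    }

    # A running third-party firewall explains a disabled Windows Firewall; downgrade that finding.
    if ($thirdPartyFirewall) {
        foreach ($f in ($findings | Where-Object { $_.Item -eq 'EnableFirewall=0' })) {
            $f.Severity = 'Info'
            $f.Note += ' (third-party firewall service running; check its rules for PSI and updaters)'
        }
    }
    return $findings
}

Get-ComboFixFirewallFindings -Lines ($SampleLog -split "`r?`n") |
    Sort-Object { @{ High = 0; Medium = 1; Info = 2 }[$_.Severity] } |
    Format-Table Severity, Profile, Item, Note -AutoSize
```

Run it as-is to see the triage of the constructed sample; with a real log the interesting rows are the Medium ones (ports opened to every source, exceptions for binaries under Documents and Settings or a temp directory), which are where a fake-AV installer or its downloader would show up.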

#10 Blade81

  • Malware Response Team

Posted 03 May 2011 - 12:07 AM

Good. Any issues left or shall we move on to the final steps?

Microsoft Windows Insider MVP 2016-2017

Microsoft MVP Consumer Security 2008-2015
UNITE member since 2006

Provided malware removal related instructions are meant to be used in the correspondent user's case only. If you have similar symptoms create own topic instead of following instructions given to some other, please.


#11 dominicrouse

  • Topic Starter

Posted 03 May 2011 - 02:56 PM

The system has improved considerably! Let's move on please...thank you

#12 Blade81

  • Malware Response Team

Posted 03 May 2011 - 03:23 PM

Good. Please take the following steps to secure your system and prevent further intrusions.


THESE STEPS ARE VERY IMPORTANT

Let's reset system restore
Reset and re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs changing those files. This is the only way to clean these files: you will lose all previous restore points, which are likely to be infected. Please note you need Administrator access to clean the restore points.

1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.
NOTE: only do this ONCE, NOT on a regular basis.



Now let's uninstall ComboFix:
  • Click START then RUN
  • Now copy-paste Combofix /uninstall in the runbox and click OK



UPDATING WINDOWS AND INTERNET EXPLORER

IMPORTANT: You need to update Windows and Internet Explorer to protect your computer from the malware that is around on the Internet. Please go to the Windows Update site to get the critical updates.

If you are running Microsoft Office, or any portion thereof, go to Microsoft's Office Update site and make sure you have at least all the critical updates installed (free): Microsoft Office Update.


Make your Internet Explorer more secure

This can be done by following these simple instructions:
From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt
Change the Download unsigned ActiveX controls to Disable
Change the Initialize and script ActiveX controls not marked as safe to Disable
Change the Installation of desktop items to Prompt
Change the Launching programs and files in an IFRAME to Prompt
Change the Navigate sub-frames across different domains to Prompt
When all these settings have been made, click on the OK button.
If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.


Download and run Secunia Personal Software Inspector (PSI) and fix its findings.


Just a final reminder for you. I am trying to stress these two points.
UPDATE UPDATE UPDATE!!! Make sure you do this about every 1-2 weeks.
Make sure all of your security programs are up to date.
Visit Microsoft's Windows Update site frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest available security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.


Once again, please post and tell me how things are going with your system... problems etc.

Have a great day,
Blade B)

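The six Custom Level settings in the post above are stored as DWORD values under the Internet zone key (Zones\3) of the current user's Internet Settings, where data 0 means Enable, 1 means Prompt and 3 means Disable; the value names used here (1001, 1004, 1201, 1800, 1804, 1607) are Microsoft's published URL-action identifiers for those dialog entries. As an added example that is not part of the original post, this PowerShell script reports the current state of each setting, optionally applies the values Blade81 lists, and warns if the machine-only security-zone policy (Security_HKLM_only) is in force, in which case Internet Explorer ignores HKCU and the change must be made under HKLM instead. The function name Test-IeZoneHardening is this example's own.

```powershell
# Added example (not part of the original post): audit and optionally apply
# the Internet-zone (Zones\3) Custom Level settings listed in the post above.
# Value names are Microsoft's URL-action IDs; data 0 = Enable, 1 = Prompt, 3 = Disable.

$ZoneKey   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'
$PolicyKey = 'HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'

$Labels = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

# Dialog text -> registry value name and the data the post asks for.
$Wanted = @(
    @{ Name = 'Download signed ActiveX controls';                          Value = '1001'; Target = 1 },
    @{ Name = 'Download unsigned ActiveX controls';                        Value = '1004'; Target = 3 },
    @{ Name = 'Initialize and script ActiveX controls not marked as safe'; Value = '1201'; Target = 3 },
    @{ Name = 'Installation of desktop items';                             Value = '1800'; Target = 1 },
    @{ Name = 'Launching programs and files in an IFRAME';                 Value = '1804'; Target = 1 },
    @{ Name = 'Navigate sub-frames across different domains';              Value = '1607'; Target = 1 }
)

function Test-IeZoneHardening {
    param([switch]$Apply)   # without -Apply the function only reports

    # "Security Zones: Use only machine settings" makes IE ignore the HKCU zone keys.
    $policy = Get-ItemProperty -Path $PolicyKey -Name 'Security_HKLM_only' -ErrorAction SilentlyContinue
    if ($policy -and $policy.Security_HKLM_only -eq 1) {
        Write-Warning 'Security_HKLM_only is set; edit the HKLM zone key (or the policy) instead of HKCU.'
    }

    $props = Get-ItemProperty -Path $ZoneKey -ErrorAction Stop

    foreach ($s in $Wanted) {
        $current = $props.($s.Value)          # $null when the value is absent
        $ok = ($current -ne $null -and [int]$current -eq $s.Target)

        if (-not $ok -and $Apply) {
            Set-ItemProperty -Path $ZoneKey -Name $s.Value -Value $s.Target -Type DWord
            $current = $s.Target
            $ok = $true
        }

        $label = if ($current -eq $null) { 'not set (template default)' }
                 elseif ($Labels.ContainsKey([int]$current)) { $Labels[[int]$current] }
                 else { "raw $current" }

        New-Object PSObject -Property @{
            Setting   = $s.Name
            Current   = $label
            Wanted    = $Labels[$s.Target]
            Compliant = $ok
        }
    }
}

# Report only; run Test-IeZoneHardening -Apply to enforce, then restart Internet Explorer.
Test-IeZoneHardening | Format-Table Setting, Current, Wanted, Compliant -AutoSize
```

An absent value is reported as "not set" rather than guessed, because IE then falls back to the zone template's default, which differs between security levels; the Compliant column only reads True when the value is explicitly present with the wanted data.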


#13 dominicrouse

  • Topic Starter

Posted 08 May 2011 - 09:53 PM

Ok, problem with Secunia PSI...see attached screenshot of the error message. I'm connected to the internet (hence being able to post this message) and I'm not using a proxy server (to my knowledge)...please advise

Also, and I'm not sure if this is a post-Antimal Doctor symptom or not, but my mouse is acting strange. On right-click it takes about 5 seconds to react. When scrolling down the right-click menu it always gets stuck on "Send To". This has never happened before and is obviously irritating.


Attached File  Secunia PSI.jpg   91.4KB   2 downloads

Edited by dominicrouse, 08 May 2011 - 09:54 PM.


#14 dominicrouse

  • Topic Starter

Posted 08 May 2011 - 10:11 PM

My proxy server settings are indeed off...see attached

Attached File  Proxy Server.jpg   130.59KB   2 downloads

#15 Blade81

  • Malware Response Team

Posted 08 May 2011 - 11:51 PM

Hi,

Is PSI allowed from firewall?
