Scour re-direct virus / GMER shows tdl4


  • This topic is locked
71 replies to this topic

#1 JustMyAlias

  • Members
  • 204 posts
  • Gender:Not Telling
  • Location:ATL

Posted 30 April 2011 - 12:30 PM

I had to run GMER in safe mode - BSOD in normal Windows mode.

I have a Dell Studio 1555 laptop with no reinstall or recovery disks.
Also, I am not able to access the Recovery Console from safe mode - it tells me I have a corrupt or missing hal.dll file and to replace it. Trying that caused Windows to crash on me altogether (see other forum post...).

GMER showed tdl4@mbr code

THANKS FOR ANY HELP!!

(and I had already tried running several scanning programs prior to today and prior to crashing Windows - as posted in my "Am I Infected?" post... sorry - not touching anything else until I hear back...)

DDS.txt file:
.
DDS (Ver_11-03-05.01) - NTFSx86
Run by Cyndy Nahass at 11:56:18.60 on Sat 04/30/2011
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2909.1788 [GMT -4:00]
.
AV: Lavasoft Ad-Watch Live! Anti-Virus *Enabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
FW: McAfee Firewall *Enabled*
FW: ZoneAlarm Firewall *Enabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\Program Files\Dell\DellDock\DockLogin.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Dell\DellDock\DellDock.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\idt\xpm09_6162v012\wdm\STacSV.exe
svchost.exe
C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\FsUsbExService.Exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\AESTFltr.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Logitech\SetPointP\SetPoint.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Adobe\Photoshop Elements 6.0\apdproxy.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Common Files\LogiShrd\KHAL3\KHALMNPR.EXE
C:\Program Files\Desksware\Desktop iCal\Calendar.exe
C:\Program Files\Samsung\Samsung New PC Studio\NPSAgent.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Windows Live\Toolbar\wltuser.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\WISPTIS.EXE
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\Cyndy Nahass\Desktop\dds.scr
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.hotmail.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - c:\progra~1\mcafee\msk\mskapbho.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: RoboForm BHO: {724d43a9-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20100830085503.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: AcroIEToolbarHelper Class: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.6406.1642\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
BHO: {E312764E-7706-43F1-8DAB-FCDD2B1E416D} - No File
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: {F3FEE66E-E034-436a-86E4-9690573BEE8A} - No File
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn\YTSingleInstance.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: Post-it® Digital Notes: {735abc4c-9266-4008-9ef6-bc60be8de31f} - mscoree.dll
TB: &RoboForm: {724d43a0-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - No File
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 6.0\acrobat\AcroIEFavClient.dll
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [iCalendar] c:\program files\desksware\desktop ical\Calendar.exe
uRun: [AutoStartNPSAgent] c:\program files\samsung\samsung new pc studio\NPSAgent.exe
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil10l_ActiveX.exe -update activex
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [AESTFltr] %SystemRoot%\system32\AESTFltr.exe /NoDlg
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [Dell QuickSet] c:\program files\dell\quickset\quickset.exe
mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [EvtMgr6] c:\program files\logitech\setpointp\SetPoint.exe /launchGaming
mRun: [Google Quick Search Box] "c:\program files\google\quick search box\GoogleQuickSearchBox.exe" /autorun
mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
mRun: [mcui_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop elements 6.0\apdproxy.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb04.exe
StartupFolder: c:\docume~1\cyndyn~1\startm~1\programs\startup\delldo~1.lnk - c:\program files\dell\delldock\DellDock.exe
IE: &Search
IE: Create a Post-it® Note - c:\program files\3m\pdnotes\\PSNBookMark.html
IE: Customize Menu - file://c:\program files\siber systems\ai roboform\RoboFormComCustomizeIEMenu.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: Fill Forms - file://c:\program files\siber systems\ai roboform\RoboFormComFillForms.html
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_D1E1F7ED622A0E5D.dll/cmsidewiki.html
IE: RoboForm Toolbar - file://c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html
IE: Save Forms - file://c:\program files\siber systems\ai roboform\RoboFormComSavePass.html
IE: Send to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F46} - c:\program files\siber systems\ai roboform\RoboFormComFillForms.html
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F49} - c:\program files\siber systems\ai roboform\RoboFormComSavePass.html
IE: {724d43aa-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: ccecoke.com\employee
Trusted Zone: valorbrands.net\mail
Trusted Zone: wachovia.com\onlinebanking1
Trusted Zone: wachovia.com\onlinebanking2
DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} - hxxp://office.microsoft.com/sites/production/ieawsdc32.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {361E6B79-4A69-4376-B0F2-3D1EBEE9D7E2} - hxxp://campwoof2.dyndns.org:7180/RtspVaPgDec.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {C1F8FC10-E5DB-4112-9DBF-6C3FF728D4E3} - hxxp://support.dell.com/systemprofiler/DellSystemLite.CAB
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} - hxxp://gfx1.hotmail.com/mail/w4/pr01/photouploadcontrol/MSNPUpld.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Notify: igfxcui - igfxdev.dll
Notify: LBTWlgn - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
Hosts: 127.0.0.1 www.spywareinfo.com
.
============= SERVICES / DRIVERS ===============
.
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-11-4 64288]
R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2010-8-30 385880]
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [2010-8-30 82952]
R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2009-11-4 532224]
R2 DockLoginService;Dock Login Service;c:\program files\dell\delldock\DockLogin.exe [2008-12-18 155648]
R2 FsUsbExService;FsUsbExService;c:\windows\system32\FsUsbExService.Exe [2010-1-18 238952]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-8-12 2146496]
R2 LBeepKE;Logitech Beep Suppression Driver;c:\windows\system32\drivers\LBeepKE.sys [2010-6-19 10448]
R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-8-30 271480]
R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-8-30 271480]
R2 McProxy;McAfee Proxy Service;"c:\program files\common files\mcafee\mcsvchost\McSvHost.exe" /McCoreSvc [2010-8-30 271480]
R2 McShield;McShield;c:\program files\common files\mcafee\systemcore\mcshield.exe [2010-8-30 170144]
R2 mfefire;McAfee Firewall Core Service;c:\program files\common files\mcafee\systemcore\mfefire.exe [2010-8-30 188136]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\common files\mcafee\systemcore\mfevtps.exe [2010-8-30 141792]
R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
R3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [2009-9-18 113024]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [2010-8-30 55456]
R3 CtClsFlt;Creative Camera Class Upper Filter Driver;c:\windows\system32\drivers\CtClsFlt.sys [2009-9-18 143840]
R3 FsUsbExDisk;FsUsbExDisk;c:\windows\system32\FsUsbExDisk.Sys [2010-1-18 36608]
R3 IntcHdmiAddService;Intel® High Definition Audio HDMI Service;c:\windows\system32\drivers\IntcHdmi.sys [2009-9-18 110080]
R3 k57w2k;Broadcom NetLink ™ Gigabit Ethernet;c:\windows\system32\drivers\k57xp32.sys [2009-9-18 176640]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2010-8-30 152320]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2010-8-30 51688]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [2010-8-30 312616]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [2010-8-30 88480]
R3 OA008Ufd;Creative Camera OA008 Upper Filter Driver;c:\windows\system32\drivers\OA008Ufd.sys [2009-9-18 133632]
R3 OA008Vid;Creative Camera OA008 Function Driver;c:\windows\system32\drivers\OA008Vid.sys [2009-9-18 274112]
S2 Application Updater;Application Updater;"c:\program files\application updater\applicationupdater.exe" --> c:\program files\application updater\ApplicationUpdater.exe [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-1-31 135664]
S3 AMBFilt;Creative AMB Service;c:\windows\system32\drivers\AMBFilt.sys [2009-9-18 1656960]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-1-31 135664]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\mcafee security scan\2.0.181\McCHSvc.exe [2010-1-15 227232]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [2010-8-30 88480]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2010-8-30 83496]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2011-04-28 14:29:42 1377112 ----a-w- C:\tdsskiller.exe
2011-04-28 14:21:55 1377112 ----a-w- c:\documents and settings\cyndy nahass\tdsskiller.exe
2011-04-28 13:57:25 54016 ----a-w- c:\windows\system32\drivers\xwjn.sys
2011-04-28 03:02:26 54016 ----a-w- c:\windows\system32\drivers\icgi.sys
2011-04-28 01:29:47 12872 ----a-w- c:\windows\system32\bootdelete.exe
2011-04-28 01:21:10 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2011-04-28 01:20:28 -------- d-----w- c:\docume~1\alluse~1\applic~1\Hitman Pro
2011-04-28 00:02:01 -------- d-----w- C:\$WIN_NT$.~BT
2011-04-28 00:01:59 -------- d-----w- c:\windows\setup.pss
2011-04-28 00:01:34 -------- d-----w- c:\windows\setupupd
2011-04-27 17:49:30 388096 ----a-r- c:\docume~1\cyndyn~1\applic~1\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
2011-04-27 17:49:30 -------- d-----w- c:\program files\Trend Micro
2011-04-27 15:48:13 -------- d-----w- c:\docume~1\cyndyn~1\applic~1\Malwarebytes
2011-04-27 15:48:07 38224 ---ha-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-04-27 15:48:06 -------- d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2011-04-27 15:48:03 20952 ---ha-w- c:\windows\system32\drivers\mbam.sys
2011-04-27 15:48:03 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-04-27 15:25:04 98816 ---ha-w- c:\windows\sed.exe
2011-04-27 15:25:04 89088 ---ha-w- c:\windows\MBR.exe
2011-04-27 15:25:04 256512 ---ha-w- c:\windows\PEV.exe
2011-04-27 15:25:04 161792 ---ha-w- c:\windows\SWREG.exe
2011-04-14 07:30:31 -------- d--h--w- c:\windows\ServicePackFiles
2011-03-31 20:13:27 -------- d-----w- c:\program files\hp deskjet 825c series
2011-03-31 20:09:07 25856 -c-ha-w- c:\windows\system32\dllcache\usbprint.sys
2011-03-31 20:09:07 25856 ---ha-w- c:\windows\system32\drivers\usbprint.sys
.
==================== Find3M ====================
.
2011-04-27 13:19:50 26112 ---ha-w- c:\windows\system32\userinit.exe
2011-04-26 22:28:31 16432 ---ha-w- c:\windows\system32\lsdelete.exe
2011-03-07 05:33:50 692736 ---ha-w- c:\windows\system32\inetcomm.dll
2011-03-04 06:37:06 420864 ---ha-w- c:\windows\system32\vbscript.dll
2011-03-03 13:27:43 1866880 ---ha-w- c:\windows\system32\win32k.sys
2011-02-22 23:06:29 916480 ---ha-w- c:\windows\system32\wininet.dll
2011-02-22 23:06:29 43520 ---ha-w- c:\windows\system32\licmgr10.dll
2011-02-22 23:06:29 1469440 ---ha-w- c:\windows\system32\inetcpl.cpl
2011-02-22 11:41:59 385024 ---ha-w- c:\windows\system32\html.iec
2011-02-17 13:55:00 398760 ---ha-r- c:\windows\system32\cpnprt2.cid
2011-02-17 12:32:12 5120 ---ha-w- c:\windows\system32\xpsp4res.dll
2011-02-15 12:56:39 290432 ---ha-w- c:\windows\system32\atmfd.dll
2011-02-11 13:25:52 229888 ---ha-w- c:\windows\system32\fxscover.exe
2011-02-09 13:53:52 270848 ---ha-w- c:\windows\system32\sbe.dll
2011-02-09 13:53:52 186880 ---ha-w- c:\windows\system32\encdec.dll
2011-02-08 13:33:55 978944 ---ha-w- c:\windows\system32\mfc42.dll
2011-02-08 13:33:55 974848 ---ha-w- c:\windows\system32\mfc42u.dll
2011-02-02 07:58:35 2067456 ---ha-w- c:\windows\system32\mstscax.dll
.
============= FINISH: 11:58:49.43 ===============

GMER ark.txt file:

GMER 1.0.15.15572 - http://www.gmer.net
Rootkit scan 2011-04-30 13:17:13
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\iaStor0 ST950042 rev.0003
Running: gmer.exe; Driver: C:\DOCUME~1\CYNDYN~1\LOCALS~1\Temp\kwryiuow.sys


---- Devices - GMER 1.0.15 ----

Device mrxsmb.sys (Windows NT SMB Minirdr/Microsoft Corporation)
Device B8BB7D20

AttachedDevice fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device Fs_Rec.SYS (File System Recognizer Driver/Microsoft Corporation)

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 TDL4@MBR code has been found <-- ROOTKIT !!!
Disk \Device\Harddisk0\DR0 sector 00: rootkit-like behavior

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 wdf01000.sys (WDF Dynamic/Microsoft Corporation)

Device \Driver\Tcpip \Device\Ip vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)

AttachedDevice \Driver\Tcpip \Device\Ip mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)

Device \Driver\Tcpip \Device\IPMULTICAST vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
Device \Driver\Tcpip \Device\RawIp vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)

AttachedDevice \Driver\Tcpip \Device\RawIp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)

Device \Driver\Tcpip \Device\Tcp vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)

AttachedDevice \Driver\Tcpip \Device\Tcp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)

Device \Driver\Tcpip \Device\Udp vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)

AttachedDevice \Driver\Tcpip \Device\Udp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (McAfee Link Driver/McAfee, Inc.)

---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwCreateFile [0xB9C82782]
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwCreateKey [0xB9CA16DC]
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwCreateProcess [0xB9C9BEB4]
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwCreateProcessEx [0xB9C9C2A2]
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwCreateSection [0xB9CA5916]
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwDeleteFile [0xB9C83398]
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwDeleteKey [0xB9CA2FE4]
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwDeleteValueKey [0xB9CA293C]
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwDuplicateObject [0xB9C9ADF0]
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwLoadKey [0xB9CA393C]
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwLoadKey2 [0xB9CA3B44]
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwOpenFile [0xB9C82FAA]
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwOpenProcess [0xB9C9E1CE]
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwOpenThread [0xB9C9DDF8]
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwRenameKey [0xB9CA48D2]
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwReplaceKey [0xB9CA4208]
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwRestoreKey [0xB9CA52A4]
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwSecureConnectPort [0xB9C887DC]
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwSetInformationFile [0xB9C8375C]
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwSetSecurityObject [0xB9CA4E12]
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwSetValueKey [0xB9CA20C4]
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwSystemDebugControl [0xB9C9CF0A]
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwTerminateProcess [0xB9C9CC86]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\Explorer.EXE[1940] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00C2000C
.text C:\WINDOWS\Explorer.EXE[1940] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00C3000A
.text C:\WINDOWS\Explorer.EXE[1940] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00DF000A
.text C:\WINDOWS\system32\svchost.exe[1756] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00D3000C
.text C:\WINDOWS\system32\svchost.exe[1756] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00D4000A
.text C:\WINDOWS\system32\svchost.exe[1756] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00D5000A
.text C:\WINDOWS\system32\svchost.exe[1756] ole32.dll!CoCreateInstance 774FF1AC 5 Bytes JMP 0178000A

Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenProcess [0xF7455D74]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenThread [0xF7455D88]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtOpenProcess
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtOpenThread

---- EOF - GMER 1.0.15 ----

Edited by JustMyAlias, 30 April 2011 - 12:34 PM.
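Added example, not part of the original post and not a DDS feature: a small Python triage script for the "Created Last 30" section of a DDS log. It takes a handful of lines copied from the DDS output above as constructed sample input and flags newly created kernel drivers under system32\drivers whose file name is a random-looking four-letter stem, or whose byte size is shared by another new driver. Both heuristics, the allowlist of scanner drivers (mbam.sys, mbamswissarmy.sys, hitmanpro35.sys) and the function names are this example's own assumptions; a hit means "look at this file", not a confirmed infection.

```python
import re
from collections import defaultdict

# Constructed sample input: lines copied from the "Created Last 30" section of
# the DDS log posted above. Non-driver and directory lines are kept on purpose
# to show that the parser tolerates them.
SAMPLE_DDS = r"""
2011-04-28 14:29:42 1377112 ----a-w- C:\tdsskiller.exe
2011-04-28 13:57:25 54016 ----a-w- c:\windows\system32\drivers\xwjn.sys
2011-04-28 03:02:26 54016 ----a-w- c:\windows\system32\drivers\icgi.sys
2011-04-28 01:29:47 12872 ----a-w- c:\windows\system32\bootdelete.exe
2011-04-28 01:21:10 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2011-04-28 01:20:28 -------- d-----w- c:\docume~1\alluse~1\applic~1\Hitman Pro
2011-04-27 15:48:07 38224 ---ha-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-04-27 15:48:03 20952 ---ha-w- c:\windows\system32\drivers\mbam.sys
2011-03-31 20:09:07 25856 ---ha-w- c:\windows\system32\drivers\usbprint.sys
"""

# One DDS "Created Last 30" line: date, time, size (dashes for a directory),
# attribute string, then the path, which may itself contain spaces.
LINE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2})\s+(\d{2}:\d{2}:\d{2})\s+(\S+)\s+(\S+)\s+(.+?)\s*$"
)

# Assumed allowlist: drivers dropped by the scanners the poster ran (MBAM, Hitman Pro).
KNOWN_TOOL_DRIVERS = {"mbam.sys", "mbamswissarmy.sys", "hitmanpro35.sys"}


def parse_dds_created(text):
    """Return one dict per parseable line; lines that do not match are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        date, time, size, attrs, path = m.groups()
        entries.append({
            "when": f"{date} {time}",
            "size": None if size.startswith("-") else int(size),
            "attrs": attrs,
            "path": path,
            "name": path.rsplit("\\", 1)[-1].lower(),
        })
    return entries


def is_kernel_driver(entry):
    return entry["name"].endswith(".sys") and "\\drivers\\" in entry["path"].lower()


def triage_drivers(entries):
    """Map suspicious driver file name -> list of reasons (assumed heuristics)."""
    drivers = [e for e in entries
               if is_kernel_driver(e) and e["name"] not in KNOWN_TOOL_DRIVERS]
    by_size = defaultdict(list)
    for e in drivers:
        if e["size"] is not None:
            by_size[e["size"]].append(e["name"])
    flagged = {}
    for e in drivers:
        reasons = []
        # Heuristic 1: a bare four-letter lowercase stem is typical of a generated name.
        if re.fullmatch(r"[a-z]{4}\.sys", e["name"]):
            reasons.append("random-looking four-letter name")
        # Heuristic 2: two new drivers with different names but an identical byte
        # size suggest the same dropper wrote both.
        twins = [n for n in by_size.get(e["size"], []) if n != e["name"]]
        if twins:
            reasons.append(f"size {e['size']} shared with {', '.join(twins)}")
        if reasons:
            flagged[e["name"]] = reasons
    return flagged


if __name__ == "__main__":
    for name, reasons in triage_drivers(parse_dds_created(SAMPLE_DDS)).items():
        print(f"{name}: {'; '.join(reasons)}")
```

On the sample above the script flags xwjn.sys and icgi.sys (same 54016-byte size, four-letter names, created within hours of each other) and nothing else; later in this thread ComboFix's "Other Deletions" list removes exactly those two drivers.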


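The GMER line above ("TDL4@MBR code has been found") is a claim about the first 512-byte sector of the disk. The following is an added example, not from the original post and not GMER's code, of how a practitioner checks such a claim independently: parse the MBR layout (446 bytes of bootstrap code, a 64-byte table of four 16-byte partition entries, the 0x55AA signature at offset 510), hash the code region, and diff a captured sector against a baseline. The two sectors are constructed inside the script for illustration. The working assumption is that an MBR bootkit replaces the bootstrap code but keeps the partition table intact, so "code hash changed, partition table unchanged" is the pattern to look for.

```python
import hashlib
import struct

SECTOR_SIZE = 512
CODE_LEN = 446           # bootstrap code occupies bytes 0..445
PTABLE_OFF = 446         # four 16-byte partition entries follow
SIG_OFF = 510            # 0x55 0xAA boot signature
ENTRY_FMT = "<B3sB3sII"  # status, CHS start, type, CHS end, LBA start, sector count


def parse_mbr(sector: bytes) -> dict:
    """Split a raw 512-byte sector into signature check, code-region hash and partition table."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"expected {SECTOR_SIZE} bytes, got {len(sector)}")
    signature = struct.unpack_from("<H", sector, SIG_OFF)[0]
    partitions = []
    for i in range(4):
        status, _chs_s, ptype, _chs_e, lba, count = struct.unpack_from(
            ENTRY_FMT, sector, PTABLE_OFF + 16 * i)
        if ptype != 0:  # type 0 marks an unused slot
            partitions.append({"slot": i, "bootable": status == 0x80,
                               "type": ptype, "lba_start": lba, "sectors": count})
    return {
        "valid_signature": signature == 0xAA55,  # bytes 55 AA read little-endian
        "code_sha256": hashlib.sha256(sector[:CODE_LEN]).hexdigest(),
        "partitions": partitions,
    }


def compare_mbr(baseline: bytes, current: bytes) -> list:
    """Return human-readable findings; an empty list means the two sectors agree."""
    base, cur = parse_mbr(baseline), parse_mbr(current)
    findings = []
    if not cur["valid_signature"]:
        findings.append("boot signature 0x55AA missing")
    if base["code_sha256"] != cur["code_sha256"]:
        findings.append("bootstrap code changed")
    if base["partitions"] != cur["partitions"]:
        findings.append("partition table changed")
    return findings


def build_mbr(code: bytes, entries) -> bytes:
    """Construct a sector for illustration only (not a real disk image)."""
    if len(code) > CODE_LEN:
        raise ValueError("bootstrap code too long")
    table = b"".join(struct.pack(ENTRY_FMT, status, b"\xff\xff\xff", ptype,
                                 b"\xff\xff\xff", lba, count)
                     for status, ptype, lba, count in entries)
    return code.ljust(CODE_LEN, b"\x00") + table.ljust(64, b"\x00") + b"\x55\xaa"


# Constructed sample: one bootable NTFS-type (0x07) partition starting at LBA 2048.
PARTITIONS = [(0x80, 0x07, 2048, 1_000_000)]
CLEAN_MBR = build_mbr(b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 16, PARTITIONS)
# Same partition table, different bootstrap bytes: the footprint an MBR bootkit leaves.
INFECTED_MBR = build_mbr(bytes(range(256)) + bytes(range(190)), PARTITIONS)

if __name__ == "__main__":
    print("clean vs clean:   ", compare_mbr(CLEAN_MBR, CLEAN_MBR))
    print("clean vs infected:", compare_mbr(CLEAN_MBR, INFECTED_MBR))
```

To apply this to a real machine, capture the sector from outside the suspect OS (for example `dd if=/dev/sda bs=512 count=1 of=mbr.bin` from a Linux live environment) and compare it against a baseline taken from a known-clean disk. A read of \\.\PhysicalDrive0 from inside the infected Windows session is not trustworthy: rootkits of this class filter disk I/O and can hand back the original sector, which is the kind of discrepancy GMER's disk-sector check ("sector 00: rootkit-like behavior") is there to expose.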
#2 Noviciate

  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ

Posted 30 April 2011 - 04:04 PM

Good evening. :)

Take a trip to this webpage for download links and instructions for running Combofix by sUBs: http://www.bleepingcomputer.com/combofix/how-to-use-combofix *

  • When prompted to save Combofix, change the filename BEFORE saving it - any name will do, as long as it has .exe at the end.
  • Please be aware that this tool may require the PC to be rebooted so close any programs you have open before you start.
  • When CF has finished, it will produce a log - C:\ComboFix.txt - copy and paste
  • Let me know how the PC is behaving.
* There are two points to note from the instructions page:

1) The Recovery Console.

It is recommended that you install this as, in certain circumstances, it may be the difference between a successful repair and a reformat. If you are uncertain as to whether or not you already have the Recovery Console installed, simply run CF and it will prompt you if it does not detect it.
CF will complete some, but not all, of its removal tasks without the installation of the Console, so you are free to choose whether you want to complete this step, but it is in your interests to do so.

2) Disabling your Anti-Virus.

CF has been the victim of false-positive detections on occasion and a resident AV may incorrectly identify and delete part of the tool which won't do it much good. If you don't disable your AV, you may not get the results you hoped for!

So long, and thanks for all the fish.

#3 JustMyAlias
  • Topic Starter
  • Members
  • 204 posts
  • Gender:Not Telling
  • Location:ATL

Posted 30 April 2011 - 08:20 PM

Okay -
this was all done in Safe Mode -
regarding your first point...
Recovery Console:
I am not able to install this. When I tried previously (Thurs?), I received a message that my hal.dll file was missing or corrupt, and to replace the file. When I replaced the file, I was unable to boot Windows at all in any mode. Using Ubuntu, I was able to restore my original hal file and boot Windows again.
regarding your second point...
Disabling Anti-Virus:
I use Ad-Aware/ Live Watch. I closed it by right-clicking the icon in the system tray and selecting shut down.

However, this is what happened (in order) when I ran ComboFix.
It told me that Ad-Aware was still active. (Even using Ctrl+Alt+Del, I couldn't find any processes still running...)
It then told me that Recovery Console was not installed and I chose to allow it to install for me.
I received an error regarding Win XP SP2 CD Boot Floppies that extracting the file failed due to low memory or a corrupted Cabinet file.
I then received another error that extract.cfxxe encountered a problem and needs to close.
Then another - c:\cmdcons are not in order. Please disable security program and try again.
Then I had the option to continue scanning and I selected YES.

Here is my log:

(tx!)

ComboFix 11-04-30.02 - Cyndy Nahass 04/30/2011 18:53:46.4.2 - x86 NETWORK
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2909.1537 [GMT -4:00]
Running from: c:\documents and settings\Cyndy Nahass\Desktop\12345.exe
AV: Lavasoft Ad-Watch Live! Anti-Virus *Enabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
FW: McAfee Firewall *Enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
FW: ZoneAlarm Firewall *Enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Cyndy Nahass\tdsskiller.exe
c:\windows\system32\Drivers\icgi.sys
c:\windows\system32\Drivers\xwjn.sys
c:\windows\system32\igfxpph(37).dll
c:\windows\system32\ReadMe.txt
.
.
((((((((((((((((((((((((( Files Created from 2011-03-28 to 2011-04-30 )))))))))))))))))))))))))))))))
.
.
2011-04-30 22:37 . 2011-04-30 22:44 -------- d-----w- C:\32788R22FWJFW
2011-04-30 17:42 . 2011-04-30 17:48 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2011-04-28 14:29 . 2011-04-28 02:30 1377112 ----a-w- C:\tdsskiller.exe
2011-04-28 01:29 . 2011-04-28 01:29 12872 ----a-w- c:\windows\system32\bootdelete.exe
2011-04-28 01:21 . 2011-04-28 01:21 16968 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2011-04-28 01:20 . 2011-04-28 01:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro
2011-04-28 00:02 . 2011-04-28 00:02 -------- d-----w- C:\$WIN_NT$.~BT
2011-04-27 17:49 . 2011-04-27 17:49 388096 ----a-r- c:\documents and settings\Cyndy Nahass\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-04-27 17:49 . 2011-04-27 17:49 -------- d-----w- c:\program files\Trend Micro
2011-04-27 15:48 . 2011-04-27 15:48 -------- d-----w- c:\documents and settings\Cyndy Nahass\Application Data\Malwarebytes
2011-04-27 15:48 . 2010-12-20 22:09 38224 ---ha-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-04-27 15:48 . 2011-04-27 15:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-04-27 15:48 . 2011-04-27 15:48 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-04-27 15:48 . 2010-12-20 22:08 20952 ---ha-w- c:\windows\system32\drivers\mbam.sys
2011-04-14 07:30 . 2011-04-14 07:30 -------- d--h--w- c:\windows\ServicePackFiles
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-04-27 13:19 . 2008-04-25 16:16 26112 ---ha-w- c:\windows\system32\userinit.exe
2011-04-26 22:28 . 2010-01-15 16:42 16432 ---ha-w- c:\windows\system32\lsdelete.exe
2011-03-07 05:33 . 2008-04-25 21:27 692736 ---ha-w- c:\windows\system32\inetcomm.dll
2011-03-04 06:37 . 2008-04-25 16:16 420864 ---ha-w- c:\windows\system32\vbscript.dll
2011-03-03 13:27 . 2008-04-25 16:16 1866880 ---ha-w- c:\windows\system32\win32k.sys
2011-02-22 23:06 . 2008-04-25 16:16 916480 ---ha-w- c:\windows\system32\wininet.dll
2011-02-22 23:06 . 2008-04-25 16:16 43520 ---ha-w- c:\windows\system32\licmgr10.dll
2011-02-22 23:06 . 2008-04-25 16:16 1469440 ---ha-w- c:\windows\system32\inetcpl.cpl
2011-02-22 11:41 . 2008-04-25 16:16 385024 ---ha-w- c:\windows\system32\html.iec
2011-02-17 13:55 . 2011-01-06 17:18 398760 ---ha-r- c:\windows\system32\cpnprt2.cid
2011-02-17 13:18 . 2008-04-25 16:16 455936 ---ha-w- c:\windows\system32\drivers\mrxsmb.sys
2011-02-17 13:18 . 2008-04-25 16:16 357888 ---ha-w- c:\windows\system32\drivers\srv.sys
2011-02-17 12:32 . 2009-10-19 14:27 5120 ---ha-w- c:\windows\system32\xpsp4res.dll
2011-02-15 12:56 . 2008-04-25 16:16 290432 ---ha-w- c:\windows\system32\atmfd.dll
2011-02-11 13:25 . 2008-04-25 21:26 229888 ---ha-w- c:\windows\system32\fxscover.exe
2011-02-09 13:53 . 2008-04-25 16:16 270848 ---ha-w- c:\windows\system32\sbe.dll
2011-02-09 13:53 . 2008-04-25 16:16 186880 ---ha-w- c:\windows\system32\encdec.dll
2011-02-08 13:33 . 2008-04-25 16:16 978944 ---ha-w- c:\windows\system32\mfc42.dll
2011-02-08 13:33 . 2008-04-25 16:16 974848 ---ha-w- c:\windows\system32\mfc42u.dll
2011-02-02 07:58 . 2008-04-25 21:26 2067456 ---ha-w- c:\windows\system32\mstscax.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2011-04-27_15.43.10 )))))))))))))))))))))))))))))))))))))))))
.
- 2009-10-13 16:15 . 2011-04-26 22:28 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2009-10-13 16:15 . 2011-04-28 14:11 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2009-10-13 16:15 . 2011-04-28 14:11 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2009-10-13 16:15 . 2011-04-26 22:28 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2010-01-31 20:36 . 2011-04-28 14:11 16384 c:\windows\system32\config\systemprofile\IETldCache\index.dat
- 2010-01-31 20:36 . 2011-04-26 22:28 16384 c:\windows\system32\config\systemprofile\IETldCache\index.dat
+ 2011-04-28 13:04 . 2011-04-28 14:11 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2001-07-14 21:32 . 2001-07-14 21:32 69632 c:\windows\setupupd\temp\wsdueng.dll
+ 2009-09-30 18:21 . 2009-09-30 18:21 177208 c:\windows\system32\halTROUBLE.dll
+ 2011-04-27 17:49 . 2011-04-27 17:49 1094656 c:\windows\Installer\3f987.msi
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-11-03 39408]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"iCalendar"="c:\program files\Desksware\Desktop iCal\Calendar.exe" [2008-03-16 2774528]
"AutoStartNPSAgent"="c:\program files\Samsung\Samsung New PC Studio\NPSAgent.exe" [2009-11-06 116056]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-12-04 1422632]
"AESTFltr"="c:\windows\system32\AESTFltr.exe" [2009-03-20 737280]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-12-04 150040]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-12-04 178712]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-12-04 150040]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2008-11-14 1708032]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2009-02-05 128232]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"EvtMgr6"="c:\program files\Logitech\SetPointP\SetPoint.exe" [2010-05-18 1311312]
"Google Quick Search Box"="c:\program files\Google\Quick Search Box\GoogleQuickSearchBox.exe" [2010-06-23 126976]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2010-06-23 1043968]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2010-07-01 1193848]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2010-10-08 47904]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Elements 6.0\apdproxy.exe" [2007-09-11 67488]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-01-31 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-01-25 421160]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb04.exe" [2001-11-02 196608]
.
c:\documents and settings\Cyndy Nahass\Start Menu\Programs\Startup\
Dell Dock.lnk - c:\program files\Dell\DellDock\DellDock.exe [2009-5-28 1320288]
.
c:\documents and settings\Default User\Start Menu\Programs\Startup\
Dell Dock First Run.lnk - c:\program files\Dell\DellDock\DellDock.exe [2009-5-28 1320288]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2010-05-06 09:29 64592 ----a-w- c:\program files\Common Files\LogiShrd\Bluetooth\LBTWLgn.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell DataSafe Online]
2009-07-07 15:23 1779952 ----a-w- c:\program files\Dell DataSafe Online\DataSafeOnline.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
2009-07-26 21:44 3883856 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Dell Video Chat\\DellVideoChat.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Samsung\\Samsung New PC Studio\\npsasvr.exe"=
"c:\\Program Files\\Samsung\\Samsung New PC Studio\\npsvsvr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe"=
"c:\\Program Files\\Common Files\\McAfee\\McSvcHost\\McSvHost.exe"=
"c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [11/4/2009 9:46 AM 64288]
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\system32\drivers\mfetdi2k.sys [8/30/2010 8:54 AM 82952]
R2 McMPFSvc;McAfee Personal Firewall Service;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [8/30/2010 8:54 AM 271480]
R2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\mfefire.exe [8/30/2010 8:55 AM 188136]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\Common Files\McAfee\SystemCore\mfevtps.exe [8/30/2010 8:54 AM 141792]
R3 k57w2k;Broadcom NetLink ™ Gigabit Ethernet;c:\windows\system32\drivers\k57xp32.sys [9/18/2009 5:21 AM 176640]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys [8/30/2010 8:54 AM 312616]
R3 mfendiskmp;mfendiskmp;c:\windows\system32\drivers\mfendisk.sys [8/30/2010 8:54 AM 88480]
S2 Application Updater;Application Updater;"c:\program files\Application Updater\ApplicationUpdater.exe" --> c:\program files\Application Updater\ApplicationUpdater.exe [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]
S2 DockLoginService;Dock Login Service;c:\program files\Dell\DellDock\DockLogin.exe [12/18/2008 3:05 PM 155648]
S2 FsUsbExService;FsUsbExService;c:\windows\system32\FsUsbExService.Exe [1/18/2010 2:31 PM 238952]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/31/2010 1:41 AM 135664]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [8/12/2010 8:15 AM 2146496]
S2 LBeepKE;Logitech Beep Suppression Driver;c:\windows\system32\drivers\LBeepKE.sys [6/19/2010 1:58 PM 10448]
S2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [8/30/2010 8:54 AM 271480]
S3 AESTAud;AE Audio Service;c:\windows\system32\drivers\AESTAud.sys [9/18/2009 5:21 AM 113024]
S3 AMBFilt;Creative AMB Service;c:\windows\system32\drivers\AMBFilt.sys [9/18/2009 5:21 AM 1656960]
S3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys [8/30/2010 8:54 AM 55456]
S3 CtClsFlt;Creative Camera Class Upper Filter Driver;c:\windows\system32\drivers\CtClsFlt.sys [9/18/2009 2:43 AM 143840]
S3 FsUsbExDisk;FsUsbExDisk;c:\windows\system32\FsUsbExDisk.Sys [1/18/2010 2:31 PM 36608]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [1/31/2010 1:41 AM 135664]
S3 IntcHdmiAddService;Intel® High Definition Audio HDMI Service;c:\windows\system32\drivers\IntcHdmi.sys [9/18/2009 5:21 AM 110080]
S3 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [1/15/2010 8:49 AM 227232]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\system32\drivers\mfendisk.sys [8/30/2010 8:54 AM 88480]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [8/30/2010 8:54 AM 83496]
S3 OA008Ufd;Creative Camera OA008 Upper Filter Driver;c:\windows\system32\drivers\OA008Ufd.sys [9/18/2009 5:21 AM 133632]
S3 OA008Vid;Creative Camera OA008 Function Driver;c:\windows\system32\drivers\OA008Vid.sys [9/18/2009 5:21 AM 274112]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - LBEEPKE
*Deregistered* - kwryiuow
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
Contents of the 'Scheduled Tasks' folder
.
2011-04-30 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-08-12 08:50]
.
2011-04-07 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 15:50]
.
2011-04-27 c:\windows\Tasks\dbbackup.job
- c:\documents and settings\Cyndy Nahass\Desktop\Valor Brands\dbbackup.bat [2009-06-24 00:28]
.
2011-04-30 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-31 05:41]
.
2011-04-28 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-31 05:41]
.
2011-04-25 c:\windows\Tasks\PCDoctorBackgroundMonitorTask.job
- c:\program files\Dell Support Center\uaclauncher.exe [2010-11-18 15:13]
.
2011-04-30 c:\windows\Tasks\SystemToolsDailyTest.job
- c:\program files\Dell Support Center\pcdrcui.exe [2010-11-18 15:13]
.
2011-04-30 c:\windows\Tasks\User_Feed_Synchronization-{80579CD3-590F-428A-AB94-C1C909A48213}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 09:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.hotmail.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Create a Post-it® Note - c:\program files\3M\PDNotes\\PSNBookMark.html
IE: Customize Menu - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: Fill Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D1E1F7ED622A0E5D.dll/cmsidewiki.html
IE: RoboForm Toolbar - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
IE: Save Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
Trusted Zone: ccecoke.com\employee
Trusted Zone: valorbrands.net\mail
Trusted Zone: wachovia.com\onlinebanking1
Trusted Zone: wachovia.com\onlinebanking2
DPF: {361E6B79-4A69-4376-B0F2-3D1EBEE9D7E2} - hxxp://campwoof2.dyndns.org:7180/RtspVaPgDec.cab
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-04-30 19:31
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@DACL=(02 0010)
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@DACL=(02 0010)
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@DACL=(02 0010)
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1348)
c:\windows\system32\WININET.dll
c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
c:\program files\common files\logishrd\bluetooth\LBTServ.dll
.
- - - - - - - > 'lsass.exe'(1416)
c:\windows\system32\WININET.dll
.
Completion time: 2011-04-30 19:38:46
ComboFix-quarantined-files.txt 2011-04-30 23:38
ComboFix2.txt 2011-04-28 00:37
ComboFix3.txt 2011-04-27 22:37
ComboFix4.txt 2011-04-27 15:46
.
Pre-Run: 426,922,082,304 bytes free
Post-Run: 427,162,439,680 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
.
- - End Of File - - 23AA7EDAED691DF0643A6C159A50C0D3

Edited by JustMyAlias, 30 April 2011 - 08:21 PM.


#4 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ
  • Local time:11:55 AM

Posted 01 May 2011 - 01:38 PM

Good evening. :)

Download aswMBR.exe from here and save it to your Desktop.

  • Double click the tool to run it.
  • Click the Scan button to, well, start the scan - obvious really!
  • Once the scan reports "Scan finished successfully", which takes less than a minute on my system, click Save log.
  • On my system it offers to save it to the Desktop, which may or may not be its default behaviour, but it's as handy a place as any.
  • You'll also see a file called MBR.dat appear as well - this is a backup that it created, just in case it's needed. Keep it handy for now.

I'd like the contents of aswMBR.txt in your next reply, if you'd be so kind.

So long, and thanks for all the fish.


#5 JustMyAlias

JustMyAlias
  • Topic Starter

  • Members
  • 204 posts
  • Gender:Not Telling
  • Location:ATL
  • Local time:07:55 AM

Posted 01 May 2011 - 09:28 PM

(still running in safe mode)
tx!

aswMBR log:

aswMBR version 0.9.5.232 Copyright© 2011 AVAST Software
Run date: 2011-05-01 22:26:39
-----------------------------
22:26:39.203 OS Version: Windows 5.1.2600 Service Pack 3
22:26:39.203 Number of processors: 2 586 0x170A
22:26:39.203 ComputerName: CHNPC_D94LM8K1 UserName: Cyndy Nahass
22:26:40.500 Initialize success
22:27:00.203 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
22:27:00.203 Disk 0 Vendor: ST950042 0003 Size: 476940MB BusType: 3
22:27:00.218 Disk 0 MBR read successfully
22:27:00.234 Disk 0 MBR scan
22:27:00.234 Disk 0 TDL4@MBR code has been found
22:27:00.250 Disk 0 MBR hidden
22:27:00.265 Disk 0 MBR [TDL4] **ROOTKIT**
22:27:00.265 Disk 0 trace - called modules:
22:27:00.281 ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8b5e54f0]<<
22:27:00.296 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8b5f4260]
22:27:00.296 3 CLASSPNP.SYS[f7637fd7] -> nt!IofCallDriver -> [0x8b5c2d80]
22:27:00.312 \Driver\iaStor[0x8b5f3928] -> IRP_MJ_CREATE -> 0x8b5e54f0
22:27:00.328 Scan finished successfully
22:27:43.812 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Cyndy Nahass\Desktop\MBR.dat"
22:27:43.828 The log file has been saved successfully to "C:\Documents and Settings\Cyndy Nahass\Desktop\aswMBR.txt"
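The log above flags TDL4 code in the MBR and notes that aswMBR wrote a backup of the sector to MBR.dat. As an added example (not part of this thread and not aswMBR's own code), the Python script below does the offline check a responder would want with such a backup in hand: it compares a trusted 512-byte MBR image with a later capture and reports whether the bootstrap code was replaced while the partition table was left intact, which is how MBR bootkits of this kind keep the disk bootable. The two images in the script are constructed samples, not real disk dumps.

```python
"""Offline MBR triage: compare a suspect MBR image with a trusted reference
(for example the MBR.dat backup written by a scanner) and report what an
MBR bootkit typically changes. Illustrative example, not a scanner's code."""
import hashlib
import struct

MBR_SIZE = 512
BOOTSTRAP_LEN = 440      # bootstrap code occupies offsets 0x000-0x1B7
PART_TABLE_OFF = 0x1BE   # four 16-byte partition entries follow
SIGNATURE_OFF = 0x1FE    # 0x55 0xAA boot signature closes the sector


def parse_mbr(mbr: bytes) -> dict:
    """Return the signature check, a hash of the bootstrap code and the
    non-empty partition entries of a 512-byte MBR image."""
    if len(mbr) != MBR_SIZE:
        raise ValueError(f"MBR image must be {MBR_SIZE} bytes, got {len(mbr)}")
    parts = []
    for i in range(4):
        entry = mbr[PART_TABLE_OFF + 16 * i: PART_TABLE_OFF + 16 * (i + 1)]
        # status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", entry)
        if ptype != 0:
            parts.append({"index": i, "bootable": status == 0x80, "type": ptype,
                          "lba_start": lba_start, "sectors": sectors})
    return {
        "signature_ok": mbr[SIGNATURE_OFF:SIGNATURE_OFF + 2] == b"\x55\xAA",
        "bootstrap_sha256": hashlib.sha256(mbr[:BOOTSTRAP_LEN]).hexdigest(),
        "partitions": parts,
    }


def compare_mbr(reference: bytes, suspect: bytes) -> list:
    """Compare a suspect MBR against a trusted reference and return findings;
    an empty list means the two agree in every region that matters."""
    ref, sus = parse_mbr(reference), parse_mbr(suspect)
    findings = []
    if not sus["signature_ok"]:
        findings.append("boot signature 0x55AA missing: sector corrupted or not bootable")
    if ref["bootstrap_sha256"] != sus["bootstrap_sha256"]:
        changed = [i for i in range(BOOTSTRAP_LEN) if reference[i] != suspect[i]]
        findings.append(f"bootstrap code differs in {len(changed)} byte(s), "
                        f"first at offset 0x{changed[0]:03X}")
    if ref["partitions"] != sus["partitions"]:
        findings.append("partition table differs from reference")
    elif findings:
        findings.append("partition table unchanged: consistent with a bootkit that "
                        "replaces only the loader code and keeps the disk bootable")
    return findings


def _partition_entry(bootable: bool, ptype: int, lba_start: int, sectors: int) -> bytes:
    return struct.pack("<B3xB3xII", 0x80 if bootable else 0, ptype, lba_start, sectors)


# Constructed sample images (not real disk dumps): one NTFS partition, same
# table in both, only the bootstrap code region differs.
_TABLE = _partition_entry(True, 0x07, 63, 976_773_105) + b"\x00" * 48
CLEAN_MBR = (b"\x33\xC0\x8E\xD0\xBC\x00\x7C" + b"\x90" * (BOOTSTRAP_LEN - 7)
             + b"\x00" * 6 + _TABLE + b"\x55\xAA")
INFECTED_MBR = (b"\xEB\x10" + b"\x90" * 0x10 + b"\xB8\x00\x00"
                + b"\xCC" * (BOOTSTRAP_LEN - 21) + b"\x00" * 6 + _TABLE + b"\x55\xAA")

if __name__ == "__main__":
    # Replace the constants with open("MBR.dat", "rb").read() etc. for real images.
    for line in compare_mbr(CLEAN_MBR, INFECTED_MBR) or ["no differences found"]:
        print(line)
```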

#6 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ
  • Local time:11:55 AM

Posted 02 May 2011 - 01:59 PM

Good evening. :)

Why are you still running in Safe Mode?

So long, and thanks for all the fish.


#7 JustMyAlias

JustMyAlias
  • Topic Starter

  • Members
  • 204 posts
  • Gender:Not Telling
  • Location:ATL
  • Local time:07:55 AM

Posted 02 May 2011 - 02:03 PM

I keep 'crashing' - getting the BSOD.
Not always right away, but it continues to happen with greater frequency.
I am not actively using the laptop right now (only when you request something) - I am on a different computer for work.
Do I need to try to re-run the scan in normal Windows mode?

#8 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ
  • Local time:11:55 AM

Posted 02 May 2011 - 02:09 PM

No, stick with Safe Mode and see what happens. Run aswMBR.exe again:

  • Click the Scan button as before.
  • Once the scan has completed, the Fix button should become active - click it.
  • If FixMBR becomes active instead, click that one.
  • The tool will decide which option to give you, but take Fix first, if it's offered.
  • Once complete, click Save log as before, save it to your desktop and post in your next reply.

So long, and thanks for all the fish.


#9 JustMyAlias

JustMyAlias
  • Topic Starter

  • Members
  • 204 posts
  • Gender:Not Telling
  • Location:ATL
  • Local time:07:55 AM

Posted 02 May 2011 - 02:25 PM

It gave me just the 'FIX' option.
Log:

aswMBR version 0.9.5.232 Copyright© 2011 AVAST Software
Run date: 2011-05-02 15:23:58
-----------------------------
15:23:58.296 OS Version: Windows 5.1.2600 Service Pack 3
15:23:58.296 Number of processors: 2 586 0x170A
15:23:58.296 ComputerName: CHNPC_D94LM8K1 UserName: Cyndy Nahass
15:23:59.406 Initialize success
15:24:06.312 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
15:24:06.328 Disk 0 Vendor: ST950042 0003 Size: 476940MB BusType: 3
15:24:06.328 Disk 0 MBR read successfully
15:24:06.343 Disk 0 MBR scan
15:24:06.343 Disk 0 TDL4@MBR code has been found
15:24:06.359 Disk 0 MBR hidden
15:24:06.375 Disk 0 MBR [TDL4] **ROOTKIT**
15:24:06.375 Disk 0 trace - called modules:
15:24:06.390 ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8b6224f0]<<
15:24:06.406 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8b6333a0]
15:24:06.406 3 CLASSPNP.SYS[f7637fd7] -> nt!IofCallDriver -> [0x8ac1c260]
15:24:06.421 \Driver\iaStor[0x8b5ca720] -> IRP_MJ_CREATE -> 0x8b6224f0
15:24:06.437 Scan finished successfully
15:24:11.718 Disk 0 fixing MBR
15:24:21.718 Disk 0 MBR restored successfully
15:24:21.718 Infection fixed successfully - please reboot ASAP
15:24:21.953 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Cyndy Nahass\Desktop\MBR.dat"
15:24:21.953 The log file has been saved successfully to "C:\Documents and Settings\Cyndy Nahass\Desktop\aswMBR.txt"

#10 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ
  • Local time:11:55 AM

Posted 02 May 2011 - 02:57 PM

OK, try booting into Normal Mode and see how it behaves.

So long, and thanks for all the fish.


#11 JustMyAlias

JustMyAlias
  • Topic Starter

  • Members
  • 204 posts
  • Gender:Not Telling
  • Location:ATL
  • Local time:07:55 AM

Posted 02 May 2011 - 03:18 PM

.......... (string of potty words...)
spoke too soon
getting re-directs again
Tazinga!

Edited by JustMyAlias, 02 May 2011 - 03:18 PM.


#12 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ
  • Local time:11:55 AM

Posted 02 May 2011 - 03:21 PM

OK, do you have a flashdrive of 128 Mb or greater that you can wipe clean for a little tool to try and fix this thing?

So long, and thanks for all the fish.


#13 JustMyAlias

JustMyAlias
  • Topic Starter

  • Members
  • 204 posts
  • Gender:Not Telling
  • Location:ATL
  • Local time:07:55 AM

Posted 02 May 2011 - 03:22 PM

and lost one of my posts...
first re-boot got hung up
then re-booted ok but got 3 errors (in a row) that Windows recovered from a serious error
then IE opened
I was allowed to perform about 7-8 Google searches
then the re-directs started occurring again

#14 Noviciate

Noviciate

  • Malware Response Team
  • 5,277 posts
  • Gender:Male
  • Location:Numpty HQ
  • Local time:11:55 AM

Posted 02 May 2011 - 03:24 PM

And the flashdrive?

So long, and thanks for all the fish.


#15 JustMyAlias

JustMyAlias
  • Topic Starter

  • Members
  • 204 posts
  • Gender:Not Telling
  • Location:ATL
  • Local time:07:55 AM

Posted 02 May 2011 - 03:25 PM

yes, I have one - should I re-boot again in safe mode, or no?

