Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Infected with something & Google keeps redirecting


  • This topic is locked This topic is locked
10 replies to this topic

#1 aries44475

aries44475

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:05:12 PM

Posted 19 May 2011 - 10:53 AM

.
DDS (Ver_11-03-05.01) - NTFSx86
Run by MAIN at 11:38:38.37 on Thu 05/19/2011
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_23
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.761 [GMT -4:00]
.
AV: Symantec AntiVirus Corporate Edition *Enabled/Updated* {FB06448E-52B8-493A-90F3-E43226D3305C}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
C:\Program Files\Avaya\Avaya one-X Communicator\QosServM.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Syslogd\Syslogd_Service.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\ICW\bin\cygrunsrv.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\rpcnet.exe
C:\Program Files\ICW\bin\sshd.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe
C:\Program Files\DellTPad\Apoint.exe
C:\Program Files\Sling Media\SlingAgent\SlingAgentService.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\DellTPad\ApMsgFwd.exe
C:\Program Files\DellTPad\HidFind.exe
C:\Program Files\DellTPad\Apntex.exe
C:\Program Files\VMware\VMware Player\hqtray.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\HP\HP UT\bin\hppusg.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\DivX\DivX Update\DivXUpdate.exe
C:\Program Files\Plantronics\PlantronicsURE\PlantronicsURE.exe
C:\Program Files\Plantronics\PlantronicsURE\PlantronicsBatteryStatus.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\Program Files\Common Files\VMware\USB\vmware-usbarbitrator.exe
C:\WINDOWS\system32\vmnat.exe
C:\WINDOWS\system32\vmnetdhcp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\MAIN\Desktop\dds.scr
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.yahoo.com/
mStart Page = hxxp://www.comcast.net/
mWindow Title = Windows Internet Explorer provided by Comcast
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: FrostWire Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: AvayaIEHlprObj Class: {e6df0b46-7d6f-407a-a6a2-62d17a021a9a} - c:\program files\avaya\avaya one-x communicator\AvayaIEHelper.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: FrostWire Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
uRun: [DellSupport] "c:\program files\dell support\DSAgnt.exe" /startup
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [AdaptecDirectCD] "c:\program files\roxio\easy cd creator 5\directcd\DirectCD.exe"
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [ITSecMng] %ProgramFiles%\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe /START
mRun: [NVHotkey] rundll32.exe nvHotkey.dll,Start
mRun: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [Apoint] c:\program files\delltpad\Apoint.exe
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /installquiet
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [vptray] c:\progra~1\symant~1\VPTray.exe
mRun: [ddoctorv2] "c:\program files\comcast\desktop doctor\bin\sprtcmd.exe" /P ddoctorv2
mRun: [VMware hqtray] "c:\program files\vmware\vmware player\hqtray.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [HPUsageTracking] "c:\program files\hp\hp ut\bin\hppusg.exe" "c:\program files\hp\hp ut\"
mRun: [DivXUpdate] "c:\program files\divx\divx update\DivXUpdate.exe" /CHECKNOW
mRun: [PlantronicsURE.exe] c:\program files\plantronics\plantronicsure\PlantronicsURE.exe
mRun: [PlantronicsBatteryStatus.exe] c:\program files\plantronics\plantronicsure\PlantronicsBatteryStatus.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
StartupFolder: c:\docume~1\main\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\toshiba\bluetooth toshiba stack\TosBtMng.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBC} - c:\program files\java\jre6\bin\jp2iexp.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
LSP: c:\program files\vmware\vmware player\vsocklib.dll
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1233699031716
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxps://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://emeetings.webex.com/client/T26L10NSP49EP12-emeetings/webex/ieatgpc.cab
DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} - hxxps://anywhereny.nbcuni.com/dana-cached/setup/JuniperSetupSP1.cab
DPF: {F8FC1530-0608-11DF-2008-0800200C9A66} - hxxps://anywhereec.nbcuni.com/CACHE/sdesktop/install/binaries/instweb.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: igfxcui - igfxdev.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
Hosts: 127.0.0.1 www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\docume~1\main\applic~1\mozilla\firefox\profiles\w3544nrf.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://mp3tubetoolbar.com/?tmp=nemo_results_removelink2&q=
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 59717
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\documents and settings\main\application data\move networks\plugins\npqmp071503000010.dll
FF - plugin: c:\documents and settings\main\application data\move networks\plugins\npqmp071701000002.dll
FF - plugin: c:\program files\divx\divx ovs helper\npovshelper.dll
FF - plugin: c:\program files\divx\divx plus web player\npdivx32.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.3.21.53\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60310.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npatgpc.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\veetle\player\npvlc.dll
FF - plugin: c:\program files\veetle\plugins\npVeetle.dll
FF - plugin: c:\program files\veetle\vlcbroadcast\npvbp.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
.
---- FIREFOX POLICIES ----
FF - user.js: keyword.URL - hxxp://mp3tubetoolbar.com/?tmp=nemo_results_removelink2&q=
FF - user.js: keyword.enabled - 1
.
============= SERVICES / DRIVERS ===============
.
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-6-5 64288]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
R1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2005-12-19 337592]
R1 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2005-12-19 54968]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2006-3-24 192160]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2006-3-24 169632]
R2 CipcCdp;Cisco IP Communicator driver for CDP;c:\windows\system32\drivers\CipcCdp.sys [2010-7-21 24000]
R2 Kiwi Syslog Server;Kiwi Syslog Server;c:\program files\syslogd\Syslogd_Service.exe [2010-2-14 2248704]
R2 OpenSSHServer;Openssh SSHD;c:\program files\icw\bin\cygrunsrv.exe [2009-5-13 68096]
R2 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2006-6-15 115952]
R2 SlingAgentService;SlingAgentService;c:\program files\sling media\slingagent\SlingAgentService.exe [2009-9-25 93960]
R2 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2006-6-15 1805552]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2009-9-5 24652]
R2 vmci;VMware vmci;c:\windows\system32\drivers\vmci.sys [2010-9-21 70704]
R2 VMUSBArbService;VMware USB Arbitration Service;c:\program files\common files\vmware\usb\vmware-usbarbitrator.exe [2010-9-21 539184]
R2 vpnagent;Cisco AnyConnect VPN Agent;c:\program files\cisco\cisco anyconnect vpn client\vpnagent.exe [2010-5-5 583360]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2011-5-16 105592]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20110516.002\naveng.sys [2011-5-16 86136]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20110516.002\navex15.sys [2011-5-16 1393144]
R3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2010-6-25 35088]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-8-22 136176]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2010-2-4 1352832]
S3 AE1000;Linksys AE1000 Driver;c:\windows\system32\drivers\AE1000XP.sys [2010-9-23 829152]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-8-22 136176]
S3 SolarWinds TFTP Server;SolarWinds TFTP Server;c:\program files\solarwinds\tftpserver\SolarWinds TFTP Server.exe [2009-10-20 54272]
.
=============== Created Last 30 ================
.
2011-05-19 15:28:36 -------- d-----w- c:\docume~1\main\applic~1\Wireshark
2011-05-19 15:26:51 -------- d-----w- c:\program files\WinPcap
2011-05-19 15:26:08 -------- d-----w- c:\program files\Wireshark
2011-05-19 15:25:41 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2011-05-19 15:25:39 89048 ----a-w- c:\program files\mozilla firefox\libEGL.dll
2011-05-19 15:25:39 781272 ----a-w- c:\program files\mozilla firefox\mozsqlite3.dll
2011-05-19 15:25:39 465880 ----a-w- c:\program files\mozilla firefox\libGLESv2.dll
2011-05-19 15:25:39 1974616 ----a-w- c:\program files\mozilla firefox\D3DCompiler_42.dll
2011-05-19 15:25:39 1892184 ----a-w- c:\program files\mozilla firefox\d3dx9_42.dll
2011-05-19 15:25:39 1874904 ----a-w- c:\program files\mozilla firefox\mozjs.dll
2011-05-19 15:25:39 15832 ----a-w- c:\program files\mozilla firefox\mozalloc.dll
2011-05-17 11:32:37 -------- d-----w- c:\docume~1\main\applic~1\SUPERAntiSpyware.com
2011-05-17 11:32:37 -------- d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
2011-05-17 11:32:28 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-05-17 04:50:26 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-05-17 04:50:20 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-05-17 04:39:47 388096 ----a-r- c:\docume~1\main\applic~1\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
2011-05-17 04:39:45 -------- d-----w- c:\program files\Trend Micro
2011-05-17 03:58:56 13160 ----a-w- c:\windows\system32\Upgrd.exe
2011-05-17 00:18:31 -------- d-----w- c:\windows\system32\wbem\repository\FS
2011-05-17 00:18:31 -------- d-----w- c:\windows\system32\wbem\Repository
2011-05-16 22:35:57 -------- d-----w- C:\Combo-Fix27247C
2011-05-16 01:47:34 -------- d-----w- C:\Combo-Fix18749C
2011-05-15 15:10:43 -------- d-----w- c:\docume~1\alluse~1\applic~1\Norton
2011-05-15 14:28:16 90112 ----a-w- c:\windows\DUMP5459.tmp
2011-05-15 14:12:37 -------- d-----w- c:\docume~1\alluse~1\applic~1\mK06511IjGiE06511
2011-05-13 03:30:08 -------- d-----w- c:\docume~1\main\applic~1\Mp3Tube Toolbar(2)
2011-05-13 03:24:55 -------- d-----w- c:\program files\VideoLAN
2011-04-26 21:22:56 -------- d-----w- c:\program files\iPod
2011-04-26 21:22:51 -------- d-----w- c:\program files\iTunes
2011-04-26 21:16:48 -------- d-----w- c:\program files\Bonjour
2011-04-26 02:09:47 -------- d-----w- c:\docume~1\main\applic~1\FLEXnet
2011-04-26 02:09:25 -------- d-----w- c:\docume~1\main\locals~1\applic~1\Plantronics
2011-04-26 02:09:01 -------- d-----w- c:\docume~1\alluse~1\applic~1\Plantronics
2011-04-26 02:09:00 -------- d-----w- c:\program files\Plantronics
.
==================== Find3M ====================
.
2011-05-19 15:18:44 17408 ----a-w- c:\windows\system32\rpcnetp.exe
2011-05-19 15:18:41 58288 ----a-w- c:\windows\system32\rpcnet.dll
2011-05-17 12:24:30 17408 ----a-w- c:\windows\system32\rpcnetp.dll
2011-05-17 03:58:55 58288 ------w- c:\windows\system32\rpcnet.exe
2011-05-15 14:14:46 0 ----a-w- c:\windows\Dkabocefuw.bin
2011-04-06 20:20:16 91424 ----a-w- c:\windows\system32\dnssd.dll
2011-04-06 20:20:16 107808 ----a-w- c:\windows\system32\dns-sd.exe
2011-03-07 05:33:50 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-04 06:37:06 420864 ----a-w- c:\windows\system32\vbscript.dll
2011-03-03 13:21:11 1857920 ----a-w- c:\windows\system32\win32k.sys
2011-02-22 23:06:29 916480 ----a-w- c:\windows\system32\wininet.dll
2011-02-22 23:06:29 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-02-22 23:06:29 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-02-22 11:41:59 385024 ----a-w- c:\windows\system32\html.iec
2011-02-18 20:36:58 4184352 ----a-w- c:\windows\system32\usbaaplrc.dll
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: WDC_WD1200BEVS-00UST0 rev.01.01A01 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8AC574D0]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x8ac5d7f0]; MOV EAX, [0x8ac5d86c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x8ABD5AB8]
3 CLASSPNP[0xBA108FD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\0000009c[0x8AC7EF18]
5 ACPI[0xB9F7F620] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x8AC6AD98]
\Driver\atapi[0x8AC66910] -> IRP_MJ_CREATE -> 0x8AC574D0
error: Read A device attached to the system is not functioning.
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV SI, 0x7be; MOV CL, 0x4; CMP [SI], CH; JL 0x2d; JNZ 0x3b; }
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x8AC5731B
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
.
============= FINISH: 11:42:22.70 ===============

Also want to add that after I close firefox or IE I can't open them again until I reboot. Not sure its related tot eh google redirects I get when searching but thought I would mention it.

EDIT: Posts merged ~Budapest

Attached Files


Edited by Budapest, 19 May 2011 - 04:45 PM.


BC AdBot (Login to Remove)

 


#2 RPMcMurphy

RPMcMurphy

    Bleeping *^#@%~


  • Malware Response Team
  • 3,970 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:05:12 PM

Posted 19 May 2011 - 10:10 PM

Hello and welcome. Please follow these guidelines while we work on your PC:
  • Malware removal is a sometimes lengthy and tedious process. Please stick with the thread until Iíve given you the ďAll clear.Ē Absence of symptoms does not mean your machine is clean!
  • Please do not run any scans or install/uninstall any applications without being directed to do so.
  • Please note that the forum is very busy and if I don't hear from you within five days this thread will be closed.
Posted Image P2P - I see you have P2P software (Frostwire) installed on your machine. We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to malware infections. Please see this post for more information. I recommend that you uninstall these now. You can do so via Control Panel >> Add or Remove Programs. If you choose to keep these applications, please do not use them until our fixes at BC are complete.

Posted Image Download TDSSKiller.zip and extract TDSSKiller.exe to your desktop
  • Execute TDSSKiller.exe by doubleclicking on it.
  • Press Start Scan
  • If Malicious objects are found then ensure Cure is selected. Important - If there is no option to "Cure" it is critical that you select "Skip"
  • Then click Continue > Reboot now
  • Once complete, a log will be produced in c:\. It will be named for example, TDSSKiller.2.4.0.0_24.07.2010_13.10.52_log.txt
  • Post that log, please.
Posted Image Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link
  • Double click on ComboFix.exe & follow the prompts.
As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Posted Image

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image

  • Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.


Please include the following in your next post:
  • TDSSKiller log
  • ComboFix log

Threads are closed after 5 days of inactivity.

ASAP & UNITE Member


The help you receive here is free. If you wish to show your appreciation, then you may btn_donate_SM.gif


#3 aries44475

aries44475
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:05:12 PM

Posted 20 May 2011 - 09:56 AM

First off thanks for helping me with this. :thumbsup:

----------------------------------------------------------------------------------------------------------------

2011/05/20 09:53:48.0140 5364 TDSS rootkit removing tool 2.5.1.0 May 13 2011 13:20:29
2011/05/20 09:53:49.0296 5364 ================================================================================
2011/05/20 09:53:49.0296 5364 SystemInfo:
2011/05/20 09:53:49.0296 5364
2011/05/20 09:53:49.0296 5364 OS Version: 5.1.2600 ServicePack: 3.0
2011/05/20 09:53:49.0296 5364 Product type: Workstation
2011/05/20 09:53:49.0296 5364 ComputerName: D820
2011/05/20 09:53:49.0343 5364 UserName: MAIN
2011/05/20 09:53:49.0343 5364 Windows directory: C:\WINDOWS
2011/05/20 09:53:49.0343 5364 System windows directory: C:\WINDOWS
2011/05/20 09:53:49.0343 5364 Processor architecture: Intel x86
2011/05/20 09:53:49.0343 5364 Number of processors: 2
2011/05/20 09:53:49.0343 5364 Page size: 0x1000
2011/05/20 09:53:49.0343 5364 Boot type: Normal boot
2011/05/20 09:53:49.0343 5364 ================================================================================
2011/05/20 09:53:50.0765 5364 Initialize success
2011/05/20 09:54:04.0656 4272 ================================================================================
2011/05/20 09:54:04.0656 4272 Scan started
2011/05/20 09:54:04.0656 4272 Mode: Manual;
2011/05/20 09:54:04.0656 4272 ================================================================================
2011/05/20 09:54:11.0703 4272 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2011/05/20 09:54:12.0546 4272 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
2011/05/20 09:54:14.0515 4272 AE1000 (861fda9771c4eb75f17aec4cd171c9b6) C:\WINDOWS\system32\DRIVERS\AE1000XP.sys
2011/05/20 09:54:16.0109 4272 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
2011/05/20 09:54:17.0671 4272 AFD (7618d5218f2a614672ec61a80d854a37) C:\WINDOWS\System32\drivers\afd.sys
2011/05/20 09:54:24.0875 4272 ApfiltrService (350f19eb5fe4ec37a2414df56cde1aa8) C:\WINDOWS\system32\DRIVERS\Apfiltr.sys
2011/05/20 09:54:26.0125 4272 APPDRV (ec94e05b76d033b74394e7b2175103cf) C:\WINDOWS\SYSTEM32\DRIVERS\APPDRV.SYS
2011/05/20 09:54:28.0250 4272 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys
2011/05/20 09:54:34.0500 4272 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2011/05/20 09:54:35.0375 4272 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
2011/05/20 09:54:37.0375 4272 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2011/05/20 09:54:39.0203 4272 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2011/05/20 09:54:41.0140 4272 b57w2k (c0acd392ece55784884cc208aafa06ce) C:\WINDOWS\system32\DRIVERS\b57xp32.sys
2011/05/20 09:54:42.0312 4272 BCM43XX (9208c78bd9283f79a30252ad954c77a2) C:\WINDOWS\system32\DRIVERS\bcmwl5.sys
2011/05/20 09:54:44.0671 4272 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2011/05/20 09:54:48.0796 4272 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2011/05/20 09:54:50.0531 4272 CCDECODE (0be5aef125be881c4f854c554f2b025c) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
2011/05/20 09:54:53.0750 4272 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2011/05/20 09:54:54.0500 4272 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
2011/05/20 09:54:55.0515 4272 Cdr4_xp (837eef65af62d4e8a37c41d3879f7274) C:\WINDOWS\system32\drivers\Cdr4_xp.sys
2011/05/20 09:54:56.0578 4272 Cdralw2k (579da2f9f5401f55dae2cf8779d61dfc) C:\WINDOWS\system32\drivers\Cdralw2k.sys
2011/05/20 09:54:57.0593 4272 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2011/05/20 09:54:58.0859 4272 cdudf_xp (cfd81f2140193fc7f1812e6d6eaf6795) C:\WINDOWS\system32\drivers\cdudf_xp.sys
2011/05/20 09:55:00.0875 4272 cercsr6 (84853b3fd012251690570e9e7e43343f) C:\WINDOWS\system32\drivers\cercsr6.sys
2011/05/20 09:55:03.0125 4272 CipcCdp (d58bb5a787678086c217de8796c9c682) C:\WINDOWS\system32\DRIVERS\CipcCdp.sys
2011/05/20 09:55:05.0406 4272 CmBatt (0f6c187d38d98f8df904589a5f94d411) C:\WINDOWS\system32\DRIVERS\CmBatt.sys
2011/05/20 09:55:08.0109 4272 Compbatt (6e4c9f21f0fae8940661144f41b13203) C:\WINDOWS\system32\DRIVERS\compbatt.sys
2011/05/20 09:55:13.0312 4272 CSRBC (8e1945984e147562f9f08e1d344a69cc) C:\WINDOWS\system32\Drivers\csrbcxp.sys
2011/05/20 09:55:17.0843 4272 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
2011/05/20 09:55:18.0968 4272 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
2011/05/20 09:55:20.0312 4272 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
2011/05/20 09:55:21.0468 4272 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2011/05/20 09:55:22.0671 4272 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
2011/05/20 09:55:24.0531 4272 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
2011/05/20 09:55:25.0656 4272 dsNcAdpt (4823163c246868863d41a2f5ee06a21e) C:\WINDOWS\system32\DRIVERS\dsNcAdpt.sys
2011/05/20 09:55:27.0218 4272 DSproct (2ac2372ffad9adc85672cc8e8ae14be9) C:\Program Files\Dell Support\GTAction\triggers\DSproct.sys
2011/05/20 09:55:28.0359 4272 dvd_2K (677829f7010768eeeed8d0083e510dab) C:\WINDOWS\system32\drivers\dvd_2K.sys
2011/05/20 09:55:30.0578 4272 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
2011/05/20 09:55:32.0078 4272 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\drivers\Fdc.sys
2011/05/20 09:55:33.0171 4272 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
2011/05/20 09:55:34.0843 4272 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys
2011/05/20 09:55:36.0703 4272 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
2011/05/20 09:55:38.0109 4272 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2011/05/20 09:55:39.0281 4272 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2011/05/20 09:55:40.0218 4272 GearAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys
2011/05/20 09:55:41.0468 4272 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2011/05/20 09:55:43.0109 4272 guardian2 (c0bdab85f3e8b2138c513255e2bcc4d8) C:\WINDOWS\system32\Drivers\oz776.sys
2011/05/20 09:55:45.0890 4272 hcmon (6934d249d27aab3a0d86e4da9c3ae006) C:\WINDOWS\system32\drivers\hcmon.sys
2011/05/20 09:55:47.0046 4272 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
2011/05/20 09:55:49.0546 4272 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
2011/05/20 09:55:51.0578 4272 HPFXBULK (299683d4c8aaa3f6f5d5d226a1782a6e) C:\WINDOWS\system32\drivers\hpfxbulk.sys
2011/05/20 09:55:53.0625 4272 HSFHWAZL (b1526810210980bed9d22315946c919d) C:\WINDOWS\system32\DRIVERS\HSFHWAZL.sys
2011/05/20 09:55:55.0171 4272 HSF_DPV (e8ec1767ea315a39a0dd8989952ca0e9) C:\WINDOWS\system32\DRIVERS\HSX_DPV.sys
2011/05/20 09:55:56.0093 4272 HSXHWAZL (61478fa42ee04562e7f11f4dca87e9c8) C:\WINDOWS\system32\DRIVERS\HSXHWAZL.sys
2011/05/20 09:55:57.0515 4272 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
2011/05/20 09:56:02.0562 4272 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2011/05/20 09:56:04.0328 4272 ialm (e8c7cc369c2fb657e0792af70df529e6) C:\WINDOWS\system32\DRIVERS\igxpmp32.sys
2011/05/20 09:56:07.0156 4272 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
2011/05/20 09:56:14.0640 4272 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
2011/05/20 09:56:15.0984 4272 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
2011/05/20 09:56:16.0984 4272 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2011/05/20 09:56:19.0062 4272 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2011/05/20 09:56:21.0578 4272 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2011/05/20 09:56:24.0484 4272 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2011/05/20 09:56:25.0734 4272 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
2011/05/20 09:56:27.0562 4272 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2011/05/20 09:56:28.0921 4272 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2011/05/20 09:56:30.0640 4272 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
2011/05/20 09:56:32.0515 4272 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
2011/05/20 09:56:33.0937 4272 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
2011/05/20 09:56:37.0031 4272 Lbd (b7c19ec8b0dd7efa58ad41ffeb8b8cda) C:\WINDOWS\system32\DRIVERS\Lbd.sys
2011/05/20 09:56:43.0640 4272 mdmxsdk (e246a32c445056996074a397da56e815) C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys
2011/05/20 09:56:46.0515 4272 mmc_2K (9b90303a9c9405a6ce1466ff4aa20fdd) C:\WINDOWS\system32\drivers\mmc_2K.sys
2011/05/20 09:56:48.0718 4272 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2011/05/20 09:56:51.0718 4272 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
2011/05/20 09:56:53.0531 4272 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2011/05/20 09:56:55.0515 4272 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
2011/05/20 09:56:57.0531 4272 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
2011/05/20 09:57:00.0046 4272 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2011/05/20 09:57:01.0640 4272 MRxSmb (0ea4d8ed179b75f8afa7998ba22285ca) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2011/05/20 09:57:04.0171 4272 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
2011/05/20 09:57:06.0812 4272 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2011/05/20 09:57:09.0453 4272 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2011/05/20 09:57:11.0750 4272 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
2011/05/20 09:57:13.0765 4272 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2011/05/20 09:57:15.0703 4272 MSTEE (e53736a9e30c45fa9e7b5eac55056d1d) C:\WINDOWS\system32\drivers\MSTEE.sys
2011/05/20 09:57:18.0187 4272 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
2011/05/20 09:57:20.0484 4272 NABTSFEC (5b50f1b2a2ed47d560577b221da734db) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
2011/05/20 09:57:23.0171 4272 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
2011/05/20 09:57:25.0140 4272 NdisIP (7ff1f1fd8609c149aa432f95a8163d97) C:\WINDOWS\system32\DRIVERS\NdisIP.sys
2011/05/20 09:57:27.0093 4272 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2011/05/20 09:57:28.0546 4272 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2011/05/20 09:57:30.0062 4272 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2011/05/20 09:57:32.0328 4272 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
2011/05/20 09:57:34.0703 4272 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
2011/05/20 09:57:36.0375 4272 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
2011/05/20 09:57:40.0375 4272 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys
2011/05/20 09:57:43.0546 4272 NPF (b48dc6abcd3aeff8618350ccbdc6b09a) C:\WINDOWS\system32\drivers\npf.sys
2011/05/20 09:57:45.0281 4272 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
2011/05/20 09:57:47.0968 4272 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
2011/05/20 09:57:51.0765 4272 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2011/05/20 09:57:54.0218 4272 nv (77f427e51479c66c09f967d15b639b37) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
2011/05/20 09:57:56.0921 4272 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2011/05/20 09:57:59.0140 4272 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2011/05/20 09:58:01.0406 4272 ohci1394 (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys
2011/05/20 09:58:05.0562 4272 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
2011/05/20 09:58:07.0796 4272 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
2011/05/20 09:58:09.0546 4272 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2011/05/20 09:58:10.0968 4272 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
2011/05/20 09:58:14.0703 4272 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
2011/05/20 09:58:16.0031 4272 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\DRIVERS\pcmcia.sys
2011/05/20 09:58:29.0671 4272 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2011/05/20 09:58:31.0640 4272 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
2011/05/20 09:58:33.0046 4272 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2011/05/20 09:58:34.0921 4272 pwd_2k (d8b90616a8bd53de281dbdb664c0984a) C:\WINDOWS\system32\drivers\pwd_2k.sys
2011/05/20 09:58:36.0109 4272 PxHelp20 (e42e3433dbb4cffe8fdd91eab29aea8e) C:\WINDOWS\system32\Drivers\PxHelp20.sys
2011/05/20 09:58:47.0000 4272 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2011/05/20 09:58:49.0296 4272 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2011/05/20 09:58:51.0937 4272 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2011/05/20 09:58:53.0687 4272 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2011/05/20 09:58:55.0906 4272 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2011/05/20 09:58:57.0875 4272 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2011/05/20 09:59:00.0250 4272 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
2011/05/20 09:59:03.0140 4272 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
2011/05/20 09:59:05.0781 4272 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
2011/05/20 09:59:12.0875 4272 SASDIFSV (a3281aec37e0720a2bc28034c2df2a56) C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
2011/05/20 09:59:14.0625 4272 SASKUTIL (61db0d0756a99506207fd724e3692b25) C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS
2011/05/20 09:59:16.0484 4272 SAVOnAccessControl (e8fa00e75ef670122a25ee361b1075e0) C:\WINDOWS\system32\DRIVERS\savonaccesscontrol.sys
2011/05/20 09:59:18.0328 4272 SAVOnAccessFilter (184d53b4dc51808d7cceda51bf0f5440) C:\WINDOWS\system32\DRIVERS\savonaccessfilter.sys
2011/05/20 09:59:23.0578 4272 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2011/05/20 09:59:27.0187 4272 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
2011/05/20 09:59:29.0671 4272 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
2011/05/20 09:59:33.0046 4272 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
2011/05/20 09:59:40.0031 4272 SLIP (866d538ebe33709a5c9f5c62b73b7d14) C:\WINDOWS\system32\DRIVERS\SLIP.sys
2011/05/20 09:59:44.0625 4272 SophosBootDriver (3bdf94e0827d13e44249a646f6c0eb7c) C:\WINDOWS\system32\DRIVERS\SophosBootDriver.sys
2011/05/20 09:59:48.0781 4272 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
2011/05/20 09:59:51.0796 4272 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
2011/05/20 09:59:54.0562 4272 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys
2011/05/20 09:59:57.0921 4272 STHDA (951801dfb54d86f611f0af47825476f9) C:\WINDOWS\system32\drivers\sthda.sys
2011/05/20 10:00:01.0703 4272 streamip (77813007ba6265c4b6098187e6ed79d2) C:\WINDOWS\system32\DRIVERS\StreamIP.sys
2011/05/20 10:00:03.0546 4272 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
2011/05/20 10:00:05.0703 4272 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
2011/05/20 10:00:14.0625 4272 symsnap (c9273531eac75ee225e3170fb6107fa3) C:\WINDOWS\system32\DRIVERS\symsnap.sys
2011/05/20 10:00:23.0671 4272 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
2011/05/20 10:00:27.0328 4272 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2011/05/20 10:00:29.0203 4272 TcUsb (5ca437a08509fb7ecf843480fc1232e2) C:\WINDOWS\system32\Drivers\tcusb.sys
2011/05/20 10:00:30.0562 4272 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
2011/05/20 10:00:32.0703 4272 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
2011/05/20 10:00:34.0171 4272 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
2011/05/20 10:00:40.0890 4272 tosporte (8d624d3bd1f2d78bd1c01a2d4e954b4e) C:\WINDOWS\system32\DRIVERS\tosporte.sys
2011/05/20 10:00:43.0328 4272 tosrfbd (399c5e4db7bdd5a83a7d26c96389b85a) C:\WINDOWS\system32\DRIVERS\tosrfbd.sys
2011/05/20 10:00:44.0828 4272 tosrfbnp (181e217a7a326817d97946d045b3cb46) C:\WINDOWS\system32\Drivers\tosrfbnp.sys
2011/05/20 10:00:46.0390 4272 Tosrfcom (e90ace3b4fa7a85f992bc21eb779c407) C:\WINDOWS\system32\Drivers\tosrfcom.sys
2011/05/20 10:00:48.0484 4272 Tosrfhid (efc95c0dc6f96b228f58319776006548) C:\WINDOWS\system32\DRIVERS\Tosrfhid.sys
2011/05/20 10:00:50.0640 4272 tosrfnds (c52fd27b9adf3a1f22cb90e6bcf9b0cb) C:\WINDOWS\system32\DRIVERS\tosrfnds.sys
2011/05/20 10:00:52.0156 4272 Tosrfusb (98c04a6432ce9c2ad328f57b9384d348) C:\WINDOWS\system32\DRIVERS\tosrfusb.sys
2011/05/20 10:00:55.0515 4272 UdfReadr_xp (4e75005b74be901c30f2636df40b0c15) C:\WINDOWS\system32\drivers\UdfReadr_xp.sys
2011/05/20 10:00:57.0984 4272 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
2011/05/20 10:01:05.0953 4272 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
2011/05/20 10:01:10.0562 4272 USBAAPL (d4fb6ecc60a428564ba8768b0e23c0fc) C:\WINDOWS\system32\Drivers\usbaapl.sys
2011/05/20 10:01:12.0531 4272 usbaudio (e919708db44ed8543a7c017953148330) C:\WINDOWS\system32\drivers\usbaudio.sys
2011/05/20 10:01:15.0046 4272 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
2011/05/20 10:01:17.0187 4272 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2011/05/20 10:01:19.0109 4272 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2011/05/20 10:01:21.0375 4272 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
2011/05/20 10:01:23.0718 4272 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
2011/05/20 10:01:26.0296 4272 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2011/05/20 10:01:28.0437 4272 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
2011/05/20 10:01:30.0656 4272 usbvideo (63bbfca7f390f4c49ed4b96bfb1633e0) C:\WINDOWS\system32\Drivers\usbvideo.sys
2011/05/20 10:01:33.0359 4272 v2imount (b4d63048d6358e7c6ab61b98b8cff263) C:\WINDOWS\system32\DRIVERS\v2imount.sys
2011/05/20 10:01:35.0359 4272 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
2011/05/20 10:01:40.0218 4272 vmci (c560b5363ad494541deda5da539fb870) C:\WINDOWS\system32\Drivers\vmci.sys
2011/05/20 10:01:42.0578 4272 vmkbd (45e341e59f14cd88a64fdbe74ed0dd13) C:\WINDOWS\system32\drivers\VMkbd.sys
2011/05/20 10:01:43.0859 4272 VMnetAdapter (e41704d8149992107b333cc7a52c07cc) C:\WINDOWS\system32\DRIVERS\vmnetadapter.sys
2011/05/20 10:01:45.0609 4272 VMnetBridge (b9eee650712243ab3b2a94f029d877c4) C:\WINDOWS\system32\DRIVERS\vmnetbridge.sys
2011/05/20 10:01:47.0937 4272 VMnetuserif (c4172c1661789d50f27e222288132a72) C:\WINDOWS\system32\drivers\vmnetuserif.sys
2011/05/20 10:01:49.0890 4272 vmusb (afb10ad9aa91d2f70c9f0e6bda0d119b) C:\WINDOWS\system32\Drivers\vmusb.sys
2011/05/20 10:01:54.0421 4272 vmx86 (2177f7269c6cc6a5657f1779eaa6c460) C:\WINDOWS\system32\Drivers\vmx86.sys
2011/05/20 10:01:56.0640 4272 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
2011/05/20 10:01:59.0312 4272 vpnva (1b7c80c66742dafaa31f98af4c3a5bc2) C:\WINDOWS\system32\DRIVERS\vpnva.sys
2011/05/20 10:02:02.0312 4272 vstor2-ws60 (98929c5c5314c4c048e2f60492c26723) C:\Program Files\VMware\VMware Player\vstor2-ws60.sys
2011/05/20 10:02:05.0546 4272 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2011/05/20 10:02:07.0171 4272 Wdf01000 (fd47474bd21794508af449d9d91af6e6) C:\WINDOWS\system32\DRIVERS\Wdf01000.sys
2011/05/20 10:02:11.0531 4272 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
2011/05/20 10:02:14.0843 4272 winachsf (ba6b6fb242a6ba4068c8b763063beb63) C:\WINDOWS\system32\DRIVERS\HSX_CNXT.sys
2011/05/20 10:02:21.0750 4272 WmiAcpi (c42584fd66ce9e17403aebca199f7bdb) C:\WINDOWS\system32\DRIVERS\wmiacpi.sys
2011/05/20 10:02:26.0625 4272 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys
2011/05/20 10:02:29.0796 4272 WSTCODEC (c98b39829c2bbd34e454150633c62c78) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
2011/05/20 10:02:32.0250 4272 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
2011/05/20 10:02:34.0828 4272 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
2011/05/20 10:02:53.0250 4272 \HardDisk1 - detected Rootkit.Win32.TDSS.tdl4 (0)
2011/05/20 10:02:56.0015 4272 ================================================================================
2011/05/20 10:02:56.0015 4272 Scan finished
2011/05/20 10:02:56.0015 4272 ================================================================================
2011/05/20 10:03:01.0046 3128 Detected object count: 1
2011/05/20 10:03:54.0625 3128 \HardDisk1 (Rootkit.Win32.TDSS.tdl4) - will be cured after reboot
2011/05/20 10:03:54.0625 3128 \HardDisk1 - ok
2011/05/20 10:03:54.0625 3128 Rootkit.Win32.TDSS.tdl4(\HardDisk1) - User select action: Cure
2011/05/20 10:05:09.0015 6108 Deinitialize success

----------------------------------------------------------------------------------------------------------------------

ComboFix 11-05-19.01 - MAIN 05/20/2011 10:33:38.4.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1253 [GMT -4:00]
Running from: c:\documents and settings\MAIN\Desktop\ComboFix.exe
AV: Sophos Anti-Virus *Disabled/Outdated* {3F13C776-3CBE-4DE9-8BF6-09E5183CA2BD}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\MAIN\2gweorjqjutp92vjy9gake
.
.
((((((((((((((((((((((((( Files Created from 2011-04-20 to 2011-05-20 )))))))))))))))))))))))))))))))
.
.
2011-05-20 13:45 . 2008-11-24 13:42 130104 ----a-w- c:\windows\system32\sdccoinstaller.dll
2011-05-20 13:43 . 2008-11-24 13:42 23552 ----a-w- c:\windows\system32\sophosboottasks.exe
2011-05-20 13:43 . 2011-05-20 13:47 -------- d-----w- c:\program files\Sophos
2011-05-20 13:43 . 2011-05-20 13:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Sophos
2011-05-20 13:42 . 2009-02-26 11:45 38528 ----a-w- c:\windows\system32\drivers\savonaccessfilter.sys
2011-05-20 13:42 . 2009-02-26 11:45 110848 ----a-w- c:\windows\system32\drivers\savonaccesscontrol.sys
2011-05-20 13:42 . 2008-11-24 13:42 14976 ----a-w- c:\windows\system32\drivers\SophosBootDriver.sys
2011-05-19 15:28 . 2011-05-19 15:28 -------- d-----w- c:\documents and settings\MAIN\Application Data\Wireshark
2011-05-19 15:26 . 2011-05-19 15:26 -------- d-----w- c:\program files\WinPcap
2011-05-19 15:26 . 2011-05-19 15:27 -------- d-----w- c:\program files\Wireshark
2011-05-19 15:25 . 2011-04-14 16:26 142296 ----a-w- c:\program files\Mozilla Firefox\components\browsercomps.dll
2011-05-19 15:25 . 2011-04-14 16:25 781272 ----a-w- c:\program files\Mozilla Firefox\mozsqlite3.dll
2011-05-19 15:25 . 2011-04-14 16:25 1874904 ----a-w- c:\program files\Mozilla Firefox\mozjs.dll
2011-05-19 15:25 . 2011-04-14 16:25 15832 ----a-w- c:\program files\Mozilla Firefox\mozalloc.dll
2011-05-19 15:25 . 2011-04-14 16:25 465880 ----a-w- c:\program files\Mozilla Firefox\libGLESv2.dll
2011-05-19 15:25 . 2011-04-14 16:25 89048 ----a-w- c:\program files\Mozilla Firefox\libEGL.dll
2011-05-19 15:25 . 2010-01-01 08:00 1974616 ----a-w- c:\program files\Mozilla Firefox\D3DCompiler_42.dll
2011-05-19 15:25 . 2010-01-01 08:00 1892184 ----a-w- c:\program files\Mozilla Firefox\d3dx9_42.dll
2011-05-17 12:56 . 2011-05-17 12:56 -------- d-----w- c:\documents and settings\Default User\Application Data\Apple Computer
2011-05-17 12:51 . 2011-05-17 12:56 -------- d-----w- c:\documents and settings\Default User\Local Settings\Application Data\Apple Computer
2011-05-17 11:32 . 2011-05-17 11:32 -------- d-----w- c:\documents and settings\MAIN\Application Data\SUPERAntiSpyware.com
2011-05-17 11:32 . 2011-05-17 11:32 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2011-05-17 11:32 . 2011-05-17 12:00 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-05-17 04:50 . 2010-12-20 22:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-05-17 04:50 . 2010-12-20 22:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-05-17 04:39 . 2011-05-17 04:39 388096 ----a-r- c:\documents and settings\MAIN\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-05-17 04:39 . 2011-05-17 04:39 -------- d-----w- c:\program files\Trend Micro
2011-05-17 03:58 . 2011-05-17 03:58 13160 ----a-w- c:\windows\system32\Upgrd.exe
2011-05-17 00:18 . 2011-05-17 00:18 -------- d-----w- c:\windows\system32\wbem\Repository
2011-05-16 22:35 . 2011-05-17 00:14 -------- d-----w- C:\Combo-Fix27247C
2011-05-16 01:47 . 2011-05-17 00:16 -------- d-----w- C:\Combo-Fix18749C
2011-05-15 15:10 . 2011-05-17 00:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2011-05-15 15:10 . 2011-05-15 15:19 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\NPE
2011-05-15 15:08 . 2011-05-15 15:08 -------- d-----w- c:\documents and settings\LocalService\PrivacIE
2011-05-15 15:08 . 2011-05-15 15:08 -------- d-----w- c:\documents and settings\LocalService\IECompatCache
2011-05-15 14:28 . 2011-05-17 11:42 90112 ----a-w- c:\windows\DUMP5459.tmp
2011-05-15 14:12 . 2011-05-17 00:17 -------- d-----w- c:\documents and settings\All Users\Application Data\mK06511IjGiE06511
2011-05-13 03:30 . 2011-05-14 14:20 -------- d-----w- c:\documents and settings\MAIN\Application Data\Mp3Tube Toolbar(2)
2011-05-13 03:26 . 2011-05-17 00:17 -------- d-----w- c:\documents and settings\MAIN\Application Data\vlc
2011-05-13 03:24 . 2011-05-13 03:24 -------- d-----w- c:\program files\VideoLAN
2011-04-26 21:22 . 2011-04-26 21:22 -------- d-----w- c:\program files\iPod
2011-04-26 21:22 . 2011-04-26 21:24 -------- d-----w- c:\program files\iTunes
2011-04-26 21:16 . 2011-04-26 21:16 -------- d-----w- c:\program files\Bonjour
2011-04-26 02:09 . 2011-04-26 02:09 -------- d-----w- c:\documents and settings\MAIN\Application Data\FLEXnet
2011-04-26 02:09 . 2011-05-20 14:27 -------- d-----w- c:\documents and settings\MAIN\Local Settings\Application Data\Plantronics
2011-04-26 02:09 . 2011-04-26 02:09 -------- d-----w- c:\program files\Common Files\Skype
2011-04-26 02:09 . 2011-04-26 02:09 -------- d-----w- c:\program files\Winamp
2011-04-26 02:09 . 2011-04-26 02:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Plantronics
2011-04-26 02:09 . 2011-04-26 02:09 -------- d-----w- c:\program files\Plantronics
2011-04-26 02:09 . 2011-04-26 02:09 -------- d-----w- c:\documents and settings\All Users\Application Data\FLEXnet
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-05-20 14:43 . 2009-08-10 13:46 17408 ----a-w- c:\windows\system32\rpcnetp.exe
2011-05-20 14:43 . 2009-08-10 13:48 58288 ----a-w- c:\windows\system32\rpcnet.dll
2011-05-19 23:29 . 2009-08-10 13:46 17408 ----a-w- c:\windows\system32\rpcnetp.dll
2011-05-17 03:58 . 2009-08-10 13:48 58288 ------w- c:\windows\system32\rpcnet.exe
2011-04-06 20:20 . 2011-04-06 20:20 91424 ----a-w- c:\windows\system32\dnssd.dll
2011-04-06 20:20 . 2011-04-06 20:20 107808 ----a-w- c:\windows\system32\dns-sd.exe
2011-03-07 05:33 . 2008-04-05 04:13 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-04 06:37 . 2004-08-04 12:00 420864 ----a-w- c:\windows\system32\vbscript.dll
2011-03-03 13:21 . 2004-08-04 12:00 1857920 ----a-w- c:\windows\system32\win32k.sys
2011-02-22 23:06 . 2004-08-04 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2011-02-22 23:06 . 2004-08-04 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-02-22 23:06 . 2004-08-04 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-02-22 11:41 . 2004-08-04 12:00 385024 ----a-w- c:\windows\system32\html.iec
2010-12-03 03:10 . 2010-12-03 03:10 28472 ----a-w- c:\program files\mozilla firefox\plugins\atgpcdec.dll
2010-12-03 03:10 . 2010-12-03 03:10 185224 ----a-w- c:\program files\mozilla firefox\plugins\atgpcext.dll
2010-12-03 03:10 . 2010-12-03 03:10 46392 ----a-w- c:\program files\mozilla firefox\plugins\atmccli.dll
2010-09-14 13:12 . 2010-09-14 13:12 101760 ----a-w- c:\program files\mozilla firefox\plugins\ieatgpc.dll
2011-04-14 16:26 . 2011-05-19 15:25 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
2011-02-01 23:17 1487240 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2011-02-01 1487240]
.
[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2011-02-01 1487240]
.
[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\Dell Support\DSAgnt.exe" [2006-08-29 395776]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AdaptecDirectCD"="c:\program files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-12-17 684032]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-04-26 53248]
"ITSecMng"="c:\program files\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe" [2007-09-28 75136]
"NVHotkey"="nvHotkey.dll" [2007-11-17 86016]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\stsystra.exe" [2007-05-10 405504]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-03-31 138008]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-03-31 162584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-03-30 138008]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2007-07-02 159744]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2008-10-24 2220032]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-11-17 8495104]
"nwiz"="nwiz.exe" [2007-11-17 1626112]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-11-17 81920]
"ddoctorv2"="c:\program files\Comcast\Desktop Doctor\bin\sprtcmd.exe" [2008-04-24 202560]
"VMware hqtray"="c:\program files\VMware\VMware Player\hqtray.exe" [2010-09-21 64048]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-01-31 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-30 421888]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [BU]
"HPUsageTracking"="c:\program files\HP\HP UT\bin\hppusg.exe" [2007-05-08 36864]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2011-03-21 1230704]
"PlantronicsURE.exe"="c:\program files\Plantronics\PlantronicsURE\PlantronicsURE.exe" [2011-02-01 625608]
"PlantronicsBatteryStatus.exe"="c:\program files\Plantronics\PlantronicsURE\PlantronicsBatteryStatus.exe" [2011-02-01 346880]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-04-14 421160]
.
c:\documents and settings\MAIN\Start Menu\Programs\Startup\
OpenOffice.org 3.0.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2008-12-15 384000]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
AutoUpdate Monitor.lnk - c:\program files\Sophos\AutoUpdate\ALMon.exe [2009-7-1 245760]
Bluetooth Manager.lnk - c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe [2008-2-22 2938184]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SAVService]
@="service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SophosAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Packet Tracer 5.2\\bin\\PacketTracer5.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Avaya\\Avaya one-X Communicator\\SparkEmulator.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\Google\\Google Earth\\plugin\\geplugin.exe"=
"c:\\Program Files\\Syslogd\\Syslogd_Service.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\VMware\\VMware Player\\vmware-authd.exe"=
"c:\\Program Files\\Sling Media\\SlingPlayer\\SlingPlayer.exe"=
"c:\\Program Files\\Cisco Systems\\Cisco IP Communicator\\AudioTuningWizard.exe"=
"c:\\Program Files\\Cisco Systems\\Cisco IP Communicator\\communicatork9.exe"=
"c:\\Program Files\\FrostWire\\FrostWire.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
.
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [6/5/2010 12:19 AM 64288]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 2:25 PM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 2:41 PM 67656]
R1 SAVOnAccessControl;SAVOnAccessControl;c:\windows\system32\drivers\savonaccesscontrol.sys [5/20/2011 9:42 AM 110848]
R1 SAVOnAccessFilter;SAVOnAccessFilter;c:\windows\system32\drivers\savonaccessfilter.sys [5/20/2011 9:42 AM 38528]
R2 CipcCdp;Cisco IP Communicator driver for CDP;c:\windows\system32\drivers\CipcCdp.sys [7/21/2010 8:58 PM 24000]
R2 Kiwi Syslog Server;Kiwi Syslog Server;c:\program files\Syslogd\Syslogd_Service.exe [2/14/2010 4:54 PM 2248704]
R2 OpenSSHServer;Openssh SSHD;c:\program files\ICW\bin\cygrunsrv.exe [5/13/2009 8:22 PM 68096]
R2 SAVAdminService;Sophos Anti-Virus status reporter;c:\program files\Sophos\Sophos Anti-Virus\SAVAdminService.exe [10/29/2009 7:45 AM 80936]
R2 SAVService;Sophos Anti-Virus;c:\program files\Sophos\Sophos Anti-Virus\SavService.exe [11/24/2008 9:42 AM 98304]
R2 SlingAgentService;SlingAgentService;c:\program files\Sling Media\SlingAgent\SlingAgentService.exe [9/25/2009 2:16 PM 93960]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [9/5/2009 1:13 PM 24652]
R2 vmci;VMware vmci;c:\windows\system32\drivers\vmci.sys [9/21/2010 2:42 AM 70704]
R2 VMUSBArbService;VMware USB Arbitration Service;c:\program files\Common Files\VMware\USB\vmware-usbarbitrator.exe [9/21/2010 1:42 AM 539184]
R2 vpnagent;Cisco AnyConnect VPN Agent;c:\program files\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe [5/5/2010 9:59 PM 583360]
R3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [6/25/2010 1:07 PM 35088]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [8/22/2010 8:55 PM 136176]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2/4/2010 11:52 AM 1352832]
S3 AE1000;Linksys AE1000 Driver;c:\windows\system32\drivers\AE1000XP.sys [9/23/2010 11:09 PM 829152]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [8/22/2010 8:55 PM 136176]
S3 SolarWinds TFTP Server;SolarWinds TFTP Server;c:\program files\SolarWinds\TFTPServer\SolarWinds TFTP Server.exe [10/20/2009 10:52 PM 54272]
S4 SophosBootDriver;SophosBootDriver;c:\windows\system32\drivers\SophosBootDriver.sys [5/20/2011 9:42 AM 14976]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder
.
2011-05-17 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 04:19]
.
2011-05-10 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]
.
2011-05-20 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-08-23 00:54]
.
2011-05-20 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-08-23 00:54]
.
2011-05-20 c:\windows\Tasks\Scheduled Update for Ask Toolbar.job
- c:\program files\Ask.com\UpdateTask.exe [2011-02-01 23:17]
.
2011-05-20 c:\windows\Tasks\SophosScan(Mon,Wed,Sun @ 12PM).job
- c:\program files\Sophos\Sophos Anti-Virus\BackgroundScanClient.exe [2009-02-26 11:45]
.
2011-05-20 c:\windows\Tasks\User_Feed_Synchronization-{E80B23F8-BD86-4A39-80F1-80A61BC70761}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 08:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
mStart Page = hxxp://www.comcast.net/
mWindow Title = Windows Internet Explorer provided by Comcast
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
LSP: c:\program files\VMware\VMware Player\vsocklib.dll
DPF: {F8FC1530-0608-11DF-2008-0800200C9A66} - hxxps://anywhereec.nbcuni.com/CACHE/sdesktop/install/binaries/instweb.cab
FF - ProfilePath - c:\documents and settings\MAIN\Application Data\Mozilla\Firefox\Profiles\w3544nrf.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://mp3tubetoolbar.com/?tmp=nemo_results_removelink2&q=
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 59717
FF - prefs.js: network.proxy.type - 0
FF - user.js: keyword.URL - hxxp://mp3tubetoolbar.com/?tmp=nemo_results_removelink2&q=
FF - user.js: keyword.enabled - 1
.
- - - - ORPHANS REMOVED - - - -
.
Notify-NavLogon - (no file)
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-05-20 10:46
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
.
c:\windows\system32\autochk(12).exe:BAK 22528 bytes executable
.
scan completed successfully
hidden files: 1
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10n_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10n_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(952)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
c:\windows\System32\BCMLogon.dll
c:\windows\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\MFC80.DLL
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
.
- - - - - - - > 'lsass.exe'(1012)
c:\windows\System32\BCMLogon.dll
.
- - - - - - - > 'explorer.exe'(2380)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\WLTRYSVC.EXE
c:\windows\System32\bcmwltry.exe
c:\windows\System32\SCardSvr.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Juniper Networks\Common Files\dsNcService.exe
c:\program files\Avaya\Avaya one-X Communicator\QosServM.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Dell\QuickSet\NICCONFIGSVC.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\rpcnet.exe
c:\program files\ICW\bin\sshd.exe
c:\program files\Sophos\AutoUpdate\ALsvc.exe
c:\program files\Comcast\Desktop Doctor\bin\sprtsvc.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
c:\windows\system32\vmnat.exe
c:\windows\system32\vmnetdhcp.exe
c:\program files\VMware\VMware Player\vmware-authd.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\RUNDLL32.EXE
c:\program files\DellTPad\ApMsgFwd.exe
c:\program files\DellTPad\HidFind.exe
c:\program files\DellTPad\Apntex.exe
c:\program files\OpenOffice.org 3\program\soffice.exe
c:\program files\OpenOffice.org 3\program\soffice.bin
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Plantronics\PlantronicsURE\PlantronicsUpdtMgr.exe
.
**************************************************************************
.
Completion time: 2011-05-20 10:52:47 - machine was rebooted
ComboFix-quarantined-files.txt 2011-05-20 14:52
ComboFix2.txt 2011-05-17 02:58
ComboFix3.txt 2011-05-16 03:13
ComboFix4.txt 2010-08-25 23:32
ComboFix5.txt 2011-05-20 14:30
.
Pre-Run: 80,498,454,528 bytes free
Post-Run: 82,197,307,392 bytes free
.
- - End Of File - - 81EC74C71723A286503B5C4D748790DE

#4 RPMcMurphy

RPMcMurphy

    Bleeping *^#@%~


  • Malware Response Team
  • 3,970 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:05:12 PM

Posted 20 May 2011 - 10:44 PM

aries44475:

Posted Image Open Notepad Go to Start> All Programs> Accessories> Notepad ( this will only work with Notepad ) and copy all the text inside the Codebox by highlighting it all and pressing CTRL C on your keyboard, then paste it into Notepad, make sure there is no space before and above File::

Firefox::
FF - ProfilePath - c:\documents and settings\MAIN\Application Data\Mozilla\Firefox\Profiles\w3544nrf.default\
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 59717

Save this as CFScript to your desktop.

Then disable your security programs and drag the CFScript into ComboFix.exe as you see in the screenshot below.

Posted Image


This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.

Posted Image You have this program installed, Malwarebytes' Anti-Malware (MBAM). Please update it and run a scan.

Open MBAM
  • Click the Update tab
  • Click Check for Updates
  • If an update is found, it will download and install the latest version.
  • The program will close to update and reopen.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Uncheck any entries from C:\System Volume Information or C:\Qoobox
  • Make sure that everything else is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediately.

Please include the following in your next post:
  • ComboFix log
  • MBAM log

Threads are closed after 5 days of inactivity.

ASAP & UNITE Member


The help you receive here is free. If you wish to show your appreciation, then you may btn_donate_SM.gif


#5 aries44475

aries44475
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:05:12 PM

Posted 22 May 2011 - 09:40 AM

ComboFix 11-05-21.03 - MAIN 05/22/2011 10:16:53.5.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1158 [GMT -4:00]
Running from: c:\documents and settings\MAIN\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\MAIN\Desktop\CFScript.txt
AV: Sophos Anti-Virus *Disabled/Updated* {3F13C776-3CBE-4DE9-8BF6-09E5183CA2BD}
.
.
((((((((((((((((((((((((( Files Created from 2011-04-22 to 2011-05-22 )))))))))))))))))))))))))))))))
.
.
2011-05-20 21:11 . 2011-05-20 21:11 -------- d-----w- c:\documents and settings\MAIN\Local Settings\Application Data\Sophos
2011-05-20 15:57 . 2011-05-20 15:57 -------- d-----w- c:\documents and settings\All Users\Application Data\Sophos Web Intelligence
2011-05-20 15:56 . 2011-05-20 15:56 -------- d-----w- c:\program files\Common Files\Cisco Systems
2011-05-20 15:56 . 2010-07-23 17:31 28912 ----a-w- c:\windows\system32\SophosBootTasks.exe
2011-05-20 15:56 . 2011-05-20 15:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Sophos
2011-05-20 15:20 . 2011-05-20 15:20 -------- d-sh--w- c:\documents and settings\Default User\IETldCache
2011-05-20 13:43 . 2011-05-20 13:47 -------- d-----w- c:\program files\Sophos
2011-05-20 13:42 . 2010-10-08 14:14 24064 ----a-w- c:\windows\system32\drivers\savonaccessfilter.sys
2011-05-20 13:42 . 2010-10-08 14:14 153344 ----a-w- c:\windows\system32\drivers\savonaccesscontrol.sys
2011-05-20 13:42 . 2008-05-23 07:38 14976 ----a-w- c:\windows\system32\drivers\SophosBootDriver.sys
2011-05-19 15:28 . 2011-05-19 15:28 -------- d-----w- c:\documents and settings\MAIN\Application Data\Wireshark
2011-05-19 15:26 . 2011-05-19 15:26 -------- d-----w- c:\program files\WinPcap
2011-05-19 15:26 . 2011-05-19 15:27 -------- d-----w- c:\program files\Wireshark
2011-05-19 15:25 . 2011-04-14 16:26 142296 ----a-w- c:\program files\Mozilla Firefox\components\browsercomps.dll
2011-05-19 15:25 . 2011-04-14 16:25 781272 ----a-w- c:\program files\Mozilla Firefox\mozsqlite3.dll
2011-05-19 15:25 . 2011-04-14 16:25 1874904 ----a-w- c:\program files\Mozilla Firefox\mozjs.dll
2011-05-19 15:25 . 2011-04-14 16:25 15832 ----a-w- c:\program files\Mozilla Firefox\mozalloc.dll
2011-05-19 15:25 . 2011-04-14 16:25 465880 ----a-w- c:\program files\Mozilla Firefox\libGLESv2.dll
2011-05-19 15:25 . 2011-04-14 16:25 89048 ----a-w- c:\program files\Mozilla Firefox\libEGL.dll
2011-05-19 15:25 . 2010-01-01 08:00 1974616 ----a-w- c:\program files\Mozilla Firefox\D3DCompiler_42.dll
2011-05-19 15:25 . 2010-01-01 08:00 1892184 ----a-w- c:\program files\Mozilla Firefox\d3dx9_42.dll
2011-05-17 12:56 . 2011-05-17 12:56 -------- d-----w- c:\documents and settings\Default User\Application Data\Apple Computer
2011-05-17 12:51 . 2011-05-17 12:56 -------- d-----w- c:\documents and settings\Default User\Local Settings\Application Data\Apple Computer
2011-05-17 11:32 . 2011-05-17 11:32 -------- d-----w- c:\documents and settings\MAIN\Application Data\SUPERAntiSpyware.com
2011-05-17 11:32 . 2011-05-17 11:32 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2011-05-17 11:32 . 2011-05-17 12:00 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-05-17 04:50 . 2010-12-20 22:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-05-17 04:50 . 2010-12-20 22:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-05-17 04:39 . 2011-05-17 04:39 388096 ----a-r- c:\documents and settings\MAIN\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-05-17 04:39 . 2011-05-17 04:39 -------- d-----w- c:\program files\Trend Micro
2011-05-17 03:58 . 2011-05-17 03:58 13160 ----a-w- c:\windows\system32\Upgrd.exe
2011-05-17 00:18 . 2011-05-17 00:18 -------- d-----w- c:\windows\system32\wbem\Repository
2011-05-16 22:35 . 2011-05-17 00:14 -------- d-----w- C:\Combo-Fix27247C
2011-05-16 01:47 . 2011-05-17 00:16 -------- d-----w- C:\Combo-Fix18749C
2011-05-15 15:10 . 2011-05-17 00:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2011-05-15 15:10 . 2011-05-15 15:19 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\NPE
2011-05-15 15:08 . 2011-05-15 15:08 -------- d-----w- c:\documents and settings\LocalService\PrivacIE
2011-05-15 15:08 . 2011-05-15 15:08 -------- d-----w- c:\documents and settings\LocalService\IECompatCache
2011-05-15 14:28 . 2011-05-17 11:42 90112 ----a-w- c:\windows\DUMP5459.tmp
2011-05-15 14:12 . 2011-05-17 00:17 -------- d-----w- c:\documents and settings\All Users\Application Data\mK06511IjGiE06511
2011-05-13 03:30 . 2011-05-14 14:20 -------- d-----w- c:\documents and settings\MAIN\Application Data\Mp3Tube Toolbar(2)
2011-05-13 03:26 . 2011-05-17 00:17 -------- d-----w- c:\documents and settings\MAIN\Application Data\vlc
2011-05-13 03:24 . 2011-05-13 03:24 -------- d-----w- c:\program files\VideoLAN
2011-04-26 21:22 . 2011-04-26 21:22 -------- d-----w- c:\program files\iPod
2011-04-26 21:22 . 2011-04-26 21:24 -------- d-----w- c:\program files\iTunes
2011-04-26 21:16 . 2011-04-26 21:16 -------- d-----w- c:\program files\Bonjour
2011-04-26 02:09 . 2011-04-26 02:09 -------- d-----w- c:\documents and settings\MAIN\Application Data\FLEXnet
2011-04-26 02:09 . 2011-05-20 14:27 -------- d-----w- c:\documents and settings\MAIN\Local Settings\Application Data\Plantronics
2011-04-26 02:09 . 2011-04-26 02:09 -------- d-----w- c:\program files\Common Files\Skype
2011-04-26 02:09 . 2011-04-26 02:09 -------- d-----w- c:\program files\Winamp
2011-04-26 02:09 . 2011-04-26 02:09 -------- d-----w- c:\documents and settings\All Users\Application Data\Plantronics
2011-04-26 02:09 . 2011-04-26 02:09 -------- d-----w- c:\program files\Plantronics
2011-04-26 02:09 . 2011-04-26 02:09 -------- d-----w- c:\documents and settings\All Users\Application Data\FLEXnet
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-05-22 14:25 . 2009-08-10 13:46 17408 ----a-w- c:\windows\system32\rpcnetp.exe
2011-05-22 14:25 . 2009-08-10 13:48 58288 ----a-w- c:\windows\system32\rpcnet.dll
2011-05-19 23:29 . 2009-08-10 13:46 17408 ----a-w- c:\windows\system32\rpcnetp.dll
2011-05-17 03:58 . 2009-08-10 13:48 58288 ------w- c:\windows\system32\rpcnet.exe
2011-04-06 20:20 . 2011-04-06 20:20 91424 ----a-w- c:\windows\system32\dnssd.dll
2011-04-06 20:20 . 2011-04-06 20:20 107808 ----a-w- c:\windows\system32\dns-sd.exe
2011-03-07 05:33 . 2008-04-05 04:13 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-04 06:37 . 2004-08-04 12:00 420864 ----a-w- c:\windows\system32\vbscript.dll
2011-03-03 13:21 . 2004-08-04 12:00 1857920 ----a-w- c:\windows\system32\win32k.sys
2011-02-22 23:06 . 2004-08-04 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2011-02-22 23:06 . 2004-08-04 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-02-22 23:06 . 2004-08-04 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-02-22 11:41 . 2004-08-04 12:00 385024 ----a-w- c:\windows\system32\html.iec
2010-12-03 03:10 . 2010-12-03 03:10 28472 ----a-w- c:\program files\mozilla firefox\plugins\atgpcdec.dll
2010-12-03 03:10 . 2010-12-03 03:10 185224 ----a-w- c:\program files\mozilla firefox\plugins\atgpcext.dll
2010-12-03 03:10 . 2010-12-03 03:10 46392 ----a-w- c:\program files\mozilla firefox\plugins\atmccli.dll
2010-09-14 13:12 . 2010-09-14 13:12 101760 ----a-w- c:\program files\mozilla firefox\plugins\ieatgpc.dll
2011-04-14 16:26 . 2011-05-19 15:25 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
2011-02-01 23:17 1487240 ----a-w- c:\program files\Ask.com\GenericAskToolbar.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2011-02-01 1487240]
.
[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{D4027C7F-154A-4066-A1AD-4243D8127440}"= "c:\program files\Ask.com\GenericAskToolbar.dll" [2011-02-01 1487240]
.
[HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
[HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
[HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\Dell Support\DSAgnt.exe" [2006-08-29 395776]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AdaptecDirectCD"="c:\program files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-12-17 684032]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-04-26 53248]
"ITSecMng"="c:\program files\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe" [2007-09-28 75136]
"NVHotkey"="nvHotkey.dll" [2007-11-17 86016]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\stsystra.exe" [2007-05-10 405504]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-03-31 138008]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-03-31 162584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-03-30 138008]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2007-07-02 159744]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2008-10-24 2220032]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-11-17 8495104]
"nwiz"="nwiz.exe" [2007-11-17 1626112]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-11-17 81920]
"ddoctorv2"="c:\program files\Comcast\Desktop Doctor\bin\sprtcmd.exe" [2008-04-24 202560]
"VMware hqtray"="c:\program files\VMware\VMware Player\hqtray.exe" [2010-09-21 64048]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-01-31 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-30 421888]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [BU]
"HPUsageTracking"="c:\program files\HP\HP UT\bin\hppusg.exe" [2007-05-08 36864]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2011-03-21 1230704]
"PlantronicsURE.exe"="c:\program files\Plantronics\PlantronicsURE\PlantronicsURE.exe" [2011-02-01 625608]
"PlantronicsBatteryStatus.exe"="c:\program files\Plantronics\PlantronicsURE\PlantronicsBatteryStatus.exe" [2011-02-01 346880]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-04-14 421160]
"Sophos AutoUpdate Monitor"="c:\program files\Sophos\AutoUpdate\almon.exe" [2010-09-21 439536]
.
c:\documents and settings\MAIN\Start Menu\Programs\Startup\
OpenOffice.org 3.0.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2008-12-15 384000]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth Manager.lnk - c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe [2008-2-22 2938184]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SophosAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Packet Tracer 5.2\\bin\\PacketTracer5.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Avaya\\Avaya one-X Communicator\\SparkEmulator.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\Google\\Google Earth\\plugin\\geplugin.exe"=
"c:\\Program Files\\Syslogd\\Syslogd_Service.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\VMware\\VMware Player\\vmware-authd.exe"=
"c:\\Program Files\\Sling Media\\SlingPlayer\\SlingPlayer.exe"=
"c:\\Program Files\\Cisco Systems\\Cisco IP Communicator\\AudioTuningWizard.exe"=
"c:\\Program Files\\Cisco Systems\\Cisco IP Communicator\\communicatork9.exe"=
"c:\\Program Files\\FrostWire\\FrostWire.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
.
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [6/5/2010 12:19 AM 64288]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 2:25 PM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 2:41 PM 67656]
R1 SAVOnAccessControl;SAVOnAccessControl;c:\windows\system32\drivers\savonaccesscontrol.sys [5/20/2011 9:42 AM 153344]
R1 SAVOnAccessFilter;SAVOnAccessFilter;c:\windows\system32\drivers\savonaccessfilter.sys [5/20/2011 9:42 AM 24064]
R2 CipcCdp;Cisco IP Communicator driver for CDP;c:\windows\system32\drivers\CipcCdp.sys [7/21/2010 8:58 PM 24000]
R2 Kiwi Syslog Server;Kiwi Syslog Server;c:\program files\Syslogd\Syslogd_Service.exe [2/14/2010 4:54 PM 2248704]
R2 OpenSSHServer;Openssh SSHD;c:\program files\ICW\bin\cygrunsrv.exe [5/13/2009 8:22 PM 68096]
R2 SAVAdminService;Sophos Anti-Virus status reporter;c:\program files\Sophos\Sophos Anti-Virus\SAVAdminService.exe [10/8/2010 10:15 AM 163056]
R2 SAVService;Sophos Anti-Virus;c:\program files\Sophos\Sophos Anti-Virus\SavService.exe [6/4/2010 6:23 AM 97520]
R2 SlingAgentService;SlingAgentService;c:\program files\Sling Media\SlingAgent\SlingAgentService.exe [9/25/2009 2:16 PM 93960]
R2 swi_service;Sophos Web Intelligence Service;c:\program files\Sophos\Sophos Anti-Virus\Web Intelligence\swi_service.exe [10/8/2010 10:15 AM 1541360]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [9/5/2009 1:13 PM 24652]
R2 vmci;VMware vmci;c:\windows\system32\drivers\vmci.sys [9/21/2010 2:42 AM 70704]
R2 VMUSBArbService;VMware USB Arbitration Service;c:\program files\Common Files\VMware\USB\vmware-usbarbitrator.exe [9/21/2010 1:42 AM 539184]
R2 vpnagent;Cisco AnyConnect VPN Agent;c:\program files\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe [5/5/2010 9:59 PM 583360]
R3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [6/25/2010 1:07 PM 35088]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [8/22/2010 8:55 PM 136176]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2/4/2010 11:52 AM 1352832]
S3 AE1000;Linksys AE1000 Driver;c:\windows\system32\drivers\AE1000XP.sys [9/23/2010 11:09 PM 829152]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [8/22/2010 8:55 PM 136176]
S3 SolarWinds TFTP Server;SolarWinds TFTP Server;c:\program files\SolarWinds\TFTPServer\SolarWinds TFTP Server.exe [10/20/2009 10:52 PM 54272]
S4 SophosBootDriver;SophosBootDriver;c:\windows\system32\drivers\SophosBootDriver.sys [5/20/2011 9:42 AM 14976]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder
.
2011-05-21 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2010-02-04 04:19]
.
2011-05-10 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]
.
2011-05-22 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-08-23 00:54]
.
2011-05-22 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-08-23 00:54]
.
2011-05-22 c:\windows\Tasks\Scheduled Update for Ask Toolbar.job
- c:\program files\Ask.com\UpdateTask.exe [2011-02-01 23:17]
.
2011-05-20 c:\windows\Tasks\SophosScan(Mon,Wed,Sun @ 12PM).job
- c:\program files\Sophos\Sophos Anti-Virus\BackgroundScanClient.exe [2010-06-04 10:23]
.
2011-05-22 c:\windows\Tasks\User_Feed_Synchronization-{E80B23F8-BD86-4A39-80F1-80A61BC70761}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 08:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
mStart Page = hxxp://www.comcast.net/
mWindow Title = Windows Internet Explorer provided by Comcast
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
LSP: c:\program files\VMware\VMware Player\vsocklib.dll
DPF: {F8FC1530-0608-11DF-2008-0800200C9A66} - hxxps://anywhereec.nbcuni.com/CACHE/sdesktop/install/binaries/instweb.cab
FF - ProfilePath - c:\documents and settings\MAIN\Application Data\Mozilla\Firefox\Profiles\w3544nrf.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://mp3tubetoolbar.com/?tmp=nemo_results_removelink2&q=
FF - prefs.js: network.proxy.type - 0
FF - user.js: keyword.URL - hxxp://mp3tubetoolbar.com/?tmp=nemo_results_removelink2&q=
FF - user.js: keyword.enabled - 1
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-05-22 10:26
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
.
c:\windows\system32\autochk(12).exe:BAK 22528 bytes executable
.
scan completed successfully
hidden files: 1
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10n_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10n_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(948)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
c:\windows\System32\BCMLogon.dll
c:\windows\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.762_x-ww_3bf8fa05\MFC80.DLL
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
.
- - - - - - - > 'lsass.exe'(1008)
c:\windows\System32\BCMLogon.dll
.
- - - - - - - > 'explorer.exe'(2816)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\System32\WLTRYSVC.EXE
c:\windows\System32\bcmwltry.exe
c:\windows\System32\SCardSvr.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Juniper Networks\Common Files\dsNcService.exe
c:\program files\Avaya\Avaya one-X Communicator\QosServM.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Dell\QuickSet\NICCONFIGSVC.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\rpcnet.exe
c:\program files\ICW\bin\sshd.exe
c:\program files\Sophos\AutoUpdate\ALsvc.exe
c:\program files\Comcast\Desktop Doctor\bin\sprtsvc.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
c:\windows\system32\vmnat.exe
c:\windows\system32\vmnetdhcp.exe
c:\program files\VMware\VMware Player\vmware-authd.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\RUNDLL32.EXE
c:\program files\DellTPad\ApMsgFwd.exe
c:\program files\DellTPad\HidFind.exe
c:\program files\DellTPad\Apntex.exe
c:\program files\OpenOffice.org 3\program\soffice.exe
c:\program files\OpenOffice.org 3\program\soffice.bin
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\Plantronics\PlantronicsURE\PlantronicsUpdtMgr.exe
.
**************************************************************************
.
Completion time: 2011-05-22 10:33:00 - machine was rebooted
ComboFix-quarantined-files.txt 2011-05-22 14:32
ComboFix2.txt 2011-05-20 14:52
ComboFix3.txt 2011-05-17 02:58
ComboFix4.txt 2011-05-16 03:13
ComboFix5.txt 2011-05-22 14:13
.
Pre-Run: 81,868,910,592 bytes free
Post-Run: 81,851,252,736 bytes free
.
- - End Of File - - 1D0BE84E872F8A1BE8DE10DF030F55FB

---------------------------------------------------------------------------

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6640

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

5/22/2011 10:39:01 AM
mbam-log-2011-05-22 (10-39-01).txt

Scan type: Quick scan
Objects scanned: 177918
Time elapsed: 3 minute(s), 53 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#6 RPMcMurphy

RPMcMurphy

    Bleeping *^#@%~


  • Malware Response Team
  • 3,970 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:05:12 PM

Posted 22 May 2011 - 11:27 AM

aries44475:

How is your computer running now? Please do this next:

Posted Image Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.

Java™ can be updated from the Java control panel Start > Control Panel (Classic View) > Java (looks like a coffee cup) > Update Tab > Update Now. An update should begin; follow the prompts. If it does not, let me know.

Once the install is complete...

Go into the Control Panel and double-click the Java Icon. (looks like a coffee cup)
  • On the General tab, under Temporary Internet Files, click the Settings button.
  • Next, click on the Delete Files button
  • There are two options in the window to clear the cache - Leave BOTH Checked
    • Applications and Applets
    • Trace and Log Files
  • Click OK on Delete Temporary Files Window
Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
  • Click OK to leave the Temporary Files Window
  • Click OK to leave the Java Control Panel.
Posted Image Please run ESET Online Scanner
  • Place a check mark in the box YES, I accept the Terms Of Use
  • Click the Start button.
  • Now click the Install button.
  • Click Start. The scanner engine will initialize and update.
  • Do Not place a check mark in the box beside Remove found threats.
  • Click the Scan button. The scan will now run, please be patient.
  • When the scan finishes copy and paste the results into your next reply.
Please include the following in your next post:
  • How is the computer running?
  • ESET log

Threads are closed after 5 days of inactivity.

ASAP & UNITE Member


The help you receive here is free. If you wish to show your appreciation, then you may btn_donate_SM.gif


#7 aries44475

aries44475
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:05:12 PM

Posted 22 May 2011 - 01:19 PM

ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6427
# api_version=3.0.2
# EOSSerial=4bda028619c1f445a3ade105f47d7fec
# end=finished
# remove_checked=false
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2011-05-22 06:11:23
# local_time=2011-05-22 02:11:23 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=512 16777215 100 0 0 0 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# compatibility_mode=8449 16775141 50 96 0 118424945 0 0
# scanned=85302
# found=0
# cleaned=0
# scan_time=3973

---------------------------------------------------------------
Updated Java to latest.

Computer seems to be running fine....don't get redirects when searching with google.

Does that mean I'm good to go?

James

#8 RPMcMurphy

RPMcMurphy

    Bleeping *^#@%~


  • Malware Response Team
  • 3,970 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:05:12 PM

Posted 22 May 2011 - 08:29 PM

James:

Your logs look good. Now I have another update and some very important cleanup for you to take care of:

Posted Image Your Adobe reader needs to be updated. Please visit Adobe's site and grab the newest version. Be sure to watch for and uncheck any boxes offering to install other software.

Posted Image Uninstall ComboFix
  • Press the Windows key + R on your keyboard or click Start -> Run. Copy and past the following text into the run box that opens and press OK:
    Combofix /Uninstall
Posted Image

Posted Image Delete the following tools along with any other logs you saved from our work:
  • DDS
  • GMER
  • TDSSKiller
Posted Image Download TFC to your desktop
  • Close any open windows.
  • Double click the TFC icon to run the program
  • TFC will close all open programs itself in order to run,
  • Click the Start button to begin the process.
  • Allow TFC to run uninterrupted.
  • The program should not take long to finish it's job
  • Once its finished it should automatically reboot your machine,
  • if it doesn't, manually reboot to ensure a complete clean
Posted Image Finally, I'd like to make a couple of suggestions to help you stay clean in the future:
  • Restart any anti-malware programs that we disabled while we were cleaning your machine.
  • Keep your antivirus application and MBAM current and updated. Scan with them at least weekly.
  • Please read this post for some helpful information.
Please post once more so I know you are all set and I can mark this thread resolved. Good luck and stay safe!

Threads are closed after 5 days of inactivity.

ASAP & UNITE Member


The help you receive here is free. If you wish to show your appreciation, then you may btn_donate_SM.gif


#9 aries44475

aries44475
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:05:12 PM

Posted 24 May 2011 - 07:15 AM

All set and thanks!

#10 RPMcMurphy

RPMcMurphy

    Bleeping *^#@%~


  • Malware Response Team
  • 3,970 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:05:12 PM

Posted 24 May 2011 - 07:57 AM

You're welcome, James. Take care.

Threads are closed after 5 days of inactivity.

ASAP & UNITE Member


The help you receive here is free. If you wish to show your appreciation, then you may btn_donate_SM.gif


#11 RPMcMurphy

RPMcMurphy

    Bleeping *^#@%~


  • Malware Response Team
  • 3,970 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:05:12 PM

Posted 25 May 2011 - 07:13 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.

Threads are closed after 5 days of inactivity.

ASAP & UNITE Member


The help you receive here is free. If you wish to show your appreciation, then you may btn_donate_SM.gif





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users