
google redirect and false pop ups


  • This topic is locked
18 replies to this topic

#1 skater11

skater11

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:04:46 AM

Posted 20 May 2011 - 09:57 PM

Hi,
I was watching a TV show off of Mega Video and right after, I think I was infected. I've been having troubles with my computer since then and I am infected with something. I am running my computer in safe mode with networking. I have a Google redirect virus and some sort of other infection. I start my computer and the first few things to load up are alerts, one that says "installation failed" and others that say, for example, "Jrun has stopped working"; then I can choose to close the program or check online for a solution.

I have tried to download and run McAfee Stinger, but it says that there is an invalid Win32 error with the program. I also tried to install AVG, but each time it says the installation cannot continue; there is something causing this.

I have used Malwarebytes many times and it has found infected objects and I have deleted them, but when I restart my computer there is no change: the pop-ups come back on and the Google redirect virus is back.

I know that there is a virus in my temp folder, called csrss, that I have tried to delete, if that helps.

Hopefully I am doing this right.
I tried to follow the preparation guide before requesting help, but had troubles.
I downloaded DDS and it downloaded successfully, but when I try to run it, nothing happens. Every time I click Run, nothing happens.

I downloaded GMER and here is the log:

GMER 1.0.15.15627 - http://www.gmer.net
Rootkit scan 2011-05-20 19:41:48
Windows 6.0.6002 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IdePort1 ST9120821AS rev.7.24
Running: gmer.exe; Driver: C:\Users\Liam\AppData\Local\Temp\kxldapoc.sys


---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Internet Explorer\iexplore.exe[472] ntdll.dll!NtProtectVirtualMemory 77954B84 5 Bytes JMP 0090000A
.text C:\Program Files\Internet Explorer\iexplore.exe[472] ntdll.dll!NtWriteVirtualMemory 779554C4 5 Bytes JMP 0091000A
.text C:\Program Files\Internet Explorer\iexplore.exe[472] ntdll.dll!KiUserExceptionDispatcher 77955BF8 5 Bytes JMP 008F000A
.text C:\Program Files\Internet Explorer\iexplore.exe[472] USER32.dll!CreateWindowExW 769B1305 5 Bytes JMP 7141DB5C C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[472] USER32.dll!DialogBoxParamW 769D10B0 5 Bytes JMP 713454BD C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[472] USER32.dll!DialogBoxIndirectParamW 769D2EF5 5 Bytes JMP 71515117 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[472] USER32.dll!DialogBoxParamA 769E8152 5 Bytes JMP 715150B4 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[472] USER32.dll!DialogBoxIndirectParamA 769E847D 5 Bytes JMP 7151517A C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[472] USER32.dll!MessageBoxIndirectA 769FD4D9 5 Bytes JMP 71515049 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[472] USER32.dll!MessageBoxIndirectW 769FD5D3 5 Bytes JMP 71514FDE C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[472] USER32.dll!MessageBoxExA 769FD639 5 Bytes JMP 71514F7C C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[472] USER32.dll!MessageBoxExW 769FD65D 5 Bytes JMP 71514F1A C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
? C:\Users\Liam\AppData\Local\Temp\csrss.exe[620] number of sections mismatch; time/date stamp mismatch; unknown module: OLEAUT32.dllunknown module: RASAPI32.dllunknown module: WINHTTP.dll
.tls C:\Users\Liam\AppData\Local\Temp\csrss.exe[620] C:\Users\Liam\AppData\Local\Temp\csrss.exe unknown last section [0x0042F000, 0x3D000, 0x40000040]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[708] ntdll.dll!NtCreateFile + 6 7795422A 4 Bytes [28, 00, 06, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[708] ntdll.dll!NtCreateFile + B 7795422F 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[708] ntdll.dll!NtMapViewOfSection + 6 7795497A 1 Byte [28]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[708] ntdll.dll!NtMapViewOfSection + 6 7795497A 4 Bytes [28, 03, 06, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[708] ntdll.dll!NtMapViewOfSection + B 7795497F 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[708] ntdll.dll!NtOpenFile + 6 77954A0A 4 Bytes [68, 00, 06, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[708] ntdll.dll!NtOpenFile + B 77954A0F 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[708] ntdll.dll!NtOpenProcess + 6 77954A8A 4 Bytes [A8, 01, 06, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[708] ntdll.dll!NtOpenProcess + B 77954A8F 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[708] ntdll.dll!NtOpenProcessToken + B 77954A9F 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[708] ntdll.dll!NtOpenProcessTokenEx + 6 77954AAA 4 Bytes [A8, 02, 06, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[708] ntdll.dll!NtOpenProcessTokenEx + B 77954AAF 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[708] ntdll.dll!NtOpenThread + 6 77954AFA 4 Bytes [68, 01, 06, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[708] ntdll.dll!NtOpenThread + B 77954AFF 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[708] ntdll.dll!NtOpenThreadToken + 6 77954B0A 4 Bytes [68, 02, 06, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[708] ntdll.dll!NtOpenThreadToken + B 77954B0F 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[708] ntdll.dll!NtOpenThreadTokenEx + B 77954B1F 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[708] ntdll.dll!NtQueryAttributesFile + 6 77954BAA 4 Bytes [A8, 00, 06, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[708] ntdll.dll!NtQueryAttributesFile + B 77954BAF 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[708] ntdll.dll!NtQueryFullAttributesFile + B 77954C5F 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[708] ntdll.dll!NtSetInformationFile + 6 7795513A 4 Bytes [28, 01, 06, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[708] ntdll.dll!NtSetInformationFile + B 7795513F 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[708] ntdll.dll!NtSetInformationThread + 6 7795518A 4 Bytes [28, 02, 06, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[708] ntdll.dll!NtSetInformationThread + B 7795518F 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[708] ntdll.dll!NtUnmapViewOfSection + 6 7795542A 1 Byte [68]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[708] ntdll.dll!NtUnmapViewOfSection + 6 7795542A 4 Bytes [68, 03, 06, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[708] ntdll.dll!NtUnmapViewOfSection + B 7795542F 1 Byte [E2]
.text C:\Program Files\Internet Explorer\iexplore.exe[1324] ntdll.dll!NtProtectVirtualMemory 77954B84 5 Bytes JMP 010F000A
.text C:\Program Files\Internet Explorer\iexplore.exe[1324] ntdll.dll!NtWriteVirtualMemory 779554C4 5 Bytes JMP 0110000A
.text C:\Program Files\Internet Explorer\iexplore.exe[1324] ntdll.dll!KiUserExceptionDispatcher 77955BF8 5 Bytes JMP 00EA000A
.text C:\Program Files\Internet Explorer\iexplore.exe[1324] USER32.dll!SetWindowsHookExW 769A87AD 5 Bytes JMP 71419B01 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1324] USER32.dll!CallNextHookEx 769A8E3B 5 Bytes JMP 7140D125 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1324] USER32.dll!UnhookWindowsHookEx 769A98DB 5 Bytes JMP 71384664 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1324] USER32.dll!CreateWindowExW 769B1305 5 Bytes JMP 7141DB5C C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1324] USER32.dll!DialogBoxParamW 769D10B0 5 Bytes JMP 713454BD C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1324] USER32.dll!DialogBoxIndirectParamW 769D2EF5 5 Bytes JMP 71515117 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1324] USER32.dll!DialogBoxParamA 769E8152 5 Bytes JMP 715150B4 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1324] USER32.dll!DialogBoxIndirectParamA 769E847D 5 Bytes JMP 7151517A C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1324] USER32.dll!MessageBoxIndirectA 769FD4D9 5 Bytes JMP 71515049 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1324] USER32.dll!MessageBoxIndirectW 769FD5D3 5 Bytes JMP 71514FDE C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1324] USER32.dll!MessageBoxExA 769FD639 5 Bytes JMP 71514F7C C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1324] USER32.dll!MessageBoxExW 769FD65D 5 Bytes JMP 71514F1A C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1324] ole32.dll!OleLoadFromStream 76331E80 5 Bytes JMP 7151547F C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1324] ole32.dll!CoCreateInstance 76369F3E 5 Bytes JMP 7141DBB8 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1748] ntdll.dll!NtCreateFile + 6 7795422A 4 Bytes [28, 00, 16, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1748] ntdll.dll!NtCreateFile + B 7795422F 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1748] ntdll.dll!NtMapViewOfSection + 6 7795497A 1 Byte [28]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1748] ntdll.dll!NtMapViewOfSection + 6 7795497A 4 Bytes [28, 03, 16, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1748] ntdll.dll!NtMapViewOfSection + B 7795497F 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1748] ntdll.dll!NtOpenFile + 6 77954A0A 4 Bytes [68, 00, 16, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1748] ntdll.dll!NtOpenFile + B 77954A0F 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1748] ntdll.dll!NtOpenProcess + 6 77954A8A 4 Bytes [A8, 01, 16, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1748] ntdll.dll!NtOpenProcess + B 77954A8F 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1748] ntdll.dll!NtOpenProcessToken + B 77954A9F 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1748] ntdll.dll!NtOpenProcessTokenEx + 6 77954AAA 4 Bytes [A8, 02, 16, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1748] ntdll.dll!NtOpenProcessTokenEx + B 77954AAF 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1748] ntdll.dll!NtOpenThread + 6 77954AFA 4 Bytes [68, 01, 16, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1748] ntdll.dll!NtOpenThread + B 77954AFF 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1748] ntdll.dll!NtOpenThreadToken + 6 77954B0A 4 Bytes [68, 02, 16, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1748] ntdll.dll!NtOpenThreadToken + B 77954B0F 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1748] ntdll.dll!NtOpenThreadTokenEx + B 77954B1F 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1748] ntdll.dll!NtQueryAttributesFile + 6 77954BAA 4 Bytes [A8, 00, 16, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1748] ntdll.dll!NtQueryAttributesFile + B 77954BAF 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1748] ntdll.dll!NtQueryFullAttributesFile + B 77954C5F 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1748] ntdll.dll!NtSetInformationFile + 6 7795513A 4 Bytes [28, 01, 16, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1748] ntdll.dll!NtSetInformationFile + B 7795513F 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1748] ntdll.dll!NtSetInformationThread + 6 7795518A 4 Bytes [28, 02, 16, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1748] ntdll.dll!NtSetInformationThread + B 7795518F 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1748] ntdll.dll!NtUnmapViewOfSection + 6 7795542A 1 Byte [68]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1748] ntdll.dll!NtUnmapViewOfSection + 6 7795542A 4 Bytes [68, 03, 16, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1748] ntdll.dll!NtUnmapViewOfSection + B 7795542F 1 Byte [E2]
.text C:\Windows\Explorer.EXE[1936] ntdll.dll!NtProtectVirtualMemory 77954B84 5 Bytes JMP 004E000A
.text C:\Windows\Explorer.EXE[1936] ntdll.dll!NtWriteVirtualMemory 779554C4 5 Bytes JMP 0185000A
.text C:\Windows\Explorer.EXE[1936] ntdll.dll!KiUserExceptionDispatcher 77955BF8 5 Bytes JMP 004D000A
.text C:\Program Files\Internet Explorer\iexplore.exe[1968] ntdll.dll!NtProtectVirtualMemory 77954B84 5 Bytes JMP 00E8000A
.text C:\Program Files\Internet Explorer\iexplore.exe[1968] ntdll.dll!NtWriteVirtualMemory 779554C4 5 Bytes JMP 00E9000A
.text C:\Program Files\Internet Explorer\iexplore.exe[1968] ntdll.dll!KiUserExceptionDispatcher 77955BF8 5 Bytes JMP 00E7000A
.text C:\Program Files\Internet Explorer\iexplore.exe[1968] USER32.dll!SetWindowsHookExW 769A87AD 5 Bytes JMP 71419B01 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1968] USER32.dll!CallNextHookEx 769A8E3B 5 Bytes JMP 7140D125 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1968] USER32.dll!UnhookWindowsHookEx 769A98DB 5 Bytes JMP 71384664 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1968] USER32.dll!CreateWindowExW 769B1305 5 Bytes JMP 7141DB5C C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1968] USER32.dll!DialogBoxParamW 769D10B0 5 Bytes JMP 713454BD C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1968] USER32.dll!DialogBoxIndirectParamW 769D2EF5 5 Bytes JMP 71515117 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1968] USER32.dll!DialogBoxParamA 769E8152 5 Bytes JMP 715150B4 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1968] USER32.dll!DialogBoxIndirectParamA 769E847D 5 Bytes JMP 7151517A C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1968] USER32.dll!MessageBoxIndirectA 769FD4D9 5 Bytes JMP 71515049 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1968] USER32.dll!MessageBoxIndirectW 769FD5D3 5 Bytes JMP 71514FDE C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1968] USER32.dll!MessageBoxExA 769FD639 5 Bytes JMP 71514F7C C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1968] USER32.dll!MessageBoxExW 769FD65D 5 Bytes JMP 71514F1A C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1968] ole32.dll!OleLoadFromStream 76331E80 5 Bytes JMP 7151547F C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1968] ole32.dll!CoCreateInstance 76369F3E 5 Bytes JMP 7141DBB8 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 TDL4@MBR code has been found <-- ROOTKIT !!!
Disk \Device\Harddisk0\DR0 sector 00: rootkit-like behavior

---- EOF - GMER 1.0.15 ----

Attached Files

  • Attached File  ark.txt   18.87KB   1 downloads

Edited by skater11, 20 May 2011 - 10:03 PM.
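The GMER output in this post carries three distinct signals: the same ntdll functions detoured to addresses GMER cannot attribute to any module in every scanned process, a "?" anomaly on the Temp\csrss.exe image, and the TDL4@MBR hit in the disk-sector section. The Python below is an added triage example for this thread; it is not code from the original post, from GMER or from BleepingComputer. It assumes GMER 1.0.15's plain-text line layout exactly as printed above, and its sample lines are constructed to mirror that log rather than reproduce it in full.

```python
"""Triage a GMER 1.0.15 rootkit-scan log: separate hooks that land in a named
module from detours into unattributed memory, surface process anomalies, and
pull out disk-sector rootkit hits. Added example; assumes GMER's line layout."""
import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set

# Constructed sample mirroring the shape of the log in the post (not the full log).
SAMPLE_LOG = r"""
---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Internet Explorer\iexplore.exe[472] ntdll.dll!NtProtectVirtualMemory 77954B84 5 Bytes JMP 0090000A
.text C:\Program Files\Internet Explorer\iexplore.exe[472] ntdll.dll!NtWriteVirtualMemory 779554C4 5 Bytes JMP 0091000A
.text C:\Program Files\Internet Explorer\iexplore.exe[472] USER32.dll!CreateWindowExW 769B1305 5 Bytes JMP 7141DB5C C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
? C:\Users\Liam\AppData\Local\Temp\csrss.exe[620] number of sections mismatch; time/date stamp mismatch; unknown module: OLEAUT32.dll
.text C:\Program Files\Google\Chrome\Application\chrome.exe[708] ntdll.dll!NtCreateFile + 6 7795422A 4 Bytes [28, 00, 06, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[708] ntdll.dll!NtCreateFile + B 7795422F 1 Byte [E2]
.text C:\Windows\Explorer.EXE[1936] ntdll.dll!NtProtectVirtualMemory 77954B84 5 Bytes JMP 004E000A
.text C:\Windows\Explorer.EXE[1936] ntdll.dll!NtWriteVirtualMemory 779554C4 5 Bytes JMP 0185000A

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 TDL4@MBR code has been found <-- ROOTKIT !!!
Disk \Device\Harddisk0\DR0 sector 00: rootkit-like behavior

---- EOF - GMER 1.0.15 ----
"""

HOOK_RE = re.compile(
    r"^\.text\s+(?P<proc>.+?)\[(?P<pid>\d+)\]\s+(?P<module>[^\s!]+)!(?P<func>\S+)"
    r"(?:\s+\+\s+(?P<offset>[0-9A-Fa-f]+))?\s+(?P<addr>[0-9A-Fa-f]+)\s+(?P<size>\d+)\s+Bytes?\s+(?P<detail>.*)$"
)
JMP_RE = re.compile(r"^JMP\s+(?P<target>[0-9A-Fa-f]+)(?:\s+(?P<owner>.+?)\s+\((?P<desc>[^)]*)\))?\s*$")
PATCH_RE = re.compile(r"^\[[0-9A-Fa-f]{2}(?:,\s*[0-9A-Fa-f]{2})*\]$")
ANOMALY_RE = re.compile(r"^\?\s+(?P<proc>.+?)\[(?P<pid>\d+)\]\s+(?P<detail>.*)$")
DISK_RE = re.compile(r"^Disk\s+(?P<device>\S+)\s+(?P<detail>.*)$")
SEVERITY_ORDER = ("critical", "high", "low", "info")


@dataclass(frozen=True)
class Finding:
    severity: str
    kind: str
    process: str   # process path, or the disk device for sector findings
    pid: int       # 0 when not applicable
    function: str  # module!function[+offset], empty when not applicable
    detail: str


def _classify_hook(m: re.Match) -> Finding:
    proc, pid = m["proc"], int(m["pid"])
    func = f"{m['module']}!{m['func']}" + (f"+{m['offset']}" if m["offset"] else "")
    detail = m["detail"]
    j = JMP_RE.match(detail)
    if j and j["owner"]:
        # Detour lands in a named, loaded module (IEFRAME.dll here): a normal in-process hook.
        return Finding("low", "jmp_attributed", proc, pid, func, j["owner"])
    if j:
        # Detour to an address GMER could attribute to no module: code that was injected.
        return Finding("high", "jmp_unattributed", proc, pid, func, f"target {j['target']}")
    if PATCH_RE.match(detail):
        # Inline byte edits rather than a detour; worth a look but not a rootkit signature alone.
        return Finding("info", "byte_patch", proc, pid, func, detail)
    return Finding("info", "other", proc, pid, func, detail)


def triage(log_text: str) -> List[Finding]:
    """Turn the raw GMER text into one Finding per hook, anomaly or disk-sector hit."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = HOOK_RE.match(line)
        if m:
            findings.append(_classify_hook(m))
            continue
        m = ANOMALY_RE.match(line)
        if m:  # '?' lines: the on-disk image disagrees with what is mapped in memory.
            findings.append(Finding("high", "module_anomaly", m["proc"], int(m["pid"]), "", m["detail"]))
            continue
        m = DISK_RE.match(line)
        if m and "rootkit" in m["detail"].lower():  # MBR code survives user-mode cleanup.
            findings.append(Finding("critical", "mbr_rootkit", m["device"], 0, "", m["detail"]))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    return dict(Counter(f.severity for f in findings))


def highest_severity(findings: List[Finding]) -> str:
    present = {f.severity for f in findings}
    return next((s for s in SEVERITY_ORDER if s in present), "none")


def functions_hooked_across_processes(findings: List[Finding]) -> Dict[str, Set[int]]:
    """Unattributed-JMP targets mapped to the PIDs they appear in. The same ntdll
    functions detoured in unrelated processes points to one injected component."""
    by_func: Dict[str, Set[int]] = defaultdict(set)
    for f in findings:
        if f.kind == "jmp_unattributed":
            by_func[f.function].add(f.pid)
    return dict(by_func)


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    print("overall:", highest_severity(results), summarize(results))
    for func, pids in functions_hooked_across_processes(results).items():
        print(f"{func} detoured to unattributed memory in PIDs {sorted(pids)}")
```

Run as-is it reports the sample as critical, counts two MBR hits and five high-severity items, and shows NtProtectVirtualMemory and NtWriteVirtualMemory detoured in both PID 472 and PID 1936, which is the cross-process pattern that distinguishes an injected component from an application hooking itself. The Chrome byte patches and the IEFRAME.dll detours are deliberately ranked low so they do not drown out the findings that matter.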



#2 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,749 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto Rico
  • Local time:05:46 AM

Posted 20 May 2011 - 10:03 PM

Hi, :)


You may be infected with a backdoor trojan. I would suggest you backup your important documents before proceeding.

Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop.
  • Once extracted, open the TDSSKiller folder and double-click on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure; click on Continue.
  • If a suspicious file is detected, the default action will be Skip; click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory (usually the C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

No request for help through private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!


#3 skater11

skater11
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:04:46 AM

Posted 20 May 2011 - 10:14 PM

I clicked Restore because there was no Cure selection. Is that the same thing?

2011/05/20 20:06:26.0743 TDSS rootkit removing tool 2.4.4.0 Oct 4 2010 09:06:59
2011/05/20 20:06:26.0743 ================================================================================
2011/05/20 20:06:26.0743 SystemInfo:
2011/05/20 20:06:26.0743
2011/05/20 20:06:26.0743 OS Version: 6.0.6002 ServicePack: 2.0
2011/05/20 20:06:26.0743 Product type: Workstation
2011/05/20 20:06:26.0743 ComputerName: LIAM-PC
2011/05/20 20:06:26.0743 UserName: Liam
2011/05/20 20:06:26.0743 Windows directory: C:\Windows
2011/05/20 20:06:26.0743 System windows directory: C:\Windows
2011/05/20 20:06:26.0743 Processor architecture: Intel x86
2011/05/20 20:06:26.0743 Number of processors: 1
2011/05/20 20:06:26.0743 Page size: 0x1000
2011/05/20 20:06:26.0743 Boot type: Safe boot with network
2011/05/20 20:06:26.0743 ================================================================================
2011/05/20 20:06:27.0163 Initialize success
2011/05/20 20:06:30.0261 ================================================================================
2011/05/20 20:06:30.0261 Scan started
2011/05/20 20:06:30.0261 Mode: Manual;
2011/05/20 20:06:30.0261 ================================================================================
2011/05/20 20:06:33.0435 ACPI (82b296ae1892fe3dbee00c9cf92f8ac7) C:\Windows\system32\drivers\acpi.sys
2011/05/20 20:06:33.0554 adp94xx (2edc5bbac6c651ece337bde8ed97c9fb) C:\Windows\system32\drivers\adp94xx.sys
2011/05/20 20:06:33.0614 adpahci (b84088ca3cdca97da44a984c6ce1ccad) C:\Windows\system32\drivers\adpahci.sys
2011/05/20 20:06:33.0664 adpu160m (7880c67bccc27c86fd05aa2afb5ea469) C:\Windows\system32\drivers\adpu160m.sys
2011/05/20 20:06:33.0705 adpu320 (9ae713f8e30efc2abccd84904333df4d) C:\Windows\system32\drivers\adpu320.sys
2011/05/20 20:06:33.0846 AFD (a201207363aa900abf1a388468688570) C:\Windows\system32\drivers\afd.sys
2011/05/20 20:06:33.0933 agp440 (ef23439cdd587f64c2c1b8825cead7d8) C:\Windows\system32\drivers\agp440.sys
2011/05/20 20:06:33.0979 aic78xx (ae1fdf7bf7bb6c6a70f67699d880592a) C:\Windows\system32\drivers\djsvs.sys
2011/05/20 20:06:34.0023 aliide (90395b64600ebb4552e26e178c94b2e4) C:\Windows\system32\drivers\aliide.sys
2011/05/20 20:06:34.0072 amdagp (2b13e304c9dfdfa5eb582f6a149fa2c7) C:\Windows\system32\drivers\amdagp.sys
2011/05/20 20:06:34.0112 amdide (0577df1d323fe75a739c787893d300ea) C:\Windows\system32\drivers\amdide.sys
2011/05/20 20:06:34.0142 AmdK7 (dc487885bcef9f28eece6fac0e5ddfc5) C:\Windows\system32\drivers\amdk7.sys
2011/05/20 20:06:34.0184 AmdK8 (0ca0071da4315b00fc1328ca86b425da) C:\Windows\system32\drivers\amdk8.sys
2011/05/20 20:06:34.0334 arc (5f673180268bb1fdb69c99b6619fe379) C:\Windows\system32\drivers\arc.sys
2011/05/20 20:06:34.0419 arcsas (957f7540b5e7f602e44648c7de5a1c05) C:\Windows\system32\drivers\arcsas.sys
2011/05/20 20:06:34.0484 AsyncMac (53b202abee6455406254444303e87be1) C:\Windows\system32\DRIVERS\asyncmac.sys
2011/05/20 20:06:34.0531 atapi (1f05b78ab91c9075565a9d8a4b880bc4) C:\Windows\system32\drivers\atapi.sys
2011/05/20 20:06:34.0715 avipbb (bdb37b3b217f5181a5bc129c50844f98) C:\Windows\system32\DRIVERS\avipbb.sys
2011/05/20 20:06:34.0805 BCM43XV (746f59822a5187510471fc46889b8cc9) C:\Windows\system32\DRIVERS\bcmwl6.sys
2011/05/20 20:06:34.0857 BCM43XX (746f59822a5187510471fc46889b8cc9) C:\Windows\system32\DRIVERS\bcmwl6.sys
2011/05/20 20:06:34.0991 Beep (67e506b75bd5326a3ec7b70bd014dfb6) C:\Windows\system32\drivers\Beep.sys
2011/05/20 20:06:35.0106 bowser (35f376253f687bde63976ccb3f2108ca) C:\Windows\system32\DRIVERS\bowser.sys
2011/05/20 20:06:35.0168 BrFiltLo (9f9acc7f7ccde8a15c282d3f88b43309) C:\Windows\system32\drivers\brfiltlo.sys
2011/05/20 20:06:35.0214 BrFiltUp (56801ad62213a41f6497f96dee83755a) C:\Windows\system32\drivers\brfiltup.sys
2011/05/20 20:06:35.0252 Brserid (b304e75cff293029eddf094246747113) C:\Windows\system32\drivers\brserid.sys
2011/05/20 20:06:35.0290 BrSerWdm (203f0b1e73adadbbb7b7b1fabd901f6b) C:\Windows\system32\drivers\brserwdm.sys
2011/05/20 20:06:35.0333 BrUsbMdm (bd456606156ba17e60a04e18016ae54b) C:\Windows\system32\drivers\brusbmdm.sys
2011/05/20 20:06:35.0364 BrUsbSer (af72ed54503f717a43268b3cc5faec2e) C:\Windows\system32\drivers\brusbser.sys
2011/05/20 20:06:35.0409 BTHMODEM (ad07c1ec6665b8b35741ab91200c6b68) C:\Windows\system32\drivers\bthmodem.sys
2011/05/20 20:06:35.0470 cdfs (7add03e75beb9e6dd102c3081d29840a) C:\Windows\system32\DRIVERS\cdfs.sys
2011/05/20 20:06:35.0540 cdrom (6b4bffb9becd728097024276430db314) C:\Windows\system32\DRIVERS\cdrom.sys
2011/05/20 20:06:35.0581 circlass (da8e0afc7baa226c538ef53ac2f90897) C:\Windows\system32\drivers\circlass.sys
2011/05/20 20:06:35.0654 CLFS (d7659d3b5b92c31e84e53c1431f35132) C:\Windows\system32\CLFS.sys
2011/05/20 20:06:35.0842 CmBatt (99afc3795b58cc478fbbbcdc658fcb56) C:\Windows\system32\DRIVERS\CmBatt.sys
2011/05/20 20:06:35.0885 cmdide (45201046c776ffdaf3fc8a0029c581c8) C:\Windows\system32\drivers\cmdide.sys
2011/05/20 20:06:35.0958 Compbatt (6afef0b60fa25de07c0968983ee4f60a) C:\Windows\system32\DRIVERS\compbatt.sys
2011/05/20 20:06:35.0987 crcdisk (2a213ae086bbec5e937553c7d9a2b22c) C:\Windows\system32\drivers\crcdisk.sys
2011/05/20 20:06:36.0033 Crusoe (22a7f883508176489f559ee745b5bf5d) C:\Windows\system32\drivers\crusoe.sys
2011/05/20 20:06:36.0118 DfsC (218d8ae46c88e82014f5d73d0236d9b2) C:\Windows\system32\Drivers\dfsc.sys
2011/05/20 20:06:36.0238 disk (5d4aefc3386920236a548271f8f1af6a) C:\Windows\system32\drivers\disk.sys
2011/05/20 20:06:36.0311 drmkaud (97fef831ab90bee128c9af390e243f80) C:\Windows\system32\drivers\drmkaud.sys
2011/05/20 20:06:36.0381 DXGKrnl (c68ac676b0ef30cfbb1080adce49eb1f) C:\Windows\System32\drivers\dxgkrnl.sys
2011/05/20 20:06:36.0460 E100B (d00eeae1cacd77a1a8396bbc19140bba) C:\Windows\system32\DRIVERS\e100b325.sys
2011/05/20 20:06:36.0558 E1G60 (f88fb26547fd2ce6d0a5af2985892c48) C:\Windows\system32\DRIVERS\E1G60I32.sys
2011/05/20 20:06:36.0628 eabfiltr (e88b0cfcecf745211bba87f44f85d0dd) C:\Windows\system32\DRIVERS\eabfiltr.sys
2011/05/20 20:06:36.0734 Ecache (7f64ea048dcfac7acf8b4d7b4e6fe371) C:\Windows\system32\drivers\ecache.sys
2011/05/20 20:06:36.0865 elxstor (e8f3f21a71720c84bcf423b80028359f) C:\Windows\system32\drivers\elxstor.sys
2011/05/20 20:06:36.0986 exfat (22b408651f9123527bcee54b4f6c5cae) C:\Windows\system32\drivers\exfat.sys
2011/05/20 20:06:37.0034 fastfat (1e9b9a70d332103c52995e957dc09ef8) C:\Windows\system32\drivers\fastfat.sys
2011/05/20 20:06:37.0151 fdc (63bdada84951b9c03e641800e176898a) C:\Windows\system32\DRIVERS\fdc.sys
2011/05/20 20:06:37.0257 FileInfo (a8c0139a884861e3aae9cfe73b208a9f) C:\Windows\system32\drivers\fileinfo.sys
2011/05/20 20:06:37.0312 Filetrace (0ae429a696aecbc5970e3cf2c62635ae) C:\Windows\system32\drivers\filetrace.sys
2011/05/20 20:06:37.0360 flpydisk (6603957eff5ec62d25075ea8ac27de68) C:\Windows\system32\DRIVERS\flpydisk.sys
2011/05/20 20:06:37.0422 FltMgr (01334f9ea68e6877c4ef05d3ea8abb05) C:\Windows\system32\drivers\fltmgr.sys
2011/05/20 20:06:37.0552 Fs_Rec (65ea8b77b5851854f0c55c43fa51a198) C:\Windows\system32\drivers\Fs_Rec.sys
2011/05/20 20:06:37.0594 gagp30kx (4e1cd0a45c50a8882616cae5bf82f3c5) C:\Windows\system32\drivers\gagp30kx.sys
2011/05/20 20:06:37.0648 GEARAspiWDM (ab8a6a87d9d7255c3884d5b9541a6e80) C:\Windows\system32\Drivers\GEARAspiWDM.sys
2011/05/20 20:06:37.0790 HBtnKey (de15777902a5d9121857d155873a1d1b) C:\Windows\system32\DRIVERS\cpqbttn.sys
2011/05/20 20:06:37.0852 HdAudAddService (07eee11d6e2b78122e17db3878b4c687) C:\Windows\system32\drivers\CHDART.sys
2011/05/20 20:06:37.0927 HDAudBus (062452b7ffd68c8c042a6261fe8dff4a) C:\Windows\system32\DRIVERS\HDAudBus.sys
2011/05/20 20:06:37.0986 HidBth (1338520e78d90154ed6be8f84de5fceb) C:\Windows\system32\drivers\hidbth.sys
2011/05/20 20:06:38.0021 HidIr (ff3160c3a2445128c5a6d9b076da519e) C:\Windows\system32\drivers\hidir.sys
2011/05/20 20:06:38.0078 HidUsb (cca4b519b17e23a00b826c55716809cc) C:\Windows\system32\DRIVERS\hidusb.sys
2011/05/20 20:06:38.0121 HpCISSs (df353b401001246853763c4b7aaa6f50) C:\Windows\system32\drivers\hpcisss.sys
2011/05/20 20:06:38.0190 HSFHWAZL (46d67209550973257601a533e2ac5785) C:\Windows\system32\DRIVERS\VSTAZL3.SYS
2011/05/20 20:06:38.0277 HSF_DPV (ec36f1d542ed4252390d446bf6d4dfd0) C:\Windows\system32\DRIVERS\VSTDPV3.SYS
2011/05/20 20:06:38.0513 HTTP (f870aa3e254628ebeafe754108d664de) C:\Windows\system32\drivers\HTTP.sys
2011/05/20 20:06:38.0565 i2omp (324c2152ff2c61abae92d09f3cca4d63) C:\Windows\system32\drivers\i2omp.sys
2011/05/20 20:06:38.0630 i8042prt (22d56c8184586b7a1f6fa60be5f5a2bd) C:\Windows\system32\DRIVERS\i8042prt.sys
2011/05/20 20:06:38.0740 ialm (dbb0588936e43c5f16b643f90f53c06d) C:\Windows\system32\DRIVERS\igdkmd32.sys
2011/05/20 20:06:38.0854 iaStorV (c957bf4b5d80b46c5017bf0101e6c906) C:\Windows\system32\drivers\iastorv.sys
2011/05/20 20:06:39.0029 igfx (dbb0588936e43c5f16b643f90f53c06d) C:\Windows\system32\DRIVERS\igdkmd32.sys
2011/05/20 20:06:39.0100 iirsp (2d077bf86e843f901d8db709c95b49a5) C:\Windows\system32\drivers\iirsp.sys
2011/05/20 20:06:39.0233 intelide (83aa759f3189e6370c30de5dc5590718) C:\Windows\system32\drivers\intelide.sys
2011/05/20 20:06:39.0304 intelppm (224191001e78c89dfa78924c3ea595ff) C:\Windows\system32\DRIVERS\intelppm.sys
2011/05/20 20:06:39.0373 IpFilterDriver (62c265c38769b864cb25b4bcf62df6c3) C:\Windows\system32\DRIVERS\ipfltdrv.sys
2011/05/20 20:06:39.0481 IPMIDRV (40f34f8aba2a015d780e4b09138b6c17) C:\Windows\system32\drivers\ipmidrv.sys
2011/05/20 20:06:39.0539 IPNAT (8793643a67b42cec66490b2a0cf92d68) C:\Windows\system32\DRIVERS\ipnat.sys
2011/05/20 20:06:39.0596 IRENUM (109c0dfb82c3632fbd11949b73aeeac9) C:\Windows\system32\drivers\irenum.sys
2011/05/20 20:06:39.0652 isapnp (350fca7e73cf65bcef43fae1e4e91293) C:\Windows\system32\drivers\isapnp.sys
2011/05/20 20:06:39.0707 iScsiPrt (232fa340531d940aac623b121a595034) C:\Windows\system32\DRIVERS\msiscsi.sys
2011/05/20 20:06:39.0752 iteatapi (bced60d16156e428f8df8cf27b0df150) C:\Windows\system32\drivers\iteatapi.sys
2011/05/20 20:06:39.0782 iteraid (06fa654504a498c30adca8bec4e87e7e) C:\Windows\system32\drivers\iteraid.sys
2011/05/20 20:06:39.0854 kbdclass (37605e0a8cf00cbba538e753e4344c6e) C:\Windows\system32\DRIVERS\kbdclass.sys
2011/05/20 20:06:39.0919 kbdhid (ede59ec70e25c24581add1fbec7325f7) C:\Windows\system32\DRIVERS\kbdhid.sys
2011/05/20 20:06:39.0989 KSecDD (86165728af9bf72d6442a894fdfb4f8b) C:\Windows\system32\Drivers\ksecdd.sys
2011/05/20 20:06:40.0108 lltdio (d1c5883087a0c3f1344d9d55a44901f6) C:\Windows\system32\DRIVERS\lltdio.sys
2011/05/20 20:06:40.0213 LSI_FC (a2262fb9f28935e862b4db46438c80d2) C:\Windows\system32\drivers\lsi_fc.sys
2011/05/20 20:06:40.0253 LSI_SAS (30d73327d390f72a62f32c103daf1d6d) C:\Windows\system32\drivers\lsi_sas.sys
2011/05/20 20:06:40.0329 LSI_SCSI (e1e36fefd45849a95f1ab81de0159fe3) C:\Windows\system32\drivers\lsi_scsi.sys
2011/05/20 20:06:40.0382 luafv (8f5c7426567798e62a3b3614965d62cc) C:\Windows\system32\drivers\luafv.sys
2011/05/20 20:06:40.0467 MCSTRM (5bb01b9f582259d1fb7653c5c1da3653) C:\Windows\system32\drivers\MCSTRM.sys
2011/05/20 20:06:40.0545 megasas (d153b14fc6598eae8422a2037553adce) C:\Windows\system32\drivers\megasas.sys
2011/05/20 20:06:40.0615 Modem (e13b5ea0f51ba5b1512ec671393d09ba) C:\Windows\system32\drivers\modem.sys
2011/05/20 20:06:40.0671 monitor (0a9bb33b56e294f686abb7c1e4e2d8a8) C:\Windows\system32\DRIVERS\monitor.sys
2011/05/20 20:06:40.0725 mouclass (5bf6a1326a335c5298477754a506d263) C:\Windows\system32\DRIVERS\mouclass.sys
2011/05/20 20:06:40.0756 mouhid (93b8d4869e12cfbe663915502900876f) C:\Windows\system32\DRIVERS\mouhid.sys
2011/05/20 20:06:40.0806 MountMgr (bdafc88aa6b92f7842416ea6a48e1600) C:\Windows\system32\drivers\mountmgr.sys
2011/05/20 20:06:40.0896 mpio (583a41f26278d9e0ea548163d6139397) C:\Windows\system32\drivers\mpio.sys
2011/05/20 20:06:40.0941 mpsdrv (22241feba9b2defa669c8cb0a8dd7d2e) C:\Windows\system32\drivers\mpsdrv.sys
2011/05/20 20:06:40.0986 Mraid35x (4fbbb70d30fd20ec51f80061703b001e) C:\Windows\system32\drivers\mraid35x.sys
2011/05/20 20:06:41.0029 MRxDAV (82cea0395524aacfeb58ba1448e8325c) C:\Windows\system32\drivers\mrxdav.sys
2011/05/20 20:06:41.0081 mrxsmb (5fe5cf325f5b02ebc60832d3440cb414) C:\Windows\system32\DRIVERS\mrxsmb.sys
2011/05/20 20:06:41.0113 mrxsmb10 (30b9c769446af379a2afb72b0392604d) C:\Windows\system32\DRIVERS\mrxsmb10.sys
2011/05/20 20:06:41.0139 mrxsmb20 (fea239b3ec4877e2b7e23204af589ddf) C:\Windows\system32\DRIVERS\mrxsmb20.sys
2011/05/20 20:06:41.0261 msahci (5457dcfa7c0da43522f4d9d4049c1472) C:\Windows\system32\drivers\msahci.sys
2011/05/20 20:06:41.0305 msdsm (3fc82a2ae4cc149165a94699183d3028) C:\Windows\system32\drivers\msdsm.sys
2011/05/20 20:06:41.0377 Msfs (a9927f4a46b816c92f461acb90cf8515) C:\Windows\system32\drivers\Msfs.sys
2011/05/20 20:06:41.0431 msisadrv (0f400e306f385c56317357d6dea56f62) C:\Windows\system32\drivers\msisadrv.sys
2011/05/20 20:06:41.0541 MSKSSRV (d8c63d34d9c9e56c059e24ec7185cc07) C:\Windows\system32\drivers\MSKSSRV.sys
2011/05/20 20:06:41.0576 MSPCLOCK (1d373c90d62ddb641d50e55b9e78d65e) C:\Windows\system32\drivers\MSPCLOCK.sys
2011/05/20 20:06:41.0612 MSPQM (b572da05bf4e098d4bba3a4734fb505b) C:\Windows\system32\drivers\MSPQM.sys
2011/05/20 20:06:41.0661 MsRPC (b49456d70555de905c311bcda6ec6adb) C:\Windows\system32\drivers\MsRPC.sys
2011/05/20 20:06:41.0722 mssmbios (e384487cb84be41d09711c30ca79646c) C:\Windows\system32\DRIVERS\mssmbios.sys
2011/05/20 20:06:41.0768 MSTEE (7199c1eec1e4993caf96b8c0a26bd58a) C:\Windows\system32\drivers\MSTEE.sys
2011/05/20 20:06:41.0816 Mup (6a57b5733d4cb702c8ea4542e836b96c) C:\Windows\system32\Drivers\mup.sys
2011/05/20 20:06:41.0883 NativeWifiP (85c44fdff9cf7e72a40dcb7ec06a4416) C:\Windows\system32\DRIVERS\nwifi.sys
2011/05/20 20:06:42.0009 NDIS (1357274d1883f68300aeadd15d7bbb42) C:\Windows\system32\drivers\ndis.sys
2011/05/20 20:06:42.0117 NdisTapi (0e186e90404980569fb449ba7519ae61) C:\Windows\system32\DRIVERS\ndistapi.sys
2011/05/20 20:06:42.0172 Ndisuio (d6973aa34c4d5d76c0430b181c3cd389) C:\Windows\system32\DRIVERS\ndisuio.sys
2011/05/20 20:06:42.0230 NdisWan (818f648618ae34f729fdb47ec68345c3) C:\Windows\system32\DRIVERS\ndiswan.sys
2011/05/20 20:06:42.0274 NDProxy (71dab552b41936358f3b541ae5997fb3) C:\Windows\system32\drivers\NDProxy.sys
2011/05/20 20:06:42.0333 NetBIOS (bcd093a5a6777cf626434568dc7dba78) C:\Windows\system32\DRIVERS\netbios.sys
2011/05/20 20:06:42.0386 netbt (ecd64230a59cbd93c85f1cd1cab9f3f6) C:\Windows\system32\DRIVERS\netbt.sys
2011/05/20 20:06:42.0530 NETw3v32 (ea30bd026a7d1b745a37516880c4ac1b) C:\Windows\system32\DRIVERS\NETw3v32.sys
2011/05/20 20:06:42.0641 nfrd960 (2e7fb731d4790a1bc6270accefacb36e) C:\Windows\system32\drivers\nfrd960.sys
2011/05/20 20:06:42.0696 Npfs (d36f239d7cce1931598e8fb90a0dbc26) C:\Windows\system32\drivers\Npfs.sys
2011/05/20 20:06:42.0761 nsiproxy (609773e344a97410ce4ebf74a8914fcf) C:\Windows\system32\drivers\nsiproxy.sys
2011/05/20 20:06:42.0851 Ntfs (6a4a98cee84cf9e99564510dda4baa47) C:\Windows\system32\drivers\Ntfs.sys
2011/05/20 20:06:42.0932 ntrigdigi (e875c093aec0c978a90f30c9e0dfbb72) C:\Windows\system32\drivers\ntrigdigi.sys
2011/05/20 20:06:42.0984 Null (c5dbbcda07d780bda9b685df333bb41e) C:\Windows\system32\drivers\Null.sys
2011/05/20 20:06:43.0023 nvraid (e69e946f80c1c31c53003bfbf50cbb7c) C:\Windows\system32\drivers\nvraid.sys
2011/05/20 20:06:43.0062 nvstor (9e0ba19a28c498a6d323d065db76dffc) C:\Windows\system32\drivers\nvstor.sys
2011/05/20 20:06:43.0105 nv_agp (07c186427eb8fcc3d8d7927187f260f7) C:\Windows\system32\drivers\nv_agp.sys
2011/05/20 20:06:43.0227 ohci1394 (6f310e890d46e246e0e261a63d9b36b4) C:\Windows\system32\DRIVERS\ohci1394.sys
2011/05/20 20:06:43.0305 Parport (0fa9b5055484649d63c303fe404e5f4d) C:\Windows\system32\drivers\parport.sys
2011/05/20 20:06:43.0360 partmgr (57389fa59a36d96b3eb09d0cb91e9cdc) C:\Windows\system32\drivers\partmgr.sys
2011/05/20 20:06:43.0400 Parvdm (4f9a6a8a31413180d0fcb279ad5d8112) C:\Windows\system32\drivers\parvdm.sys
2011/05/20 20:06:43.0458 pci (941dc1d19e7e8620f40bbc206981efdb) C:\Windows\system32\drivers\pci.sys
2011/05/20 20:06:43.0496 pciide (3b1901e401473e03eb8c874271e50c26) C:\Windows\system32\drivers\pciide.sys
2011/05/20 20:06:43.0537 pcmcia (e6f3fb1b86aa519e7698ad05e58b04e5) C:\Windows\system32\drivers\pcmcia.sys
2011/05/20 20:06:43.0634 PEAUTH (6349f6ed9c623b44b52ea3c63c831a92) C:\Windows\system32\drivers\peauth.sys
2011/05/20 20:06:43.0818 PptpMiniport (ecfffaec0c1ecd8dbc77f39070ea1db1) C:\Windows\system32\DRIVERS\raspptp.sys
2011/05/20 20:06:43.0894 Processor (0e3cef5d28b40cf273281d620c50700a) C:\Windows\system32\drivers\processr.sys
2011/05/20 20:06:43.0961 PSched (99514faa8df93d34b5589187db3aa0ba) C:\Windows\system32\DRIVERS\pacer.sys
2011/05/20 20:06:44.0026 PxHelp20 (e42e3433dbb4cffe8fdd91eab29aea8e) C:\Windows\system32\Drivers\PxHelp20.sys
2011/05/20 20:06:44.0134 ql2300 (ccdac889326317792480c0a67156a1ec) C:\Windows\system32\drivers\ql2300.sys
2011/05/20 20:06:44.0256 ql40xx (81a7e5c076e59995d54bc1ed3a16e60b) C:\Windows\system32\drivers\ql40xx.sys
2011/05/20 20:06:44.0324 QWAVEdrv (9f5e0e1926014d17486901c88eca2db7) C:\Windows\system32\drivers\qwavedrv.sys
2011/05/20 20:06:44.0393 RasAcd (147d7f9c556d259924351feb0de606c3) C:\Windows\system32\DRIVERS\rasacd.sys
2011/05/20 20:06:44.0471 Rasl2tp (a214adbaf4cb47dd2728859ef31f26b0) C:\Windows\system32\DRIVERS\rasl2tp.sys
2011/05/20 20:06:44.0540 RasPppoe (509a98dd18af4375e1fc40bc175f1def) C:\Windows\system32\DRIVERS\raspppoe.sys
2011/05/20 20:06:44.0580 RasSstp (2005f4a1e05fa09389ac85840f0a9e4d) C:\Windows\system32\DRIVERS\rassstp.sys
2011/05/20 20:06:44.0650 rdbss (b14c9d5b9add2f84f70570bbbfaa7935) C:\Windows\system32\DRIVERS\rdbss.sys
2011/05/20 20:06:44.0715 RDPCDD (89e59be9a564262a3fb6c4f4f1cd9899) C:\Windows\system32\DRIVERS\RDPCDD.sys
2011/05/20 20:06:44.0800 rdpdr (e8bd98d46f2ed77132ba927fccb47d8b) C:\Windows\system32\drivers\rdpdr.sys
2011/05/20 20:06:44.0864 RDPENCDD (9d91fe5286f748862ecffa05f8a0710c) C:\Windows\system32\drivers\rdpencdd.sys
2011/05/20 20:06:44.0946 RDPWD (30bfbdfb7f95559ede971f9ddb9a00ba) C:\Windows\system32\drivers\RDPWD.sys
2011/05/20 20:06:45.0031 rimmptsk (d85e3fa9f5b1f29bb4ed185c450d1470) C:\Windows\system32\DRIVERS\rimmptsk.sys
2011/05/20 20:06:45.0066 rimsptsk (db8eb01c58c9fada00c70b1775278ae0) C:\Windows\system32\DRIVERS\rimsptsk.sys
2011/05/20 20:06:45.0149 RimUsb (f17713d108aca124a139fde877eef68a) C:\Windows\system32\Drivers\RimUsb.sys
2011/05/20 20:06:45.0230 RimVSerPort (d9b34325ee5df78b8f28a3de9f577c7d) C:\Windows\system32\DRIVERS\RimSerial.sys
2011/05/20 20:06:45.0302 rismxdp (6c1f93c0760c9f79a1869d07233df39d) C:\Windows\system32\DRIVERS\rixdptsk.sys
2011/05/20 20:06:45.0445 ROOTMODEM (75e8a6bfa7374aba833ae92bf41ae4e6) C:\Windows\system32\Drivers\RootMdm.sys
2011/05/20 20:06:45.0600 rspndr (9c508f4074a39e8b4b31d27198146fad) C:\Windows\system32\DRIVERS\rspndr.sys
2011/05/20 20:06:45.0689 sbp2port (3ce8f073a557e172b330109436984e30) C:\Windows\system32\drivers\sbp2port.sys
2011/05/20 20:06:45.0817 sdbus (8f36b54688c31eed4580129040c6a3d3) C:\Windows\system32\DRIVERS\sdbus.sys
2011/05/20 20:06:45.0884 secdrv (90a3935d05b494a5a39d37e71f09a677) C:\Windows\system32\drivers\secdrv.sys
2011/05/20 20:06:45.0958 Serenum (68e44e331d46f0fb38f0863a84cd1a31) C:\Windows\system32\drivers\serenum.sys
2011/05/20 20:06:46.0017 Serial (c70d69a918b178d3c3b06339b40c2e1b) C:\Windows\system32\drivers\serial.sys
2011/05/20 20:06:46.0086 sermouse (8af3d28a879bf75db53a0ee7a4289624) C:\Windows\system32\drivers\sermouse.sys
2011/05/20 20:06:46.0203 sffdisk (3efa810bdca87f6ecc24f9832243fe86) C:\Windows\system32\DRIVERS\sffdisk.sys
2011/05/20 20:06:46.0272 sffp_mmc (8fd08a310645fe872eeec6e08c6bf3ee) C:\Windows\system32\drivers\sffp_mmc.sys
2011/05/20 20:06:46.0329 sffp_sd (9f66a46c55d6f1ccabc79bb7afccc545) C:\Windows\system32\DRIVERS\sffp_sd.sys
2011/05/20 20:06:46.0378 sfloppy (46ed8e91793b2e6f848015445a0ac188) C:\Windows\system32\drivers\sfloppy.sys
2011/05/20 20:06:46.0451 sisagp (d2a595d6eebeeaf4334f8e50efbc9931) C:\Windows\system32\drivers\sisagp.sys
2011/05/20 20:06:46.0504 SiSRaid2 (cedd6f4e7d84e9f98b34b3fe988373aa) C:\Windows\system32\drivers\sisraid2.sys
2011/05/20 20:06:46.0554 SiSRaid4 (df843c528c4f69d12ce41ce462e973a7) C:\Windows\system32\drivers\sisraid4.sys
2011/05/20 20:06:46.0719 Smb (7b75299a4d201d6a6533603d6914ab04) C:\Windows\system32\DRIVERS\smb.sys
2011/05/20 20:06:46.0955 SNP2UVC (5140166bbcafe1393d4669353a1f8c0a) C:\Windows\system32\DRIVERS\snp2uvc.sys
2011/05/20 20:06:47.0206 spldr (7aebdeef071fe28b0eef2cdd69102bff) C:\Windows\system32\drivers\spldr.sys
2011/05/20 20:06:47.0269 srenum (119b02656ed83b2caa47739c453326df) C:\Windows\system32\DRIVERS\srenum.sys
2011/05/20 20:06:47.0344 srv (41987f9fc0e61adf54f581e15029ad91) C:\Windows\system32\DRIVERS\srv.sys
2011/05/20 20:06:47.0416 srv2 (a5940ca32ed206f90be9fabdf6e92de4) C:\Windows\system32\DRIVERS\srv2.sys
2011/05/20 20:06:47.0462 srvnet (37aa1d560d5fa486c4b11c2f276ada61) C:\Windows\system32\DRIVERS\srvnet.sys
2011/05/20 20:06:47.0515 ssmdrv (3d2829fde1c52fc64da5413889ce4dee) C:\Windows\system32\DRIVERS\ssmdrv.sys
2011/05/20 20:06:47.0620 swenum (7ba58ecf0c0a9a69d44b3dca62becf56) C:\Windows\system32\DRIVERS\swenum.sys
2011/05/20 20:06:47.0694 Symc8xx (192aa3ac01df071b541094f251deed10) C:\Windows\system32\drivers\symc8xx.sys
2011/05/20 20:06:47.0749 Sym_hi (8c8eb8c76736ebaf3b13b633b2e64125) C:\Windows\system32\drivers\sym_hi.sys
2011/05/20 20:06:47.0819 Sym_u3 (8072af52b5fd103bbba387a1e49f62cb) C:\Windows\system32\drivers\sym_u3.sys
2011/05/20 20:06:47.0940 SynTP (8327106d1c93e9a7b98e63b9fcc24bb7) C:\Windows\system32\DRIVERS\SynTP.sys
2011/05/20 20:06:48.0106 Tcpip (a474879afa4a596b3a531f3e69730dbf) C:\Windows\system32\drivers\tcpip.sys
2011/05/20 20:06:48.0217 Tcpip6 (a474879afa4a596b3a531f3e69730dbf) C:\Windows\system32\DRIVERS\tcpip.sys
2011/05/20 20:06:48.0295 tcpipreg (608c345a255d82a6289c2d468eb41fd7) C:\Windows\system32\drivers\tcpipreg.sys
2011/05/20 20:06:48.0362 TDPIPE (5dcf5e267be67a1ae926f2df77fbcc56) C:\Windows\system32\drivers\tdpipe.sys
2011/05/20 20:06:48.0415 TDTCP (389c63e32b3cefed425b61ed92d3f021) C:\Windows\system32\drivers\tdtcp.sys
2011/05/20 20:06:48.0483 tdx (76b06eb8a01fc8624d699e7045303e54) C:\Windows\system32\DRIVERS\tdx.sys
2011/05/20 20:06:48.0559 TermDD (3cad38910468eab9a6479e2f01db43c7) C:\Windows\system32\DRIVERS\termdd.sys
2011/05/20 20:06:48.0669 tssecsrv (dcf0f056a2e4f52287264f5ab29cf206) C:\Windows\system32\DRIVERS\tssecsrv.sys
2011/05/20 20:06:48.0726 tunmp (caecc0120ac49e3d2f758b9169872d38) C:\Windows\system32\DRIVERS\tunmp.sys
2011/05/20 20:06:48.0789 tunnel (300db877ac094feab0be7688c3454a9c) C:\Windows\system32\DRIVERS\tunnel.sys
2011/05/20 20:06:48.0855 uagp35 (c3ade15414120033a36c0f293d4a4121) C:\Windows\system32\drivers\uagp35.sys
2011/05/20 20:06:48.0927 udfs (d9728af68c4c7693cb100b8441cbdec6) C:\Windows\system32\DRIVERS\udfs.sys
2011/05/20 20:06:49.0008 uliagpkx (75e6890ebfce0841d3291b02e7a8bdb0) C:\Windows\system32\drivers\uliagpkx.sys
2011/05/20 20:06:49.0079 uliahci (3cd4ea35a6221b85dcc25daa46313f8d) C:\Windows\system32\drivers\uliahci.sys
2011/05/20 20:06:49.0211 UlSata (8514d0e5cd0534467c5fc61be94a569f) C:\Windows\system32\drivers\ulsata.sys
2011/05/20 20:06:49.0266 ulsata2 (38c3c6e62b157a6bc46594fada45c62b) C:\Windows\system32\drivers\ulsata2.sys
2011/05/20 20:06:49.0338 umbus (32cff9f809ae9aed85464492bf3e32d2) C:\Windows\system32\DRIVERS\umbus.sys
2011/05/20 20:06:49.0421 USBAAPL (1df89c499bf45d878b87ebd4421d462d) C:\Windows\system32\Drivers\usbaapl.sys
2011/05/20 20:06:49.0491 usbccgp (caf811ae4c147ffcd5b51750c7f09142) C:\Windows\system32\DRIVERS\usbccgp.sys
2011/05/20 20:06:49.0563 usbcir (e9476e6c486e76bc4898074768fb7131) C:\Windows\system32\drivers\usbcir.sys
2011/05/20 20:06:49.0635 usbehci (79e96c23a97ce7b8f14d310da2db0c9b) C:\Windows\system32\DRIVERS\usbehci.sys
2011/05/20 20:06:49.0696 usbhub (4673bbcb006af60e7abddbe7a130ba42) C:\Windows\system32\DRIVERS\usbhub.sys
2011/05/20 20:06:49.0753 usbohci (38dbc7dd6cc5a72011f187425384388b) C:\Windows\system32\drivers\usbohci.sys
2011/05/20 20:06:49.0814 usbprint (e75c4b5269091d15a2e7dc0b6d35f2f5) C:\Windows\system32\DRIVERS\usbprint.sys
2011/05/20 20:06:49.0870 usbscan (a508c9bd8724980512136b039bba65e9) C:\Windows\system32\DRIVERS\usbscan.sys
2011/05/20 20:06:49.0927 USBSTOR (be3da31c191bc222d9ad503c5224f2ad) C:\Windows\system32\DRIVERS\USBSTOR.SYS
2011/05/20 20:06:50.0061 usbuhci (814d653efc4d48be3b04a307eceff56f) C:\Windows\system32\DRIVERS\usbuhci.sys
2011/05/20 20:06:50.0217 usbvideo (e67998e8f14cb0627a769f6530bcb352) C:\Windows\system32\Drivers\usbvideo.sys
2011/05/20 20:06:50.0320 vga (7d92be0028ecdedec74617009084b5ef) C:\Windows\system32\DRIVERS\vgapnp.sys
2011/05/20 20:06:50.0404 VgaSave (2e93ac0a1d8c79d019db6c51f036636c) C:\Windows\System32\drivers\vga.sys
2011/05/20 20:06:50.0467 viaagp (045d9961e591cf0674a920b6ba3ba5cb) C:\Windows\system32\drivers\viaagp.sys
2011/05/20 20:06:50.0518 ViaC7 (56a4de5f02f2e88182b0981119b4dd98) C:\Windows\system32\drivers\viac7.sys
2011/05/20 20:06:50.0608 viaide (fd2e3175fcada350c7ab4521dca187ec) C:\Windows\system32\drivers\viaide.sys
2011/05/20 20:06:50.0683 volmgr (69503668ac66c77c6cd7af86fbdf8c43) C:\Windows\system32\drivers\volmgr.sys
2011/05/20 20:06:50.0761 volmgrx (23e41b834759917bfd6b9a0d625d0c28) C:\Windows\system32\drivers\volmgrx.sys
2011/05/20 20:06:50.0878 volsnap (147281c01fcb1df9252de2a10d5e7093) C:\Windows\system32\drivers\volsnap.sys
2011/05/20 20:06:50.0979 vsmraid (d984439746d42b30fc65a4c3546c6829) C:\Windows\system32\drivers\vsmraid.sys
2011/05/20 20:06:51.0110 WacomPen (48dfee8f1af7c8235d4e626f0c4fe031) C:\Windows\system32\drivers\wacompen.sys
2011/05/20 20:06:51.0221 Wanarp (55201897378cca7af8b5efd874374a26) C:\Windows\system32\DRIVERS\wanarp.sys
2011/05/20 20:06:51.0256 Wanarpv6 (55201897378cca7af8b5efd874374a26) C:\Windows\system32\DRIVERS\wanarp.sys
2011/05/20 20:06:51.0339 Wd (afc5ad65b991c1e205cf25cfdbf7a6f4) C:\Windows\system32\drivers\wd.sys
2011/05/20 20:06:51.0428 Wdf01000 (b6f0a7ad6d4bd325fbcd8bac96cd8d96) C:\Windows\system32\drivers\Wdf01000.sys
2011/05/20 20:06:51.0620 winachsf (5c7bdcf5864db00323fe2d90fa26a8a2) C:\Windows\system32\DRIVERS\VSTCNXT3.SYS
2011/05/20 20:06:51.0802 WmiAcpi (2e7255d172df0b8283cdfb7b433b864e) C:\Windows\system32\DRIVERS\wmiacpi.sys
2011/05/20 20:06:51.0918 WpdUsb (de9d36f91a4df3d911626643debf11ea) C:\Windows\system32\DRIVERS\wpdusb.sys
2011/05/20 20:06:52.0026 ws2ifsl (e3a3cb253c0ec2494d4a61f5e43a389c) C:\Windows\system32\drivers\ws2ifsl.sys
2011/05/20 20:06:52.0134 WUDFRd (ac13cb789d93412106b0fb6c7eb2bcb6) C:\Windows\system32\DRIVERS\WUDFRd.sys
2011/05/20 20:06:52.0264 xnacc (9eea6d029fef5f3016d089b1a603837d) C:\Windows\system32\DRIVERS\xnacc.sys
2011/05/20 20:06:52.0531 \HardDisk0\MBR - detected Rootkit.Win32.BackBoot.gen (1)
2011/05/20 20:06:52.0538 ================================================================================
2011/05/20 20:06:52.0538 Scan finished
2011/05/20 20:06:52.0538 ================================================================================
2011/05/20 20:06:52.0573 Detected object count: 1
2011/05/20 20:07:26.0405 \HardDisk0\MBR - will be restored after reboot
2011/05/20 20:07:26.0406 Rootkit.Win32.BackBoot.gen(\HardDisk0\MBR) - User select action: Restore
2011/05/20 20:07:39.0723 Deinitialize success

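What the "Restore" action on \HardDisk0\MBR amounts to, as an added example that is not part of this thread or of TDSSKiller: an MBR bootkit like the one flagged above lives in the 440 bytes of bootstrap code at the start of sector 0, so curing it means rewriting those bytes with known-good code while leaving the NT disk signature (bytes 440-443), the partition table (bytes 446-509) and the 0x55AA marker untouched. The sector image, the "clean" and "bootkit" bootstrap bytes and the known-good hash set below are constructed placeholders, not real Vista boot code; the function names are this example's own.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOTCODE_LEN = 440            # bytes 0-439: bootstrap code, the region a bootkit overwrites
DISK_SIG_OFF = 440            # bytes 440-443: NT disk signature (444-445 reserved)
PART_TABLE_OFF = 446          # bytes 446-509: four 16-byte partition entries
BOOT_SIGNATURE = b"\x55\xaa"  # bytes 510-511

# Constructed placeholders: neither is real Windows boot code. CLEAN stands in for
# the OS's own bootstrap, BOOTKIT for code a bootkit wrote over it.
CLEAN_BOOTCODE = b"\xfa\x33\xc0\x8e\xd0" + b"\x90" * (BOOTCODE_LEN - 5)
BOOTKIT_BOOTCODE = b"\xeb\xfe" + b"\x00" * (BOOTCODE_LEN - 2)

# On a real system this holds SHA-256 digests of the genuine bootstrap code for the
# OS versions you expect to see; here it is seeded from the placeholder (assumption).
KNOWN_GOOD_BOOTCODE = {hashlib.sha256(CLEAN_BOOTCODE).hexdigest()}


def parse_partition_table(mbr: bytes) -> list:
    """Return the non-empty partition entries as dicts (active, type, lba_start, sectors)."""
    entries = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        # entry layout: status(1) CHS start(3) type(1) CHS end(3) LBA start(4) sector count(4)
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", mbr, off)
        if ptype != 0:
            entries.append({"index": i, "active": status == 0x80, "type": ptype,
                            "lba_start": lba_start, "sectors": sectors})
    return entries


def check_mbr(mbr: bytes, known_good: set = KNOWN_GOOD_BOOTCODE) -> dict:
    """Sanity-check one 512-byte sector-0 image and report whether its bootstrap is known-good."""
    if len(mbr) != SECTOR_SIZE:
        raise ValueError("expected exactly one 512-byte sector")
    digest = hashlib.sha256(mbr[:BOOTCODE_LEN]).hexdigest()
    return {
        "signature_ok": mbr[510:512] == BOOT_SIGNATURE,
        "bootcode_sha256": digest,
        "bootcode_known_good": digest in known_good,
        "disk_signature": struct.unpack_from("<I", mbr, DISK_SIG_OFF)[0],
        "partitions": parse_partition_table(mbr),
    }


def restore_bootcode(mbr: bytes, clean_bootcode: bytes) -> bytes:
    """Rewrite only bytes 0-439; disk signature, partition table and 0x55AA are kept verbatim."""
    if len(clean_bootcode) != BOOTCODE_LEN:
        raise ValueError("clean bootstrap must be exactly 440 bytes")
    return clean_bootcode + mbr[BOOTCODE_LEN:]


def build_sample_mbr(bootcode: bytes) -> bytes:
    """Constructed sector: one active NTFS (type 0x07) partition starting at LBA 2048."""
    disk_sig = struct.pack("<I", 0xDEADBEEF) + b"\x00\x00"
    entry = struct.pack("<B3sB3sII", 0x80, b"\x00\x00\x00", 0x07, b"\x00\x00\x00", 2048, 41943040)
    table = entry + b"\x00" * 48          # three empty entries
    return bootcode + disk_sig + table + BOOT_SIGNATURE


if __name__ == "__main__":
    infected = build_sample_mbr(BOOTKIT_BOOTCODE)
    before = check_mbr(infected)
    print("known-good bootstrap before:", before["bootcode_known_good"], before["partitions"])
    repaired = restore_bootcode(infected, CLEAN_BOOTCODE)
    after = check_mbr(repaired)
    print("known-good bootstrap after: ", after["bootcode_known_good"], after["partitions"])
```

On a live Windows system the 512 bytes come from opening \\.\PhysicalDrive0 read-only with administrator rights. The check is only as good as the hash set: seed it with digests of the genuine bootstrap code for the Windows versions you expect to find, and treat an unknown digest as "inspect", not automatically as "infected", since OEM recovery tools and boot managers also ship their own MBR code.

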
#4 JSntgRvr

    Master Surgeon General

  • Malware Response Team
  • 11,749 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 20 May 2011 - 10:21 PM

Quote (skater11):
    I clicked restore because there was no cure selection. Is that the same thing?

Yes.

Let's try ComboFix.

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  • Please, never rename Combofix unless instructed.
  • Close any open browsers.
  • Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      If AVG or CA Internet Security Suite is installed, you must remove these programs before using Combofix. If any of these applications will not uninstall, it is first recommended to uninstall it with AppRemover by Opswat. http://www.appremover.com/supported-applications. Do not use AppRemover on Norton

      -----------------------------------------------------------

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

    -----------------------------------------------------------

  • Double click on combofix.exe & follow the prompts.
  • Install the Recovery Console if prompted.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" .
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security.

Please do not install any new programs or update anything (always allow your antivirus/antispyware to update) unless told to do so while we are fixing your problem. If combofix alerts to a new version and offers to update, please let it. It is essential we always use the latest version.

No requests for help through private messaging will be attended to.

If I have helped you, consider making a donation to help me continue the fight against Malware!


#5 skater11
  • Topic Starter

  • Members
  • 15 posts

Posted 20 May 2011 - 11:08 PM

ComboFix 11-05-17.01 - Liam 20/05/2011 20:34:19.1.1 - x86 NETWORK
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.2.1033.18.1013.607 [GMT -7:00]
Running from: c:\users\Liam\Desktop\ComboFix.exe
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\Liam\AppData\Local\cleanhlc.dll
c:\users\Liam\AppData\Local\cleanhlc.exe
c:\users\Liam\AppData\Local\tea.exe
c:\users\Liam\AppData\Roaming\chrtmp
c:\users\Liam\AppData\Roaming\dwm.exe
c:\users\Liam\AppData\Roaming\Microsoft\conhost.exe
c:\users\Liam\AppData\Roaming\Microsoft\Windows\Templates\5lnfw71gfl5222x1d77ctwk735dv1vk6wbh2s67hy78q7
c:\windows\$xntuninstall643$
c:\windows\$xntuninstall643$\apUninstall.exe
c:\windows\$xntuninstall643$\mkvxl.dll
c:\windows\$xntuninstall643$\uolrq.dll
c:\windows\$xntuninstall643$\zrpt.xml
c:\windows\system32\cdwwaeqo.ini
c:\windows\system32\cKRtAJlm.ini
c:\windows\System32\cKRtAJlm.ini2
c:\windows\system32\comsats.sys
c:\windows\system32\delme.bat
c:\windows\system32\dgjasr46w.exe
c:\windows\system32\drivers\srenum.sys
c:\windows\system32\ffMlmnnn.ini
c:\windows\system32\ffMlmnnn.ini2
c:\windows\system32\hQrAHkkj.ini
c:\windows\System32\hQrAHkkj.ini2
c:\windows\system32\jijllUvw.ini
c:\windows\System32\jijllUvw.ini2
c:\windows\System32\KRCIRtAy.ini
c:\windows\system32\KRCIRtAy.ini2
c:\windows\system32\msrun.exe
c:\windows\system32\obolaqmc.ini
c:\windows\system32\WFOrBJjl.ini
c:\windows\system32\WFOrBJjl.ini2
c:\windows\system32\winset.ini
c:\windows\system32\xceqfuuy.ini
c:\windows\system32temp#01.exe
c:\windows\Ymyxea.exe
c:\windows\Ymyxec.exe
c:\windows\Ymyxed.exe
c:\windows\Ymyxee.exe
c:\windows\Ymyxef.exe
c:\windows\Ymyxeg.exe
c:\windows\Ymyxeh.exe
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_Input Manager
-------\Service_MouseDriver
-------\Service_Plug Manager
-------\Service_srenum
.
.
((((((((((((((((((((((((( Files Created from 2011-04-21 to 2011-05-21 )))))))))))))))))))))))))))))))
.
.
2011-05-21 03:43 . 2011-05-21 03:49 -------- d-----w- c:\users\Liam\AppData\Local\temp
2011-05-21 03:43 . 2011-05-21 03:43 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-05-21 02:06 . 2011-05-21 02:06 100736 ----a-w- C:\kxldapoc.sys
2011-05-19 23:34 . 2011-05-19 23:34 393216 ----a-w- c:\windows\system32\qykx.exe
2011-05-19 04:30 . 2011-05-19 04:30 -------- d-----w- c:\programdata\WSTB
2011-05-19 02:23 . 2011-05-19 02:23 393216 ----a-w- c:\windows\system32\hemff.exe
2011-05-18 01:05 . 2011-05-18 01:05 393216 ----a-w- c:\windows\system32\dryf.exe
2011-05-18 00:54 . 2011-05-18 00:54 135 ----a-w- c:\users\Liam\AppData\Roaming\Microsoft\gb_201537.bat
2011-05-15 23:21 . 2011-05-15 23:21 -------- d-----w- c:\users\Liam\AppData\Roaming\IObit
2011-05-15 22:31 . 2011-05-15 22:31 -------- d--h--w- c:\windows\PIF
2011-05-15 22:12 . 2011-05-15 22:12 385024 ----a-w- c:\windows\system32\twvc.exe
2011-05-15 18:56 . 2011-05-15 17:43 143360 ----a-w- c:\windows\Ymyxeb.exe
2011-05-15 18:19 . 2011-05-15 18:19 385024 ----a-w- c:\windows\system32\oddxh.exe
2011-05-15 00:23 . 2011-05-15 00:23 188416 --sha-r- c:\windows\system32\ieUnatth.dll
2011-05-15 00:23 . 2011-05-15 00:23 188416 --sha-r- c:\windows\system32\C_20002U.dll
2011-05-15 00:19 . 2011-05-15 00:19 385024 ----a-w- c:\windows\system32\btwns.exe
2011-05-13 23:30 . 2011-04-11 07:04 7071056 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{FD2B9157-F574-44CB-B437-087AD63D56B4}\mpengine.dll
2011-05-11 02:59 . 2011-04-07 12:01 2409784 ----a-w- c:\program files\Windows Mail\OESpamFilter.dat
2011-04-28 02:48 . 2011-03-03 15:40 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2011-04-28 02:48 . 2011-03-03 13:35 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2011-04-28 02:48 . 2011-03-12 21:55 876032 ----a-w- c:\windows\system32\XpsPrint.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-03-10 17:03 . 2011-04-13 17:38 1162240 ----a-w- c:\windows\system32\mfc42u.dll
2011-03-10 17:03 . 2011-04-13 17:38 1136640 ----a-w- c:\windows\system32\mfc42.dll
2011-03-03 15:42 . 2011-04-13 17:37 739328 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-03 15:40 . 2011-04-28 02:48 173056 ----a-w- c:\windows\apppatch\AcXtrnal.dll
2011-03-03 15:40 . 2011-04-28 02:48 458752 ----a-w- c:\windows\apppatch\AcSpecfc.dll
2011-03-03 15:40 . 2011-04-28 02:48 542720 ----a-w- c:\windows\apppatch\AcLayers.dll
2011-03-03 15:40 . 2011-04-28 02:48 2159616 ----a-w- c:\windows\apppatch\AcGenral.dll
2011-03-03 13:25 . 2011-04-13 17:37 2041856 ----a-w- c:\windows\system32\win32k.sys
2011-03-02 15:44 . 2011-04-13 17:37 86528 ----a-w- c:\windows\system32\dnsrslvr.dll
2011-02-22 14:13 . 2011-03-23 02:03 288768 ----a-w- c:\windows\system32\XpsGdiConverter.dll
2011-02-22 13:33 . 2011-03-23 02:03 1068544 ----a-w- c:\windows\system32\DWrite.dll
2011-02-22 13:33 . 2011-03-23 02:03 797696 ----a-w- c:\windows\system32\FntCache.dll
2011-02-22 13:24 . 2011-04-13 17:38 213504 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2011-02-22 13:24 . 2011-04-13 17:38 79360 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2011-02-22 13:23 . 2011-04-13 17:38 106496 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-02-22 13:23 . 2011-04-13 17:38 69632 ----a-w- c:\windows\system32\drivers\bowser.sys
2011-02-22 06:21 . 2011-04-13 17:38 916480 ----a-w- c:\windows\system32\wininet.dll
2011-02-22 06:17 . 2011-04-13 17:38 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-02-22 06:16 . 2011-04-13 17:38 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-02-22 06:16 . 2011-04-13 17:38 71680 ----a-w- c:\windows\system32\iesetup.dll
2011-02-22 06:16 . 2011-04-13 17:38 109056 ----a-w- c:\windows\system32\iesysprep.dll
2011-02-22 05:20 . 2011-04-13 17:38 385024 ----a-w- c:\windows\system32\html.iec
2011-02-22 04:43 . 2011-04-13 17:38 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2011-02-22 04:42 . 2011-04-13 17:38 1638912 ----a-w- c:\windows\system32\mshtml.tlb
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2010-04-17 3872080]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-02-21 39408]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-01-13 827392]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-02-26 138008]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-02-26 154392]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-02-26 133912]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2005-02-17 49152]
"QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2007-03-29 176128]
"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2007-02-13 159744]
"HP Health Check Scheduler"="c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2007-03-12 50696]
"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2007-03-01 472776]
"WAWifiMessage"="c:\program files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe" [2007-01-10 317128]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 132496]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-10-02 289576]
"snp2uvc"="c:\windows\vsnp2uvc.exe" [2008-08-02 675840]
"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2008-03-11 689488]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2008-03-18 1848648]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2008-03-06 236016]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2010-09-24 40368]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2010-09-16 1164584]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"GrpConv"="grpconv -o" [X]
"Launcher"="c:\windows\SMINST\launcher.exe" [2006-11-08 44128]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Reader Synchronizer.lnk - c:\program files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe [2010-9-23 738776]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
R0 ffwk;ffwk;c:\windows\System32\drivers\lrthus.sys [x]
R0 guicrmr;guicrmr;c:\windows\System32\drivers\tilawew.sys [x]
R0 gxfj;gxfj;c:\windows\System32\drivers\tafnjq.sys [x]
R0 jxgjg;jxgjg;c:\windows\System32\drivers\gekojj.sys [x]
R0 kufoxm;kufoxm;c:\windows\System32\drivers\uvsomgd.sys [x]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 gupdate1c9d58454b7c9a0;Google Update Service (gupdate1c9d58454b7c9a0);c:\program files\Google\Update\GoogleUpdate.exe [2009-05-15 133104]
R2 Local Account Authority Service;Local Account Authority Service;c:\windows\temp\LocalAccountAuthority.bat [x]
R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2009-05-15 133104]
R3 ndisrd;WinpkFilter Service;c:\windows\system32\DRIVERS\ndisrd.sys [x]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder
.
2011-05-19 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-15 17:40]
.
2011-05-20 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-15 17:40]
.
2011-05-20 c:\windows\Tasks\User_Feed_Synchronization-{38C470B5-A060-4DE0-AE0B-ABFD7ABCD1B6}.job
- c:\windows\system32\msfeedssync.exe [2011-04-13 04:43]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_CA&c=73&bd=Pavilion&pf=laptop
uInternet Settings,ProxyOverride = *.local
uInternet Settings,ProxyServer = http=127.0.0.1:49778
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
FF - ProfilePath - c:\users\Liam\AppData\Roaming\Mozilla\Firefox\Profiles\v13gxc1p.default\
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 49778
FF - prefs.js: network.proxy.type - 1
.
- - - - ORPHANS REMOVED - - - -
.
BHO-{1DAB052A-0631-4A71-91E2-33D7F4001E32} - c:\windows\$XNTUninstall643$\uolrq.dll
BHO-{CAEB7882-F486-4FF6-8F2B-D14219B4F129} - c:\windows\$XNTUninstall643$\mkvxl.dll
HKCU-Run-5GUTNY6MFK - c:\windows\Ymyxeg.exe
HKLM-Run-cleanhlc - c:\users\Liam\AppData\Local\cleanhlc.exe
HKLM-Run-bipro - c:\windows\$XNTUninstall643$\uolrq.dll
HKLM-Run-conhost - c:\users\Liam\AppData\Roaming\Microsoft\conhost.exe
HKLM-RunOnce-<NO NAME> - (no file)
SafeBoot-klmdb.sys
AddRemove-$XNTUninstall643$ - c:\windows\$XNTUninstall643$\apUninstall.exe
AddRemove-Search Toolbar - c:\program files\Search Toolbar\SearchToolbarUninstall.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-05-20 20:52
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\Local Account Authority Service]
"ImagePath"="%SystemRoot%\temp\LocalAccountAuthority.bat"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2011-05-20 20:58:30 - machine was rebooted
ComboFix-quarantined-files.txt 2011-05-21 03:58
.
Pre-Run: 38,308,401,152 bytes free
Post-Run: 38,572,326,912 bytes free
.
- - End Of File - - 02827CCE157792DB15BB0AF2B22C21A5

#6 JSntgRvr

    Master Surgeon General

  • Malware Response Team
  • 11,749 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 20 May 2011 - 11:47 PM

Download the enclosed file.

Save this file next to ComboFix.

Posted Image

Once saved, referring to the picture above, drag CFScript.txt into ComboFix.exe, and post back the resulting report.

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.

  • Ensure you are connected to the internet and click OK on the message box.

If the automatic upload fails, Combofix created a zipped file in the C:\Qoobox\Quarantine folder labeled in the form of [4]-Submit_Date_Time.zip. Please have this file uploaded to the following location:

http://www.bleepingcomputer.com/submit-malware.php?channel=4

Indicate a link to this address and let me know when ready.

No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!


#7 skater11
  • Topic Starter

  • Members
  • 15 posts

Posted 21 May 2011 - 12:02 AM

I did not update ComboFix to the newest version on the first one; I just did it again. Here is the log of the updated version.
Should I still use the CFScript, or should I do something else?

ComboFix 11-05-19.02 - Liam 20/05/2011 21:37:09.2.1 - x86 NETWORK
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.2.1033.18.1013.642 [GMT -7:00]
Running from: c:\users\Liam\Desktop\ComboFix.exe
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((( Files Created from 2011-04-21 to 2011-05-21 )))))))))))))))))))))))))))))))
.
.
2011-05-21 04:45 . 2011-05-21 04:45 -------- d-----w- c:\users\Liam\AppData\Local\temp
2011-05-21 04:45 . 2011-05-21 04:45 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-05-21 02:06 . 2011-05-21 02:06 100736 ----a-w- C:\kxldapoc.sys
2011-05-19 23:34 . 2011-05-19 23:34 393216 ----a-w- c:\windows\system32\qykx.exe
2011-05-19 04:30 . 2011-05-19 04:30 -------- d-----w- c:\programdata\WSTB
2011-05-19 02:23 . 2011-05-19 02:23 393216 ----a-w- c:\windows\system32\hemff.exe
2011-05-18 01:05 . 2011-05-18 01:05 393216 ----a-w- c:\windows\system32\dryf.exe
2011-05-18 00:54 . 2011-05-18 00:54 135 ----a-w- c:\users\Liam\AppData\Roaming\Microsoft\gb_201537.bat
2011-05-15 23:21 . 2011-05-15 23:21 -------- d-----w- c:\users\Liam\AppData\Roaming\IObit
2011-05-15 22:31 . 2011-05-15 22:31 -------- d--h--w- c:\windows\PIF
2011-05-15 22:12 . 2011-05-15 22:12 385024 ----a-w- c:\windows\system32\twvc.exe
2011-05-15 18:56 . 2011-05-15 17:43 143360 ----a-w- c:\windows\Ymyxeb.exe
2011-05-15 18:19 . 2011-05-15 18:19 385024 ----a-w- c:\windows\system32\oddxh.exe
2011-05-15 00:23 . 2011-05-15 00:23 188416 --sha-r- c:\windows\system32\ieUnatth.dll
2011-05-15 00:23 . 2011-05-15 00:23 188416 --sha-r- c:\windows\system32\C_20002U.dll
2011-05-15 00:19 . 2011-05-15 00:19 385024 ----a-w- c:\windows\system32\btwns.exe
2011-05-13 23:30 . 2011-04-11 07:04 7071056 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{FD2B9157-F574-44CB-B437-087AD63D56B4}\mpengine.dll
2011-05-11 02:59 . 2011-04-07 12:01 2409784 ----a-w- c:\program files\Windows Mail\OESpamFilter.dat
2011-04-28 02:48 . 2011-03-03 15:40 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2011-04-28 02:48 . 2011-03-03 13:35 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2011-04-28 02:48 . 2011-03-12 21:55 876032 ----a-w- c:\windows\system32\XpsPrint.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-03-10 17:03 . 2011-04-13 17:38 1162240 ----a-w- c:\windows\system32\mfc42u.dll
2011-03-10 17:03 . 2011-04-13 17:38 1136640 ----a-w- c:\windows\system32\mfc42.dll
2011-03-03 15:42 . 2011-04-13 17:37 739328 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-03 15:40 . 2011-04-28 02:48 173056 ----a-w- c:\windows\apppatch\AcXtrnal.dll
2011-03-03 15:40 . 2011-04-28 02:48 458752 ----a-w- c:\windows\apppatch\AcSpecfc.dll
2011-03-03 15:40 . 2011-04-28 02:48 542720 ----a-w- c:\windows\apppatch\AcLayers.dll
2011-03-03 15:40 . 2011-04-28 02:48 2159616 ----a-w- c:\windows\apppatch\AcGenral.dll
2011-03-03 13:25 . 2011-04-13 17:37 2041856 ----a-w- c:\windows\system32\win32k.sys
2011-03-02 15:44 . 2011-04-13 17:37 86528 ----a-w- c:\windows\system32\dnsrslvr.dll
2011-02-22 14:13 . 2011-03-23 02:03 288768 ----a-w- c:\windows\system32\XpsGdiConverter.dll
2011-02-22 13:33 . 2011-03-23 02:03 1068544 ----a-w- c:\windows\system32\DWrite.dll
2011-02-22 13:33 . 2011-03-23 02:03 797696 ----a-w- c:\windows\system32\FntCache.dll
2011-02-22 13:24 . 2011-04-13 17:38 213504 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2011-02-22 13:24 . 2011-04-13 17:38 79360 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2011-02-22 13:23 . 2011-04-13 17:38 106496 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-02-22 13:23 . 2011-04-13 17:38 69632 ----a-w- c:\windows\system32\drivers\bowser.sys
2011-02-22 06:21 . 2011-04-13 17:38 916480 ----a-w- c:\windows\system32\wininet.dll
2011-02-22 06:17 . 2011-04-13 17:38 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-02-22 06:16 . 2011-04-13 17:38 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-02-22 06:16 . 2011-04-13 17:38 71680 ----a-w- c:\windows\system32\iesetup.dll
2011-02-22 06:16 . 2011-04-13 17:38 109056 ----a-w- c:\windows\system32\iesysprep.dll
2011-02-22 05:20 . 2011-04-13 17:38 385024 ----a-w- c:\windows\system32\html.iec
2011-02-22 04:43 . 2011-04-13 17:38 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2011-02-22 04:42 . 2011-04-13 17:38 1638912 ----a-w- c:\windows\system32\mshtml.tlb
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2010-04-17 3872080]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-02-21 39408]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-01-13 827392]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-02-26 138008]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-02-26 154392]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-02-26 133912]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2005-02-17 49152]
"QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2007-03-29 176128]
"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2007-02-13 159744]
"HP Health Check Scheduler"="c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2007-03-12 50696]
"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2007-03-01 472776]
"WAWifiMessage"="c:\program files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe" [2007-01-10 317128]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 132496]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-10-02 289576]
"snp2uvc"="c:\windows\vsnp2uvc.exe" [2008-08-02 675840]
"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2008-03-11 689488]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2008-03-18 1848648]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2008-03-06 236016]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2010-09-24 40368]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2010-09-16 1164584]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"GrpConv"="grpconv -o" [X]
"Launcher"="c:\windows\SMINST\launcher.exe" [2006-11-08 44128]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Reader Synchronizer.lnk - c:\program files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe [2010-9-23 738776]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
R0 ffwk;ffwk;c:\windows\System32\drivers\lrthus.sys [x]
R0 guicrmr;guicrmr;c:\windows\System32\drivers\tilawew.sys [x]
R0 gxfj;gxfj;c:\windows\System32\drivers\tafnjq.sys [x]
R0 jxgjg;jxgjg;c:\windows\System32\drivers\gekojj.sys [x]
R0 kufoxm;kufoxm;c:\windows\System32\drivers\uvsomgd.sys [x]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 gupdate1c9d58454b7c9a0;Google Update Service (gupdate1c9d58454b7c9a0);c:\program files\Google\Update\GoogleUpdate.exe [2009-05-15 133104]
R2 Local Account Authority Service;Local Account Authority Service;c:\windows\temp\LocalAccountAuthority.bat [x]
R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2009-05-15 133104]
R3 ndisrd;WinpkFilter Service;c:\windows\system32\DRIVERS\ndisrd.sys [x]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder
.
2011-05-19 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-15 17:40]
.
2011-05-20 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-15 17:40]
.
2011-05-20 c:\windows\Tasks\User_Feed_Synchronization-{38C470B5-A060-4DE0-AE0B-ABFD7ABCD1B6}.job
- c:\windows\system32\msfeedssync.exe [2011-04-13 04:43]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_CA&c=73&bd=Pavilion&pf=laptop
uInternet Settings,ProxyOverride = *.local
uInternet Settings,ProxyServer = http=127.0.0.1:49778
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
FF - ProfilePath - c:\users\Liam\AppData\Roaming\Mozilla\Firefox\Profiles\v13gxc1p.default\
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 49778
FF - prefs.js: network.proxy.type - 1
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-RunOnce-<NO NAME> - (no file)
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-05-20 21:45
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\Local Account Authority Service]
"ImagePath"="%SystemRoot%\temp\LocalAccountAuthority.bat"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2011-05-20 21:50:42
ComboFix-quarantined-files.txt 2011-05-21 04:50
ComboFix2.txt 2011-05-21 03:58
.
Pre-Run: 38,677,098,496 bytes free
Post-Run: 38,433,202,176 bytes free
.
- - End Of File - - 6AF9DDC7F8DCC5FA776E03A258CD0F69

#8 skater11
  • Topic Starter

  • Members
  • 15 posts

Posted 21 May 2011 - 12:33 AM

Hey,
I have submitted the file and I am ready.
Thanks

#9 skater11
  • Topic Starter

  • Members
  • 15 posts

Posted 21 May 2011 - 12:48 PM

Hi,
Today I just opened up Internet Explorer and a download link opened to download iexplore.exe and asked me if I want to run or save this; I just exited it. Hopefully that is OK.

#10 JSntgRvr

    Master Surgeon General

  • Malware Response Team
  • 11,749 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 21 May 2011 - 01:06 PM

Drag and drop CFScript.txt into Combofix and post its report.



#11 skater11
  • Topic Starter

  • Members
  • 15 posts

Posted 21 May 2011 - 03:48 PM

ComboFix 11-05-19.02 - Liam 21/05/2011 11:21:07.4.1 - x86 NETWORK
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.2.1033.18.1013.624 [GMT -7:00]
Running from: c:\users\Liam\Desktop\ComboFix.exe
Command switches used :: c:\users\Liam\Desktop\CFScript.txt
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
file zipped: C:\kxldapoc.sys
file zipped: c:\windows\System32\btwns.exe
file zipped: c:\windows\System32\dryf.exe
file zipped: c:\windows\System32\hemff.exe
file zipped: c:\windows\System32\oddxh.exe
file zipped: c:\windows\System32\twvc.exe
file zipped: c:\windows\Ymyxeb.exe
.
.
((((((((((((((((((((((((( Files Created from 2011-04-21 to 2011-05-21 )))))))))))))))))))))))))))))))
.
.
2011-05-21 18:29 . 2011-05-21 18:30 -------- d-----w- c:\users\Liam\AppData\Local\temp
2011-05-21 18:29 . 2011-05-21 18:29 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-05-21 02:06 . 2011-05-21 02:06 100736 ----a-w- C:\kxldapoc.sys
2011-05-19 23:34 . 2011-05-19 23:34 393216 ----a-w- c:\windows\system32\qykx.exe
2011-05-19 04:30 . 2011-05-19 04:30 -------- d-----w- c:\programdata\WSTB
2011-05-19 02:23 . 2011-05-19 02:23 393216 ----a-w- c:\windows\system32\hemff.exe
2011-05-18 01:05 . 2011-05-18 01:05 393216 ----a-w- c:\windows\system32\dryf.exe
2011-05-18 00:54 . 2011-05-18 00:54 135 ----a-w- c:\users\Liam\AppData\Roaming\Microsoft\gb_201537.bat
2011-05-15 23:21 . 2011-05-15 23:21 -------- d-----w- c:\users\Liam\AppData\Roaming\IObit
2011-05-15 22:31 . 2011-05-15 22:31 -------- d--h--w- c:\windows\PIF
2011-05-15 22:12 . 2011-05-15 22:12 385024 ----a-w- c:\windows\system32\twvc.exe
2011-05-15 18:56 . 2011-05-15 17:43 143360 ----a-w- c:\windows\Ymyxeb.exe
2011-05-15 18:19 . 2011-05-15 18:19 385024 ----a-w- c:\windows\system32\oddxh.exe
2011-05-15 00:23 . 2011-05-15 00:23 188416 --sha-r- c:\windows\system32\ieUnatth.dll
2011-05-15 00:23 . 2011-05-15 00:23 188416 --sha-r- c:\windows\system32\C_20002U.dll
2011-05-15 00:19 . 2011-05-15 00:19 385024 ----a-w- c:\windows\system32\btwns.exe
2011-05-13 23:30 . 2011-04-11 07:04 7071056 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{FD2B9157-F574-44CB-B437-087AD63D56B4}\mpengine.dll
2011-05-11 02:59 . 2011-04-07 12:01 2409784 ----a-w- c:\program files\Windows Mail\OESpamFilter.dat
2011-04-28 02:48 . 2011-03-03 15:40 28672 ----a-w- c:\windows\system32\Apphlpdm.dll
2011-04-28 02:48 . 2011-03-03 13:35 4240384 ----a-w- c:\windows\system32\GameUXLegacyGDFs.dll
2011-04-28 02:48 . 2011-03-12 21:55 876032 ----a-w- c:\windows\system32\XpsPrint.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-03-10 17:03 . 2011-04-13 17:38 1162240 ----a-w- c:\windows\system32\mfc42u.dll
2011-03-10 17:03 . 2011-04-13 17:38 1136640 ----a-w- c:\windows\system32\mfc42.dll
2011-03-03 15:42 . 2011-04-13 17:37 739328 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-03 15:40 . 2011-04-28 02:48 173056 ----a-w- c:\windows\apppatch\AcXtrnal.dll
2011-03-03 15:40 . 2011-04-28 02:48 458752 ----a-w- c:\windows\apppatch\AcSpecfc.dll
2011-03-03 15:40 . 2011-04-28 02:48 542720 ----a-w- c:\windows\apppatch\AcLayers.dll
2011-03-03 15:40 . 2011-04-28 02:48 2159616 ----a-w- c:\windows\apppatch\AcGenral.dll
2011-03-03 13:25 . 2011-04-13 17:37 2041856 ----a-w- c:\windows\system32\win32k.sys
2011-03-02 15:44 . 2011-04-13 17:37 86528 ----a-w- c:\windows\system32\dnsrslvr.dll
2011-02-22 14:13 . 2011-03-23 02:03 288768 ----a-w- c:\windows\system32\XpsGdiConverter.dll
2011-02-22 13:33 . 2011-03-23 02:03 1068544 ----a-w- c:\windows\system32\DWrite.dll
2011-02-22 13:33 . 2011-03-23 02:03 797696 ----a-w- c:\windows\system32\FntCache.dll
2011-02-22 13:24 . 2011-04-13 17:38 213504 ----a-w- c:\windows\system32\drivers\mrxsmb10.sys
2011-02-22 13:24 . 2011-04-13 17:38 79360 ----a-w- c:\windows\system32\drivers\mrxsmb20.sys
2011-02-22 13:23 . 2011-04-13 17:38 106496 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-02-22 13:23 . 2011-04-13 17:38 69632 ----a-w- c:\windows\system32\drivers\bowser.sys
2011-02-22 06:21 . 2011-04-13 17:38 916480 ----a-w- c:\windows\system32\wininet.dll
2011-02-22 06:17 . 2011-04-13 17:38 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-02-22 06:16 . 2011-04-13 17:38 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-02-22 06:16 . 2011-04-13 17:38 71680 ----a-w- c:\windows\system32\iesetup.dll
2011-02-22 06:16 . 2011-04-13 17:38 109056 ----a-w- c:\windows\system32\iesysprep.dll
2011-02-22 05:20 . 2011-04-13 17:38 385024 ----a-w- c:\windows\system32\html.iec
2011-02-22 04:43 . 2011-04-13 17:38 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2011-02-22 04:42 . 2011-04-13 17:38 1638912 ----a-w- c:\windows\system32\mshtml.tlb
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-19 125952]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2010-04-17 3872080]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-02-21 39408]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-01-13 827392]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-02-26 138008]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-02-26 154392]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-02-26 133912]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2005-02-17 49152]
"QPService"="c:\program files\HP\QuickPlay\QPService.exe" [2007-03-29 176128]
"QlbCtrl"="c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2007-02-13 159744]
"HP Health Check Scheduler"="c:\program files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe" [2007-03-12 50696]
"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2007-03-01 472776]
"WAWifiMessage"="c:\program files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe" [2007-01-10 317128]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 132496]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-10-02 289576]
"snp2uvc"="c:\windows\vsnp2uvc.exe" [2008-08-02 675840]
"CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2008-03-11 689488]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2008-03-18 1848648]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2008-03-06 236016]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2010-09-24 40368]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" [2010-09-16 1164584]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"GrpConv"="grpconv -o" [X]
"Launcher"="c:\windows\SMINST\launcher.exe" [2006-11-08 44128]
.
c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Adobe Reader Synchronizer.lnk - c:\program files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe [2010-9-23 738776]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
R0 ffwk;ffwk;c:\windows\System32\drivers\lrthus.sys [x]
R0 guicrmr;guicrmr;c:\windows\System32\drivers\tilawew.sys [x]
R0 gxfj;gxfj;c:\windows\System32\drivers\tafnjq.sys [x]
R0 jxgjg;jxgjg;c:\windows\System32\drivers\gekojj.sys [x]
R0 kufoxm;kufoxm;c:\windows\System32\drivers\uvsomgd.sys [x]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 gupdate1c9d58454b7c9a0;Google Update Service (gupdate1c9d58454b7c9a0);c:\program files\Google\Update\GoogleUpdate.exe [2009-05-15 133104]
R2 Local Account Authority Service;Local Account Authority Service;c:\windows\temp\LocalAccountAuthority.bat [x]
R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2009-05-15 133104]
R3 ndisrd;WinpkFilter Service;c:\windows\system32\DRIVERS\ndisrd.sys [x]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
Contents of the 'Scheduled Tasks' folder
.
2011-05-19 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-15 17:40]
.
2011-05-20 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-05-15 17:40]
.
2011-05-20 c:\windows\Tasks\User_Feed_Synchronization-{38C470B5-A060-4DE0-AE0B-ABFD7ABCD1B6}.job
- c:\windows\system32\msfeedssync.exe [2011-04-13 04:43]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_CA&c=73&bd=Pavilion&pf=laptop
uInternet Settings,ProxyOverride = *.local
uInternet Settings,ProxyServer = http=127.0.0.1:49778
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D183CA64F05FDD98.dll/cmsidewiki.html
FF - ProfilePath - c:\users\Liam\AppData\Roaming\Mozilla\Firefox\Profiles\v13gxc1p.default\
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 49778
FF - prefs.js: network.proxy.type - 1
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-RunOnce-<NO NAME> - (no file)
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-05-21 11:30
Windows 6.0.6002 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\Local Account Authority Service]
"ImagePath"="%SystemRoot%\temp\LocalAccountAuthority.bat"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2011-05-21 11:35:00
ComboFix-quarantined-files.txt 2011-05-21 18:34
ComboFix2.txt 2011-05-21 05:25
ComboFix3.txt 2011-05-21 04:50
ComboFix4.txt 2011-05-21 03:58
.
Pre-Run: 38,437,679,104 bytes free
Post-Run: 38,423,724,032 bytes free
.
- - End Of File - - 18DBBD830C0CF1A853B30DFA5FA2074C
Upload was successful

#12 JSntgRvr

    Master Surgeon General

  • Malware Response Team
  • 11,749 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 21 May 2011 - 04:24 PM

Download the enclosed file.

Save this file next to ComboFix.

Posted Image

Once saved, referring to the picture above, drag CFScript.txt into ComboFix.exe, and post back the resulting report.

Please perform an online scan at Eset:

http://www.eset.com/us/online-scanner

Let me know the outcome.



#13 skater11
  • Topic Starter

  • Members
  • 15 posts

Posted 21 May 2011 - 07:18 PM

35 infected files were found and 35 were cleaned. There is an option to delete quarantined files; should I do this?
Thank you!

#14 JSntgRvr

    Master Surgeon General

  • Malware Response Team
  • 11,749 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 21 May 2011 - 08:12 PM

Yes. How is the computer doing?



#15 skater11
  • Topic Starter

  • Members
  • 15 posts

Posted 21 May 2011 - 08:28 PM

I think it is all fixed!! But I will let you know if something happens.
Thank you so much!!
