Redirecting, hijacking browser; many times Google but not always.


This topic is locked. 37 replies to this topic.

#1 TTFN41460 (Members, 21 posts)

Posted 17 September 2011 - 01:09 AM

Besides redirecting, I also can't update Malware or MS Security Essentials, which keep closing, and Norton won't run properly. I have no idea what the problem is, but I assume it is some type of virus or malware. I was also getting the blue screen shutdown quite often, but that seems to have slowed.

dds:

.
DDS (Ver_2011-08-26.01) - FAT32x86
Internet Explorer: 8.0.6001.18702
Run by Crissey Rasmussen at 22:29:16 on 2011-09-16
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.502.61 [GMT -7:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Acer\Empowering Technology\admServ.exe
svchost.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\RTHDCPL.EXE
C:\Acer\Empowering Technology\eRecovery\Monitor.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Acer\Empowering Technology\admtray.exe
C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
C:\PROGRA~1\LAUNCH~1\LManager.exe
C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
C:\Program Files\Google\Quick Search Box\GoogleQuickSearchBox.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\Program Files\Logitech\QuickCam\Quickcam.exe
C:\DOCUME~1\CRISSE~1\LOCALS~1\Temp\RtkBtMnt.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\WINDOWS\system32\igfxext.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Documents and Settings\Crissey Rasmussen\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Documents and Settings\Crissey Rasmussen\Application Data\Microsoft\MicrosoftUpdate\Microsoftupdt32.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Crissey Rasmussen\Local Settings\Temporary Internet Files\Content.IE5\UHX7L57U\Defogger[1].exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://seattle.craigslist.org/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uDefault_Search_URL = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
BHO: {030452bc-cb72-4bce-a1b9-17989d9dc6fc} - c:\docume~1\crisse~1\locals~1\temp\w7e16.tmp.exe
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: PE_IE_Helper Class: {0941c58f-e461-4e03-bd7d-44c27392ade1} - c:\program files\ibm\lotus forms\viewer\3.0\PEhelper.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RoboForm: {724d43a9-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.6406.1642\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: Acer eDataSecurity Management: {5cbe3b7c-1e47-477e-a7dd-396db0476e29} - c:\windows\system32\eDStoolbar.dll
TB: &RoboForm: {724d43a0-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
TB: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [cdloader] "c:\documents and settings\crissey rasmussen\application data\mjusbsp\cdloader2.exe" MAGICJACK
uRun: [ICS5R7Y0OS] c:\windows\Rjymyb.exe
uRun: [R8388QA8U8] c:\docume~1\crisse~1\locals~1\temp\Rhh.exe
uRun: [Google Update] "c:\documents and settings\crissey rasmussen\local settings\application data\google\update\GoogleUpdate.exe" /c
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [MicrosoftUpdate] c:\documents and settings\crissey rasmussen\application data\microsoft\microsoftupdate\Microsoftupdt32.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [LaunchApp] Alaunch
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [SkyTel] SkyTel.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [ntiMUI] c:\program files\newtech infosystems\nti cd & dvd-maker 7\ntiMUI.exe
mRun: [ADMTray.exe] "c:\acer\empowering technology\admtray.exe"
mRun: [ePower_DMC] c:\acer\empowering technology\epower\ePower_DMC.exe
mRun: [Acer ePower Management] c:\acer\empowering technology\epower\Acer ePower Management.exe boot
mRun: [LManager] c:\progra~1\launch~1\LManager.exe
mRun: [eRecoveryService] c:\acer\empowering technology\erecovery\Monitor.exe
mRun: [eDataSecurity Loader] c:\acer\empowering technology\edatasecurity\eDSloader.exe
mRun: [Google Quick Search Box] "c:\program files\google\quick search box\GoogleQuickSearchBox.exe" /autorun
mRun: [masqform.exe] c:\program files\ibm\lotus forms\viewer\3.0\masqform.exe -RunOnce"
mRun: [hpqSRMon] c:\program files\hp\digital imaging\bin\hpqSRMon.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [LogitechQuickCamRibbon] "c:\program files\logitech\quickcam\Quickcam.exe" /hide
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [AzMixerSel] c:\program files\realtek\installshield\AzMixerSel.exe
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
dRun: [MicrosoftUpdate] c:\documents and settings\crissey rasmussen\application data\microsoft\microsoftupdate\Microsoftupdt32.exe
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Customize Menu - file://c:\program files\siber systems\ai roboform\RoboFormComCustomizeIEMenu.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: Fill Forms - file://c:\program files\siber systems\ai roboform\RoboFormComFillForms.html
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_950DF09FAB501E03.dll/cmsidewiki.html
IE: RoboForm Toolbar - file://c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html
IE: Save Forms - file://c:\program files\siber systems\ai roboform\RoboFormComSavePass.html
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F46} - c:\program files\siber systems\ai roboform\RoboFormComFillForms.html
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F49} - c:\program files\siber systems\ai roboform\RoboFormComSavePass.html
IE: {724d43aa-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
Trusted Zone: isgn.com\orders
DPF: AuthenticBrowserEdition - hxxps://vendors.isgn.com/Komodo/common/forms/cab/AuthenticBrowserEdition.cab
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
DPF: {28B66320-9687-4B13-8757-36F901887AB5} - hxxp://www.seehere.com/ips-opdata/layout/fujius02/objects/canvasx.cab
DPF: {34DC6011-88B5-4EA9-BA7A-DC7B4F4437FE} - hxxp://www.seehere.com/ips-opdata/layout/fujius02/objects/jordan.cab
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://photo1.walgreens.com/WalgreensActivia.cab
DPF: {5D637FAD-E202-48D1-8F18-5B9C459BD1E3} - hxxps://valuemanager.iasreo.com/BPO/ImageUploader5.cab
DPF: {62BC5DB2-0044-4040-B366-D628F3CFD551} - file:///C:/DOCUME~1/CRISSE~1/LOCALS~1/Temp/IXP000.TMP/setup.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {83A4D5A6-E2C1-4EDD-AD48-1A1C50BD06EF} - hxxps://valuemanager.iasreo.com/BPO/ImageUploader6.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {C7DEDA04-2FFF-4B81-AE66-0A0E0EF4AD2F} - hxxp://bartelldrugs.lifepics.com/net/Uploader/LPUploader57.cab
DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {E4BBF5F2-453C-4D24-8547-A717DD7592B9} - hxxps://valuemanager.iasreo.com/BPO/ImageUploader6.cab
DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} - hxxp://gfx1.hotmail.com/mail/w4/pr01/photouploadcontrol/MSNPUpld.cab
DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} - hxxps://www.assetlinklp.com/AssetLinkPortal/XUpload.ocx
DPF: {EDFCB7CB-942C-4822-AF14-F0B687409848} - hxxps://web04.farvv.com/sn/ImageUploader4.cab
DPF: {F375116A-793C-11D2-BFE1-444553540001} - hxxp://realist2.firstamres.com/mapviewer/mapviewer.cab
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{FB031B9E-2395-4286-AFEC-B9518038F9BC} : DhcpNameServer = 192.168.1.1
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
============= SERVICES / DRIVERS ===============
.
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-11-17 64288]
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2011-4-18 165648]
R1 MpKsl1103c40f;MpKsl1103c40f;c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{4312c66d-290f-4973-9569-a08695d2976b}\MpKsl1103c40f.sys [2011-9-16 28752]
R1 MpKsldf3ab055;MpKsldf3ab055;c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{4312c66d-290f-4973-9569-a08695d2976b}\MpKsldf3ab055.sys [2011-9-16 28752]
R1 MpKslffec9825;MpKslffec9825;c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{4312c66d-290f-4973-9569-a08695d2976b}\MpKslffec9825.sys [2011-9-14 28752]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-8-31 22712]
S1 MpKsl74df1d77;MpKsl74df1d77;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{3d235954-6bcf-451c-98ed-ead792584e76}\mpksl74df1d77.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{3d235954-6bcf-451c-98ed-ead792584e76}\MpKsl74df1d77.sys [?]
S1 MpKsldf9fc2ed;MpKsldf9fc2ed;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{12b53aeb-3cc4-4206-b673-00accab85ebb}\mpksldf9fc2ed.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{12b53aeb-3cc4-4206-b673-00accab85ebb}\MpKsldf9fc2ed.sys [?]
S1 MpKslf02311a7;MpKslf02311a7;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{607679c2-d509-4a08-8946-44fd9370979d}\mpkslf02311a7.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{607679c2-d509-4a08-8946-44fd9370979d}\MpKslf02311a7.sys [?]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;\??\c:\program files\lavasoft\ad-aware\kernexplorer.sys --> c:\program files\lavasoft\ad-aware\KernExplorer.sys [?]
.
=============== Created Last 30 ================
.
2011-09-17 04:25:59 -------- d-----w- c:\windows\pss
2011-09-16 17:49:19 28752 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{4312c66d-290f-4973-9569-a08695d2976b}\MpKsldf3ab055.sys
2011-09-16 16:56:10 28752 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{4312c66d-290f-4973-9569-a08695d2976b}\MpKsl1103c40f.sys
2011-09-14 17:25:31 28752 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{4312c66d-290f-4973-9569-a08695d2976b}\MpKslffec9825.sys
2011-09-14 17:22:42 7152464 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{4312c66d-290f-4973-9569-a08695d2976b}\mpengine.dll
2011-09-14 07:04:33 99328 ----a-w- c:\documents and settings\crissey rasmussen\application data\microsoft\microsoftupdate\Microsoftupdt32.exe
2011-09-14 07:04:28 155136 ----a-w- c:\documents and settings\crissey rasmussen\application data\microsoft\microsoftupdate\Microsoftupdt32.dll
2011-09-12 16:37:03 0 ---ha-w- c:\documents and settings\crissey rasmussen\eohaggeozn.tmp
2011-09-08 17:26:55 0 ----a-w- c:\documents and settings\crissey rasmussen\local settings\application data\dekp.exe
2011-09-08 17:26:55 0 ----a-w- c:\documents and settings\all users\application data\jihe.exe
2011-09-08 17:26:53 0 ----a-w- c:\documents and settings\crissey rasmussen\local settings\application data\vyav.exe
2011-09-08 17:26:53 0 ----a-w- c:\documents and settings\all users\application data\txig.exe
2011-09-08 17:26:50 0 ----a-w- c:\documents and settings\all users\application data\jjra.exe
2011-09-08 17:26:49 0 ----a-w- c:\documents and settings\crissey rasmussen\local settings\application data\pvsy.exe
2011-09-08 17:26:46 0 ----a-w- c:\documents and settings\all users\application data\oksq.exe
2011-09-08 17:26:44 0 ----a-w- c:\documents and settings\crissey rasmussen\local settings\application data\umtc.exe
2011-09-03 10:17:37 599040 ------w- c:\windows\system32\dllcache\crypt32.dll
2011-09-01 02:58:01 7152464 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
2011-08-31 21:47:09 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-08-31 21:47:02 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-08-31 21:47:01 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-08-31 01:12:19 354 ----a-w- c:\windows\system32\drivers\xdrkiuvt.dat
2011-08-31 01:04:21 354 ----a-w- c:\windows\system32\drivers\hwjkdick.dat
2011-08-31 01:00:09 532 ----a-w- c:\windows\system32\drivers\bzncemug.dat
2011-08-31 00:41:18 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-08-31 00:20:38 -------- d-----w- c:\program files\Microsoft Security Client
2011-08-31 00:17:35 -------- d-----w- c:\documents and settings\crissey rasmussen\application data\Malwarebytes
2011-08-31 00:17:28 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2011-08-30 17:22:52 -------- d-sh--w- C:\FOUND.031
2011-08-29 17:33:13 -------- d-----w- c:\documents and settings\all users\application data\Symantec
2011-08-29 17:04:49 -------- d-----w- c:\documents and settings\crissey rasmussen\local settings\application data\{6048AAA6-4697-4255-8B31-4B39351EC38A}
2011-08-26 14:49:24 -------- d-sh--w- C:\FOUND.030
2011-08-25 17:04:38 -------- d-sh--w- C:\FOUND.029
2011-08-24 01:41:32 -------- d-sh--w- C:\FOUND.028
2011-08-19 17:56:32 -------- d-sh--w- C:\FOUND.027
.
==================== Find3M ====================
.
2011-09-03 10:17:38 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-07-26 18:51:08 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-07-26 18:51:06 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-07-20 20:21:36 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-07-15 13:29:32 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-07-13 21:52:54 71072 ----a-w- c:\windows\CouponPrinter.ocx
2011-07-08 14:02:00 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys
2011-06-29 18:37:04 101720 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2011-06-24 14:10:36 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2011-06-24 04:47:38 20552 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2011-06-23 18:36:30 916480 ----a-w- c:\windows\system32\wininet.dll
2011-06-23 18:36:30 43520 ------w- c:\windows\system32\licmgr10.dll
2011-06-23 18:36:30 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-06-23 12:05:14 385024 ----a-w- c:\windows\system32\html.iec
2011-06-20 17:44:52 293376 ----a-w- c:\windows\system32\winsrv.dll
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: HTS541060G9AT00 rev.MB3OA60A -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-4
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x82F904C0]<< >>UNKNOWN [0x83283781]<<
_asm { INT 3 ; INC ESP; AND AL, 0x4; MOV ECX, [0x82f978a4]; PUSH ESI; MOV ESI, [ESP+0xc]; PUSH EDI; MOV EDI, [ESI+0x60]; CMP EAX, [0x82f97730]; JNZ 0x1f; MOV [ESP+0xc], ECX; }
1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x83336478]
3 CLASSPNP[0xF86D5FD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\000000ad[0x83390490]
5 ACPI[0xF84CC620] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x8330CB58]
\Driver\atapi[0x830634D8] -> IRP_MJ_CREATE -> 0x82F904C0
error: Read A device attached to the system is not functioning.
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV DI, 0x5; XOR AX, AX; MOV DL, 0x80; INT 0x13; JAE 0x2d; DEC DI; }
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x82F902E0
NDIS: Broadcom 440x 10/100 Integrated Controller -> SendHandler -> 0x832412c0
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
.
============= FINISH: 22:32:28.14 ===============



The heading said to send DDS & GMER, but there was no reference to including GMER (ark.txt) in the instructions, so I'm just including it here:

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2011-09-16 22:55:21
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdePort0 HTS541060G9AT00 rev.MB3OA60A
Running: gmer.exe; Driver: C:\DOCUME~1\CRISSE~1\LOCALS~1\Temp\fwrdypow.sys


---- System - GMER 1.0.15 ----

SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwCreateKey [0xF86E587E]
SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwSetValueKey [0xF86E5BFE]

---- Kernel code sections - GMER 1.0.15 ----

? C:\DOCUME~1\CRISSE~1\LOCALS~1\Temp\mbr.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Internet Explorer\iexplore.exe[740] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E215505 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[740] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDB3C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[740] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E5337 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[740] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E5269 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[740] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E52D4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[740] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E513A C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[740] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E519C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[740] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E539A C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[740] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E51FE C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1864] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E215505 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1864] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 3E2E9AC9 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1864] USER32.dll!CallNextHookEx 7E42B3C6 5 Bytes JMP 3E2DD12D C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1864] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDB3C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1864] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 3E2546A6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1864] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E5337 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1864] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E5269 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1864] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E52D4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1864] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E513A C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1864] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E519C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1864] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E539A C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1864] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E51FE C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1864] ole32.dll!CoCreateInstance 774FF1AC 5 Bytes JMP 3E2EDB98 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1864] ole32.dll!OleLoadFromStream 7752981B 5 Bytes JMP 3E3E569F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3040] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E215505 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3040] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 3E2E9AC9 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3040] USER32.dll!CallNextHookEx 7E42B3C6 5 Bytes JMP 3E2DD12D C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3040] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDB3C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3040] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 3E2546A6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3040] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E5337 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3040] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E5269 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3040] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E52D4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3040] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E513A C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3040] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E519C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3040] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E539A C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3040] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E51FE C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3040] ole32.dll!CoCreateInstance 774FF1AC 5 Bytes JMP 3E2EDB98 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3040] ole32.dll!OleLoadFromStream 7752981B 5 Bytes JMP 3E3E569F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Documents and Settings\Crissey Rasmussen\Application Data\Microsoft\MicrosoftUpdate\Microsoftupdt32.exe[3196] wininet.dll!InternetReadFile 3D94654B 5 Bytes JMP 009EE310
.text C:\Documents and Settings\Crissey Rasmussen\Application Data\Microsoft\MicrosoftUpdate\Microsoftupdt32.exe[3196] wininet.dll!HttpQueryInfoA 3D94878D 5 Bytes JMP 009EF8E8
.text C:\Documents and Settings\Crissey Rasmussen\Application Data\Microsoft\MicrosoftUpdate\Microsoftupdt32.exe[3196] wininet.dll!InternetCloseHandle 3D949088 5 Bytes JMP 009EEA58
.text C:\Documents and Settings\Crissey Rasmussen\Application Data\Microsoft\MicrosoftUpdate\Microsoftupdt32.exe[3196] wininet.dll!HttpAddRequestHeadersA 3D94CF4E 5 Bytes JMP 009ECD38
.text C:\Documents and Settings\Crissey Rasmussen\Application Data\Microsoft\MicrosoftUpdate\Microsoftupdt32.exe[3196] wininet.dll!HttpOpenRequestA 3D94D508 5 Bytes JMP 009EBEA8
.text C:\Documents and Settings\Crissey Rasmussen\Application Data\Microsoft\MicrosoftUpdate\Microsoftupdt32.exe[3196] wininet.dll!InternetConnectA 3D94DEAE 5 Bytes JMP 009EB760
.text C:\Documents and Settings\Crissey Rasmussen\Application Data\Microsoft\MicrosoftUpdate\Microsoftupdt32.exe[3196] wininet.dll!HttpSendRequestW 3D94FABE 5 Bytes JMP 009EDBC8
.text C:\Documents and Settings\Crissey Rasmussen\Application Data\Microsoft\MicrosoftUpdate\Microsoftupdt32.exe[3196] wininet.dll!InternetOpenA 3D95D698 5 Bytes JMP 009EB018
.text C:\Documents and Settings\Crissey Rasmussen\Application Data\Microsoft\MicrosoftUpdate\Microsoftupdt32.exe[3196] wininet.dll!HttpSendRequestA 3D95EE91 5 Bytes JMP 009ED480
.text C:\Documents and Settings\Crissey Rasmussen\Application Data\Microsoft\MicrosoftUpdate\Microsoftupdt32.exe[3196] wininet.dll!InternetReadFileExA 3D963261 5 Bytes JMP 009EC5F0
.text C:\Documents and Settings\Crissey Rasmussen\Application Data\Microsoft\MicrosoftUpdate\Microsoftupdt32.exe[3196] wininet.dll!InternetErrorDlg 3D9CA7A3 5 Bytes JMP 009EF1A0
.text C:\Program Files\Internet Explorer\iexplore.exe[3224] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E215505 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3224] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 3E2E9AC9 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3224] USER32.dll!CallNextHookEx 7E42B3C6 5 Bytes JMP 3E2DD12D C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3224] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDB3C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3224] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 3E2546A6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3224] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E5337 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3224] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E5269 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3224] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E52D4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3224] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E513A C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3224] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E519C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3224] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E539A C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3224] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E51FE C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3224] ole32.dll!CoCreateInstance 774FF1AC 5 Bytes JMP 3E2EDB98 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3224] ole32.dll!OleLoadFromStream 7752981B 5 Bytes JMP 3E3E569F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

Device \Driver\Cdrom \Device\CdRom0 OsaFsLoc.sys (Filesystem Lock driver/OSA Technologies)
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort0 82F902E0

---- Threads - GMER 1.0.15 ----

Thread System [4:136] 832A80F9
Thread System [4:504] 82EEEB90

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\0014a4fde349 (not active ControlSet)
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\0014a4fde349
Reg HKLM\SYSTEM\ControlSet004\Services\BTHPORT\Parameters\Keys\0014a4fde349 (not active ControlSet)

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 00: rootkit-like behavior

---- EOF - GMER 1.0.15 ----



Thank you for your help!!!!!!!
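The `.text` lines in the GMER log above carry a useful triage signal: the hooks set by iexplore.exe resolve to IEFRAME.dll (GMER names the backing module), while the hooks set by an executable living under Application Data land on wininet.dll entry points with JMP targets GMER cannot attribute to any module. The Python below is an added example, not part of this thread and not GMER's own code: the sample lines are copied from the log above, and the `NETWORK_MODULES` set and the user-profile path heuristic are assumptions of this example rather than anything GMER reports.

```python
import re
from collections import defaultdict

# One GMER user-mode inline-hook line takes one of two shapes (both appear in the log above):
#   .text <image path>[<pid>] <module>!<function> <address> 5 Bytes JMP <target>
#   .text <image path>[<pid>] <module>!<function> <address> 5 Bytes JMP <target> <backing module> (<vendor>)
# GMER appends the backing module only when the JMP target resolves into a loaded module;
# a bare target address means the hook lands in memory not backed by any module on disk.
HOOK_RE = re.compile(
    r"^\.text\s+(?P<process>.+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<module>[^!\s]+)!(?P<function>\S+)\s+"
    r"(?P<address>[0-9A-Fa-f]+)\s+(?P<size>\d+)\s+Bytes\s+"
    r"(?P<kind>JMP|CALL)\s+(?P<target>[0-9A-Fa-f]+)"
    r"(?:\s+(?P<backing>\S.*?))?\s*$"
)

# Assumption of this example: modules whose hooking is characteristic of browser-redirect
# and form-grabbing malware (HTTP and socket layers, browser-internal networking).
NETWORK_MODULES = {"wininet.dll", "ws2_32.dll", "nspr4.dll", "chrome.dll"}

# Assumption of this example: an image executing from a writable per-user directory
# (Windows XP profile layout, as seen in the log above).
USER_PROFILE_RE = re.compile(
    r"\\Documents and Settings\\[^\\]+\\(?:Application Data|Local Settings)\\", re.IGNORECASE)

# Sample input: lines copied from the GMER log in this thread, plus two non-hook lines
# to show that the parser ignores them.
SAMPLE_GMER_LINES = [
    r".text C:\Documents and Settings\Crissey Rasmussen\Application Data\Microsoft\MicrosoftUpdate\Microsoftupdt32.exe[3196] wininet.dll!HttpOpenRequestA 3D94D508 5 Bytes JMP 009EBEA8",
    r".text C:\Documents and Settings\Crissey Rasmussen\Application Data\Microsoft\MicrosoftUpdate\Microsoftupdt32.exe[3196] wininet.dll!InternetConnectA 3D94DEAE 5 Bytes JMP 009EB760",
    r".text C:\Documents and Settings\Crissey Rasmussen\Application Data\Microsoft\MicrosoftUpdate\Microsoftupdt32.exe[3196] wininet.dll!HttpSendRequestW 3D94FABE 5 Bytes JMP 009EDBC8",
    r".text C:\Documents and Settings\Crissey Rasmussen\Application Data\Microsoft\MicrosoftUpdate\Microsoftupdt32.exe[3196] wininet.dll!HttpSendRequestA 3D95EE91 5 Bytes JMP 009ED480",
    r".text C:\Program Files\Internet Explorer\iexplore.exe[3224] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E215505 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)",
    r".text C:\Program Files\Internet Explorer\iexplore.exe[3224] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 3E2E9AC9 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)",
    r".text C:\Program Files\Internet Explorer\iexplore.exe[3224] ole32.dll!CoCreateInstance 774FF1AC 5 Bytes JMP 3E2EDB98 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)",
    r"---- Devices - GMER 1.0.15 ----",
    r"AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)",
]


def parse_hooks(lines):
    """Return one dict per recognised hook line; lines that are not hooks are skipped."""
    hooks = []
    for line in lines:
        m = HOOK_RE.match(line.strip())
        if m:
            hook = m.groupdict()
            hook["module"] = hook["module"].lower()
            hooks.append(hook)
    return hooks


def triage(lines):
    """Group hooks by hooking process ("<image path>[pid]") and score each process."""
    report = defaultdict(lambda: {"hooks": 0, "unbacked": 0, "network": 0,
                                  "functions": [], "user_profile_image": False,
                                  "suspicious": False})
    for h in parse_hooks(lines):
        entry = report[f"{h['process']}[{h['pid']}]"]
        entry["hooks"] += 1
        entry["functions"].append(f"{h['module']}!{h['function']}")
        if h["backing"] is None:  # GMER could not attribute the target to any module
            entry["unbacked"] += 1
        if h["module"] in NETWORK_MODULES:
            entry["network"] += 1
        entry["user_profile_image"] = bool(USER_PROFILE_RE.search(h["process"]))
    for entry in report.values():
        # An unbacked JMP target is the strongest single signal (injected or memory-only
        # code); network-API hooks from a user-profile image corroborate it. Hooks that
        # resolve into a vendor-attributed module, like IE's own IEFRAME.dll patches,
        # are routine and are not flagged by this rule.
        entry["suspicious"] = entry["unbacked"] > 0 or (
            entry["network"] > 0 and entry["user_profile_image"])
    return dict(report)


def suspicious_processes(report):
    """Keys of triage() entries that warrant a closer look, in a stable order."""
    return sorted(k for k, v in report.items() if v["suspicious"])


if __name__ == "__main__":
    result = triage(SAMPLE_GMER_LINES)
    for key in suspicious_processes(result):
        e = result[key]
        print(f"{key}: {e['hooks']} hooks, {e['unbacked']} unbacked, "
              f"{e['network']} on network APIs -> {', '.join(e['functions'])}")
```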



#2 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Canada
  • Local time:07:56 PM

Posted 17 September 2011 - 05:11 PM

Hi,

Please do the following:

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
  • Double click on ComboFix.exe & follow the prompts.
As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Posted Image

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image

  • Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#3 TTFN41460

TTFN41460
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  •  
  • Local time:07:56 PM

Posted 17 September 2011 - 07:40 PM

I downloaded ComboFix and the needed Recovery Console; ran through stage 5 (at least that was the last time I looked at the screen). Next time I looked - blue screen, and it had already counted down and was 52% through scanning discs for errors. Once it finished I had no log to provide. I right clicked on the ComboFix icon and clicked on open - didn't know it would run it - was trying to find a log - but it ran and this time went all the way through, rebooted and created this log:

ComboFix 11-09-17.03 - Crissey Rasmussen 09/17/2011 17:05:38.2.1 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.502.324 [GMT -7:00]
Running from: c:\documents and settings\Crissey Rasmussen\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\docume~1\CRISSE~1\LOCALS~1\Temp\w7e16.tmp.exe
c:\documents and settings\Administrator\Local Settings\Application Data\ApplicationHistory
c:\documents and settings\Administrator\Local Settings\Application Data\ApplicationHistory\MCInstaller.exe.77f8e728.ini
c:\documents and settings\Administrator\Local Settings\Application Data\ApplicationHistory\ngen.exe.2c05686e.ini
c:\documents and settings\Administrator\Local Settings\Application Data\ApplicationHistory\RegAsm.exe.ca35bcc8.ini
c:\documents and settings\Administrator\Local Settings\Application Data\ApplicationHistory\SLAE.tmp.53d8bc2d.ini
c:\documents and settings\All Users\Application Data\jihe.exe
c:\documents and settings\All Users\Application Data\jjra.exe
c:\documents and settings\All Users\Application Data\oksq.exe
c:\documents and settings\All Users\Application Data\txig.exe
c:\documents and settings\Crissey Rasmussen\eohaggeozn.tmp
c:\documents and settings\Crissey Rasmussen\Local Settings\Application Data\ApplicationHistory
c:\documents and settings\Crissey Rasmussen\Local Settings\Application Data\ApplicationHistory\CC_Install.exe.a765243e.ini
c:\documents and settings\Crissey Rasmussen\Local Settings\Application Data\ApplicationHistory\ClearEvent.exe.2c2b43e5.ini
c:\documents and settings\Crissey Rasmussen\Local Settings\Application Data\ApplicationHistory\ePower_DMC.exe.3ca0acde.ini
c:\documents and settings\Crissey Rasmussen\Local Settings\Application Data\ApplicationHistory\ePower_DMC.exe.3ca0acde.ini.inuse
c:\documents and settings\Crissey Rasmussen\Local Settings\Application Data\ApplicationHistory\MCInstaller.exe.77f8e728.ini
c:\documents and settings\Crissey Rasmussen\Local Settings\Application Data\ApplicationHistory\ngen.exe.2c05686e.ini
c:\documents and settings\Crissey Rasmussen\Local Settings\Application Data\ApplicationHistory\RegAsm.exe.ca35bcc8.ini
c:\documents and settings\Crissey Rasmussen\Local Settings\Application Data\ApplicationHistory\SLAE.tmp.53d8bc2d.ini
c:\documents and settings\Crissey Rasmussen\Local Settings\Application Data\ApplicationHistory\WarReg_PopUp.exe.aeb2bf69.ini
c:\documents and settings\Crissey Rasmussen\Local Settings\Application Data\dekp.exe
c:\documents and settings\Crissey Rasmussen\Local Settings\Application Data\pvsy.exe
c:\documents and settings\Crissey Rasmussen\Local Settings\Application Data\umtc.exe
c:\documents and settings\Crissey Rasmussen\Local Settings\Application Data\vyav.exe
c:\documents and settings\Crissey Rasmussen\Local Settings\Temp\w7e16.tmp.exe
c:\documents and settings\Crissey Rasmussen\Templates\axcq.exe
c:\documents and settings\Crissey Rasmussen\Templates\lcsx.exe
c:\documents and settings\Crissey Rasmussen\Templates\slhq.exe
c:\documents and settings\Crissey Rasmussen\Templates\tuhi.exe
c:\program files\Internet Explorer\SET1046.tmp
c:\program files\Internet Explorer\SETFFD.tmp
c:\windows\FaxSetup.log
c:\windows\kb913800.exe
c:\windows\system32\lvci11701196.dll
c:\windows\TEMP\logishrd\LVPrcInj01.dll
c:\windows\tsoc.log
c:\windows\WindowsUpdate.log
.
.
((((((((((((((((((((((((( Files Created from 2011-08-18 to 2011-09-18 )))))))))))))))))))))))))))))))
.
.
2011-09-17 23:45 . 2011-09-17 23:45 -------- d-----w- C:\FOUND.032
2011-09-14 17:22 . 2011-08-12 02:44 7152464 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{4312C66D-290F-4973-9569-A08695D2976B}\mpengine.dll
2011-09-14 07:04 . 2011-09-14 07:04 99328 ----a-w- c:\documents and settings\Crissey Rasmussen\Application Data\Microsoft\MicrosoftUpdate\Microsoftupdt32.exe
2011-09-14 07:04 . 2011-09-14 07:04 155136 ----a-w- c:\documents and settings\Crissey Rasmussen\Application Data\Microsoft\MicrosoftUpdate\Microsoftupdt32.dll
2011-09-03 10:17 . 2011-09-03 10:17 599040 ------w- c:\windows\system32\dllcache\crypt32.dll
2011-09-01 02:58 . 2011-08-12 02:44 7152464 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2011-08-31 21:47 . 2011-07-07 02:52 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-08-31 21:47 . 2011-07-07 02:52 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-08-31 21:47 . 2011-08-31 21:47 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-08-31 01:12 . 2011-08-31 01:12 354 ----a-w- c:\windows\system32\drivers\xdrkiuvt.dat
2011-08-31 01:04 . 2011-08-31 01:04 354 ----a-w- c:\windows\system32\drivers\hwjkdick.dat
2011-08-31 01:00 . 2011-08-31 01:00 532 ----a-w- c:\windows\system32\drivers\bzncemug.dat
2011-08-31 00:41 . 2011-05-25 02:14 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-08-31 00:21 . 2011-08-31 00:21 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\PCHealth
2011-08-31 00:20 . 2011-08-31 00:20 -------- d-----w- c:\program files\Microsoft Security Client
2011-08-31 00:17 . 2011-08-31 00:17 -------- d-----w- c:\documents and settings\Crissey Rasmussen\Application Data\Malwarebytes
2011-08-31 00:17 . 2011-08-31 00:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-08-30 17:22 . 2011-08-30 17:22 -------- d-----w- C:\FOUND.031
2011-08-29 17:33 . 2011-08-29 17:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2011-08-29 17:04 . 2011-08-29 17:04 -------- d-----w- c:\documents and settings\Crissey Rasmussen\Local Settings\Application Data\{6048AAA6-4697-4255-8B31-4B39351EC38A}
2011-08-26 14:49 . 2011-08-26 14:49 -------- d-----w- C:\FOUND.030
2011-08-25 17:04 . 2011-08-25 17:04 -------- d-----w- C:\FOUND.029
2011-08-24 01:41 . 2011-08-24 01:41 -------- d-----w- C:\FOUND.028
2011-08-19 17:56 . 2011-08-19 17:56 -------- d-----w- C:\FOUND.027
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-09-03 10:17 . 2004-08-11 03:00 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-07-26 18:51 . 2011-07-26 18:51 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-07-26 18:51 . 2011-05-05 16:44 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-07-20 20:21 . 2011-07-20 20:21 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-07-15 13:29 . 2004-08-11 03:00 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-07-13 21:52 . 2011-02-14 22:05 71072 ----a-w- c:\windows\CouponPrinter.ocx
2011-07-08 14:02 . 2004-08-11 03:00 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys
2011-06-29 18:37 . 2010-11-17 18:25 101720 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2011-06-24 14:10 . 2004-08-11 03:00 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2011-06-24 04:47 . 2010-11-21 17:48 20552 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2011-06-23 18:36 . 2006-01-09 18:02 916480 ----a-w- c:\windows\system32\wininet.dll
2011-06-23 18:36 . 2004-08-11 03:00 43520 ------w- c:\windows\system32\licmgr10.dll
2011-06-23 18:36 . 2004-08-11 03:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-06-23 12:05 . 2004-08-11 03:00 385024 ----a-w- c:\windows\system32\html.iec
2011-06-20 17:44 . 2004-08-11 03:00 293376 ----a-w- c:\windows\system32\winsrv.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-09-03 39408]
"cdloader"="c:\documents and settings\Crissey Rasmussen\Application Data\mjusbsp\cdloader2.exe" [2010-12-03 50592]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LaunchApp"="Alaunch" [X]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-03-23 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-03-23 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-03-23 118784]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"RTHDCPL"="RTHDCPL.EXE" [2006-06-28 16248320]
"SkyTel"="SkyTel.EXE" [2006-05-17 2879488]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-03 761946]
"ntiMUI"="c:\program files\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe" [2006-05-15 45056]
"ADMTray.exe"="c:\acer\Empowering Technology\admtray.exe" [2005-10-24 2462208]
"ePower_DMC"="c:\acer\Empowering Technology\ePower\ePower_DMC.exe" [2006-08-11 352256]
"Acer ePower Management"="c:\acer\Empowering Technology\ePower\Acer ePower Management.exe" [2006-05-22 3080704]
"LManager"="c:\progra~1\LAUNCH~1\LManager.exe" [2006-07-21 593920]
"eRecoveryService"="c:\acer\Empowering Technology\eRecovery\Monitor.exe" [2006-01-25 397312]
"eDataSecurity Loader"="c:\acer\Empowering Technology\eDataSecurity\eDSloader.exe" [2005-12-27 69632]
"Google Quick Search Box"="c:\program files\Google\Quick Search Box\GoogleQuickSearchBox.exe" [2009-09-03 122368]
"masqform.exe"="c:\program files\IBM\Lotus Forms\Viewer\3.0\masqform.exe" [2008-01-17 991232]
"hpqSRMon"="c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe" [2007-08-22 80896]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-12 417792]
"LogitechQuickCamRibbon"="c:\program files\Logitech\QuickCam\Quickcam.exe" [2008-12-20 2656528]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-11 59392]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-11 455168]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-11 208952]
"AzMixerSel"="c:\program files\Realtek\InstallShield\AzMixerSel.exe" [2005-12-21 53248]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-11 455168]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 997920]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]
"MicrosoftUpdate"="c:\documents and settings\Crissey Rasmussen\Application Data\Microsoft\MicrosoftUpdate\Microsoftupdt32.exe" [2011-09-14 99328]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Documents and Settings\\Crissey Rasmussen\\Application Data\\mjusbsp\\magicJack.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"443:TCP"= 443:TCP:*:Disabled:ooVoo TCP port 443
"443:UDP"= 443:UDP:*:Disabled:ooVoo UDP port 443
"37674:TCP"= 37674:TCP:*:Disabled:ooVoo TCP port 37674
"37674:UDP"= 37674:UDP:*:Disabled:ooVoo UDP port 37674
"37675:UDP"= 37675:UDP:*:Disabled:ooVoo UDP port 37675
.
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [11/17/2010 11:25 AM 64288]
S1 MpKsl74df1d77;MpKsl74df1d77;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{3D235954-6BCF-451C-98ED-EAD792584E76}\MpKsl74df1d77.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{3D235954-6BCF-451C-98ED-EAD792584E76}\MpKsl74df1d77.sys [?]
S1 MpKsldf9fc2ed;MpKsldf9fc2ed;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{12B53AEB-3CC4-4206-B673-00ACCAB85EBB}\MpKsldf9fc2ed.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{12B53AEB-3CC4-4206-B673-00ACCAB85EBB}\MpKsldf9fc2ed.sys [?]
S1 MpKslf02311a7;MpKslf02311a7;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{607679C2-D509-4A08-8946-44FD9370979D}\MpKslf02311a7.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{607679C2-D509-4A08-8946-44FD9370979D}\MpKslf02311a7.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/31/2010 1:23 PM 135664]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;"c:\program files\Lavasoft\Ad-Aware\AAWService.exe" --> c:\program files\Lavasoft\Ad-Aware\AAWService.exe [?]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [1/31/2010 1:23 PM 135664]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;\??\c:\program files\Lavasoft\Ad-Aware\KernExplorer.sys --> c:\program files\Lavasoft\Ad-Aware\KernExplorer.sys [?]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [8/31/2011 2:47 PM 22712]
S3 McComponentHostService;McAfee Security Scan Component Host Service;"c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe" --> c:\program files\McAfee Security Scan\2.0.181\McCHSvc.exe [?]
S4 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [8/31/2011 2:47 PM 366640]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - INT15.SYS
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
.
2011-09-17 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-749279974-1355739817-567388894-1005Core1cc6e9f4176cf24.job
- c:\documents and settings\Crissey Rasmussen\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-07-20 17:58]
.
2011-09-18 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-31 20:23]
.
2011-09-18 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-01-31 20:23]
.
2011-09-17 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2011-04-27 22:39]
.
2011-09-18 c:\windows\Tasks\MpIdleTask.job
- c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2011-04-27 22:39]
.
2011-09-18 c:\windows\Tasks\User_Feed_Synchronization-{9A8F9F9B-16DE-4EF1-9665-E4EF1BD6E7B2}.job
- c:\windows\system32\msfeedssync.exe [2007-08-14 11:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://seattle.craigslist.org/
uDefault_Search_URL = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: Customize Menu - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
IE: Fill Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_950DF09FAB501E03.dll/cmsidewiki.html
IE: RoboForm Toolbar - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
IE: Save Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
Trusted Zone: isgn.com\orders
TCP: DhcpNameServer = 192.168.1.1
DPF: AuthenticBrowserEdition - hxxps://vendors.isgn.com/Komodo/common/forms/cab/AuthenticBrowserEdition.cab
DPF: {34DC6011-88B5-4EA9-BA7A-DC7B4F4437FE} - hxxp://www.seehere.com/ips-opdata/layout/fujius02/objects/jordan.cab
DPF: {62BC5DB2-0044-4040-B366-D628F3CFD551} - file:///C:/DOCUME~1/CRISSE~1/LOCALS~1/Temp/IXP000.TMP/setup.cab
DPF: {83A4D5A6-E2C1-4EDD-AD48-1A1C50BD06EF} - hxxps://valuemanager.iasreo.com/BPO/ImageUploader6.cab
DPF: {E4BBF5F2-453C-4D24-8547-A717DD7592B9} - hxxps://valuemanager.iasreo.com/BPO/ImageUploader6.cab
DPF: {F375116A-793C-11D2-BFE1-444553540001} - hxxp://realist2.firstamres.com/mapviewer/mapviewer.cab
.
- - - - ORPHANS REMOVED - - - -
.
BHO-{030452BC-CB72-4BCE-A1B9-17989D9DC6Fc} - c:\docume~1\CRISSE~1\LOCALS~1\Temp\w7e16.tmp.exe
HKCU-Run-ICS5R7Y0OS - c:\windows\Rjymyb.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-09-17 17:26
Windows 5.1.2600 Service Pack 3 FAT NTAPI
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: HTS541060G9AT00 rev.MB3OA60A -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-4
.
device: opened successfully
user: MBR read successfully
error: Read A device attached to the system is not functioning.
kernel: MBR read successfully
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x831BA2E0
NDIS: Broadcom 440x 10/100 Integrated Controller -> SendHandler -> 0x82c421d8
user & kernel MBR OK
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(4900)
c:\windows\system32\WININET.dll
c:\windows\TEMP\logishrd\LVPrcInj01.dll
c:\windows\system32\MSNChatHook.dll
c:\windows\system32\sysenv.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\acer\Empowering Technology\ePower\SysHook.dll
c:\program files\Siber Systems\AI RoboForm\roboform.dll
c:\program files\Microsoft Office\OFFICE11\msohev.dll
c:\program files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Microsoft Security Client\Antimalware\MsMpEng.exe
c:\acer\Empowering Technology\admServ.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\windows\RTHDCPL.EXE
c:\windows\eHome\ehmsas.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
c:\windows\system32\rundll32.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\igfxext.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\Common Files\Logishrd\LQCVFX\COCIManager.exe
c:\docume~1\CRISSE~1\LOCALS~1\Temp\RtkBtMnt.exe
c:\windows\system32\wbem\wmiapsrv.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\wbem\unsecapp.exe
.
**************************************************************************
.
Completion time: 2011-09-17 17:33:16 - machine was rebooted
ComboFix-quarantined-files.txt 2011-09-18 00:33
.
Pre-Run: 3,867,000,832 bytes free
Post-Run: 4,943,937,536 bytes free
.
- - End Of File - - E8160B4E51D88C929EA5BDF06FD8128F

#4 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Canada
  • Local time:07:56 PM

Posted 17 September 2011 - 08:31 PM

Hi

Please run the following:

Please download TDSSKiller.zip
  • Extract it to your desktop
  • Double click TDSSKiller.exe
  • Press Start Scan
    • Only if Malicious objects are found then ensure Cure is selected
    • Then click Continue > Reboot now
  • Copy and paste the log in your next reply
    • A copy of the log will be saved automatically to the root of the drive (typically C:\)


NEXT



  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below.
  • They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
Copy/paste the text inside the Codebox below into notepad:

Here's how to do that:
Click Start > Run type Notepad click OK.
This will open an empty notepad file:

Copy all the text inside of the code box - Press Ctrl+C (or right click on the highlighted section and choose 'copy')

http://www.bleepingcomputer.com/forums/topic419291.html/page__pid__2411489#entry2411489

Collect::
c:\windows\system32\drivers\xdrkiuvt.dat
c:\windows\system32\drivers\hwjkdick.dat
c:\windows\system32\drivers\bzncemug.dat

Folder::
c:\documents and settings\Crissey Rasmussen\Local Settings\Application Data\{6048AAA6-4697-4255-8B31-4B39351EC38A}

Now paste the copied text into the open notepad - press CTRL+V (or right click and choose 'paste')

Save this file to your desktop, Save this as "CFScript"


Here's how to do that:

1. Click File;
2. Click Save As... Change the directory to your desktop;
3. Change the Save as type to "All Files";
4. Type in the file name: CFScript
5. Click Save ...

Posted Image
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix may request an update; please allow it.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you.
  • Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.



#5 TTFN41460

TTFN41460
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  •  
  • Local time:07:56 PM

Posted 17 September 2011 - 09:34 PM

I ran both, but when attempting to run CF with the CF Script I had saved, it started out fine; but once the initial box (black with green lettering) was done and the next box opened, after a minute or two a pop-up opened saying CFScript is "incorrectly spelt". I saved it as CF Script. The pop-up said CFScript but there is no spelling error. When I clicked OK, everything closed and I was at my desktop. Should I try again???

Here is the TDSS log:

2011/09/17 19:11:39.0296 0684 TDSS rootkit removing tool 2.5.22.0 Sep 13 2011 15:55:17
2011/09/17 19:11:39.0828 0684 ================================================================================
2011/09/17 19:11:39.0828 0684 SystemInfo:
2011/09/17 19:11:39.0828 0684
2011/09/17 19:11:39.0828 0684 OS Version: 5.1.2600 ServicePack: 3.0
2011/09/17 19:11:39.0828 0684 Product type: Workstation
2011/09/17 19:11:39.0828 0684 ComputerName: ACER-FCAFBFA90D
2011/09/17 19:11:39.0828 0684 UserName: Crissey Rasmussen
2011/09/17 19:11:39.0828 0684 Windows directory: C:\WINDOWS
2011/09/17 19:11:39.0828 0684 System windows directory: C:\WINDOWS
2011/09/17 19:11:39.0828 0684 Processor architecture: Intel x86
2011/09/17 19:11:39.0828 0684 Number of processors: 1
2011/09/17 19:11:39.0828 0684 Page size: 0x1000
2011/09/17 19:11:39.0828 0684 Boot type: Normal boot
2011/09/17 19:11:39.0828 0684 ================================================================================
2011/09/17 19:11:41.0140 0684 Initialize success
2011/09/17 19:11:50.0281 2700 ================================================================================
2011/09/17 19:11:50.0281 2700 Scan started
2011/09/17 19:11:50.0281 2700 Mode: Manual;
2011/09/17 19:11:50.0281 2700 ================================================================================
2011/09/17 19:11:52.0406 2700 abp480n5 (6abb91494fe6c59089b9336452ab2ea3) C:\WINDOWS\system32\DRIVERS\ABP480N5.SYS
2011/09/17 19:11:52.0546 2700 ACPI (d8fb7d1c3f5bfa3f53fe9cc6367e9e99) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2011/09/17 19:11:52.0546 2700 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\ACPI.sys. Real md5: d8fb7d1c3f5bfa3f53fe9cc6367e9e99, Fake md5: 8fd99680a539792a30e97944fdaecf17
2011/09/17 19:11:52.0562 2700 ACPI - detected Virus.Win32.Rloader.a (0)
2011/09/17 19:12:26.0296 2700 MBR (0x1B8) (e167277f8f402c29d3bf12b2d6fc43ea) \Device\Harddisk0\DR0
2011/09/17 19:12:26.0312 2700 \Device\Harddisk0\DR0 - detected Rootkit.Boot.Pihar.a (0)
2011/09/17 19:12:26.0328 2700 Boot (0x1200) (92934e91939d7c48f5f623835629b437) \Device\Harddisk0\DR0\Partition0
2011/09/17 19:12:26.0359 2700 Boot (0x1200) (793cc327c4bbda3c0490bb340aff6042) \Device\Harddisk0\DR0\Partition1
2011/09/17 19:12:26.0375 2700 ================================================================================
2011/09/17 19:12:26.0375 2700 Scan finished
2011/09/17 19:12:26.0375 2700 ================================================================================
2011/09/17 19:12:26.0390 5692 Detected object count: 2
2011/09/17 19:12:26.0390 5692 Actual detected object count: 2
2011/09/17 19:13:03.0625 5692 ACPI (d8fb7d1c3f5bfa3f53fe9cc6367e9e99) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2011/09/17 19:13:03.0640 5692 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\ACPI.sys. Real md5: d8fb7d1c3f5bfa3f53fe9cc6367e9e99, Fake md5: 8fd99680a539792a30e97944fdaecf17
2011/09/17 19:13:05.0875 5692 Backup copy found, using it..
2011/09/17 19:13:06.0062 5692 C:\WINDOWS\system32\DRIVERS\ACPI.sys - will be cured after reboot
2011/09/17 19:13:06.0062 5692 Virus.Win32.Rloader.a(ACPI) - User select action: Cure
2011/09/17 19:13:06.0109 5692 \Device\Harddisk0\DR0 (Rootkit.Boot.Pihar.a) - will be cured after reboot
2011/09/17 19:13:06.0109 5692 \Device\Harddisk0\DR0 - ok
2011/09/17 19:13:06.0109 5692 Rootkit.Boot.Pihar.a(\Device\Harddisk0\DR0) - User select action: Cure
2011/09/17 19:13:14.0484 6504 Deinitialize success
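As an added example (not part of the original post or of TDSSKiller itself), a small Python triage script for a log like the one above: it pulls out the forged-file warnings, the detections, the user-chosen actions and the cure-on-reboot lines, and checks that every detected threat got a Cure. The embedded sample log is constructed from the detection lines above; the only layout it assumes is `<date> <time> <pid> <message>` per line.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample: the structure of the log posted above, trimmed to the
# lines that carry the findings (forged ACPI.sys, MBR rootkit) plus one clean
# driver line and the summary/cure lines.
SAMPLE_LOG = r"""
2011/09/17 19:11:52.0546 2700 ACPI (d8fb7d1c3f5bfa3f53fe9cc6367e9e99) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2011/09/17 19:11:52.0546 2700 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\ACPI.sys. Real md5: d8fb7d1c3f5bfa3f53fe9cc6367e9e99, Fake md5: 8fd99680a539792a30e97944fdaecf17
2011/09/17 19:11:52.0562 2700 ACPI - detected Virus.Win32.Rloader.a (0)
2011/09/17 19:11:52.0640 2700 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\DRIVERS\ACPIEC.sys
2011/09/17 19:12:26.0296 2700 MBR (0x1B8) (e167277f8f402c29d3bf12b2d6fc43ea) \Device\Harddisk0\DR0
2011/09/17 19:12:26.0312 2700 \Device\Harddisk0\DR0 - detected Rootkit.Boot.Pihar.a (0)
2011/09/17 19:12:26.0390 5692 Detected object count: 2
2011/09/17 19:13:06.0062 5692 C:\WINDOWS\system32\DRIVERS\ACPI.sys - will be cured after reboot
2011/09/17 19:13:06.0062 5692 Virus.Win32.Rloader.a(ACPI) - User select action: Cure
2011/09/17 19:13:06.0109 5692 \Device\Harddisk0\DR0 (Rootkit.Boot.Pihar.a) - will be cured after reboot
2011/09/17 19:13:06.0109 5692 Rootkit.Boot.Pihar.a(\Device\Harddisk0\DR0) - User select action: Cure
"""

# Every line is '<date> <time> <pid> <message>'; the message carries the meaning.
LINE_RE = re.compile(r"^(?P<date>\S+) (?P<time>\S+) (?P<pid>\d+) (?P<msg>.*)$")
# A forged file: the bytes read from disk hash differently from what the normal
# file API returns for the same path, i.e. something is rewriting reads.
FORGED_RE = re.compile(
    r"^Suspicious file \(Forged\): (?P<path>.+?)\. "
    r"Real md5: (?P<real>[0-9a-f]{32}), Fake md5: (?P<fake>[0-9a-f]{32})$")
DETECTED_RE = re.compile(r"^(?P<obj>.+?) - detected (?P<name>\S+)")
ACTION_RE = re.compile(
    r"^(?P<name>[^\s()]+)\((?P<obj>[^()]+)\) - User select action: (?P<action>\w+)$")
CURE_RE = re.compile(r"^(?P<obj>.+?)(?: \((?P<name>[^()]+)\))? - will be cured after reboot$")
COUNT_RE = re.compile(r"^Detected object count: (?P<n>\d+)$")


@dataclass
class Triage:
    forged: List[Tuple[str, str, str]] = field(default_factory=list)  # (path, real, fake)
    detected: List[Tuple[str, str]] = field(default_factory=list)     # (object, threat)
    actions: Dict[str, str] = field(default_factory=dict)             # threat -> action
    pending_reboot: List[str] = field(default_factory=list)           # cured on reboot
    reported_count: Optional[int] = None

    def unresolved(self) -> List[str]:
        """Threats that were detected but never given a Cure action."""
        return [name for _, name in self.detected if self.actions.get(name) != "Cure"]

    def count_matches(self) -> bool:
        """Does the tool's own 'Detected object count' agree with the lines we saw?"""
        return self.reported_count == len(self.detected)


def parse_line(line: str) -> Optional[Tuple[int, str]]:
    """Split one log line into (pid, message); None for blank or unrelated text."""
    m = LINE_RE.match(line.rstrip("\r\n"))
    return (int(m["pid"]), m["msg"]) if m else None


def triage(log_text: str) -> Triage:
    """Walk a TDSSKiller log and keep only the actionable findings."""
    t = Triage()
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue
        msg = parsed[1]
        if m := FORGED_RE.match(msg):
            t.forged.append((m["path"], m["real"], m["fake"]))
        elif m := DETECTED_RE.match(msg):
            t.detected.append((m["obj"], m["name"]))
        elif m := ACTION_RE.match(msg):
            t.actions[m["name"]] = m["action"]
        elif m := CURE_RE.match(msg):
            t.pending_reboot.append(m["obj"])
        elif m := COUNT_RE.match(msg):
            t.reported_count = int(m["n"])
    return t


def report(t: Triage) -> List[str]:
    """Human-readable summary, one line per finding plus a status line."""
    out = [f"forged: {p} (on-disk md5 {real} vs presented md5 {fake})" for p, real, fake in t.forged]
    out += [f"detected: {name} in {obj} -> {t.actions.get(name, 'NO ACTION')}" for obj, name in t.detected]
    out.append(f"cured on reboot: {len(t.pending_reboot)}; count consistent: {t.count_matches()}")
    if t.unresolved():
        out.append("WARNING: unresolved -> " + ", ".join(t.unresolved()))
    return out


if __name__ == "__main__":
    print("\n".join(report(triage(SAMPLE_LOG))))
```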

#6 TTFN41460

TTFN41460
  • Topic Starter

  • Members
  • 21 posts

Posted 17 September 2011 - 09:36 PM

Also, after TDSS, when I went to open the browser to come back here and continue, I still got an infamous 2nd browser that opened, directing me to some unheard-of search site. Just FYI.

#7 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 17 September 2011 - 09:52 PM

Yes, please try it again; there is no space between CF and Script.

it's CFScript.txt

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#8 TTFN41460

TTFN41460
  • Topic Starter

  • Members
  • 21 posts

Posted 18 September 2011 - 02:25 AM

I have tried 5 more times after removing the space; it does fine until it tries to run the scan, then the computer inevitably freezes (even the clock) after 1 to 8 minutes. I am going to try one more time tonight; if it doesn't go, I will be back tomorrow.

#9 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 18 September 2011 - 06:59 AM

Please run it using this command

Press the WinKey +R to open a run box > copy and paste the following into the run box > press OK

"%userprofile%\Desktop\ComboFix.exe" "%userprofile%\Desktop\CFScript.txt"



#10 TTFN41460

TTFN41460
  • Topic Starter

  • Members
  • 21 posts

Posted 18 September 2011 - 02:11 PM

Tried the copy and paste; same result. When I tried the last time last night, it did the same thing but it didn't freeze the system. I left it overnight to see if it just needed a really long time (even though I let it go 90 min. prior to that), and this morning it hadn't moved to Stage 1 but still was not frozen.

When I tried your last suggestion, same thing: the last line I get is about "seriously infected machines may easily double the 10 minutes", and the cursor on the next line just continues to flash.

#11 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 18 September 2011 - 02:44 PM

OK

Please run the following:

  • Please download Junction.zip and save it to your desktop.
  • Unzip it and put junction.exe in the Windows directory (C:\Windows).
  • Now go to Start > Run to open a run box > Copy and paste the following command in the open run box and click OK:

    cmd /c junction -s c:\ >log.txt&log.txt& del log.txt

  • A command window will open and the system will be scanned.
  • Wait until a log file opens.
  • Copy and paste or attach the content of it in your next reply.



NEXT



  • Go to Start->Run and type in notepad and hit OK.
  • Then copy and paste the content of the following codebox into Notepad:

    @echo off
    REM Start from an empty results file; every step below appends to it
    if exist results.txt del results.txt
    FOR %%H IN (
    "c:\windows\system32\drivers\xdrkiuvt.dat"
    "c:\windows\system32\drivers\hwjkdick.dat"
    "c:\windows\system32\drivers\bzncemug.dat"
    ) DO (
    REM Clear read-only/hidden/system attributes so del can remove the file
    attrib -r -h -s %%H
    del /q /f %%H >> results.txt 2>&1
    )
    rmdir /S /Q "c:\documents and settings\Crissey Rasmussen\Local Settings\Application Data\{6048AAA6-4697-4255-8B31-4B39351EC38A}"  >> results.txt 2>&1
    start notepad results.txt
    REM Remove this batch file last: cmd reads the script line by line, so nothing after del %0 would run
    del %0
    
  • Save the file to your DESKTOP as "fix.bat". Make sure to save it with the quotes.
  • Once saved, the icon to click should look like this on your desktop:

    Posted Image
  • Double click fix.bat. to run it. A small black box should open and close - this is normal.
  • Please post the content of results.txt



#12 TTFN41460

TTFN41460
  • Topic Starter

  • Members
  • 21 posts

Posted 18 September 2011 - 04:14 PM

Here is the log for the first step; when I tried to copy, only paste was an option, so I'm attaching instead. As you can see, access was denied, so I'm not sure if I am still supposed to move on to step 2 yet?


#13 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 18 September 2011 - 04:16 PM

Hi

That's fine, please move on to step two.



#14 TTFN41460

TTFN41460
  • Topic Starter

  • Members
  • 21 posts

Posted 18 September 2011 - 04:21 PM

OK, did step 2. Results were a blank Notepad with no text. Clicked on the icon that was created on my desktop (said fix) and it instantaneously changed to results. When I opened it, it was blank.

#15 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 18 September 2011 - 04:31 PM

Hi,

Please do the following:

  • Please open your MalwareBytes AntiMalware Program
  • Click the Update Tab and search for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected. <-- very important
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.



NEXT


Go here to run an online scanner from ESET.
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activeX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • When the scan completes, press the LIST OF THREATS FOUND button
  • Press EXPORT TO TEXT FILE , name the file ESETSCAN and save it to your desktop
  • Include the contents of this report in your next reply.
  • Press the BACK button.
  • Press Finish





