
Slow computer and google redirect


  • This topic is locked
10 replies to this topic

#1 crojj42

crojj42

  • Members
  • 75 posts
  • OFFLINE
  • Local time:01:04 PM

Posted 29 September 2011 - 06:49 PM

Hello. So my problem started about 2 weeks ago. I posted a message at that time but haven't had time to act upon it.

So I have some type of virus or malware that is constantly redirecting google and making a lot of anti-malware programs nonfunctional or uninstallable. I finally managed to run a new version of adaware and removed 4 hits, but I've had no change in function. Computer is also super slow. I'm currently in safe mode. I'm also getting a weird system error popup message stating something about having "the maximum number of secrets set by the United States Department of blah blah has been exceeded."

Here is my DDS log:

.
DDS (Ver_2011-08-26.01) - NTFSx86 NETWORK
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_07
Run by Heba at 19:32:27 on 2011-09-29
Microsoft Windows XP Professional 5.1.2600.3.1256.966.1033.18.502.202 [GMT -4:00]
.
AV: Lavasoft Ad-Watch Live! Anti-Virus *Enabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
.
============== Running Processes ===============
.
C:\WINDOWS\4019470262:1237347088.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
C:\WINDOWS\explorer.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.optonline.com/
uSearch Page = hxxp://www.google.com
uDefault_Page_URL = hxxp://www.google.com/ig/dell?hl=en
uSearch Bar = hxxp://www.google.com/ie
mDefault_Page_URL = hxxp://www.dell.com
mDefault_Search_URL = hxxp://www.google.com/ie
mStart Page = hxxp://www.dell.com
uInternet Settings,ProxyOverride = <local>
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
BHO: SnapFlash Class: {a44cbb0b-c77d-4bf5-87cc-b4ee79ad1b7e} - c:\program files\common files\justdo\Jd2002.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\googleafe\GoogleAE.dll
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: {4E7BD74F-2B8D-469E-D0FC-E57AF4D5FA7D} - No File
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [updateMgr] c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe AcRdB7_1_0
uRun: [DellSupport] "c:\program files\dellsupport\DSAgnt.exe" /startup
uRun: [SalaatTime] c:\program files\salaat time\SalaatTime.exe
uRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
uRun: [Weather] c:\program files\aws\weatherbug\Weather.exe 1
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_07\bin\jusched.exe"
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [MimBoot] c:\progra~1\musicm~1\musicm~3\mimboot.exe
mRun: [MMTray] "c:\program files\musicmatch\musicmatch jukebox\mm_tray.exe"
mRun: [REGSHAVE] c:\program files\regshave\REGSHAVE.EXE /AUTORUN
mRun: [BigDogPath] c:\windows\VM_STI.EXE Ezonics VGA camera
mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE
mRun: [AOLDialer] c:\program files\common files\aol\acs\AOLDial.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [KidzMouse] c:\progra~1\kidzmo~1\KidzSetup.exe
mRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb10.exe
mRun: [InstaLAN] "c:\program files\belkin\router setup and monitor\BelkinRouterMonitor.exe" startup
mRun: [HP Software Update] c:\program files\hewlett-packard\hp software update\HPWuSchd2.exe
mRun: [hpqSRMon] c:\program files\hp\digital imaging\bin\hpqSRMon.exe
mRun: [volmgr] c:\documents and settings\heba\application data\volmgr.exe
dRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
dRunOnce: [RunNarrator] Narrator.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\americ~1.lnk - c:\program files\america online 9.0\aoltray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\exifla~1.lnk - c:\program files\finepixviewer\QuickDCF.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hotsyn~1.lnk - c:\program files\palmone\Hotsync.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\prayer~1.lnk - c:\had\PTW.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office10\EXCEL.EXE/3000
IE: Save Flash with Flash Catcher - c:\program files\common files\justdo\IECatcher.DLL/FlashCatcher.htm
IE: {90BAE0EF-F4BF-4FAC-B2EC-2C725C34AF12} - res://c:\program files\common files\justdo\IECatcher.DLL/FlashCatcher.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
LSP: mswsock.dll
Trusted Zone: musicmatch.com\online
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\yinsthelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0008-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_08-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
TCP: Interfaces\{C5969C69-ADB3-4BA4-88F9-F49251721D5D} : NameServer = 167.206.254.1,167.206.254.2
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,
Hosts: 95.64.61.153 www.google.com
Hosts: 95.64.61.154 www.bing.com
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\heba\application data\mozilla\firefox\profiles\jxcs0yxa.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - plugin: c:\documents and settings\heba\application data\mozilla\firefox\profiles\jxcs0yxa.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp07076007.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPcol305.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPUploader.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
FF - Ext: DownloadHelper: {b9db16a4-6edc-47ec-a1f4-b86292ed211d} - %profile%\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}
FF - Ext: Move Media Player: moveplayer@movenetworks.com - %profile%\extensions\moveplayer@movenetworks.com
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
.
============= SERVICES / DRIVERS ===============
.
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2011-9-28 64512]
S0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2008-8-17 28544]
S1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2008-5-28 8944]
S1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2008-5-28 55024]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2011-8-18 2151640]
S2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2007-4-29 24652]
S3 ADM8511;%ADM8511.Service.DispName%;c:\windows\system32\drivers\ADM8511.SYS [2001-8-17 20160]
S3 BW2NDIS5;BW2NDIS5;c:\windows\system32\drivers\bw2ndis5.sys --> c:\windows\system32\drivers\BW2NDIS5.sys [?]
S3 KDZfiltr;KidzMouse filter driver;c:\windows\system32\drivers\KDZfiltr.sys [2008-4-22 4864]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\program files\lavasoft\ad-aware\kernexplorer.sys [2011-8-18 15232]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2008-5-28 7408]
.
=============== Created Last 30 ================
.
2011-09-29 13:46:59 71168 --sh--w- c:\documents and settings\heba\application data\volmgr.exe
2011-09-29 13:46:59 71168 --sh--w- c:\documents and settings\heba\application data\volmgr.dll
2011-09-29 13:46:50 91136 ----a-w- c:\program files\mozilla firefox\0.16380819069316344.exe
2011-09-29 04:29:22 848 ---ha-w- C:\aaw7boot.cmd
2011-09-29 01:00:35 101720 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2011-09-29 00:56:29 64512 ----a-w- c:\windows\system32\drivers\Lbd.sys
2011-09-19 03:17:05 -------- d-----w- c:\documents and settings\all users\application data\eM20302AoHfB20302
2011-09-19 02:25:23 5632 ----a-w- c:\windows\system32\ptpusb.dll
2011-09-19 02:25:22 159232 ----a-w- c:\windows\system32\ptpusd.dll
2011-09-16 02:58:46 -------- d-----w- c:\documents and settings\all users\application data\DivX
2011-09-03 10:17:37 599040 ------w- c:\windows\system32\dllcache\crypt32.dll
2011-09-01 04:36:27 -------- d-----w- c:\documents and settings\heba\local settings\application data\HP
2011-09-01 04:35:10 278016 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\hpzpp5mu.dll
2011-09-01 04:35:10 118272 ----a-w- c:\windows\system32\hpz3l5mu.dll
2011-09-01 04:30:42 -------- d-----w- c:\program files\common files\HP
2011-09-01 04:29:59 271704 ----a-w- c:\windows\system32\hpzids01.dll
2011-09-01 04:29:46 729088 ----a-w- c:\windows\system32\hpwwiax4.dll
2011-09-01 04:29:46 364544 ----a-w- c:\windows\system32\hppldcoi.dll
2011-09-01 04:29:46 294912 ----a-w- c:\windows\system32\hpovst11.dll
2011-09-01 04:29:45 593920 ----a-w- c:\windows\system32\hpwtscl3.dll
2011-09-01 04:29:45 309760 ----a-w- c:\windows\system32\difxapi.dll
2011-09-01 04:29:40 1373528 ----a-w- c:\windows\hpzshl01.exe
2011-09-01 04:29:39 1140056 ----a-w- c:\windows\hpzmsi01.exe
2011-09-01 04:29:37 -------- d-----w- c:\windows\yellowtail
2011-09-01 04:11:34 -------- d-----w- c:\documents and settings\heba\application data\HpUpdate
2011-09-01 04:11:19 -------- d-----w- c:\windows\Hewlett-Packard
2011-09-01 03:45:47 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-09-01 03:32:04 -------- d-----w- c:\windows\hpoj4500g510n-z
.
==================== Find3M ====================
.
2011-09-09 09:12:13 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-07-15 13:29:31 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-07-08 14:02:00 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys
2007-10-22 08:31:06 76808 ----a-w- c:\program files\DSETUP.dll
2007-10-22 08:31:06 502792 ----a-w- c:\program files\DXSETUP.exe
2007-10-22 08:31:06 1673224 ----a-w- c:\program files\dsetup32.dll
2006-10-12 03:09:39 94208 --sha-w- c:\windows\system32\SalaatTime.dll
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: ST3160828AS rev.8.03 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-e
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0xF8228E90]<<
_asm { MOV EAX, [ESP+0x4]; MOV ECX, [EAX+0x28]; PUSH EBP; MOV EBP, [ECX+0x4]; PUSH ESI; MOV ESI, [ESP+0x10]; PUSH EDI; MOV EDI, [ESI+0x60]; MOV AL, [EDI]; CMP AL, 0x16; JNZ 0x36; PUSH ESI; }
1 nt!IofCallDriver[0x804E13B9] -> \Device\Harddisk0\DR0[0x82FD3030]
3 CLASSPNP[0xF8544FD7] -> nt!IofCallDriver[0x804E13B9] -> [0x82ED5F08]
\Driver\00000494[0x82EC87C8] -> IRP_MJ_CREATE -> 0xF8228E90
error: Read A device attached to the system is not functioning.
kernel: MBR read successfully
_asm { MOV AX, 0x0; MOV SS, AX; MOV SP, 0x7c00; MOV DS, AX; CLD ; MOV CX, 0x80; MOV SI, SP; MOV DI, 0x600; MOV ES, AX; REP MOVSD ; JMP FAR 0x0:0x62d; }
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x82F0331B
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
.
============= FINISH: 19:33:44.87 ===============



I did everything stated for the gmer program, and everything goes fine up until the scan. It starts scanning and then disappears in the middle of the scan.

Thanks for the help.

-crojj
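Added example (not part of the thread, and not something DDS, GMER or the helpers here run): a small Python triage script that pulls out of a DDS-style log the three things a reader would mark in the log above. The Hosts: lines map www.google.com and www.bing.com to 95.64.61.x instead of loopback, which on its own produces a "google redirect" no matter which browser is used. The first running process, C:\WINDOWS\4019470262:1237347088.exe, has a colon inside its file name; on NTFS that syntax means the image lives in an alternate data stream attached to C:\WINDOWS\4019470262 rather than as an ordinary file, which is why ordinary directory listings do not show it. And volmgr.exe/volmgr.dll were created in Application Data with the system and hidden attribute bits set (the --sh- column of the "Created Last 30" section). The log excerpt embedded in the script is constructed from the posted log, and the section names, column layout and regexes are my own assumptions about the DDS output format, not a published specification.

```python
"""Triage a DDS-style log for three redirect/rootkit indicators.

Added example for this thread; not a tool used by the helpers.  The section
names and line formats below are assumptions read off the posted log.
"""
import re
from typing import Dict, List, Tuple

# Constructed excerpt modelled on the DDS log posted above (not the full log).
SAMPLE_LOG = r"""
============== Running Processes ===============
.
C:\WINDOWS\4019470262:1237347088.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\Program Files\Mozilla Firefox\firefox.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.optonline.com/
Hosts: 95.64.61.153 www.google.com
Hosts: 95.64.61.154 www.bing.com
Hosts: 127.0.0.1 localhost
.
=============== Created Last 30 ================
.
2011-09-29 13:46:59 71168 --sh--w- c:\documents and settings\heba\application data\volmgr.exe
2011-09-29 13:46:59 71168 --sh--w- c:\documents and settings\heba\application data\volmgr.dll
2011-09-29 13:46:50 91136 ----a-w- c:\program files\mozilla firefox\0.16380819069316344.exe
2011-09-29 00:56:29 64512 ----a-w- c:\windows\system32\drivers\Lbd.sys
2011-09-19 03:17:05 -------- d-----w- c:\documents and settings\all users\application data\eM20302AoHfB20302
"""

SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")          # '===== Name ====='
HOSTS_RE = re.compile(r"^Hosts:\s+(\S+)\s+(\S+)$", re.IGNORECASE)
DRIVE_RE = re.compile(r"^[A-Za-z]:\\")
# date time size-or-dashes attrs path ; attrs is the 8-char column such as --sh--w-
CREATED_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\s+(\d+|-+)\s+(\S{8})\s+(.+)$")
LOOPBACK = ("127.", "0.0.0.0", "::1")
EXEC_EXT = (".exe", ".dll", ".sys")


def split_sections(log_text: str) -> Dict[str, List[str]]:
    """Group non-empty lines under the lower-cased banner that precedes them."""
    sections: Dict[str, List[str]] = {}
    current = "preamble"
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line or line == ".":      # DDS pads sections with lone '.' lines
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1).lower()
            sections.setdefault(current, [])
            continue
        sections.setdefault(current, []).append(line)
    return sections


def hosts_redirects(lines: List[str]) -> List[Tuple[str, str]]:
    """Hosts-file entries that send a name anywhere other than loopback."""
    hits = []
    for line in lines:
        m = HOSTS_RE.match(line)
        if m and not m.group(1).startswith(LOOPBACK):
            hits.append((m.group(2).lower(), m.group(1)))
    return hits


def ads_processes(lines: List[str]) -> List[str]:
    """Process image paths whose file-name component holds a second colon.

    On NTFS 'dir\\name:stream' addresses an alternate data stream, so a
    running image with that shape is not visible as a normal file.
    """
    hits = []
    for line in lines:
        if not DRIVE_RE.match(line):
            continue
        image = line.split(" -", 1)[0]            # drop ' -k netsvcs' style arguments
        if ":" in image.rsplit("\\", 1)[-1]:
            hits.append(image)
    return hits


def hidden_system_binaries(lines: List[str]) -> List[str]:
    """Created executables carrying both the system (s) and hidden (h) bits."""
    hits = []
    for line in lines:
        m = CREATED_RE.match(line)
        if not m:
            continue
        attrs, path = m.group(3), m.group(4)
        if "s" in attrs and "h" in attrs and path.lower().endswith(EXEC_EXT):
            hits.append(path)
    return hits


def triage(log_text: str) -> Dict[str, list]:
    """Run the three checks against their respective DDS sections."""
    s = split_sections(log_text)
    return {
        "hosts_redirects": hosts_redirects(s.get("pseudo hjt report", [])),
        "ads_processes": ads_processes(s.get("running processes", [])),
        "hidden_system_binaries": hidden_system_binaries(s.get("created last 30", [])),
    }


if __name__ == "__main__":
    for key, items in triage(SAMPLE_LOG).items():
        print(key)
        for item in items:
            print("   ", item)
```

Run it as a script to print the findings for the embedded excerpt, or import it and pass the text of a saved DDS log to triage(). Nothing here removes or repairs anything; it only points at the lines a reviewer should look at first, which is what the helper does by eye further down the thread.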



#2 RPMcMurphy

RPMcMurphy

    Bleeping *^#@%~


  • Malware Response Team
  • 3,970 posts
  • OFFLINE
  • Gender:Male
  • Local time:02:04 PM

Posted 30 September 2011 - 11:52 PM

Hello and welcome. Please follow these guidelines while we work on your PC:
  • Malware removal is a sometimes lengthy and tedious process. Please stick with the thread until I've given you the "All clear." Absence of symptoms does not mean your machine is clean!
  • Please do not run any scans or install/uninstall any applications without being directed to do so.
  • Please note that the forum is very busy and if I don't hear from you within five days this thread will be closed.
P2P - I see you have P2P software (uTorrent) installed on your machine. We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to malware infections. Please see this post for more information. I recommend that you uninstall these now. You can do so via Control Panel >> Add or Remove Programs. If you choose to keep these applications, please do not use them until our fixes at BC are complete.

Please download Rootkit Unhooker and save it on your desktop.
  • Disable your security programs
  • Double click RKUnhookerLE.exe to run it
  • Click the Report tab, then click Scan
  • Check Drivers, Stealth Code, Files, and Code Hooks
  • Uncheck the rest, then click OK
  • When prompted to Select Disks for Scan, make sure C:\ is checked and click OK
  • Wait till the scanner has finished then go File > Save Report
  • Save the report somewhere you can find it. Click Close
  • Copy the entire contents of the report and paste it in your next reply.
Note - You may get this warning; it is OK, just ignore it:

"Rootkit Unhooker has detected a parasite inside itself!
It is recommended to remove parasite, okay?"

Please include the following in your next post:
  • RootkitUnhooker log

Threads are closed after 5 days of inactivity.

ASAP & UNITE Member


The help you receive here is free. If you wish to show your appreciation, then you may donate.


#3 crojj42

crojj42
  • Topic Starter

  • Members
  • 75 posts
  • OFFLINE
  • Local time:01:04 PM

Posted 02 October 2011 - 11:44 AM

Hello. As far as utorrent is concerned, I haven't actually used that in a couple of years.

Now, I downloaded the RKUnhooker program and must have run it several times. After it gets through scanning all the files and gets to the next step (I think codes), it suddenly disappears, and then when I try to run the program again, I get "Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item." This happens before I can even generate a log. I then redownload the program and start all over again.

#4 RPMcMurphy

RPMcMurphy

    Bleeping *^#@%~


  • Malware Response Team
  • 3,970 posts
  • OFFLINE
  • Gender:Male
  • Local time:02:04 PM

Posted 02 October 2011 - 11:51 AM

crojj42:

Please do this next:

Please download DummyCreator.zip and unzip it.
  • Run the tool.
  • Copy and paste the following into the edit box:

    C:\WINDOWS\4019470262
  • Press Create button and post the content of the Result.txt.

    Download ComboFix from one of the following locations:
    Link 1
    Link 2

    VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

    * IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link
  • Double click on ComboFix.exe & follow the prompts.
As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


  • Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.


Important: Restart the computer.

Please include the following in your next post:
  • Dummy Creator log
  • ComboFix log

Threads are closed after 5 days of inactivity.

ASAP & UNITE Member


The help you receive here is free. If you wish to show your appreciation, then you may donate.


#5 crojj42

crojj42
  • Topic Starter

  • Members
  • 75 posts
  • OFFLINE
  • Local time:01:04 PM

Posted 02 October 2011 - 02:24 PM

Hi. The link you posted for dummy creator didn't work, so I searched and downloaded it from cnet. It didn't really "work" until after I ran combofix (kept getting an error message). Worked afterward but I didn't see any result file.

Attached is the combofix log. During the scan it told me I had a rootkit infection. It had to reboot twice.

ComboFix 11-10-02.01 - Heba 10/02/2011 14:53:45.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1256.966.1033.18.502.263 [GMT -4:00]
Running from: c:\documents and settings\Heba\Desktop\ComboFix.exe
AV: Lavasoft Ad-Watch Live! Anti-Virus *Enabled/Updated* {A1C4F2E0-7FDE-4917-AFAE-013EFC3EDE33}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Heba\Application Data\Aten
c:\documents and settings\Heba\Application Data\Aten\jyajo.exe
c:\documents and settings\Heba\Application Data\rhcplhj0e1f1
c:\documents and settings\Heba\Application Data\volmgr.dll
c:\documents and settings\Heba\Application Data\volmgr.exe
c:\documents and settings\Heba\WINDOWS
c:\program files\rhcplhj0e1f1
c:\windows\$NtUninstallKB56623$\3057620207\@
c:\windows\$NtUninstallKB56623$\3057620207\click.tlb
c:\windows\$NtUninstallKB56623$\3057620207\L\pdmzmplg
c:\windows\$NtUninstallKB56623$\3057620207\loader.tlb
c:\windows\$NtUninstallKB56623$\3057620207\U\@00000001
c:\windows\$NtUninstallKB56623$\3057620207\U\@000000c0
c:\windows\$NtUninstallKB56623$\3057620207\U\@000000cb
c:\windows\$NtUninstallKB56623$\3057620207\U\@000000cf
c:\windows\$NtUninstallKB56623$\3057620207\U\@80000000
c:\windows\$NtUninstallKB56623$\3057620207\U\@800000c0
c:\windows\$NtUninstallKB56623$\3057620207\U\@800000cb
c:\windows\$NtUninstallKB56623$\3057620207\U\@800000cf
c:\windows\$NtUninstallKB56623$\681042387
c:\windows\{2521BB91-29B1-4d7e-9137-AC9875D77735}
c:\windows\assembly\GAC_MSIL\desktop.ini
c:\windows\kb913800.exe
c:\windows\system32\
c:\windows\system32\2FAD2CDD.exe
c:\windows\system32\d3d9caps.dat
c:\windows\system32\drivers\etc\lmhosts
c:\windows\system32\drivers\npf.sys
c:\windows\system32\FF05DA0D.dll
c:\windows\system32\pthreadVC.dll
c:\windows\$NtUninstallKB56623$ . . . . Failed to delete
.
Infected copy of c:\program files\Belkin\Router Setup and Monitor\BelkinService.exe was found and disinfected
Restored copy from - c:\system volume information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP316\A0064781.exe
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_b63f94ef
-------\Legacy_2FAD2CDD
-------\Service_2FAD2CDD
.
.
((((((((((((((((((((((((( Files Created from 2011-09-02 to 2011-10-02 )))))))))))))))))))))))))))))))
.
.
2011-10-02 18:41 . 2011-10-02 18:51 -------- d-----w- c:\windows\SxsCaPendDel
2011-10-02 18:01 . 2011-10-02 18:01 -------- d-----w- c:\program files\MyNikko.com
2011-10-02 01:43 . 2011-10-02 01:43 35712 ----a-w- c:\windows\system32\drivers\BlackBox.sys
2011-10-02 01:36 . 2011-10-02 01:44 -------- d-----w- c:\documents and settings\Heba\Application Data\Syheo
2011-10-02 01:36 . 2011-10-02 01:36 179712 ----a-w- c:\program files\Mozilla Firefox\0.33517406090843715.exe
2011-09-30 13:36 . 2011-09-30 13:36 -------- d-----w- C:\29bff35bbd3f11055987
2011-09-29 13:46 . 2011-09-29 13:46 91136 ----a-w- c:\program files\Mozilla Firefox\0.16380819069316344.exe
2011-09-29 04:29 . 2011-09-29 04:29 848 ---ha-w- C:\aaw7boot.cmd
2011-09-29 01:04 . 2011-09-29 01:04 -------- d-s---w- c:\documents and settings\NetworkService\UserData
2011-09-29 01:00 . 2011-09-29 01:00 101720 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2011-09-29 00:56 . 2011-10-02 18:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2011-09-20 02:50 . 2011-09-20 02:50 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2011-09-20 02:50 . 2011-09-20 02:50 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2011-09-20 02:41 . 2011-09-20 02:41 -------- d-----w- c:\documents and settings\Administrator\Application Data\Lavasoft
2011-09-19 03:17 . 2011-09-29 00:51 -------- d-----w- c:\documents and settings\All Users\Application Data\eM20302AoHfB20302
2011-09-19 02:50 . 2011-09-19 02:53 -------- d-----w- c:\documents and settings\Heba\Application Data\HPAppData
2011-09-19 02:25 . 2001-08-18 02:36 5632 ----a-w- c:\windows\system32\ptpusb.dll
2011-09-19 02:25 . 2008-04-13 23:12 159232 ----a-w- c:\windows\system32\ptpusd.dll
2011-09-16 02:58 . 2011-09-16 02:58 -------- d-----w- c:\documents and settings\All Users\Application Data\DivX
2011-09-03 10:17 . 2011-09-09 09:12 599040 ------w- c:\windows\system32\dllcache\crypt32.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-09-09 09:12 . 2005-08-16 10:18 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-09-01 03:45 . 2011-09-01 03:45 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-07-15 13:29 . 2006-01-29 16:03 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-07-08 14:02 . 2005-08-16 10:18 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys
2007-10-22 08:31 . 2007-10-22 08:31 76808 ----a-w- c:\program files\DSETUP.dll
2007-10-22 08:31 . 2007-10-22 08:31 502792 ----a-w- c:\program files\DXSETUP.exe
2007-10-22 08:31 . 2007-10-22 08:31 1673224 ----a-w- c:\program files\dsetup32.dll
2006-10-12 03:09 94208 --sha-w- c:\windows\system32\SalaatTime.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
"SalaatTime"="c:\program files\Salaat Time\SalaatTime.exe" [2007-08-26 13443072]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-10-15 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-10-15 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-10-15 114688]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-01-27 185896]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb10.exe" [2006-01-14 172032]
"InstaLAN"="c:\program files\Belkin\Router Setup and Monitor\BelkinRouterMonitor.exe" [2011-02-25 1770400]
"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2008-04-14 53760]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-1-29 24576]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-10-14 214360]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\uTorrent\\utorrent.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Zipeg\\zipeg.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\WINDOWS\\system32\\msiexec.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8097:TCP"= 8097:TCP:EarthLink UHP Modem Support
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"15832:UDP"= 15832:UDP:UDP 15832
"24673:TCP"= 24673:TCP:TCP 24673
.
R0 BlackBox;BlackBox SR2;c:\windows\system32\drivers\BlackBox.sys [10/1/2011 9:43 PM 35712]
S3 5E559FD9;5E559FD9;c:\windows\system32\5E559FD9.exe --> c:\windows\system32\5E559FD9.exe [?]
S3 ADM8511;%ADM8511.Service.DispName%;c:\windows\system32\drivers\ADM8511.SYS [8/17/2001 1:11 PM 20160]
S3 BW2NDIS5;BW2NDIS5;c:\windows\system32\Drivers\BW2NDIS5.sys --> c:\windows\system32\Drivers\BW2NDIS5.sys [?]
S3 KDZfiltr;KidzMouse filter driver;c:\windows\system32\drivers\KDZfiltr.sys [4/22/2008 11:45 PM 4864]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;\??\c:\program files\Lavasoft\Ad-Aware\KernExplorer.sys --> c:\program files\Lavasoft\Ad-Aware\KernExplorer.sys [?]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.optonline.com/
mStart Page = hxxp://www.dell.com
uInternet Settings,ProxyOverride = <local>
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office10\EXCEL.EXE/3000
IE: Save Flash with Flash Catcher - c:\program files\Common Files\Justdo\IECatcher.DLL/FlashCatcher.htm
TCP: Interfaces\{C5969C69-ADB3-4BA4-88F9-F49251721D5D}: NameServer = 167.206.254.1,167.206.254.2
FF - ProfilePath - c:\documents and settings\Heba\Application Data\Mozilla\Firefox\Profiles\jxcs0yxa.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - Ext: DownloadHelper: {b9db16a4-6edc-47ec-a1f4-b86292ed211d} - %profile%\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}
FF - Ext: Move Media Player: moveplayer@movenetworks.com - %profile%\extensions\moveplayer@movenetworks.com
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
- - - - ORPHANS REMOVED - - - -
.
HKCU-Run-DellSupportCenter - c:\program files\Dell Support Center\bin\sprtcmd.exe
HKCU-Run-Weather - c:\program files\AWS\WeatherBug\Weather.exe
HKCU-Run-{C892EF8A-C6FA-AD7A-5A3B-7E596B4C5D4B} - c:\documents and settings\Heba\Application Data\Aten\jyajo.exe
HKLM-Run-BigDogPath - c:\windows\VM_STI.EXE
HKLM-Run-DellSupportCenter - c:\program files\Dell Support Center\bin\sprtcmd.exe
HKLM-Run-hpqSRMon - c:\program files\HP\Digital Imaging\bin\hpqSRMon.exe
HKLM-Run-volmgr - c:\documents and settings\Heba\Application Data\volmgr.exe
AddRemove-HP Photosmart Essential - c:\program files\HP\Digital Imaging\PhotoSmartEssential\hpzscr01.exe
AddRemove-HP Smart Web Printing - c:\program files\HP\Digital Imaging\Smart Web Printing\hpzscr01.exe
AddRemove-HP Solution Center & Imaging Support Tools - c:\program files\HP\Digital Imaging\eSupport\hpzscr01.exe
AddRemove-HPOCR - c:\program files\HP\Digital Imaging\OCR\hpzscr01.exe
AddRemove-Shop for HP Supplies - c:\program files\HP\Digital Imaging\HPSSupply\hpzscr01.exe
AddRemove-WebCyberCoach_wtrb - c:\program files\WebCyberCoach\b_Dell\WCC_Wipe.exe WebCyberCoach ext\wtrb
AddRemove-{CD0773D5-C18E-495c-B39B-21A96415EDD5} - c:\program files\HP\Digital Imaging\{CD0773D5-C18E-495c-B39B-21A96415EDD5}\setup\hpzscr01.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-10-02 15:14
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: ST3160828AS rev.8.03 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-e
.
device: opened successfully
user: MBR read successfully
error: Read A device attached to the system is not functioning.
kernel: MBR read successfully
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x82D2031B
user & kernel MBR OK
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\8555a488]
"imagepath"="\??\c:\windows\TEMP\221.tmp"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(3056)
c:\progra~1\WINDOW~3\wmpband.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Belkin\Router Setup and Monitor\BelkinService.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\program files\Belkin\Router Setup and Monitor\BelkinSetup.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\fxssvc.exe
c:\windows\system32\dllhost.exe
c:\windows\eHome\ehmsas.exe
.
**************************************************************************
.
Completion time: 2011-10-02 15:16:42 - machine was rebooted
ComboFix-quarantined-files.txt 2011-10-02 19:16
.
Pre-Run: 45,046,005,760 bytes free
Post-Run: 47,405,232,128 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect
.
- - End Of File - - 26EED357BB19DB31681D2823CDB3681



Edited by RPMcMurphy, 02 October 2011 - 07:53 PM.
added log


#6 RPMcMurphy

RPMcMurphy

    Bleeping *^#@%~


  • Malware Response Team
  • 3,970 posts
  • OFFLINE
  • Gender:Male
  • Local time:02:04 PM

Posted 02 October 2011 - 08:04 PM

crojj42:

Please do this next:

Open Notepad: go to Start > All Programs > Accessories > Notepad (this will only work with Notepad) and copy all the text inside the Codebox by highlighting it all and pressing CTRL C on your keyboard, then paste it into Notepad. Make sure there is no space before and above http://

http://www.bleepingcomputer.com/forums/topic421177.html
Collect::
c:\program files\Mozilla Firefox\0.33517406090843715.exe
c:\program files\Mozilla Firefox\0.16380819069316344.exe
c:\windows\system32\5E559FD9.exe
DirLook::
c:\documents and settings\Heba\Application Data\Syheo
C:\29bff35bbd3f11055987
Driver::
5E559FD9
8555a488

Save this as CFScript to your desktop.

Then disable your security programs and drag the CFScript into ComboFix.exe as you see in the screenshot below.



This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.

You have this program installed, Malwarebytes' Anti-Malware (MBAM). Please update it and run a scan.

Open MBAM
  • Click the Update tab
  • Click Check for Updates
  • If an update is found, it will download and install the latest version.
  • The program will close to update and reopen.
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Uncheck any entries from C:\System Volume Information or C:\Qoobox
  • Make sure that everything else is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Please include the following in your next post:
  • ComboFix log
  • MBAM log

Threads are closed after 5 days of inactivity.

ASAP & UNITE Member


The help you receive here is free. If you wish to show your appreciation, then you may btn_donate_SM.gif
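The entries the CFScript above singles out (the eight-hex-character service 5E559FD9, the 8555a488 service whose imagepath points into c:\windows\TEMP, the numerically named executables dropped into the Firefox directory, and the Run entries launching from the user's Application Data) are the kind of thing a responder picks out of a ComboFix log by eye. As an added example that is not part of this thread, of ComboFix, or of any BleepingComputer tool, the Python script below encodes those location and naming heuristics, plus the Security Center override and the globally open firewall port visible in the log, and runs them over a handful of lines copied from the logs posted above. The regular expressions, the reason labels, and the extract_path() and triage() functions are this example's own design.

```python
"""Heuristic triage of ComboFix-style log lines.

Added example for this thread; it is not part of ComboFix, MBAM or any
BleepingComputer tool.  The patterns and reason labels are this example's
own; the sample lines are copied from the logs posted in the thread.
"""
import re

# "Name"="c:\path\file.exe" [date size]   (Run values and service imagepath values)
RUN_VALUE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)"')
# HKLM-Run-volmgr - c:\...\volmgr.exe   (ComboFix "ORPHANS REMOVED" lines)
ORPHAN = re.compile(r'^HK(?:LM|CU)-Run-(?P<name>\S+) - (?P<path>.+)$')
# S3 5E559FD9;5E559FD9;c:\windows\system32\5E559FD9.exe --> ...   (service lines)
SERVICE = re.compile(r'^[RS]\d (?P<name>[^;]+);[^;]*;(?P<path>\S+)')
# c:\program files\Mozilla Firefox\0.335...exe   (bare file paths)
BARE_PATH = re.compile(r'^(?P<path>[A-Za-z]:\\.+)$')
# "3389:TCP"= 3389:TCP:...   (GloballyOpenPorts entries)
OPEN_PORT = re.compile(r'^"(?P<port>\d+):(?P<proto>TCP|UDP)"=')

# Location and naming heuristics applied to any extracted path.
IN_TEMP = re.compile(r'\\temp\\', re.IGNORECASE)
IN_USER_APPDATA = re.compile(r'\\documents and settings\\[^\\]+\\application data\\',
                             re.IGNORECASE)
# Names like 0.33517406090843715.exe or 5E559FD9.exe: a decimal fraction or
# exactly eight hex characters.  Coarse on purpose; it produces a shortlist.
RANDOM_NAME = re.compile(r'\\(?:0\.\d+|[0-9a-f]{8})\.exe$', re.IGNORECASE)

# Constructed sample: lines copied from the ComboFix logs in this thread.
SAMPLE_LOG = r"""
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"AntiVirusOverride"=dword:00000001
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
R0 BlackBox;BlackBox SR2;c:\windows\system32\drivers\BlackBox.sys [10/1/2011 9:43 PM 35712]
S3 5E559FD9;5E559FD9;c:\windows\system32\5E559FD9.exe --> c:\windows\system32\5E559FD9.exe [?]
HKCU-Run-{C892EF8A-C6FA-AD7A-5A3B-7E596B4C5D4B} - c:\documents and settings\Heba\Application Data\Aten\jyajo.exe
HKLM-Run-volmgr - c:\documents and settings\Heba\Application Data\volmgr.exe
"imagepath"="\??\c:\windows\TEMP\221.tmp"
c:\program files\Mozilla Firefox\0.33517406090843715.exe
""".strip().splitlines()


def extract_path(line):
    """Return the file path carried by a log line, or None if it has none."""
    for pattern in (RUN_VALUE, ORPHAN, SERVICE, BARE_PATH):
        m = pattern.match(line)
        if m:
            return m.group('path')
    return None


def triage(lines):
    """Return (reason, detail) pairs for lines that deserve a second look.

    The rules mirror what a responder checks first: Security Center being
    told to ignore the antivirus state, firewall holes, and executables
    that start from TEMP, from the user profile, or under a random name.
    """
    findings = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        if line.lower().startswith('"antivirusoverride"=dword:00000001'):
            findings.append(('Security Center antivirus override', line))
            continue
        m = OPEN_PORT.match(line)
        if m:
            findings.append(('globally open firewall port', f"{m['port']}/{m['proto']}"))
            continue
        path = extract_path(line)
        if path is None:
            continue
        if IN_TEMP.search(path):
            findings.append(('starts from TEMP', path))
        elif IN_USER_APPDATA.search(path):
            findings.append(('starts from user Application Data', path))
        elif RANDOM_NAME.search(path):
            findings.append(('randomly named executable', path))
    return findings


if __name__ == "__main__":
    for reason, detail in triage(SAMPLE_LOG):
        print(f"{reason:40} {detail}")
```

The output is a shortlist for a human to check against the rest of the log, not a removal list: an eight-hex-character file name or a port opened in the firewall is suspicious only in context, which is why the flagged items in this thread went into Collect:: and DirLook:: directives for inspection rather than straight deletion.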


#7 crojj42

crojj42
  • Topic Starter

  • Members
  • 75 posts
  • OFFLINE
  • Local time:01:04 PM

Posted 05 October 2011 - 01:13 AM

Ok. Here is ComboFix log:

ComboFix 11-10-04.04 - Heba 10/05/2011 0:48.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1256.966.1033.18.502.140 [GMT -4:00]
Running from: c:\documents and settings\Heba\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Heba\Desktop\CFScript.txt
.
file zipped: c:\program files\Mozilla Firefox\0.16380819069316344.exe
file zipped: c:\program files\Mozilla Firefox\0.33517406090843715.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\docume~1\Heba\LOCALS~1\Temp\1.tmp\F_IN_BOX.dll
c:\documents and settings\Heba\Local Settings\Temp\1.tmp\F_IN_BOX.dll
c:\program files\Mozilla Firefox\0.16380819069316344.exe
c:\program files\Mozilla Firefox\0.33517406090843715.exe
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_5E559FD9
-------\Legacy_8555A488
-------\Service_5E559FD9
-------\Service_8555a488
.
.
((((((((((((((((((((((((( Files Created from 2011-09-05 to 2011-10-05 )))))))))))))))))))))))))))))))
.
.
2011-10-02 19:42 . 2011-10-02 20:04 -------- d-----w- c:\program files\TuxPaint
2011-09-20 02:50 . 2011-09-20 02:50 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2011-09-20 02:50 . 2011-09-20 02:50 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2011-09-20 02:41 . 2011-09-20 02:41 -------- d-----w- c:\documents and settings\Administrator\Application Data\Lavasoft
2011-09-19 03:17 . 2011-09-29 00:51 -------- d-----w- c:\documents and settings\All Users\Application Data\eM20302AoHfB20302
2011-09-19 02:50 . 2011-09-19 02:53 -------- d-----w- c:\documents and settings\Heba\Application Data\HPAppData
2011-09-19 02:25 . 2001-08-18 02:36 5632 ----a-w- c:\windows\system32\ptpusb.dll
2011-09-19 02:25 . 2008-04-13 23:12 159232 ----a-w- c:\windows\system32\ptpusd.dll
2011-09-16 02:58 . 2011-09-16 02:58 -------- d-----w- c:\documents and settings\All Users\Application Data\DivX
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-09-09 09:12 . 2005-08-16 10:18 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-09-01 03:45 . 2011-09-01 03:45 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-07-15 13:29 . 2006-01-29 16:03 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-07-08 14:02 . 2005-08-16 10:18 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys
2007-10-22 08:31 . 2007-10-22 08:31 76808 ----a-w- c:\program files\DSETUP.dll
2007-10-22 08:31 . 2007-10-22 08:31 502792 ----a-w- c:\program files\DXSETUP.exe
2007-10-22 08:31 . 2007-10-22 08:31 1673224 ----a-w- c:\program files\dsetup32.dll
2006-10-12 03:09 94208 --sha-w- c:\windows\system32\SalaatTime.dll
.
.
(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
---- Directory of C:\29bff35bbd3f11055987 ----
.
2011-09-30 13:36 . 2011-09-30 13:36 788 ---ha-w- c:\29bff35bbd3f11055987\$shtdwn$.req
2011-09-16 14:47 . 2011-09-16 14:47 854561 ----a-w- c:\29bff35bbd3f11055987\mrt.exe._p
2011-09-16 14:38 . 2011-09-16 14:38 83912 ----a-w- c:\29bff35bbd3f11055987\mrtstub.exe
.
---- Directory of c:\documents and settings\Heba\Application Data\Syheo ----
.
2011-10-02 01:44 . 2011-10-02 17:22 3411 ----a-w- c:\documents and settings\Heba\Application Data\Syheo\pyti.acp
2010-08-26 07:40 . 2011-10-02 01:37 7660 ----a-w- c:\documents and settings\Heba\Application Data\Syheo\pyti.acp.0
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]
"SalaatTime"="c:\program files\Salaat Time\SalaatTime.exe" [2007-08-26 13443072]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-10-15 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-10-15 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-10-15 114688]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-01-27 185896]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb10.exe" [2006-01-14 172032]
"InstaLAN"="c:\program files\Belkin\Router Setup and Monitor\BelkinRouterMonitor.exe" [2011-02-25 1770400]
"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2008-04-14 53760]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-4-23 29696]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-1-29 24576]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2007-10-14 214360]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\uTorrent\\utorrent.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Zipeg\\zipeg.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\WINDOWS\\system32\\msiexec.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8097:TCP"= 8097:TCP:EarthLink UHP Modem Support
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"15832:UDP"= 15832:UDP:UDP 15832
"24673:TCP"= 24673:TCP:TCP 24673
.
R0 BlackBox;BlackBox SR2;c:\windows\system32\drivers\BlackBox.sys [10/1/2011 9:43 PM 35712]
S3 ADM8511;%ADM8511.Service.DispName%;c:\windows\system32\drivers\ADM8511.SYS [8/17/2001 1:11 PM 20160]
S3 BW2NDIS5;BW2NDIS5;c:\windows\system32\Drivers\BW2NDIS5.sys --> c:\windows\system32\Drivers\BW2NDIS5.sys [?]
S3 KDZfiltr;KidzMouse filter driver;c:\windows\system32\drivers\KDZfiltr.sys [4/22/2008 11:45 PM 4864]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;\??\c:\program files\Lavasoft\Ad-Aware\KernExplorer.sys --> c:\program files\Lavasoft\Ad-Aware\KernExplorer.sys [?]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.optonline.com/
mStart Page = hxxp://www.dell.com
uInternet Settings,ProxyOverride = <local>
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office10\EXCEL.EXE/3000
IE: Save Flash with Flash Catcher - c:\program files\Common Files\Justdo\IECatcher.DLL/FlashCatcher.htm
TCP: Interfaces\{C5969C69-ADB3-4BA4-88F9-F49251721D5D}: NameServer = 167.206.254.1,167.206.254.2
FF - ProfilePath - c:\documents and settings\Heba\Application Data\Mozilla\Firefox\Profiles\jxcs0yxa.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - Ext: DownloadHelper: {b9db16a4-6edc-47ec-a1f4-b86292ed211d} - %profile%\extensions\{b9db16a4-6edc-47ec-a1f4-b86292ed211d}
FF - Ext: Move Media Player: moveplayer@movenetworks.com - %profile%\extensions\moveplayer@movenetworks.com
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-10-05 01:02
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: ST3160828AS rev.8.03 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-e
.
device: opened successfully
user: MBR read successfully
error: Read A device attached to the system is not functioning.
kernel: MBR read successfully
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x82CC531B
user & kernel MBR OK
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(3080)
c:\progra~1\WINDOW~3\wmpband.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Belkin\Router Setup and Monitor\BelkinService.exe
c:\windows\eHome\ehRecvr.exe
c:\windows\eHome\ehSched.exe
c:\windows\system32\fxssvc.exe
c:\windows\ehome\mcrdsvc.exe
c:\program files\Belkin\Router Setup and Monitor\BelkinSetup.exe
c:\windows\system32\dllhost.exe
c:\windows\eHome\ehmsas.exe
c:\program files\Java\jre1.6.0_07\bin\jucheck.exe
.
**************************************************************************
.
Completion time: 2011-10-05 01:07:08 - machine was rebooted
ComboFix-quarantined-files.txt 2011-10-05 05:07
ComboFix2.txt 2011-10-02 19:16
.
Pre-Run: 47,491,366,912 bytes free
Post-Run: 47,500,840,960 bytes free
.
- - End Of File - - 86040D5E0CBB4880C4E48561E08F51CA
Upload was successful





And now MBAM:

Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 7871

Windows 5.1.2600 Service Pack 3
Internet Explorer 6.0.2900.5512

10/5/2011 1:55:43 AM
mbam-log-2011-10-05 (01-55-43).txt

Scan type: Full scan (C:\|)
Objects scanned: 222346
Time elapsed: 36 minute(s), 31 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 19

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\rhcplhj0e1f1 (Rogue.AntiVirusXP) -> Value: rhcplhj0e1f1 -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\system32\drivers\cdrom.sys (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\documents and settings\Heba\application data\Sun\Java\deployment\cache\6.0\48\3b6f2c30-23892975 (Trojan.Downloader.adb) -> Quarantined and deleted successfully.
c:\documents and settings\networkservice\application data\Sun\Java\deployment\cache\6.0\57\2bc761f9-2e04811e (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\Qoobox\quarantine\C\documents and settings\Heba\application data\volmgr.dll.vir (Trojan.Downloader.adb) -> Not selected for removal.
c:\Qoobox\quarantine\C\documents and settings\Heba\application data\volmgr.exe.vir (Trojan.Downloader.adb) -> Not selected for removal.
c:\system volume information\_restore{129201fa-b0ac-49b3-96b2-deb8b91e727b}\RP316\A0065766.sys (Trojan.FakeAlert) -> Not selected for removal.
c:\system volume information\_restore{129201fa-b0ac-49b3-96b2-deb8b91e727b}\RP317\A0068779.sys (Trojan.FakeAlert) -> Not selected for removal.
c:\system volume information\_restore{129201fa-b0ac-49b3-96b2-deb8b91e727b}\RP317\A0068794.sys (Trojan.FakeAlert) -> Not selected for removal.
c:\system volume information\_restore{129201fa-b0ac-49b3-96b2-deb8b91e727b}\RP317\A0068803.sys (Trojan.FakeAlert) -> Not selected for removal.
c:\system volume information\_restore{129201fa-b0ac-49b3-96b2-deb8b91e727b}\RP317\A0069803.sys (Trojan.FakeAlert) -> Not selected for removal.
c:\system volume information\_restore{129201fa-b0ac-49b3-96b2-deb8b91e727b}\RP321\A0070803.sys (Trojan.FakeAlert) -> Not selected for removal.
c:\system volume information\_restore{129201fa-b0ac-49b3-96b2-deb8b91e727b}\RP321\A0070809.sys (Trojan.FakeAlert) -> Not selected for removal.
c:\system volume information\_restore{129201fa-b0ac-49b3-96b2-deb8b91e727b}\RP331\A0070875.sys (Trojan.FakeAlert) -> Not selected for removal.
c:\system volume information\_restore{129201fa-b0ac-49b3-96b2-deb8b91e727b}\RP346\A0071744.EXE (Backdoor.IRCBot) -> Not selected for removal.
c:\system volume information\_restore{129201fa-b0ac-49b3-96b2-deb8b91e727b}\RP363\A0072743.sys (Trojan.FakeAlert) -> Not selected for removal.
c:\system volume information\_restore{129201fa-b0ac-49b3-96b2-deb8b91e727b}\RP371\A0074043.sys (Trojan.FakeAlert) -> Not selected for removal.
c:\system volume information\_restore{129201fa-b0ac-49b3-96b2-deb8b91e727b}\RP372\A0074243.dll (Trojan.Downloader.adb) -> Not selected for removal.
c:\system volume information\_restore{129201fa-b0ac-49b3-96b2-deb8b91e727b}\RP372\A0074244.exe (Trojan.Downloader.adb) -> Not selected for removal.
c:\documents and settings\Heba\application data\microsoft\internet explorer\quick launch\antivirus xp 2008.lnk (Rogue.AntiVirus2008) -> Quarantined and deleted successfully.

#8 RPMcMurphy

RPMcMurphy

    Bleeping *^#@%~


  • Malware Response Team
  • 3,970 posts
  • OFFLINE
  • Gender:Male
  • Local time:02:04 PM

Posted 05 October 2011 - 08:50 PM

crojj42:

Please do this next:

Go to Start > Run and copy/paste the contents of the codebox below into the Run box and click OK:

cmd /c rd "c:\documents and settings\Heba\Application Data\Syheo"

A DOS window may briefly open and close again; this is normal.

Download TDSSKiller.zip and extract TDSSKiller.exe to your desktop
  • Execute TDSSKiller.exe by double-clicking on it.
  • Press Start Scan
  • If malicious objects are found, then ensure Cure is selected. Important: if there is no option to "Cure", it is critical that you select "Skip".
  • Then click Continue > Reboot now
  • Once complete, a log will be produced in c:\. It will be named, for example, TDSSKiller.2.4.0.0_24.07.2010_13.10.52_log.txt
  • Post that log, please.

Please include the following in your next post:
  • TDSSKiller log

Threads are closed after 5 days of inactivity.



#9 crojj42

crojj42
  • Topic Starter

  • Members
  • 75 posts
  • OFFLINE
  • Local time:01:04 PM

Posted 09 October 2011 - 07:53 PM

Here is the requested log:

20:51:16.0734 3700 TDSS rootkit removing tool 2.6.6.0 Oct 7 2011 12:45:24
20:51:17.0031 3700 ============================================================
20:51:17.0031 3700 Current date / time: 2011/10/09 20:51:17.0031
20:51:17.0031 3700 SystemInfo:
20:51:17.0031 3700
20:51:17.0031 3700 OS Version: 5.1.2600 ServicePack: 3.0
20:51:17.0031 3700 Product type: Workstation
20:51:17.0031 3700 ComputerName: DAHAB
20:51:17.0031 3700 UserName: Heba
20:51:17.0031 3700 Windows directory: C:\WINDOWS
20:51:17.0031 3700 System windows directory: C:\WINDOWS
20:51:17.0031 3700 Processor architecture: Intel x86
20:51:17.0031 3700 Number of processors: 2
20:51:17.0031 3700 Page size: 0x1000
20:51:17.0031 3700 Boot type: Normal boot
20:51:17.0031 3700 ============================================================
20:51:17.0890 3700 Initialize success
20:51:23.0296 3968 ============================================================
20:51:23.0296 3968 Scan started
20:51:23.0296 3968 Mode: Manual;
20:51:23.0296 3968 ============================================================
20:51:24.0359 3968 Abiosdsk - ok
20:51:24.0390 3968 abp480n5 (6abb91494fe6c59089b9336452ab2ea3) C:\WINDOWS\system32\DRIVERS\ABP480N5.SYS
20:51:24.0406 3968 abp480n5 - ok
20:51:24.0453 3968 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
20:51:24.0453 3968 ACPI - ok
20:51:24.0484 3968 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
20:51:24.0484 3968 ACPIEC - ok
20:51:24.0531 3968 ADM8511 (b05f2367f62552a2de7e3c352b7b9885) C:\WINDOWS\system32\DRIVERS\ADM8511.SYS
20:51:24.0531 3968 ADM8511 - ok
20:51:24.0562 3968 adpu160m (9a11864873da202c996558b2106b0bbc) C:\WINDOWS\system32\DRIVERS\adpu160m.sys
20:51:24.0562 3968 adpu160m - ok
20:51:24.0593 3968 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
20:51:24.0593 3968 aec - ok
20:51:24.0640 3968 AFD (355556d9e580915118cd7ef736653a89) C:\WINDOWS\System32\drivers\afd.sys
20:51:24.0656 3968 AFD - ok
20:51:24.0671 3968 AFGMp50 - ok
20:51:24.0718 3968 AFGSp50 (1961590aa191b6b7dcf18a6a693af7b8) C:\WINDOWS\system32\Drivers\AFGSp50.sys
20:51:24.0718 3968 AFGSp50 - ok
20:51:24.0750 3968 agp440 (08fd04aa961bdc77fb983f328334e3d7) C:\WINDOWS\system32\DRIVERS\agp440.sys
20:51:24.0750 3968 agp440 - ok
20:51:24.0796 3968 agpCPQ (03a7e0922acfe1b07d5db2eeb0773063) C:\WINDOWS\system32\DRIVERS\agpCPQ.sys
20:51:24.0796 3968 agpCPQ - ok
20:51:24.0828 3968 Aha154x (c23ea9b5f46c7f7910db3eab648ff013) C:\WINDOWS\system32\DRIVERS\aha154x.sys
20:51:24.0828 3968 Aha154x - ok
20:51:24.0859 3968 aic78u2 (19dd0fb48b0c18892f70e2e7d61a1529) C:\WINDOWS\system32\DRIVERS\aic78u2.sys
20:51:24.0859 3968 aic78u2 - ok
20:51:24.0875 3968 aic78xx (b7fe594a7468aa0132deb03fb8e34326) C:\WINDOWS\system32\DRIVERS\aic78xx.sys
20:51:24.0875 3968 aic78xx - ok
20:51:24.0906 3968 AliIde (1140ab9938809700b46bb88e46d72a96) C:\WINDOWS\system32\DRIVERS\aliide.sys
20:51:24.0906 3968 AliIde - ok
20:51:24.0937 3968 alim1541 (cb08aed0de2dd889a8a820cd8082d83c) C:\WINDOWS\system32\DRIVERS\alim1541.sys
20:51:24.0937 3968 alim1541 - ok
20:51:24.0968 3968 amdagp (95b4fb835e28aa1336ceeb07fd5b9398) C:\WINDOWS\system32\DRIVERS\amdagp.sys
20:51:24.0968 3968 amdagp - ok
20:51:24.0984 3968 amsint (79f5add8d24bd6893f2903a3e2f3fad6) C:\WINDOWS\system32\DRIVERS\amsint.sys
20:51:24.0984 3968 amsint - ok
20:51:25.0031 3968 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys
20:51:25.0031 3968 Arp1394 - ok
20:51:25.0062 3968 asc (62d318e9a0c8fc9b780008e724283707) C:\WINDOWS\system32\DRIVERS\asc.sys
20:51:25.0062 3968 asc - ok
20:51:25.0078 3968 asc3350p (69eb0cc7714b32896ccbfd5edcbea447) C:\WINDOWS\system32\DRIVERS\asc3350p.sys
20:51:25.0078 3968 asc3350p - ok
20:51:25.0109 3968 asc3550 (5d8de112aa0254b907861e9e9c31d597) C:\WINDOWS\system32\DRIVERS\asc3550.sys
20:51:25.0109 3968 asc3550 - ok
20:51:25.0156 3968 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
20:51:25.0156 3968 AsyncMac - ok
20:51:25.0187 3968 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
20:51:25.0187 3968 atapi - ok
20:51:25.0203 3968 Atdisk - ok
20:51:25.0234 3968 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
20:51:25.0234 3968 Atmarpc - ok
20:51:25.0265 3968 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
20:51:25.0265 3968 audstub - ok
20:51:25.0312 3968 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
20:51:25.0312 3968 Beep - ok
20:51:25.0359 3968 BlackBox (32790d68ddcf79c990622564585ca546) C:\WINDOWS\system32\drivers\BlackBox.sys
20:51:25.0359 3968 BlackBox - ok
20:51:25.0390 3968 bvrp_pci (c945dc4eee3f624dfd07788ea7f0db0a) C:\WINDOWS\system32\drivers\bvrp_pci.sys
20:51:25.0390 3968 bvrp_pci - ok
20:51:25.0406 3968 BW2NDIS5 - ok
20:51:25.0406 3968 catchme - ok
20:51:25.0437 3968 cbidf (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\DRIVERS\cbidf2k.sys
20:51:25.0453 3968 cbidf - ok
20:51:25.0453 3968 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
20:51:25.0453 3968 cbidf2k - ok
20:51:25.0500 3968 CCDECODE (0be5aef125be881c4f854c554f2b025c) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
20:51:25.0500 3968 CCDECODE - ok
20:51:25.0515 3968 cd20xrnt (f3ec03299634490e97bbce94cd2954c7) C:\WINDOWS\system32\DRIVERS\cd20xrnt.sys
20:51:25.0515 3968 cd20xrnt - ok
20:51:25.0546 3968 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
20:51:25.0546 3968 Cdaudio - ok
20:51:25.0578 3968 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
20:51:25.0578 3968 Cdfs - ok
20:51:25.0593 3968 Cdrom - ok
20:51:25.0609 3968 Changer - ok
20:51:25.0640 3968 CmdIde (e5dcb56c533014ecbc556a8357c929d5) C:\WINDOWS\system32\DRIVERS\cmdide.sys
20:51:25.0640 3968 CmdIde - ok
20:51:25.0671 3968 Cpqarray (3ee529119eed34cd212a215e8c40d4b6) C:\WINDOWS\system32\DRIVERS\cpqarray.sys
20:51:25.0671 3968 Cpqarray - ok
20:51:25.0718 3968 dac2w2k (e550e7418984b65a78299d248f0a7f36) C:\WINDOWS\system32\DRIVERS\dac2w2k.sys
20:51:25.0718 3968 dac2w2k - ok
20:51:25.0734 3968 dac960nt (683789caa3864eb46125ae86ff677d34) C:\WINDOWS\system32\DRIVERS\dac960nt.sys
20:51:25.0734 3968 dac960nt - ok
20:51:25.0781 3968 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
20:51:25.0781 3968 Disk - ok
20:51:25.0859 3968 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
20:51:25.0890 3968 dmboot - ok
20:51:25.0906 3968 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
20:51:25.0906 3968 dmio - ok
20:51:25.0921 3968 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
20:51:25.0921 3968 dmload - ok
20:51:25.0953 3968 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
20:51:25.0953 3968 DMusic - ok
20:51:26.0000 3968 dpti2o (40f3b93b4e5b0126f2f5c0a7a5e22660) C:\WINDOWS\system32\DRIVERS\dpti2o.sys
20:51:26.0000 3968 dpti2o - ok
20:51:26.0031 3968 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
20:51:26.0031 3968 drmkaud - ok
20:51:26.0078 3968 E100B (95974e66d3de4951d29e28e8bc0b644c) C:\WINDOWS\system32\DRIVERS\e100b325.sys
20:51:26.0078 3968 E100B - ok
20:51:26.0140 3968 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
20:51:26.0140 3968 Fastfat - ok
20:51:26.0203 3968 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
20:51:26.0203 3968 Fdc - ok
20:51:26.0234 3968 FINEPIX_PCC (c05d16c1ef3f5519764fefdf281ca4d2) C:\WINDOWS\system32\Drivers\V4CB011D.SYS
20:51:26.0234 3968 FINEPIX_PCC - ok
20:51:26.0265 3968 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
20:51:26.0265 3968 Fips - ok
20:51:26.0312 3968 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
20:51:26.0312 3968 Flpydisk - ok
20:51:26.0359 3968 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
20:51:26.0359 3968 FltMgr - ok
20:51:26.0375 3968 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
20:51:26.0375 3968 Fs_Rec - ok
20:51:26.0406 3968 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
20:51:26.0406 3968 Ftdisk - ok
20:51:26.0453 3968 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
20:51:26.0453 3968 Gpc - ok
20:51:26.0468 3968 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
20:51:26.0468 3968 HDAudBus - ok
20:51:26.0500 3968 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
20:51:26.0500 3968 HidUsb - ok
20:51:26.0546 3968 hpn (b028377dea0546a5fcfba928a8aefae0) C:\WINDOWS\system32\DRIVERS\hpn.sys
20:51:26.0546 3968 hpn - ok
20:51:26.0609 3968 HPZid412 (d03d10f7ded688fecf50f8fbf1ea9b8a) C:\WINDOWS\system32\DRIVERS\HPZid412.sys
20:51:26.0656 3968 HPZid412 - ok
20:51:26.0671 3968 HPZipr12 (89f41658929393487b6b7d13c8528ce3) C:\WINDOWS\system32\DRIVERS\HPZipr12.sys
20:51:26.0671 3968 HPZipr12 - ok
20:51:26.0687 3968 HPZius12 (abcb05ccdbf03000354b9553820e39f8) C:\WINDOWS\system32\DRIVERS\HPZius12.sys
20:51:26.0687 3968 HPZius12 - ok
20:51:26.0734 3968 HSFHWBS2 (77e4ff0b73bc0aeaaf39bf0c8104231f) C:\WINDOWS\system32\DRIVERS\HSFHWBS2.sys
20:51:26.0734 3968 HSFHWBS2 - ok
20:51:26.0765 3968 HSF_DP (60e1604729a15ef4a3b05f298427b3b1) C:\WINDOWS\system32\DRIVERS\HSF_DP.sys
20:51:26.0812 3968 HSF_DP - ok
20:51:26.0875 3968 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
20:51:26.0875 3968 HTTP - ok
20:51:26.0921 3968 i2omgmt (9368670bd426ebea5e8b18a62416ec28) C:\WINDOWS\system32\drivers\i2omgmt.sys
20:51:26.0921 3968 i2omgmt - ok
20:51:26.0953 3968 i2omp (f10863bf1ccc290babd1a09188ae49e0) C:\WINDOWS\system32\DRIVERS\i2omp.sys
20:51:26.0953 3968 i2omp - ok
20:51:26.0984 3968 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
20:51:26.0984 3968 i8042prt - ok
20:51:27.0078 3968 ialm (5a8e05f1d5c36abd58cffa111eb325ea) C:\WINDOWS\system32\DRIVERS\ialmnt5.sys
20:51:27.0125 3968 ialm - ok
20:51:27.0171 3968 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
20:51:27.0171 3968 Imapi - ok
20:51:27.0203 3968 ini910u (4a40e045faee58631fd8d91afc620719) C:\WINDOWS\system32\DRIVERS\ini910u.sys
20:51:27.0203 3968 ini910u - ok
20:51:27.0250 3968 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys
20:51:27.0250 3968 IntelIde - ok
20:51:27.0296 3968 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
20:51:27.0296 3968 intelppm - ok
20:51:27.0328 3968 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
20:51:27.0328 3968 Ip6Fw - ok
20:51:27.0359 3968 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
20:51:27.0359 3968 IpFilterDriver - ok
20:51:27.0390 3968 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
20:51:27.0390 3968 IpInIp - ok
20:51:27.0437 3968 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
20:51:27.0437 3968 IpNat - ok
20:51:27.0453 3968 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
20:51:27.0453 3968 IPSec - ok
20:51:27.0484 3968 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
20:51:27.0484 3968 IRENUM - ok
20:51:27.0515 3968 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
20:51:27.0515 3968 isapnp - ok
20:51:27.0531 3968 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
20:51:27.0531 3968 Kbdclass - ok
20:51:27.0546 3968 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
20:51:27.0546 3968 kbdhid - ok
20:51:27.0609 3968 KDZfiltr (238a7e633a36abef00967a2a87e6e59c) C:\WINDOWS\system32\DRIVERS\KDZfiltr.sys
20:51:27.0625 3968 KDZfiltr - ok
20:51:27.0640 3968 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
20:51:27.0640 3968 kmixer - ok
20:51:27.0703 3968 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
20:51:27.0703 3968 KSecDD - ok
20:51:27.0750 3968 Lavasoft Kernexplorer - ok
20:51:27.0781 3968 lbrtfdc - ok
20:51:27.0828 3968 MASPINT (a2ae666cee860babe7fa6f1662b71737) C:\WINDOWS\system32\drivers\MASPINT.sys
20:51:27.0828 3968 MASPINT - ok
20:51:27.0859 3968 MBAMProtector (69a6268d7f81e53d568ab4e7e991caf3) C:\WINDOWS\system32\drivers\mbam.sys
20:51:27.0859 3968 MBAMProtector - ok
20:51:27.0875 3968 MBAMSwissArmy - ok
20:51:27.0921 3968 mdmxsdk (eeaea6514ba7c9d273b5e87c4e1aab30) C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys
20:51:27.0921 3968 mdmxsdk - ok
20:51:27.0953 3968 MHNDRV (7f2f1d2815a6449d346fcccbc569fbd6) C:\WINDOWS\system32\DRIVERS\mhndrv.sys
20:51:27.0953 3968 MHNDRV - ok
20:51:28.0000 3968 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
20:51:28.0000 3968 mnmdd - ok
20:51:28.0031 3968 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
20:51:28.0046 3968 Modem - ok
20:51:28.0062 3968 MODEMCSA (1992e0d143b09653ab0f9c5e04b0fd65) C:\WINDOWS\system32\drivers\MODEMCSA.sys
20:51:28.0062 3968 MODEMCSA - ok
20:51:28.0078 3968 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
20:51:28.0078 3968 Mouclass - ok
20:51:28.0125 3968 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
20:51:28.0125 3968 mouhid - ok
20:51:28.0156 3968 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
20:51:28.0156 3968 MountMgr - ok
20:51:28.0187 3968 mraid35x (3f4bb95e5a44f3be34824e8e7caf0737) C:\WINDOWS\system32\DRIVERS\mraid35x.sys
20:51:28.0187 3968 mraid35x - ok
20:51:28.0203 3968 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
20:51:28.0218 3968 MRxDAV - ok
20:51:28.0265 3968 MRxSmb (7d304a5eb4344ebeeab53a2fe3ffb9f0) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
20:51:28.0265 3968 MRxSmb - ok
20:51:28.0296 3968 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
20:51:28.0296 3968 Msfs - ok
20:51:28.0328 3968 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
20:51:28.0328 3968 MSKSSRV - ok
20:51:28.0343 3968 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
20:51:28.0343 3968 MSPCLOCK - ok
20:51:28.0375 3968 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
20:51:28.0375 3968 MSPQM - ok
20:51:28.0406 3968 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
20:51:28.0406 3968 mssmbios - ok
20:51:28.0437 3968 MSTEE (e53736a9e30c45fa9e7b5eac55056d1d) C:\WINDOWS\system32\drivers\MSTEE.sys
20:51:28.0437 3968 MSTEE - ok
20:51:28.0484 3968 Mup (de6a75f5c270e756c5508d94b6cf68f5) C:\WINDOWS\system32\drivers\Mup.sys
20:51:28.0484 3968 Mup - ok
20:51:28.0515 3968 NABTSFEC (5b50f1b2a2ed47d560577b221da734db) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
20:51:28.0515 3968 NABTSFEC - ok
20:51:28.0562 3968 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
20:51:28.0562 3968 NDIS - ok
20:51:28.0593 3968 NdisIP (7ff1f1fd8609c149aa432f95a8163d97) C:\WINDOWS\system32\DRIVERS\NdisIP.sys
20:51:28.0593 3968 NdisIP - ok
20:51:28.0640 3968 NdisTapi (0109c4f3850dfbab279542515386ae22) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
20:51:28.0640 3968 NdisTapi - ok
20:51:28.0656 3968 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
20:51:28.0656 3968 Ndisuio - ok
20:51:28.0671 3968 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
20:51:28.0671 3968 NdisWan - ok
20:51:28.0718 3968 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
20:51:28.0718 3968 NDProxy - ok
20:51:28.0734 3968 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
20:51:28.0734 3968 NetBIOS - ok
20:51:28.0765 3968 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
20:51:28.0765 3968 NetBT - ok
20:51:28.0812 3968 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys
20:51:28.0812 3968 NIC1394 - ok
20:51:28.0828 3968 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
20:51:28.0843 3968 Npfs - ok
20:51:28.0875 3968 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
20:51:28.0906 3968 Ntfs - ok
20:51:28.0937 3968 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
20:51:28.0937 3968 Null - ok
20:51:29.0031 3968 nv (2b298519edbfcf451d43e0f1e8f1006d) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
20:51:29.0093 3968 nv - ok
20:51:29.0109 3968 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
20:51:29.0109 3968 NwlnkFlt - ok
20:51:29.0125 3968 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
20:51:29.0125 3968 NwlnkFwd - ok
20:51:29.0171 3968 ohci1394 (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys
20:51:29.0171 3968 ohci1394 - ok
20:51:29.0187 3968 PalmUSBD - ok
20:51:29.0234 3968 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
20:51:29.0234 3968 Parport - ok
20:51:29.0250 3968 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
20:51:29.0250 3968 PartMgr - ok
20:51:29.0281 3968 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
20:51:29.0281 3968 ParVdm - ok
20:51:29.0281 3968 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
20:51:29.0296 3968 PCI - ok
20:51:29.0296 3968 PCIDump - ok
20:51:29.0328 3968 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
20:51:29.0328 3968 PCIIde - ok
20:51:29.0375 3968 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
20:51:29.0390 3968 Pcmcia - ok
20:51:29.0390 3968 PDCOMP - ok
20:51:29.0406 3968 PDFRAME - ok
20:51:29.0421 3968 PDRELI - ok
20:51:29.0437 3968 PDRFRAME - ok
20:51:29.0468 3968 perc2 (6c14b9c19ba84f73d3a86dba11133101) C:\WINDOWS\system32\DRIVERS\perc2.sys
20:51:29.0468 3968 perc2 - ok
20:51:29.0484 3968 perc2hib (f50f7c27f131afe7beba13e14a3b9416) C:\WINDOWS\system32\DRIVERS\perc2hib.sys
20:51:29.0484 3968 perc2hib - ok
20:51:29.0562 3968 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
20:51:29.0562 3968 PptpMiniport - ok
20:51:29.0578 3968 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
20:51:29.0578 3968 PSched - ok
20:51:29.0593 3968 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
20:51:29.0593 3968 Ptilink - ok
20:51:29.0656 3968 PxHelp20 (d86b4a68565e444d76457f14172c875a) C:\WINDOWS\system32\Drivers\PxHelp20.sys
20:51:29.0656 3968 PxHelp20 - ok
20:51:29.0687 3968 ql1080 (0a63fb54039eb5662433caba3b26dba7) C:\WINDOWS\system32\DRIVERS\ql1080.sys
20:51:29.0687 3968 ql1080 - ok
20:51:29.0718 3968 Ql10wnt (6503449e1d43a0ff0201ad5cb1b8c706) C:\WINDOWS\system32\DRIVERS\ql10wnt.sys
20:51:29.0718 3968 Ql10wnt - ok
20:51:29.0734 3968 ql12160 (156ed0ef20c15114ca097a34a30d8a01) C:\WINDOWS\system32\DRIVERS\ql12160.sys
20:51:29.0734 3968 ql12160 - ok
20:51:29.0750 3968 ql1240 (70f016bebde6d29e864c1230a07cc5e6) C:\WINDOWS\system32\DRIVERS\ql1240.sys
20:51:29.0750 3968 ql1240 - ok
20:51:29.0765 3968 ql1280 (907f0aeea6bc451011611e732bd31fcf) C:\WINDOWS\system32\DRIVERS\ql1280.sys
20:51:29.0765 3968 ql1280 - ok
20:51:29.0796 3968 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
20:51:29.0796 3968 RasAcd - ok
20:51:29.0843 3968 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
20:51:29.0843 3968 Rasl2tp - ok
20:51:29.0859 3968 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
20:51:29.0859 3968 RasPppoe - ok
20:51:29.0875 3968 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
20:51:29.0875 3968 Raspti - ok
20:51:29.0921 3968 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
20:51:29.0937 3968 Rdbss - ok
20:51:29.0953 3968 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
20:51:29.0953 3968 RDPCDD - ok
20:51:29.0984 3968 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
20:51:30.0000 3968 rdpdr - ok
20:51:30.0046 3968 RDPWD (fc105dd312ed64eb66bff111e8ec6eac) C:\WINDOWS\system32\drivers\RDPWD.sys
20:51:30.0046 3968 RDPWD - ok
20:51:30.0078 3968 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
20:51:30.0078 3968 redbook - ok
20:51:30.0140 3968 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
20:51:30.0140 3968 Secdrv - ok
20:51:30.0187 3968 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
20:51:30.0187 3968 serenum - ok
20:51:30.0218 3968 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
20:51:30.0218 3968 Serial - ok
20:51:30.0250 3968 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
20:51:30.0265 3968 Sfloppy - ok
20:51:30.0281 3968 Simbad - ok
20:51:30.0328 3968 sisagp (6b33d0ebd30db32e27d1d78fe946a754) C:\WINDOWS\system32\DRIVERS\sisagp.sys
20:51:30.0328 3968 sisagp - ok
20:51:30.0343 3968 SLIP (866d538ebe33709a5c9f5c62b73b7d14) C:\WINDOWS\system32\DRIVERS\SLIP.sys
20:51:30.0343 3968 SLIP - ok
20:51:30.0375 3968 Sparrow (83c0f71f86d3bdaf915685f3d568b20e) C:\WINDOWS\system32\DRIVERS\sparrow.sys
20:51:30.0390 3968 Sparrow - ok
20:51:30.0421 3968 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
20:51:30.0421 3968 splitter - ok
20:51:30.0437 3968 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
20:51:30.0453 3968 sr - ok
20:51:30.0484 3968 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys
20:51:30.0500 3968 Srv - ok
20:51:30.0578 3968 STHDA (26eb7acf476a3461b85f5bce9a677a4a) C:\WINDOWS\system32\drivers\sthda.sys
20:51:30.0578 3968 STHDA - ok
20:51:30.0609 3968 streamip (77813007ba6265c4b6098187e6ed79d2) C:\WINDOWS\system32\DRIVERS\StreamIP.sys
20:51:30.0609 3968 streamip - ok
20:51:30.0640 3968 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
20:51:30.0640 3968 swenum - ok
20:51:30.0671 3968 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
20:51:30.0671 3968 swmidi - ok
20:51:30.0718 3968 symc810 (1ff3217614018630d0a6758630fc698c) C:\WINDOWS\system32\DRIVERS\symc810.sys
20:51:30.0718 3968 symc810 - ok
20:51:30.0750 3968 symc8xx (070e001d95cf725186ef8b20335f933c) C:\WINDOWS\system32\DRIVERS\symc8xx.sys
20:51:30.0750 3968 symc8xx - ok
20:51:30.0765 3968 sym_hi (80ac1c4abbe2df3b738bf15517a51f2c) C:\WINDOWS\system32\DRIVERS\sym_hi.sys
20:51:30.0765 3968 sym_hi - ok
20:51:30.0781 3968 sym_u3 (bf4fab949a382a8e105f46ebb4937058) C:\WINDOWS\system32\DRIVERS\sym_u3.sys
20:51:30.0781 3968 sym_u3 - ok
20:51:30.0828 3968 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
20:51:30.0828 3968 sysaudio - ok
20:51:30.0890 3968 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
20:51:30.0906 3968 Tcpip - ok
20:51:30.0937 3968 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
20:51:30.0937 3968 TDPIPE - ok
20:51:30.0968 3968 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
20:51:30.0984 3968 TDTCP - ok
20:51:31.0015 3968 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
20:51:31.0015 3968 TermDD - ok
20:51:31.0046 3968 TosIde (f2790f6af01321b172aa62f8e1e187d9) C:\WINDOWS\system32\DRIVERS\toside.sys
20:51:31.0046 3968 TosIde - ok
20:51:31.0093 3968 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
20:51:31.0093 3968 Udfs - ok
20:51:31.0125 3968 ultra (1b698a51cd528d8da4ffaed66dfc51b9) C:\WINDOWS\system32\DRIVERS\ultra.sys
20:51:31.0140 3968 ultra - ok
20:51:31.0187 3968 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
20:51:31.0203 3968 Update - ok
20:51:31.0250 3968 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
20:51:31.0250 3968 usbccgp - ok
20:51:31.0265 3968 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
20:51:31.0265 3968 usbehci - ok
20:51:31.0296 3968 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
20:51:31.0296 3968 usbhub - ok
20:51:31.0312 3968 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
20:51:31.0312 3968 usbprint - ok
20:51:31.0328 3968 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
20:51:31.0328 3968 usbscan - ok
20:51:31.0343 3968 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
20:51:31.0343 3968 USBSTOR - ok
20:51:31.0375 3968 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
20:51:31.0375 3968 usbuhci - ok
20:51:31.0390 3968 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
20:51:31.0390 3968 VgaSave - ok
20:51:31.0437 3968 viaagp (754292ce5848b3738281b4f3607eaef4) C:\WINDOWS\system32\DRIVERS\viaagp.sys
20:51:31.0437 3968 viaagp - ok
20:51:31.0453 3968 ViaIde (3b3efcda263b8ac14fdf9cbdd0791b2e) C:\WINDOWS\system32\DRIVERS\viaide.sys
20:51:31.0453 3968 ViaIde - ok
20:51:31.0484 3968 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
20:51:31.0484 3968 VolSnap - ok
20:51:31.0531 3968 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
20:51:31.0531 3968 Wanarp - ok
20:51:31.0531 3968 wanatw - ok
20:51:31.0546 3968 WDICA - ok
20:51:31.0578 3968 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
20:51:31.0578 3968 wdmaud - ok
20:51:31.0625 3968 winachsf (f59ed5a43b988a18ef582bb07b2327a7) C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys
20:51:31.0656 3968 winachsf - ok
20:51:31.0765 3968 WpdUsb (cf4def1bf66f06964dc0d91844239104) C:\WINDOWS\system32\DRIVERS\wpdusb.sys
20:51:31.0765 3968 WpdUsb - ok
20:51:31.0843 3968 WSTCODEC (c98b39829c2bbd34e454150633c62c78) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
20:51:31.0843 3968 WSTCODEC - ok
20:51:31.0890 3968 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
20:51:31.0890 3968 WudfPf - ok
20:51:31.0921 3968 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
20:51:31.0921 3968 WudfRd - ok
20:51:31.0953 3968 ZSMC301b - ok
20:51:31.0984 3968 MBR (0x1B8) (87f75abb087c82bee3a1fbec42bbabd0) \Device\Harddisk0\DR0
20:51:31.0984 3968 \Device\Harddisk0\DR0 ( Rootkit.Win32.TDSS.tdl4 ) - infected
20:51:31.0984 3968 \Device\Harddisk0\DR0 - detected Rootkit.Win32.TDSS.tdl4 (0)
20:51:32.0000 3968 Boot (0x1200) (521b4fb260e7220936768d2e6214c473) \Device\Harddisk0\DR0\Partition0
20:51:32.0000 3968 \Device\Harddisk0\DR0\Partition0 - ok
20:51:32.0000 3968 ============================================================
20:51:32.0000 3968 Scan finished
20:51:32.0000 3968 ============================================================
20:51:32.0000 3332 Detected object count: 1
20:51:32.0000 3332 Actual detected object count: 1
20:51:37.0843 3332 \Device\Harddisk0\DR0 ( Rootkit.Win32.TDSS.tdl4 ) - will be cured on reboot
20:51:37.0843 3332 \Device\Harddisk0\DR0 - ok
20:51:37.0843 3332 \Device\Harddisk0\DR0 ( Rootkit.Win32.TDSS.tdl4 ) - User select action: Cure
20:51:50.0031 3056 Deinitialize success
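The TDSSKiller log above has a regular shape: a timestamp, a thread id, then either an inventory line (object name, MD5 in parentheses, path) or a verdict line (object, optional threat name in parentheses, then " - " and the verdict such as "ok", "infected", "detected ...", "will be cured on reboot"). The parser below is an added example, not code from the tool's authors or from anyone in this thread; it reduces a log to the facts a responder wants (every non-"ok" verdict, the distinct threat names, objects whose cure is deferred to reboot, and the scanner's own object count). The sample log is a constructed excerpt of the log above, and the regular expressions are inferred from the lines on the page, so they are an assumption about the format beyond those lines.

```python
import re

# Constructed excerpt in the TDSSKiller log format shown above: a few driver
# inventory lines, the MBR verdict lines and the closing counter. Names and
# hashes are copied from the posted log; this is not the complete log.
SAMPLE_LOG = r"""
20:51:24.0859 3968 aic78u2 (19dd0fb48b0c18892f70e2e7d61a1529) C:\WINDOWS\system32\DRIVERS\aic78u2.sys
20:51:24.0859 3968 aic78u2 - ok
20:51:27.0750 3968 Lavasoft Kernexplorer - ok
20:51:31.0984 3968 MBR (0x1B8) (87f75abb087c82bee3a1fbec42bbabd0) \Device\Harddisk0\DR0
20:51:31.0984 3968 \Device\Harddisk0\DR0 ( Rootkit.Win32.TDSS.tdl4 ) - infected
20:51:31.0984 3968 \Device\Harddisk0\DR0 - detected Rootkit.Win32.TDSS.tdl4 (0)
20:51:32.0000 3968 Boot (0x1200) (521b4fb260e7220936768d2e6214c473) \Device\Harddisk0\DR0\Partition0
20:51:32.0000 3968 \Device\Harddisk0\DR0\Partition0 - ok
20:51:32.0000 3332 Detected object count: 1
20:51:37.0843 3332 \Device\Harddisk0\DR0 ( Rootkit.Win32.TDSS.tdl4 ) - will be cured on reboot
20:51:37.0843 3332 \Device\Harddisk0\DR0 ( Rootkit.Win32.TDSS.tdl4 ) - User select action: Cure
"""

# Line shapes inferred from the posted log (an assumption about the format beyond it).
LINE_RE = re.compile(r"^(?P<time>\d\d:\d\d:\d\d\.\d+)\s+(?P<tid>\d+)\s+(?P<body>.+)$")
INVENTORY_RE = re.compile(r"^(?P<name>.+?) \((?P<md5>[0-9a-f]{32})\) (?P<path>.+)$")
VERDICT_RE = re.compile(r"^(?P<object>.+?)(?: \( (?P<threat>\S+) \))? - (?P<verdict>.+)$")
COUNT_RE = re.compile(r"^(?P<actual>Actual )?[Dd]etected object count: (?P<n>\d+)$")
DETECTED_RE = re.compile(r"^detected (?P<threat>\S+)")


def parse_line(line):
    """Split one log line into (time, tid, body); None for blanks and banners."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return m.group("time"), m.group("tid"), m.group("body")


def summarize(log_text):
    """Reduce a TDSSKiller log to what a responder needs to act on."""
    summary = {
        "scanned": 0,            # objects that got a hash line (drivers, MBR, boot sector)
        "hashes": {},            # object name -> MD5 reported by the scanner
        "findings": [],          # every verdict other than "ok", in log order
        "threats": set(),        # distinct threat names seen
        "pending_reboot": [],    # objects whose cure is deferred to the next reboot
        "detected_count": None,  # the scanner's own "Detected object count"
    }
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue
        _time, _tid, body = parsed
        m = COUNT_RE.match(body)
        if m:
            if not m.group("actual"):
                summary["detected_count"] = int(m.group("n"))
            continue
        m = INVENTORY_RE.match(body)
        if m:
            summary["scanned"] += 1
            summary["hashes"][m.group("name")] = m.group("md5")
            continue
        m = VERDICT_RE.match(body)
        if not m or m.group("verdict") == "ok":
            continue
        verdict = m.group("verdict")
        threat = m.group("threat")
        if threat is None:
            # "detected <name> (0)" lines carry the threat in the verdict itself
            d = DETECTED_RE.match(verdict)
            threat = d.group("threat") if d else None
        finding = {"object": m.group("object"), "threat": threat, "verdict": verdict}
        summary["findings"].append(finding)
        if threat:
            summary["threats"].add(threat)
        if "cured on reboot" in verdict:
            summary["pending_reboot"].append(finding["object"])
    return summary


def needs_attention(summary):
    """True when the log reports anything other than clean objects."""
    return bool(summary["findings"]) or bool(summary["detected_count"])


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print("objects hashed:", s["scanned"], "| detected:", s["detected_count"])
    for f in s["findings"]:
        print(f"{f['object']}: {f['verdict']}" + (f" [{f['threat']}]" if f["threat"] else ""))
    print("pending reboot:", s["pending_reboot"])
```

Run on the full log, the only non-"ok" verdicts are the MBR lines, which is why the triage in this thread centres on the boot record rather than on any of the hundreds of driver lines; the deferred "will be cured on reboot" entry is the reason a reboot and a second scan are needed before the machine can be called clean.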

#10 RPMcMurphy

RPMcMurphy

    Bleeping *^#@%~


  • Malware Response Team
  • 3,970 posts
  • OFFLINE
  • Gender:Male
  • Local time:02:04 PM

Posted 09 October 2011 - 08:45 PM

crojj42:

How is your computer running now? Please do this next:

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older Java components and update.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE or Java™ 6) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Go to this page to download the latest version.
  • Run the installer you just downloaded.
Please go here to run an online scan with ESET.
  • Turn off the real-time scanner of any existing antivirus program while performing the online scan.
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start.
  • When asked, allow the ActiveX control to install.
  • Click Start.
  • Make sure that the option Remove found threats is unticked, and the option Scan unwanted applications is checked.
  • Click on Advanced Settings and ensure these options are ticked:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Click Scan.
  • Wait for the scan to finish.
  • If any threats were found, click 'List of found threats', then click Export to text file...
  • Save it to your desktop, then please copy and paste that log as a reply to this topic.
Please include the following in your next post:
  • How is the computer running?
  • ESET log

Threads are closed after 5 days of inactivity.

ASAP & UNITE Member


The help you receive here is free. If you wish to show your appreciation, then you may donate.
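The Java clean-up step above is done by eye in Add/Remove Programs, which is where stale runtimes get missed. The script below is an added example, not code from the post or from Oracle: it lists the Java runtimes registered under the Uninstall registry keys that Add/Remove Programs reads (on Windows), works out which ones are older than the newest installed, and prints them so the user can confirm nothing was left behind after the reboot. The sample entries, their version strings and the placeholder GUIDs are constructed, and the version normalisation (dropping a leading "1." so "1.6.0.70" and "6.0.290" compare) is an assumption about how installers report versions, not something the post states.

```python
import re
import sys

# Registry keys behind Add/Remove Programs; Wow6432Node lists 32-bit installers on 64-bit Windows.
UNINSTALL_KEYS = (
    r"SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall",
    r"SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall",
)

# The product names the post says to look for all begin with "Java" or "J2SE".
JAVA_NAME_RE = re.compile(r"^(Java|J2SE)\b", re.IGNORECASE)

# Constructed sample of (DisplayName, DisplayVersion, UninstallString) entries;
# names, version strings and the placeholder GUIDs are made up for this example.
SAMPLE_ENTRIES = [
    ("J2SE Runtime Environment 5.0 Update 6", "1.5.0.60", "MsiExec.exe /X{PLACEHOLDER-GUID-1}"),
    ("Java(TM) 6 Update 7", "1.6.0.70", "MsiExec.exe /X{PLACEHOLDER-GUID-2}"),
    ("Java(TM) 6 Update 29", "6.0.290", "MsiExec.exe /X{PLACEHOLDER-GUID-3}"),
    ("Adobe Reader 9", "9.0.0", "MsiExec.exe /X{PLACEHOLDER-GUID-4}"),
]


def is_java_runtime(display_name):
    """True for JRE/J2SE entries; False for products that merely contain 'Java' (e.g. JavaFX)."""
    return bool(display_name) and JAVA_NAME_RE.match(display_name) is not None


def version_key(display_version):
    """Comparable tuple from a DisplayVersion string. Assumption: some Java
    installers report '1.6.0.70' and others '6.0.290' for the same major line,
    so a leading '1.' is dropped to make the two forms comparable."""
    parts = [int(p) for p in re.findall(r"\d+", display_version or "0")]
    if len(parts) > 1 and parts[0] == 1:
        parts = parts[1:]
    return tuple(parts)


def find_stale_java(entries):
    """Return (newest_runtime, stale_runtimes) among the Java entries, newest by version."""
    runtimes = [e for e in entries if is_java_runtime(e[0])]
    if not runtimes:
        return None, []
    newest = max(runtimes, key=lambda e: version_key(e[1]))
    stale = [e for e in runtimes if version_key(e[1]) < version_key(newest[1])]
    return newest, stale


def read_uninstall_entries():
    """Read (DisplayName, DisplayVersion, UninstallString) from the registry; [] off Windows."""
    if sys.platform != "win32":
        return []
    import winreg
    found = []
    for key_path in UNINSTALL_KEYS:
        try:
            root = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key_path)
        except OSError:
            continue  # key absent (e.g. no Wow6432Node on 32-bit Windows XP)
        with root:
            for i in range(winreg.QueryInfoKey(root)[0]):
                with winreg.OpenKey(root, winreg.EnumKey(root, i)) as sub:
                    values = {}
                    for name in ("DisplayName", "DisplayVersion", "UninstallString"):
                        try:
                            values[name] = winreg.QueryValueEx(sub, name)[0]
                        except OSError:
                            values[name] = None
                    found.append((values["DisplayName"], values["DisplayVersion"], values["UninstallString"]))
    return found


if __name__ == "__main__":
    entries = read_uninstall_entries() or SAMPLE_ENTRIES
    newest, stale = find_stale_java(entries)
    if newest is None:
        print("no Java runtime registered")
    else:
        print("newest:", newest[0], newest[1])
        for name, version, uninstall in stale:
            print("stale: ", name, version, "->", uninstall)
```

Running it before the removal step shows every runtime that should go; running it again after the reboot should list nothing as stale, which is the check the "remove all older versions" instruction leaves to the user.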


#11 RPMcMurphy

RPMcMurphy

    Bleeping *^#@%~


  • Malware Response Team
  • 3,970 posts
  • OFFLINE
  • Gender:Male
  • Local time:02:04 PM

Posted 15 October 2011 - 09:34 PM

Due to the lack of feedback, this topic is now closed. In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.

Threads are closed after 5 days of inactivity.

ASAP & UNITE Member


The help you receive here is free. If you wish to show your appreciation, then you may donate.




