
Internet search links go to ad sites


This topic is locked
12 replies to this topic

#1 eta508 (Members, 6 posts)

Posted 16 October 2011 - 10:28 AM

I've run AVG Free and Malwarebytes Anti-Malware. It finds random trojans (Bento, CouponBook, Hiloti or something like that), but after a restart the same problem occurs. I have Win XP SP3 and use IE8 or Firefox 7.0.1.

I've tried to post this from my infected desktop, but every time I click "post", I always get an error... I've tried this site as well as one other spyware help site and it never let me post it. So, I copied the logs onto a flash drive and am posting this from my laptop. I ran Windows Security Essentials on the text files and they came back as clean...

EDIT: Yep, I was able to post to this site with no problem. So, besides the search links going to ad sites, there is something there that is also stopping me from posting this topic from the infected desktop.

DDS:
.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_23
Run by Erik and Sarah Palau at 9:59:03 on 2011-10-16
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2559.1781 [GMT -5:00]
.
AV: AVG Anti-Virus Free Edition 2012 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
.
============== Running Processes ===============
.
C:\PROGRA~1\AVG\AVG2012\avgrsx.exe
C:\Program Files\AVG\AVG2012\avgcsrvx.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE
C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\WINDOWS\system32\CTXFIHLP.EXE
C:\PROGRA~1\EPSONS~1\EVENTM~1\EEventManager.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\Program Files\AVG\AVG2012\avgtray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIEKA.EXE
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
svchost.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\Program Files\Creative\ShareDLL\CADI\NotiMan.exe
C:\Program Files\AVG\AVG2012\avgwdsvc.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\AVG\AVG2012\avgnsx.exe
C:\Program Files\AVG\AVG2012\avgemcx.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\AVG\AVG2012\AVGIDSAgent.exe
C:\Documents and Settings\Erik and Sarah Palau\Desktop\HijackThis.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.yahoo.com/
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg2012\avgssie.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: Yontoo Layers: {fd72061e-9fde-484d-a58a-0bab4151cad8} - c:\program files\yontoo layers runtime\YontooIEClient_2.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [EPSON WorkForce 600 Series] c:\windows\system32\spool\drivers\w32x86\3\e_fatieka.exe /fu "c:\windows\temp\E_S168.tmp" /EF "HKCU"
mRun: [CTDVDDET] "c:\program files\creative\sound blaster x-fi\dvdaudio\CTDVDDET.EXE"
mRun: [RCSystem] "c:\program files\creative\shared files\module loader\DLLML.exe" RCSystem * -Startup
mRun: [AudioDrvEmulator] "c:\program files\creative\shared files\module loader\dllml.exe" -1 audiodrvemulator "c:\program files\creative\shared files\module loader\audio emulator\AudDrvEm.dll"
mRun: [VolPanel] "c:\program files\creative\sound blaster x-fi\volume panel\VolPanel.exe" /r
mRun: [CTHelper] CTHELPER.EXE
mRun: [CTxfiHlp] CTXFIHLP.EXE
mRun: [UpdReg] c:\windows\UpdReg.EXE
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [EEventManager] c:\progra~1\epsons~1\eventm~1\EEventManager.exe
mRun: [ArcSoft Connection Service] c:\program files\common files\arcsoft\connection service\bin\ACDaemon.exe
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Elehih] rundll32.exe "c:\windows\ohefenifijo.dll",Startup
mRun: [AVG_TRAY] "c:\program files\avg\avg2012\avgtray.exe"
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {0D41B8C5-2599-4893-8183-00195EC8D5F9} - hxxp://support.asus.com/common/asusTek_sys_ctrl.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1236818300420
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{AE7B861D-976C-4369-B0A2-2E5E2B70E285} : DhcpNameServer = 192.168.1.1
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg2012\avgpp.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: inetwork - inetsw32.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\erik and sarah palau\application data\mozilla\firefox\profiles\ofp3h1a7.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-&p=
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/?fr=fptb-
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-&p=
FF - component: c:\program files\avg\avg2012\firefox4\components\avgssff4.dll
FF - component: c:\program files\avg\avg2012\firefox4\components\avgssff5.dll
FF - component: c:\program files\avg\avg2012\firefox4\components\avgssff6.dll
FF - component: c:\program files\avg\avg2012\firefox4\components\avgssff7.dll
FF - plugin: c:\documents and settings\erik and sarah palau\local settings\application data\yahoo!\browserplus\2.9.8\plugins\npybrowserplus_2.9.8.dll
FF - plugin: c:\program files\adobe\reader 9.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60831.0\npctrlui.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
.
---- FIREFOX POLICIES ----
user_pref(security.warn_viewing_mixed,false);
user_pref(security.warn_viewing_mixed.show_once,false);
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
user_pref(security.warn_submit_insecure,false);
FF - user.js: security.warn_submit_insecure.show_once - false
.
============= SERVICES / DRIVERS ===============
.
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2011-7-11 23120]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2011-9-13 32592]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2011-7-11 229840]
R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2011-8-8 40016]
R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2011-7-11 295248]
R2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg2012\AVGIDSAgent.exe [2011-9-12 5265248]
R2 avgwd;AVG WatchDog;c:\program files\avg\avg2012\avgwdsvc.exe [2011-8-2 192776]
R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2011-7-11 134608]
R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2011-7-11 24272]
R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2011-7-11 16720]
S1 MpKsl2781994f;MpKsl2781994f;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{b8b7ef1c-355f-413e-8734-51d67022f6d8}\mpksl2781994f.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{b8b7ef1c-355f-413e-8734-51d67022f6d8}\MpKsl2781994f.sys [?]
S1 MpKsl3ad641b2;MpKsl3ad641b2;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{dbc4fcc1-9bdc-4355-81de-5a0a5de1adfe}\mpksl3ad641b2.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{dbc4fcc1-9bdc-4355-81de-5a0a5de1adfe}\MpKsl3ad641b2.sys [?]
S1 MpKsl5905b6c5;MpKsl5905b6c5;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{1b276d52-e837-4ce6-87b6-b906a6934ced}\mpksl5905b6c5.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{1b276d52-e837-4ce6-87b6-b906a6934ced}\MpKsl5905b6c5.sys [?]
S1 MpKsl69ae0e4a;MpKsl69ae0e4a;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{e79812e7-1861-4712-984e-555830753df3}\mpksl69ae0e4a.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{e79812e7-1861-4712-984e-555830753df3}\MpKsl69ae0e4a.sys [?]
S1 MpKslbedfff26;MpKslbedfff26;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{8eb10f35-5e28-4651-a012-c6a55efb49d6}\mpkslbedfff26.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{8eb10f35-5e28-4651-a012-c6a55efb49d6}\MpKslbedfff26.sys [?]
S1 MpKsld91f53a4;MpKsld91f53a4;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{5d3b4035-f072-4d51-b108-78d742d07688}\mpksld91f53a4.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{5d3b4035-f072-4d51-b108-78d742d07688}\MpKsld91f53a4.sys [?]
S2 itlperf;Network Location Awarenes;c:\windows\system32\svchost.exe -k itnetsvc [2003-3-31 14336]
S3 ASUSHWIO;ASUSHWIO;\??\c:\windows\system32\drivers\asushwio.sys --> c:\windows\system32\drivers\ASUSHWIO.sys [?]
S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
S3 SIUSBXP;SIUSBXP;c:\windows\system32\drivers\SiUSBXp.sys [2009-10-15 14848]
.
=============== Created Last 30 ================
.
2011-10-16 13:32:13 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-10-16 13:32:13 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-10-15 19:58:52 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2011-10-15 19:58:50 924632 ----a-w- c:\program files\mozilla firefox\firefox.exe
2011-10-15 19:58:50 89048 ----a-w- c:\program files\mozilla firefox\libEGL.dll
2011-10-15 19:58:50 773080 ----a-w- c:\program files\mozilla firefox\mozsqlite3.dll
2011-10-15 19:58:50 478168 ----a-w- c:\program files\mozilla firefox\libGLESv2.dll
2011-10-15 19:58:50 2106216 ----a-w- c:\program files\mozilla firefox\D3DCompiler_43.dll
2011-10-15 19:58:50 1998168 ----a-w- c:\program files\mozilla firefox\d3dx9_43.dll
2011-10-15 19:58:50 19416 ----a-w- c:\program files\mozilla firefox\AccessibleMarshal.dll
2011-10-15 19:58:50 1833944 ----a-w- c:\program files\mozilla firefox\mozjs.dll
2011-10-15 19:58:50 15832 ----a-w- c:\program files\mozilla firefox\mozalloc.dll
2011-10-15 19:58:50 125912 ----a-w- c:\program files\mozilla firefox\crashreporter.exe
2011-10-15 18:10:44 -------- d--h--w- C:\$AVG
2011-10-15 17:51:33 -------- d-----w- c:\program files\MALWAREBYTES ANTI-MALWARE
2011-10-15 17:50:58 -------- d-----w- c:\documents and settings\erik and sarah palau\local settings\application data\PCHealth
2011-10-15 17:24:22 -------- d-----w- c:\program files\YONTOO LAYERS RUNTIME
2011-10-15 17:24:12 -------- d-----w- c:\documents and settings\erik and sarah palau\application data\AVG2012
2011-10-15 17:22:45 -------- d-----w- c:\windows\system32\drivers\AVG
2011-10-15 17:22:45 -------- d-----w- c:\documents and settings\all users\application data\AVG2012
2011-10-15 17:18:51 -------- d-----w- c:\documents and settings\erik and sarah palau\local settings\application data\{7AAB3727-B9F2-4D80-A6CC-724B5204075C}
2011-10-15 17:15:54 -------- d-----w- c:\program files\AVG
2011-10-15 17:06:24 -------- d-----w- c:\documents and settings\erik and sarah palau\local settings\application data\{A1F33107-2180-4AD3-ABBF-3262834A5446}
2011-10-15 17:00:34 -------- d--h--w- c:\documents and settings\all users\application data\Common Files
2011-10-15 17:00:13 -------- d-----w- c:\documents and settings\all users\application data\MFAData
2011-10-15 16:58:48 -------- d-----w- c:\documents and settings\erik and sarah palau\local settings\application data\{B0A3265A-6925-44BC-A725-438EC199416A}
.
==================== Find3M ====================
.
2011-10-16 13:48:58 0 ----a-w- c:\windows\Itedujehokonip.bin
2011-10-10 15:09:10 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-09-26 16:41:20 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
2011-09-26 16:41:20 220160 ----a-w- c:\windows\system32\oleacc.dll
2011-09-26 16:41:14 20480 ----a-w- c:\windows\system32\oleaccrc.dll
2011-09-13 11:30:10 32592 ----a-w- c:\windows\system32\drivers\avgrkx86.sys
2011-09-09 14:00:10 169 ----a-w- c:\windows\system32\delme.bat
2011-09-09 09:12:13 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-09-06 13:20:51 1858944 ----a-w- c:\windows\system32\win32k.sys
2011-08-22 23:48:55 916480 ----a-w- c:\windows\system32\wininet.dll
2011-08-22 23:48:54 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-08-22 23:48:54 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-08-22 11:56:39 385024 ----a-w- c:\windows\system32\html.iec
2011-08-17 13:49:54 138496 ----a-w- c:\windows\system32\drivers\afd.sys
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: WDC_WD800JD-32HKA0 rev.13.03G13 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-e
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8A86B4D0]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x8a8717d0]; MOV EAX, [0x8a87184c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 nt!IofCallDriver[0x804E13B9] -> \Device\Harddisk0\DR0[0x8A91C550]
3 CLASSPNP[0xF7667FD7] -> nt!IofCallDriver[0x804E13B9] -> [0x8A7DB9D8]
\Driver\atapi[0x8A845388] -> IRP_MJ_CREATE -> 0x8A86B4D0
error: Read A device attached to the system is not functioning.
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x8A86B31B
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
.
============= FINISH: 10:00:55.65 ===============


GMER Log:
GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2011-10-16 10:16:14
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdePort2 WDC_WD800JD-32HKA0 rev.13.03G13
Running: yk7cf4j5.exe; Driver: C:\DOCUME~1\ERIKAN~1\LOCALS~1\Temp\fxddapoc.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwOpenProcess [0xA2589F3C]
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwTerminateProcess [0xA2589FE4]
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwTerminateThread [0xA258A080]
SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwWriteVirtualMemory [0xA258A11C]

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!ZwYieldExecution + 47A 804E4CD4 2 Bytes [E4, 9F] {IN AL, 0x9f}
.text ntoskrnl.exe!ZwYieldExecution + 4CA 804E4D24 2 Bytes [1C, A1] {SBB AL, 0xa1}
? veqa.sys The system cannot find the file specified. !
.text C:\WINDOWS\system32\DRIVERS\ati2mtag.sys section is writeable [0xB8E06000, 0x1C5D38, 0xE8000020]
? C:\DOCUME~1\ERIKAN~1\LOCALS~1\Temp\mbr.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\Explorer.EXE[312] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00C1000A
.text C:\WINDOWS\Explorer.EXE[312] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00C2000A
.text C:\WINDOWS\Explorer.EXE[312] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00B7000C
.text C:\WINDOWS\System32\svchost.exe[1116] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00E3000A
.text C:\WINDOWS\System32\svchost.exe[1116] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00E4000A
.text C:\WINDOWS\System32\svchost.exe[1116] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00E2000C
.text C:\WINDOWS\System32\svchost.exe[1116] USER32.dll!GetCursorPos 7E42974E 5 Bytes JMP 01DB000A
.text C:\WINDOWS\System32\svchost.exe[1116] USER32.dll!WindowFromPoint 7E429766 5 Bytes JMP 01DC000A
.text C:\WINDOWS\System32\svchost.exe[1116] USER32.dll!GetForegroundWindow 7E429823 5 Bytes JMP 01DD000A
.text C:\WINDOWS\System32\svchost.exe[1116] ole32.dll!CoCreateInstance 774FF1AC 5 Bytes JMP 01DA000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[3032] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0112000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[3032] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 0113000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[3032] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0111000C
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[3788] USER32.dll!GetWindowInfo 7E42C49C 5 Bytes JMP 104589A7 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[3788] USER32.dll!TrackPopupMenu 7E46531E 5 Bytes JMP 10458F65 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs AVGIDSFilter.Sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )
AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP0T0L0-3 8A86B31B
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort0 8A86B31B
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort1 8A86B31B
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort2 8A86B31B
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort3 8A86B31B
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP2T0L0-e 8A86B31B

AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat AVGIDSFilter.Sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 TDL4@MBR code has been found <-- ROOTKIT !!!
Disk \Device\Harddisk0\DR0 sector 00: rootkit-like behavior

---- EOF - GMER 1.0.15 ----

Edited by eta508, 16 October 2011 - 10:29 AM.
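As an added example (not part of the thread, and not a tool the helpers here use), the following Python script reads lines in the DDS and GMER formats posted above and flags the kinds of entries a responder would pick out of this log: the rundll32 Run entry loading a DLL from the Windows root, the svchost service registered under an unknown -k group, the user.js overrides that silence Firefox security warnings, and the MBR rootkit lines. The sample lines and the svchost group allow-list are constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in the DDS / GMER line formats used in the logs above.
# The entries are shaped after the thread's own log (same paths, same layout).
SAMPLE_LOG = r"""
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Elehih] rundll32.exe "c:\windows\ohefenifijo.dll",Startup
mRun: [AVG_TRAY] "c:\program files\avg\avg2012\avgtray.exe"
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: security.warn_submit_insecure.show_once - false
R2 avgwd;AVG WatchDog;c:\program files\avg\avg2012\avgwdsvc.exe [2011-8-2 192776]
S2 itlperf;Network Location Awarenes;c:\windows\system32\svchost.exe -k itnetsvc [2003-3-31 14336]
Warning: possible TDL3 rootkit infection !
Disk \Device\Harddisk0\DR0 TDL4@MBR code has been found <-- ROOTKIT !!!
"""

# Assumed allow-list of svchost.exe service groups on a stock XP SP3 box
# (constructed for this example; adjust it for the host being examined).
KNOWN_SVCHOST_GROUPS = {
    "dcomlaunch", "rpcss", "netsvcs", "networkservice", "localservice",
    "wudfservicegroup", "httpfilter", "imgsvc", "termsvcs",
}

RUN_RE = re.compile(r"^[umd]Run:\s+\[(?P<name>[^\]]*)\]\s+(?P<cmd>.*)$")
SVC_RE = re.compile(r"^(?P<state>[RS]\d)\s+(?P<svc>[^;]+);(?P<display>[^;]*);(?P<path>.*)$")
PREF_RE = re.compile(r"^FF - user\.js:\s+(?P<key>\S+)\s+-\s+(?P<value>\S+)$")
DLL_RE = re.compile(r'"?([a-z]:\\[^",]+?\.dll)"?', re.IGNORECASE)
GROUP_RE = re.compile(r"svchost\.exe\s+-k\s+(\S+)", re.IGNORECASE)
ROOTKIT_RE = re.compile(r"rootkit", re.IGNORECASE)


@dataclass
class Finding:
    severity: str   # "high" or "medium"
    reason: str
    line: str


def triage_line(line: str) -> Optional[Finding]:
    """Return a Finding for one DDS/GMER line, or None if nothing stands out."""
    line = line.strip()
    if not line:
        return None

    m = RUN_RE.match(line)
    if m:
        cmd = m.group("cmd")
        if "rundll32" in cmd.lower():
            dll = DLL_RE.search(cmd)
            # A Run entry that uses rundll32 to load a DLL sitting directly in
            # the Windows folder (not system32) is a classic dropped-loader sign.
            if dll and dll.group(1).lower().rpartition("\\")[0] == r"c:\windows":
                return Finding("high", "rundll32 loads a DLL from the Windows root", line)
        return None

    m = SVC_RE.match(line)
    if m:
        g = GROUP_RE.search(m.group("path"))
        if g and g.group(1).lower() not in KNOWN_SVCHOST_GROUPS:
            return Finding("high",
                           f"svchost group '{g.group(1)}' is not a known service group "
                           f"(display name '{m.group('display')}')", line)
        return None

    m = PREF_RE.match(line)
    if m:
        # user.js overrides that switch off security warnings are rarely
        # written by the user; they are worth a second look.
        if m.group("key").startswith("security.warn_") and m.group("value") == "false":
            return Finding("medium", f"user.js silences {m.group('key')}", line)
        return None

    low = line.lower()
    if ROOTKIT_RE.search(line) and any(w in low for w in ("warning", "found", "behavior")):
        return Finding("high", "scanner reports MBR rootkit", line)
    return None


def triage(log_text: str) -> List[Finding]:
    """Run triage_line over every line of a pasted DDS/GMER log."""
    return [f for f in (triage_line(l) for l in log_text.splitlines()) if f]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity}] {f.reason}\n    {f.line}")
```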



#2 CatByte (Malware Response Team, 14,664 posts)

Posted 17 October 2011 - 04:04 PM

Hi,

Please do the following:

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
  • Double click on ComboFix.exe & follow the prompts.
As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


  • Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#3 eta508 (Topic Starter, 6 posts)

Posted 17 October 2011 - 08:22 PM

I ran ComboFix and it displayed the log, then my whole computer froze and wouldn't allow me to save it, so I did end up rerunning ComboFix and it worked correctly the 2nd time... Here was the log:

ComboFix 11-10-17.02 - Erik and Sarah Palau 10/17/2011 20:04:47.2.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2559.2125 [GMT -5:00]
Running from: c:\documents and settings\Erik and Sarah Palau\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
.
.
((((((((((((((((((((((((( Files Created from 2011-09-18 to 2011-10-18 )))))))))))))))))))))))))))))))
.
.
2011-10-16 13:32 . 2011-10-16 13:32 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-10-16 13:32 . 2011-08-31 22:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-10-15 19:58 . 2011-09-29 06:53 134104 ----a-w- c:\program files\Mozilla Firefox\components\browsercomps.dll
2011-10-15 19:58 . 2011-09-29 06:53 924632 ----a-w- c:\program files\Mozilla Firefox\firefox.exe
2011-10-15 19:58 . 2011-09-29 06:53 89048 ----a-w- c:\program files\Mozilla Firefox\libEGL.dll
2011-10-15 19:58 . 2011-09-29 06:53 773080 ----a-w- c:\program files\Mozilla Firefox\mozsqlite3.dll
2011-10-15 19:58 . 2011-09-29 06:53 478168 ----a-w- c:\program files\Mozilla Firefox\libGLESv2.dll
2011-10-15 19:58 . 2011-09-29 06:53 19416 ----a-w- c:\program files\Mozilla Firefox\AccessibleMarshal.dll
2011-10-15 19:58 . 2011-09-29 06:53 1833944 ----a-w- c:\program files\Mozilla Firefox\mozjs.dll
2011-10-15 19:58 . 2011-09-29 06:53 15832 ----a-w- c:\program files\Mozilla Firefox\mozalloc.dll
2011-10-15 19:58 . 2011-09-29 06:53 125912 ----a-w- c:\program files\Mozilla Firefox\crashreporter.exe
2011-10-15 19:58 . 2011-09-29 00:26 2106216 ----a-w- c:\program files\Mozilla Firefox\D3DCompiler_43.dll
2011-10-15 19:58 . 2011-09-29 00:26 1998168 ----a-w- c:\program files\Mozilla Firefox\d3dx9_43.dll
2011-10-15 17:51 . 2011-10-16 14:35 -------- d-----w- c:\program files\MALWAREBYTES ANTI-MALWARE
2011-10-15 17:50 . 2011-10-15 17:50 -------- d-----w- c:\documents and settings\Erik and Sarah Palau\Local Settings\Application Data\PCHealth
2011-10-15 17:24 . 2011-10-17 23:35 -------- d-----w- c:\program files\YONTOO LAYERS RUNTIME
2011-10-15 17:15 . 2011-10-15 17:15 -------- d-----w- c:\program files\AVG
2011-10-15 17:00 . 2011-10-15 17:00 -------- d--h--w- c:\documents and settings\All Users\Application Data\Common Files
2011-10-15 17:00 . 2011-10-17 23:46 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-10-10 15:09 . 2011-07-14 13:59 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-09-26 16:41 . 2008-07-30 00:59 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
2011-09-26 16:41 . 2003-03-31 12:00 220160 ----a-w- c:\windows\system32\oleacc.dll
2011-09-26 16:41 . 2003-03-31 12:00 20480 ----a-w- c:\windows\system32\oleaccrc.dll
2011-09-09 09:12 . 2003-03-31 12:00 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-09-06 13:20 . 2003-03-31 12:00 1858944 ----a-w- c:\windows\system32\win32k.sys
2011-08-22 23:48 . 2003-03-31 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2011-08-22 23:48 . 2003-03-31 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-08-22 23:48 . 2003-03-31 12:00 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-08-22 11:56 . 2004-08-04 05:59 385024 ----a-w- c:\windows\system32\html.iec
2011-08-17 13:49 . 2003-03-31 12:00 138496 ----a-w- c:\windows\system32\drivers\afd.sys
2011-09-29 06:53 . 2011-10-15 19:58 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2011-10-18_00.10.37 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-10-18 00:58 . 2011-10-18 00:58 16384 c:\windows\Temp\Perflib_Perfdata_3fc.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTDVDDET"="c:\program files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE" [2003-06-18 45056]
"RCSystem"="c:\program files\Creative\Shared Files\Module Loader\DLLML.exe" [2005-06-17 49152]
"AudioDrvEmulator"="c:\program files\Creative\Shared Files\Module Loader\DLLML.exe" [2005-06-17 49152]
"VolPanel"="c:\program files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe" [2005-07-11 122880]
"CTHelper"="CTHELPER.EXE" [2006-12-12 19456]
"CTxfiHlp"="CTXFIHLP.EXE" [2006-12-12 20480]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"EEventManager"="c:\progra~1\EPSONS~1\EVENTM~1\EEventManager.exe" [2008-02-19 591696]
"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2008-04-17 98616]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2010-02-11 61440]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-09-07 37296]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"AvgUninstallURL"="start http://www.avg.com/ww.special-uninstallation-feedback-appf?lic=NFVXV1UtV0JEWEMtVllGTjMtUURKTUgtNDJBT0EtSzZIVTk&inst=NzctNzgyNTA4NTQzLVNUMTJGT0krMS1ERFQrMC1FVUxBKzEtU1QxMkZBUFArMQ&prod=90&ver=2012.0.1831&mid=66d9127c295547d1af8ad147e07655a0-ad1491be2ce6c122f6b66faa90e70c2decf7d34c" [?]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2008-11-04 435096]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\ASUS\\AsusUpdate\\Update.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\E_DUPA30.EXE"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
.
S1 MpKsl2781994f;MpKsl2781994f;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{B8B7EF1C-355F-413E-8734-51D67022F6D8}\MpKsl2781994f.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{B8B7EF1C-355F-413E-8734-51D67022F6D8}\MpKsl2781994f.sys [?]
S1 MpKsl3ad641b2;MpKsl3ad641b2;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{DBC4FCC1-9BDC-4355-81DE-5A0A5DE1ADFE}\MpKsl3ad641b2.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{DBC4FCC1-9BDC-4355-81DE-5A0A5DE1ADFE}\MpKsl3ad641b2.sys [?]
S1 MpKsl5905b6c5;MpKsl5905b6c5;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{1B276D52-E837-4CE6-87B6-B906A6934CED}\MpKsl5905b6c5.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{1B276D52-E837-4CE6-87B6-B906A6934CED}\MpKsl5905b6c5.sys [?]
S1 MpKsl69ae0e4a;MpKsl69ae0e4a;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{E79812E7-1861-4712-984E-555830753DF3}\MpKsl69ae0e4a.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{E79812E7-1861-4712-984E-555830753DF3}\MpKsl69ae0e4a.sys [?]
S1 MpKslbedfff26;MpKslbedfff26;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{8EB10F35-5E28-4651-A012-C6A55EFB49D6}\MpKslbedfff26.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{8EB10F35-5E28-4651-A012-C6A55EFB49D6}\MpKslbedfff26.sys [?]
S1 MpKsld91f53a4;MpKsld91f53a4;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{5D3B4035-F072-4D51-B108-78D742D07688}\MpKsld91f53a4.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{5D3B4035-F072-4D51-B108-78D742D07688}\MpKsld91f53a4.sys [?]
S3 ASUSHWIO;ASUSHWIO;\??\c:\windows\system32\drivers\ASUSHWIO.sys --> c:\windows\system32\drivers\ASUSHWIO.sys [?]
S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
S3 pcouffin;VSO Software pcouffin;c:\windows\system32\drivers\pcouffin.sys [3/28/2009 9:01 AM 47360]
S3 SIUSBXP;SIUSBXP;c:\windows\system32\drivers\SiUSBXp.sys [10/15/2009 7:31 PM 14848]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
itnetsvc REG_MULTI_SZ itlperf
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\documents and settings\Erik and Sarah Palau\Application Data\Mozilla\Firefox\Profiles\ofp3h1a7.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-&p=
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/?fr=fptb-
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-&p=
user_pref(security.warn_viewing_mixed,false);
user_pref(security.warn_viewing_mixed.show_once,false);
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
user_pref(security.warn_submit_insecure,false);
FF - user.js: security.warn_submit_insecure.show_once - false
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-10-17 20:14
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: WDC_WD800JD-32HKA0 rev.13.03G13 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-e
.
device: opened successfully
user: MBR read successfully
error: Read A device attached to the system is not functioning.
kernel: MBR read successfully
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x8A81A31B
user & kernel MBR OK
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(468)
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll
.
- - - - - - - > 'lsass.exe'(532)
c:\windows\system32\WININET.dll
.
- - - - - - - > 'explorer.exe'(1100)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2011-10-17 20:17:37
ComboFix-quarantined-files.txt 2011-10-18 01:17
ComboFix2.txt 2011-10-18 00:17
.
Pre-Run: 59,384,561,664 bytes free
Post-Run: 59,380,834,304 bytes free
.
- - End Of File - - C051C0AB1B4B9D878587443ADE0E43A6
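The Gmer section of the log above reads the MBR twice, once through the normal I/O path ("user") and once at the disk-driver level ("kernel"), and only reports "user & kernel MBR OK" when the two copies agree; the "\Driver\atapi DriverStartIo" hook it lists is the kind of hook that makes that comparison worth doing. The following is an added example of that check (and of the partition-table parsing and code-region hashing that TDSSKiller reports as "MBR (0x1B8) (<md5>)"); it is not code from the original post, from BleepingComputer, or from DDS, ComboFix, Gmer or TDSSKiller. The sample sectors are constructed, and it is an assumption that TDSSKiller's "(0x1B8)" means the hash covers the first 0x1B8 bytes (the boot code before the disk signature).

```python
"""Parse a 512-byte MBR and diff two captures of the same sector.

Added example for this thread; it is not code from the original post,
from BleepingComputer, or from any of the tools in the logs (DDS,
ComboFix, Gmer, TDSSKiller). The sample sectors below are constructed.
"""
import hashlib
import struct

SECTOR = 512
CODE_LEN = 0x1B8      # boot code ends where the 4-byte disk signature begins
PART_TABLE = 0x1BE    # four 16-byte partition entries
BOOT_SIG = b"\x55\xAA"
ENTRY_FMT = "<B3xB3xII"  # status, CHS start, type, CHS end, LBA start, sector count


def parse_mbr(sector: bytes) -> dict:
    """Validate the sector, hash its code region and decode the partition table."""
    if len(sector) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    if sector[510:512] != BOOT_SIG:
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        status, ptype, lba, count = struct.unpack_from(ENTRY_FMT, sector, PART_TABLE + 16 * i)
        if ptype:  # type 0 means an empty slot
            partitions.append({"index": i, "bootable": status == 0x80, "type": ptype,
                               "start_lba": lba, "sectors": count})
    return {
        # Assumption: the "(0x1B8)" in TDSSKiller's "MBR (0x1B8) (<md5>)" line means the
        # hash covers the first 0x1B8 bytes, i.e. the boot code only. Same here.
        "code_md5": hashlib.md5(sector[:CODE_LEN]).hexdigest(),
        "disk_signature": struct.unpack_from("<I", sector, CODE_LEN)[0],
        "partitions": partitions,
    }


def compare_reads(user_read: bytes, kernel_read: bytes) -> list:
    """Diff a read taken through the normal I/O stack against one taken at the
    disk-driver level (the check Gmer logs as "user & kernel MBR OK"). A
    difference means something between the two layers rewrites the sector on
    the way up, which is how an MBR bootkit hides its modified boot code."""
    findings = []
    for off, (u, k) in enumerate(zip(user_read, kernel_read)):
        if u != k:
            if off < CODE_LEN:
                region = "boot code"
            elif off < PART_TABLE:
                region = "disk signature / reserved"
            else:
                region = "partition table"
            findings.append(f"views differ at offset 0x{off:03X} ({region})")
            break
    return findings


def unallocated_tail_sectors(parsed: dict, disk_sectors: int) -> int:
    """Sectors after the last partition. Heuristic only: some slack is normal,
    but TDL4-family bootkits store their hidden file system in this space."""
    end = max((p["start_lba"] + p["sectors"] for p in parsed["partitions"]), default=0)
    return disk_sectors - end


def build_mbr(code: bytes, disk_sig: int, entries) -> bytes:
    """Assemble a constructed MBR: code, disk signature, up to four entries, 0x55AA."""
    sec = bytearray(SECTOR)
    sec[:len(code)] = code
    struct.pack_into("<I", sec, CODE_LEN, disk_sig)
    for i, (bootable, ptype, lba, count) in enumerate(entries):
        struct.pack_into(ENTRY_FMT, sec, PART_TABLE + 16 * i,
                         0x80 if bootable else 0x00, ptype, lba, count)
    sec[510:512] = BOOT_SIG
    return bytes(sec)


# Constructed samples: a stand-in for a clean sector and a copy whose boot code
# was overwritten, as a bootkit would do. Not taken from the infected machine.
CLEAN_MBR = build_mbr(bytes(range(256)) + bytes(range(CODE_LEN - 256)), 0x12345678,
                      [(True, 0x07, 63, 156296322)])  # one NTFS partition
_t = bytearray(CLEAN_MBR)
_t[0:4] = b"\xEB\xFE\x90\x90"  # jmp $ : code region altered, table untouched
TAMPERED_MBR = bytes(_t)

if __name__ == "__main__":
    # On a live Windows box the raw sector comes from r"\\.\PhysicalDrive0" (administrator
    # required); reading it from inside an infected OS only gives the "user" view.
    for name, sec in (("clean", CLEAN_MBR), ("tampered", TAMPERED_MBR)):
        info = parse_mbr(sec)
        print(name, info["code_md5"], info["partitions"])
    print(compare_reads(CLEAN_MBR, TAMPERED_MBR))
```

Note that a bootkit which hooks the disk stack will hand the same faked sector to any reader running inside the infected OS, so the "kernel" copy has to come from below the hook (a tool with its own disk access, or the drive read from a clean boot medium); otherwise the two views agree and the diff proves nothing.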

#4 CatByte
bleepin' tiger
  • Malware Response Team
  • 14,664 posts
  • Location:Canada

Posted 17 October 2011 - 09:24 PM

Hi

Please do the following:

Please download TDSSKiller.zip
  • Extract it to your desktop
  • Double click TDSSKiller.exe
  • Press Start Scan
    • Only if malicious objects are found, ensure Cure is selected
    • Then click Continue > Reboot now
  • Copy and paste the log in your next reply
    • A copy of the log will be saved automatically to the root of the drive (typically C:\)

NEXT

Please navigate to c:\qoobox\combofix2.txt and post the content in your next reply

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#5 eta508 (Topic Starter)
  • Members
  • 6 posts

Posted 18 October 2011 - 05:28 PM

17:22:31.0859 3584 TDSS rootkit removing tool 2.6.10.0 Oct 17 2011 15:43:23
17:22:32.0125 3584 ============================================================
17:22:32.0125 3584 Current date / time: 2011/10/18 17:22:32.0125
17:22:32.0125 3584 SystemInfo:
17:22:32.0125 3584
17:22:32.0125 3584 OS Version: 5.1.2600 ServicePack: 3.0
17:22:32.0125 3584 Product type: Workstation
17:22:32.0125 3584 ComputerName: DESKTOP2
17:22:32.0125 3584 UserName: Erik and Sarah Palau
17:22:32.0125 3584 Windows directory: C:\WINDOWS
17:22:32.0125 3584 System windows directory: C:\WINDOWS
17:22:32.0125 3584 Processor architecture: Intel x86
17:22:32.0125 3584 Number of processors: 2
17:22:32.0125 3584 Page size: 0x1000
17:22:32.0125 3584 Boot type: Normal boot
17:22:32.0125 3584 ============================================================
17:22:33.0203 3584 Initialize success
17:22:42.0421 2536 ============================================================
17:22:42.0421 2536 Scan started
17:22:42.0421 2536 Mode: Manual;
17:22:42.0421 2536 ============================================================
17:22:43.0421 2536 Abiosdsk - ok
17:22:43.0437 2536 abp480n5 - ok
17:22:43.0500 2536 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
17:22:43.0500 2536 ACPI - ok
17:22:43.0546 2536 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
17:22:43.0546 2536 ACPIEC - ok
17:22:43.0562 2536 adpu160m - ok
17:22:43.0593 2536 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
17:22:43.0593 2536 aec - ok
17:22:43.0640 2536 AFD (1e44bc1e83d8fd2305f8d452db109cf9) C:\WINDOWS\System32\drivers\afd.sys
17:22:43.0640 2536 AFD - ok
17:22:43.0656 2536 agp440 (08fd04aa961bdc77fb983f328334e3d7) C:\WINDOWS\system32\DRIVERS\agp440.sys
17:22:43.0656 2536 agp440 - ok
17:22:43.0671 2536 Aha154x - ok
17:22:43.0687 2536 aic78u2 - ok
17:22:43.0984 2536 aic78xx - ok
17:22:44.0015 2536 AliIde - ok
17:22:44.0031 2536 amsint - ok
17:22:44.0093 2536 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys
17:22:44.0093 2536 Arp1394 - ok
17:22:44.0109 2536 asc - ok
17:22:44.0125 2536 asc3350p - ok
17:22:44.0140 2536 asc3550 - ok
17:22:44.0187 2536 aslm75 (71356a1370739e25375a1d17b6ae318f) C:\WINDOWS\system32\drivers\aslm75.sys
17:22:44.0203 2536 aslm75 - ok
17:22:44.0218 2536 ASUSHWIO - ok
17:22:44.0250 2536 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
17:22:44.0250 2536 AsyncMac - ok
17:22:44.0281 2536 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
17:22:44.0281 2536 atapi - ok
17:22:44.0312 2536 Atdisk - ok
17:22:44.0453 2536 ati2mtag (c0b86ecb324e50f6bbd529f9d5c6b24b) C:\WINDOWS\system32\DRIVERS\ati2mtag.sys
17:22:44.0484 2536 ati2mtag - ok
17:22:44.0515 2536 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
17:22:44.0515 2536 Atmarpc - ok
17:22:44.0546 2536 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
17:22:44.0546 2536 audstub - ok
17:22:44.0578 2536 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
17:22:44.0578 2536 Beep - ok
17:22:44.0687 2536 catchme - ok
17:22:44.0718 2536 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
17:22:44.0718 2536 cbidf2k - ok
17:22:44.0750 2536 cd20xrnt - ok
17:22:44.0781 2536 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
17:22:44.0781 2536 Cdaudio - ok
17:22:44.0812 2536 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
17:22:44.0812 2536 Cdfs - ok
17:22:44.0843 2536 Cdrom (4b0a100eaf5c49ef3cca8c641431eacc) C:\WINDOWS\system32\DRIVERS\cdrom.sys
17:22:44.0843 2536 Cdrom - ok
17:22:44.0968 2536 Changer - ok
17:22:45.0000 2536 CmdIde - ok
17:22:45.0031 2536 Compbatt (6e4c9f21f0fae8940661144f41b13203) C:\WINDOWS\system32\DRIVERS\compbatt.sys
17:22:45.0031 2536 Compbatt - ok
17:22:45.0046 2536 Cpqarray - ok
17:22:45.0093 2536 ctac32k (177bc4ee3840119a780eafad5a010f8f) C:\WINDOWS\system32\drivers\ctac32k.sys
17:22:45.0109 2536 ctac32k - ok
17:22:45.0140 2536 ctaud2k (eb0c0d62d8d2b8f41da149c866e93397) C:\WINDOWS\system32\drivers\ctaud2k.sys
17:22:45.0156 2536 ctaud2k - ok
17:22:45.0234 2536 ctdvda2k (5a0eeb00b02fc78605aa9d3590b24978) C:\WINDOWS\system32\drivers\ctdvda2k.sys
17:22:45.0234 2536 ctdvda2k - ok
17:22:45.0265 2536 ctprxy2k (7d7eea7ffbc19e1b712d241490be51ed) C:\WINDOWS\system32\drivers\ctprxy2k.sys
17:22:45.0265 2536 ctprxy2k - ok
17:22:45.0281 2536 ctsfm2k (538122d33dd4b04cc189d5ca72bd6706) C:\WINDOWS\system32\drivers\ctsfm2k.sys
17:22:45.0281 2536 ctsfm2k - ok
17:22:45.0296 2536 dac2w2k - ok
17:22:45.0312 2536 dac960nt - ok
17:22:45.0359 2536 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
17:22:45.0359 2536 Disk - ok
17:22:45.0421 2536 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
17:22:45.0453 2536 dmboot - ok
17:22:45.0484 2536 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
17:22:45.0500 2536 dmio - ok
17:22:45.0531 2536 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
17:22:45.0531 2536 dmload - ok
17:22:45.0562 2536 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
17:22:45.0578 2536 DMusic - ok
17:22:45.0593 2536 dpti2o - ok
17:22:45.0625 2536 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
17:22:45.0625 2536 drmkaud - ok
17:22:45.0656 2536 emupia (8e0eb62be9f9bee7c2e4c50685038e8d) C:\WINDOWS\system32\drivers\emupia2k.sys
17:22:45.0656 2536 emupia - ok
17:22:45.0687 2536 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
17:22:45.0687 2536 Fastfat - ok
17:22:45.0750 2536 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
17:22:45.0750 2536 Fdc - ok
17:22:45.0859 2536 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
17:22:45.0875 2536 Fips - ok
17:22:45.0906 2536 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
17:22:45.0906 2536 Flpydisk - ok
17:22:45.0937 2536 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
17:22:45.0937 2536 FltMgr - ok
17:22:45.0968 2536 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
17:22:45.0968 2536 Fs_Rec - ok
17:22:45.0984 2536 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
17:22:46.0000 2536 Ftdisk - ok
17:22:46.0046 2536 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
17:22:46.0046 2536 Gpc - ok
17:22:46.0125 2536 ha20x2k (f2607d0d89f57d3564cf65a61a237f1a) C:\WINDOWS\system32\drivers\ha20x2k.sys
17:22:46.0125 2536 ha20x2k - ok
17:22:46.0171 2536 HidBatt (748031ff4fe45ccc47546294905feab8) C:\WINDOWS\system32\DRIVERS\HidBatt.sys
17:22:46.0171 2536 HidBatt - ok
17:22:46.0203 2536 hidusb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
17:22:46.0203 2536 hidusb - ok
17:22:46.0218 2536 hpn - ok
17:22:46.0265 2536 HPZid412 (d03d10f7ded688fecf50f8fbf1ea9b8a) C:\WINDOWS\system32\DRIVERS\HPZid412.sys
17:22:46.0265 2536 HPZid412 - ok
17:22:46.0328 2536 HPZipr12 (89f41658929393487b6b7d13c8528ce3) C:\WINDOWS\system32\DRIVERS\HPZipr12.sys
17:22:46.0328 2536 HPZipr12 - ok
17:22:46.0359 2536 HPZius12 (cf1b7951b4ec8d13f3c93b74bb2b461b) C:\WINDOWS\system32\DRIVERS\HPZius12.sys
17:22:46.0359 2536 HPZius12 - ok
17:22:46.0406 2536 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
17:22:46.0406 2536 HTTP - ok
17:22:46.0421 2536 i2omgmt - ok
17:22:46.0437 2536 i2omp - ok
17:22:46.0484 2536 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
17:22:46.0484 2536 i8042prt - ok
17:22:46.0515 2536 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
17:22:46.0515 2536 Imapi - ok
17:22:46.0531 2536 ini910u - ok
17:22:46.0546 2536 IntelIde - ok
17:22:46.0578 2536 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
17:22:46.0578 2536 intelppm - ok
17:22:46.0593 2536 ip6fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
17:22:46.0609 2536 ip6fw - ok
17:22:46.0625 2536 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
17:22:46.0625 2536 IpFilterDriver - ok
17:22:46.0640 2536 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
17:22:46.0640 2536 IpInIp - ok
17:22:46.0671 2536 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
17:22:46.0671 2536 IpNat - ok
17:22:46.0687 2536 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
17:22:46.0703 2536 IPSec - ok
17:22:46.0718 2536 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
17:22:46.0718 2536 IRENUM - ok
17:22:46.0750 2536 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
17:22:46.0750 2536 isapnp - ok
17:22:46.0781 2536 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
17:22:46.0781 2536 Kbdclass - ok
17:22:46.0796 2536 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
17:22:46.0796 2536 kbdhid - ok
17:22:46.0921 2536 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
17:22:46.0937 2536 kmixer - ok
17:22:46.0968 2536 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
17:22:46.0968 2536 KSecDD - ok
17:22:46.0984 2536 lbrtfdc - ok
17:22:47.0031 2536 LHidFilt (dd83dc92463fce6324fd30a13d17d0da) C:\WINDOWS\system32\DRIVERS\LHidFilt.Sys
17:22:47.0031 2536 LHidFilt - ok
17:22:47.0046 2536 LMouFilt (8fe0008e183ff0293a925b78a5581c5f) C:\WINDOWS\system32\DRIVERS\LMouFilt.Sys
17:22:47.0046 2536 LMouFilt - ok
17:22:47.0093 2536 LUsbFilt (0dec219cb6efcbc872f88f9aec320ea6) C:\WINDOWS\system32\Drivers\LUsbFilt.Sys
17:22:47.0093 2536 LUsbFilt - ok
17:22:47.0109 2536 MBAMSwissArmy - ok
17:22:47.0140 2536 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
17:22:47.0156 2536 mnmdd - ok
17:22:47.0187 2536 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
17:22:47.0187 2536 Modem - ok
17:22:47.0203 2536 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
17:22:47.0203 2536 Mouclass - ok
17:22:47.0234 2536 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
17:22:47.0234 2536 mouhid - ok
17:22:47.0265 2536 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
17:22:47.0265 2536 MountMgr - ok
17:22:47.0328 2536 MpKsl2781994f - ok
17:22:47.0328 2536 MpKsl3ad641b2 - ok
17:22:47.0328 2536 MpKsl5905b6c5 - ok
17:22:47.0343 2536 MpKsl69ae0e4a - ok
17:22:47.0343 2536 MpKslbedfff26 - ok
17:22:47.0359 2536 MpKsld91f53a4 - ok
17:22:47.0375 2536 mraid35x - ok
17:22:47.0406 2536 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
17:22:47.0406 2536 MRxDAV - ok
17:22:47.0468 2536 MRxSmb (7d304a5eb4344ebeeab53a2fe3ffb9f0) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
17:22:47.0484 2536 MRxSmb - ok
17:22:47.0531 2536 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
17:22:47.0531 2536 Msfs - ok
17:22:47.0578 2536 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
17:22:47.0578 2536 MSKSSRV - ok
17:22:47.0593 2536 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
17:22:47.0593 2536 MSPCLOCK - ok
17:22:47.0609 2536 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
17:22:47.0609 2536 MSPQM - ok
17:22:47.0640 2536 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
17:22:47.0640 2536 mssmbios - ok
17:22:47.0671 2536 Mup (de6a75f5c270e756c5508d94b6cf68f5) C:\WINDOWS\system32\drivers\Mup.sys
17:22:47.0671 2536 Mup - ok
17:22:47.0718 2536 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
17:22:47.0718 2536 NDIS - ok
17:22:47.0765 2536 NdisTapi (0109c4f3850dfbab279542515386ae22) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
17:22:47.0765 2536 NdisTapi - ok
17:22:47.0906 2536 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
17:22:47.0906 2536 Ndisuio - ok
17:22:47.0937 2536 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
17:22:47.0937 2536 NdisWan - ok
17:22:47.0984 2536 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
17:22:47.0984 2536 NDProxy - ok
17:22:48.0000 2536 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
17:22:48.0000 2536 NetBIOS - ok
17:22:48.0015 2536 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
17:22:48.0015 2536 NetBT - ok
17:22:48.0046 2536 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys
17:22:48.0046 2536 NIC1394 - ok
17:22:48.0062 2536 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
17:22:48.0062 2536 Npfs - ok
17:22:48.0093 2536 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
17:22:48.0109 2536 Ntfs - ok
17:22:48.0140 2536 NuidFltr (cf7e041663119e09d2e118521ada9300) C:\WINDOWS\system32\DRIVERS\NuidFltr.sys
17:22:48.0140 2536 NuidFltr - ok
17:22:48.0171 2536 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
17:22:48.0187 2536 Null - ok
17:22:48.0218 2536 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
17:22:48.0218 2536 NwlnkFlt - ok
17:22:48.0234 2536 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
17:22:48.0234 2536 NwlnkFwd - ok
17:22:48.0250 2536 ohci1394 (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys
17:22:48.0250 2536 ohci1394 - ok
17:22:48.0296 2536 ossrv (611b58c2fd89aa9e80743a197ba62277) C:\WINDOWS\system32\drivers\ctoss2k.sys
17:22:48.0296 2536 ossrv - ok
17:22:48.0312 2536 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
17:22:48.0328 2536 Parport - ok
17:22:48.0328 2536 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
17:22:48.0328 2536 PartMgr - ok
17:22:48.0375 2536 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
17:22:48.0375 2536 ParVdm - ok
17:22:48.0390 2536 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
17:22:48.0390 2536 PCI - ok
17:22:48.0406 2536 PCIDump - ok
17:22:48.0437 2536 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
17:22:48.0437 2536 PCIIde - ok
17:22:48.0468 2536 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
17:22:48.0484 2536 Pcmcia - ok
17:22:48.0515 2536 pcouffin (5b6c11de7e839c05248ced8825470fef) C:\WINDOWS\system32\Drivers\pcouffin.sys
17:22:48.0515 2536 pcouffin - ok
17:22:48.0515 2536 PDCOMP - ok
17:22:48.0531 2536 PDFRAME - ok
17:22:48.0546 2536 PDRELI - ok
17:22:48.0562 2536 PDRFRAME - ok
17:22:48.0578 2536 perc2 - ok
17:22:48.0593 2536 perc2hib - ok
17:22:48.0625 2536 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
17:22:48.0625 2536 PptpMiniport - ok
17:22:48.0656 2536 Processor (a32bebaf723557681bfc6bd93e98bd26) C:\WINDOWS\system32\DRIVERS\processr.sys
17:22:48.0656 2536 Processor - ok
17:22:48.0687 2536 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
17:22:48.0687 2536 PSched - ok
17:22:48.0703 2536 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
17:22:48.0703 2536 Ptilink - ok
17:22:48.0875 2536 PxHelp20 (153d02480a0a2f45785522e814c634b6) C:\WINDOWS\system32\Drivers\PxHelp20.sys
17:22:48.0875 2536 PxHelp20 - ok
17:22:48.0890 2536 ql1080 - ok
17:22:48.0906 2536 Ql10wnt - ok
17:22:48.0921 2536 ql12160 - ok
17:22:48.0921 2536 ql1240 - ok
17:22:48.0937 2536 ql1280 - ok
17:22:48.0953 2536 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
17:22:48.0953 2536 RasAcd - ok
17:22:48.0984 2536 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
17:22:48.0984 2536 Rasl2tp - ok
17:22:49.0000 2536 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
17:22:49.0000 2536 RasPppoe - ok
17:22:49.0015 2536 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
17:22:49.0015 2536 Raspti - ok
17:22:49.0062 2536 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
17:22:49.0062 2536 Rdbss - ok
17:22:49.0078 2536 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
17:22:49.0078 2536 RDPCDD - ok
17:22:49.0125 2536 RDPWD (fc105dd312ed64eb66bff111e8ec6eac) C:\WINDOWS\system32\drivers\RDPWD.sys
17:22:49.0125 2536 RDPWD - ok
17:22:49.0140 2536 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
17:22:49.0140 2536 redbook - ok
17:22:49.0187 2536 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
17:22:49.0187 2536 Secdrv - ok
17:22:49.0234 2536 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
17:22:49.0234 2536 serenum - ok
17:22:49.0250 2536 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
17:22:49.0250 2536 Serial - ok
17:22:49.0265 2536 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
17:22:49.0265 2536 Sfloppy - ok
17:22:49.0281 2536 Simbad - ok
17:22:49.0328 2536 SIUSBXP (bc9c2ef22ee0320c079e3ff9b4d29951) C:\WINDOWS\system32\drivers\SiUSBXp.sys
17:22:49.0328 2536 SIUSBXP - ok
17:22:49.0359 2536 SONYPVU1 (a1eceeaa5c5e74b2499eb51d38185b84) C:\WINDOWS\system32\DRIVERS\SONYPVU1.SYS
17:22:49.0359 2536 SONYPVU1 - ok
17:22:49.0359 2536 Sparrow - ok
17:22:49.0406 2536 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
17:22:49.0406 2536 splitter - ok
17:22:49.0421 2536 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
17:22:49.0421 2536 sr - ok
17:22:49.0468 2536 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys
17:22:49.0484 2536 Srv - ok
17:22:49.0515 2536 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
17:22:49.0515 2536 swenum - ok
17:22:49.0546 2536 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
17:22:49.0546 2536 swmidi - ok
17:22:49.0562 2536 symc810 - ok
17:22:49.0578 2536 symc8xx - ok
17:22:49.0593 2536 sym_hi - ok
17:22:49.0609 2536 sym_u3 - ok
17:22:49.0656 2536 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
17:22:49.0656 2536 sysaudio - ok
17:22:49.0718 2536 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
17:22:49.0734 2536 Tcpip - ok
17:22:49.0765 2536 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
17:22:49.0765 2536 TDPIPE - ok
17:22:49.0812 2536 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
17:22:49.0812 2536 TDTCP - ok
17:22:49.0921 2536 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
17:22:49.0921 2536 TermDD - ok
17:22:49.0953 2536 TosIde - ok
17:22:50.0000 2536 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
17:22:50.0000 2536 Udfs - ok
17:22:50.0015 2536 ultra - ok
17:22:50.0062 2536 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
17:22:50.0109 2536 Update - ok
17:22:50.0156 2536 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
17:22:50.0156 2536 usbccgp - ok
17:22:50.0203 2536 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
17:22:50.0203 2536 usbehci - ok
17:22:50.0234 2536 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
17:22:50.0234 2536 usbhub - ok
17:22:50.0250 2536 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
17:22:50.0265 2536 usbprint - ok
17:22:50.0546 2536 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
17:22:50.0562 2536 usbscan - ok
17:22:50.0609 2536 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
17:22:50.0609 2536 USBSTOR - ok
17:22:50.0640 2536 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
17:22:50.0640 2536 usbuhci - ok
17:22:50.0656 2536 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
17:22:50.0656 2536 VgaSave - ok
17:22:50.0671 2536 ViaIde - ok
17:22:50.0718 2536 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
17:22:50.0718 2536 VolSnap - ok
17:22:50.0750 2536 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
17:22:50.0750 2536 Wanarp - ok
17:22:50.0828 2536 Wdf01000 (d918617b46457b9ac28027722e30f647) C:\WINDOWS\system32\DRIVERS\Wdf01000.sys
17:22:50.0843 2536 Wdf01000 - ok
17:22:50.0843 2536 WDICA - ok
17:22:50.0875 2536 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
17:22:50.0875 2536 wdmaud - ok
17:22:51.0062 2536 WinUSB (fd600b032e741eb6aab509fc630f7c42) C:\WINDOWS\system32\DRIVERS\WinUSB.sys
17:22:51.0062 2536 WinUSB - ok
17:22:51.0140 2536 WudfPf (eaa6324f51214d2f6718977ec9ce0def) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
17:22:51.0140 2536 WudfPf - ok
17:22:51.0156 2536 WudfRd (f91ff1e51fca30b3c3981db7d5924252) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
17:22:51.0156 2536 WudfRd - ok
17:22:51.0218 2536 yukonwxp (4322c32ced8c4772e039616dcbf01d3f) C:\WINDOWS\system32\DRIVERS\yk51x86.sys
17:22:51.0218 2536 yukonwxp - ok
17:22:51.0234 2536 zumbus - ok
17:22:51.0250 2536 MBR (0x1B8) (2839639fa37b8353e792a2a30a12ced3) \Device\Harddisk0\DR0
17:22:51.0250 2536 \Device\Harddisk0\DR0 ( Rootkit.Win32.TDSS.tdl4 ) - infected
17:22:51.0250 2536 \Device\Harddisk0\DR0 - detected Rootkit.Win32.TDSS.tdl4 (0)
17:22:51.0265 2536 Boot (0x1200) (ee15a8f67b721ad45a211b541b64a98d) \Device\Harddisk0\DR0\Partition0
17:22:51.0265 2536 \Device\Harddisk0\DR0\Partition0 - ok
17:22:51.0265 2536 ============================================================
17:22:51.0265 2536 Scan finished
17:22:51.0265 2536 ============================================================
17:22:51.0281 1320 Detected object count: 1
17:22:51.0281 1320 Actual detected object count: 1
17:23:04.0515 1320 \Device\Harddisk0\DR0 ( Rootkit.Win32.TDSS.tdl4 ) - will be cured on reboot
17:23:04.0515 1320 \Device\Harddisk0\DR0 - ok
17:23:04.0515 1320 \Device\Harddisk0\DR0 ( Rootkit.Win32.TDSS.tdl4 ) - User select action: Cure
17:23:16.0015 1892 Deinitialize success


ComboFix 11-10-17.02 - Erik and Sarah Palau 10/17/2011 18:53:46.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2559.1917 [GMT -5:00]
Running from: c:\documents and settings\Erik and Sarah Palau\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\Tarma Installer
c:\documents and settings\Erik and Sarah Palau\Application Data\7FDDEF7E36FCCCF8D5A310E893FE7EA3
c:\documents and settings\Erik and Sarah Palau\Application Data\7FDDEF7E36FCCCF8D5A310E893FE7EA3\enemies-names.txt
c:\documents and settings\Erik and Sarah Palau\Application Data\7FDDEF7E36FCCCF8D5A310E893FE7EA3\local.ini
c:\documents and settings\Erik and Sarah Palau\Application Data\7FDDEF7E36FCCCF8D5A310E893FE7EA3\lsrslt.ini
c:\documents and settings\Erik and Sarah Palau\Application Data\Adobe\plugs
c:\documents and settings\Erik and Sarah Palau\Application Data\Adobe\shed
c:\documents and settings\Erik and Sarah Palau\Application Data\inst.exe
c:\documents and settings\Erik and Sarah Palau\Application Data\Remote
c:\documents and settings\Erik and Sarah Palau\Application Data\Remote\ffcd
c:\documents and settings\Erik and Sarah Palau\Application Data\Remote\mnj.dat
c:\documents and settings\Erik and Sarah Palau\Application Data\Remote\mxd1.txt
c:\documents and settings\Erik and Sarah Palau\Application Data\Remote\oitlm
c:\documents and settings\Erik and Sarah Palau\Application Data\Remote\qpbl7_shrd
c:\documents and settings\Erik and Sarah Palau\Application Data\Remote\uuoo.dat
c:\documents and settings\Erik and Sarah Palau\Application Data\Remote\xnhrr.dat
c:\documents and settings\Erik and Sarah Palau\Application Data\vso_ts_preview.xml
c:\documents and settings\Erik and Sarah Palau\Local Settings\Application Data\{3D459282-5AA8-45DC-B856-A566E133495D}
c:\documents and settings\Erik and Sarah Palau\Local Settings\Application Data\{3D459282-5AA8-45DC-B856-A566E133495D}\chrome.manifest
c:\documents and settings\Erik and Sarah Palau\Local Settings\Application Data\{3D459282-5AA8-45DC-B856-A566E133495D}\chrome\content\overlay.xul
c:\documents and settings\Erik and Sarah Palau\Local Settings\Application Data\{3D459282-5AA8-45DC-B856-A566E133495D}\install.rdf
c:\documents and settings\Erik and Sarah Palau\Local Settings\Application Data\{7AAB3727-B9F2-4D80-A6CC-724B5204075C}
c:\documents and settings\Erik and Sarah Palau\Local Settings\Application Data\{7AAB3727-B9F2-4D80-A6CC-724B5204075C}\chrome.manifest
c:\documents and settings\Erik and Sarah Palau\Local Settings\Application Data\{7AAB3727-B9F2-4D80-A6CC-724B5204075C}\chrome\content\_cfg.js
c:\documents and settings\Erik and Sarah Palau\Local Settings\Application Data\{7AAB3727-B9F2-4D80-A6CC-724B5204075C}\chrome\content\overlay.xul
c:\documents and settings\Erik and Sarah Palau\Local Settings\Application Data\{7AAB3727-B9F2-4D80-A6CC-724B5204075C}\install.rdf
c:\documents and settings\Erik and Sarah Palau\Local Settings\Application Data\{A1F33107-2180-4AD3-ABBF-3262834A5446}
c:\documents and settings\Erik and Sarah Palau\Local Settings\Application Data\{A1F33107-2180-4AD3-ABBF-3262834A5446}\chrome.manifest
c:\documents and settings\Erik and Sarah Palau\Local Settings\Application Data\{A1F33107-2180-4AD3-ABBF-3262834A5446}\chrome\content\overlay.xul
c:\documents and settings\Erik and Sarah Palau\Local Settings\Application Data\{A1F33107-2180-4AD3-ABBF-3262834A5446}\install.rdf
c:\documents and settings\Erik and Sarah Palau\Local Settings\Application Data\{B0A3265A-6925-44BC-A725-438EC199416A}
c:\documents and settings\Erik and Sarah Palau\Local Settings\Application Data\{B0A3265A-6925-44BC-A725-438EC199416A}\chrome.manifest
c:\documents and settings\Erik and Sarah Palau\Local Settings\Application Data\{B0A3265A-6925-44BC-A725-438EC199416A}\chrome\content\overlay.xul
c:\documents and settings\Erik and Sarah Palau\Local Settings\Application Data\{B0A3265A-6925-44BC-A725-438EC199416A}\install.rdf
c:\documents and settings\Erik and Sarah Palau\Start Menu\Zentom System Guard.lnk
c:\documents and settings\Erik and Sarah Palau\WINDOWS
c:\program files\messenger\msmsgsin.exe
c:\program files\msn\msncorefiles\custdial.dll
c:\program files\msn\msncorefiles\logonmgr.dll
c:\windows\ohefenifijo.dll
c:\windows\system32\_003697_.tmp.dll
c:\windows\system32\d3d9caps.dat
c:\windows\system32\delme.bat
c:\windows\tsoc.log
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_ITLPERF
-------\Service_itlperf
.
.
((((((((((((((((((((((((( Files Created from 2011-09-18 to 2011-10-18 )))))))))))))))))))))))))))))))
.
.
2011-10-16 13:32 . 2011-10-16 13:32 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-10-16 13:32 . 2011-08-31 22:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-10-15 19:58 . 2011-09-29 06:53 134104 ----a-w- c:\program files\Mozilla Firefox\components\browsercomps.dll
2011-10-15 19:58 . 2011-09-29 06:53 924632 ----a-w- c:\program files\Mozilla Firefox\firefox.exe
2011-10-15 19:58 . 2011-09-29 06:53 89048 ----a-w- c:\program files\Mozilla Firefox\libEGL.dll
2011-10-15 19:58 . 2011-09-29 06:53 773080 ----a-w- c:\program files\Mozilla Firefox\mozsqlite3.dll
2011-10-15 19:58 . 2011-09-29 06:53 478168 ----a-w- c:\program files\Mozilla Firefox\libGLESv2.dll
2011-10-15 19:58 . 2011-09-29 06:53 19416 ----a-w- c:\program files\Mozilla Firefox\AccessibleMarshal.dll
2011-10-15 19:58 . 2011-09-29 06:53 1833944 ----a-w- c:\program files\Mozilla Firefox\mozjs.dll
2011-10-15 19:58 . 2011-09-29 06:53 15832 ----a-w- c:\program files\Mozilla Firefox\mozalloc.dll
2011-10-15 19:58 . 2011-09-29 06:53 125912 ----a-w- c:\program files\Mozilla Firefox\crashreporter.exe
2011-10-15 19:58 . 2011-09-29 00:26 2106216 ----a-w- c:\program files\Mozilla Firefox\D3DCompiler_43.dll
2011-10-15 19:58 . 2011-09-29 00:26 1998168 ----a-w- c:\program files\Mozilla Firefox\d3dx9_43.dll
2011-10-15 17:51 . 2011-10-16 14:35 -------- d-----w- c:\program files\MALWAREBYTES ANTI-MALWARE
2011-10-15 17:50 . 2011-10-15 17:50 -------- d-----w- c:\documents and settings\Erik and Sarah Palau\Local Settings\Application Data\PCHealth
2011-10-15 17:24 . 2011-10-17 23:35 -------- d-----w- c:\program files\YONTOO LAYERS RUNTIME
2011-10-15 17:15 . 2011-10-15 17:15 -------- d-----w- c:\program files\AVG
2011-10-15 17:00 . 2011-10-15 17:00 -------- d--h--w- c:\documents and settings\All Users\Application Data\Common Files
2011-10-15 17:00 . 2011-10-17 23:46 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-10-10 15:09 . 2011-07-14 13:59 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-09-26 16:41 . 2008-07-30 00:59 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
2011-09-26 16:41 . 2003-03-31 12:00 220160 ----a-w- c:\windows\system32\oleacc.dll
2011-09-26 16:41 . 2003-03-31 12:00 20480 ----a-w- c:\windows\system32\oleaccrc.dll
2011-09-09 09:12 . 2003-03-31 12:00 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-09-06 13:20 . 2003-03-31 12:00 1858944 ----a-w- c:\windows\system32\win32k.sys
2011-08-22 23:48 . 2003-03-31 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2011-08-22 23:48 . 2003-03-31 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-08-22 23:48 . 2003-03-31 12:00 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-08-22 11:56 . 2004-08-04 05:59 385024 ----a-w- c:\windows\system32\html.iec
2011-08-17 13:49 . 2003-03-31 12:00 138496 ----a-w- c:\windows\system32\drivers\afd.sys
2011-09-29 06:53 . 2011-10-15 19:58 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-19 204288]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTDVDDET"="c:\program files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE" [2003-06-18 45056]
"RCSystem"="c:\program files\Creative\Shared Files\Module Loader\DLLML.exe" [2005-06-17 49152]
"AudioDrvEmulator"="c:\program files\Creative\Shared Files\Module Loader\DLLML.exe" [2005-06-17 49152]
"VolPanel"="c:\program files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe" [2005-07-11 122880]
"CTHelper"="CTHELPER.EXE" [2006-12-12 19456]
"CTxfiHlp"="CTXFIHLP.EXE" [2006-12-12 20480]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
"EEventManager"="c:\progra~1\EPSONS~1\EVENTM~1\EEventManager.exe" [2008-02-19 591696]
"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2008-04-17 98616]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2010-02-11 61440]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-09-07 37296]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"AvgUninstallURL"="start http://www.avg.com/ww.special-uninstallation-feedback-appf?lic=NFVXV1UtV0JEWEMtVllGTjMtUURKTUgtNDJBT0EtSzZIVTk&inst=NzctNzgyNTA4NTQzLVNUMTJGT0krMS1ERFQrMC1FVUxBKzEtU1QxMkZBUFArMQ&prod=90&ver=2012.0.1831&mid=66d9127c295547d1af8ad147e07655a0-ad1491be2ce6c122f6b66faa90e70c2decf7d34c" [?]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2008-11-04 435096]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WudfSvc]
@="Service"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\ASUS\\AsusUpdate\\Update.exe"=
"c:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\E_DUPA30.EXE"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
.
S1 MpKsl2781994f;MpKsl2781994f;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{B8B7EF1C-355F-413E-8734-51D67022F6D8}\MpKsl2781994f.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{B8B7EF1C-355F-413E-8734-51D67022F6D8}\MpKsl2781994f.sys [?]
S1 MpKsl3ad641b2;MpKsl3ad641b2;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{DBC4FCC1-9BDC-4355-81DE-5A0A5DE1ADFE}\MpKsl3ad641b2.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{DBC4FCC1-9BDC-4355-81DE-5A0A5DE1ADFE}\MpKsl3ad641b2.sys [?]
S1 MpKsl5905b6c5;MpKsl5905b6c5;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{1B276D52-E837-4CE6-87B6-B906A6934CED}\MpKsl5905b6c5.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{1B276D52-E837-4CE6-87B6-B906A6934CED}\MpKsl5905b6c5.sys [?]
S1 MpKsl69ae0e4a;MpKsl69ae0e4a;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{E79812E7-1861-4712-984E-555830753DF3}\MpKsl69ae0e4a.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{E79812E7-1861-4712-984E-555830753DF3}\MpKsl69ae0e4a.sys [?]
S1 MpKslbedfff26;MpKslbedfff26;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{8EB10F35-5E28-4651-A012-C6A55EFB49D6}\MpKslbedfff26.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{8EB10F35-5E28-4651-A012-C6A55EFB49D6}\MpKslbedfff26.sys [?]
S1 MpKsld91f53a4;MpKsld91f53a4;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{5D3B4035-F072-4D51-B108-78D742D07688}\MpKsld91f53a4.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{5D3B4035-F072-4D51-B108-78D742D07688}\MpKsld91f53a4.sys [?]
S3 ASUSHWIO;ASUSHWIO;\??\c:\windows\system32\drivers\ASUSHWIO.sys --> c:\windows\system32\drivers\ASUSHWIO.sys [?]
S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
S3 pcouffin;VSO Software pcouffin;c:\windows\system32\drivers\pcouffin.sys [3/28/2009 9:01 AM 47360]
S3 SIUSBXP;SIUSBXP;c:\windows\system32\drivers\SiUSBXp.sys [10/15/2009 7:31 PM 14848]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
itnetsvc REG_MULTI_SZ itlperf
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.1
FF - ProfilePath - c:\documents and settings\Erik and Sarah Palau\Application Data\Mozilla\Firefox\Profiles\ofp3h1a7.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-&p=
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/?fr=fptb-
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-&p=
user_pref(security.warn_viewing_mixed,false);
user_pref(security.warn_viewing_mixed.show_once,false);
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
user_pref(security.warn_submit_insecure,false);
FF - user.js: security.warn_submit_insecure.show_once - false
.
- - - - ORPHANS REMOVED - - - -
.
BHO-{FD72061E-9FDE-484D-A58A-0BAB4151CAD8} - c:\program files\Yontoo Layers Runtime\YontooIEClient_2.dll
HKLM-Run-Elehih - c:\windows\ohefenifijo.dll
Notify-inetwork - inetsw32.dll
SafeBoot-WudfPf
SafeBoot-WudfRd
AddRemove-SIUSBXP&10C4&8227 - c:\windows\system32\Silabs\DriverUninstaller.exe USBXpress\SIUSBXP&10C4&8227
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-10-17 19:09
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: WDC_WD800JD-32HKA0 rev.13.03G13 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-e
.
device: opened successfully
user: MBR read successfully
error: Read A device attached to the system is not functioning.
kernel: MBR read successfully
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x8A87131B
user & kernel MBR OK
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(468)
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll
.
- - - - - - - > 'lsass.exe'(532)
c:\windows\system32\WININET.dll
.
- - - - - - - > 'explorer.exe'(2532)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\HPZipm12.exe
c:\program files\Windows Media Player\WMPNetwk.exe
c:\windows\system32\wscntfy.exe
c:\windows\SYSTEM32\CTXFISPI.EXE
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
c:\program files\Creative\ShareDLL\CADI\NotiMan.exe
.
**************************************************************************
.
Completion time: 2011-10-17 19:17:13 - machine was rebooted
ComboFix-quarantined-files.txt 2011-10-18 00:17
.
Pre-Run: 58,465,992,704 bytes free
Post-Run: 59,389,751,296 bytes free
.
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn
.
- - End Of File - - 05BC1BB6ADAB4C6A849DFB221A2D03DF

#6 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  • Gender:Not Telling
  • Location:Canada
  • Local time:01:03 PM

Posted 18 October 2011 - 05:57 PM

Hi

Please do the following


  • Please open your MalwareBytes AntiMalware Program
  • Click the Update Tab and search for updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected. <-- very important
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.



NEXT


Go here to run an online scanner from ESET.
  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activeX control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked and the Scan Archives option is ticked.
  • Click on Advanced Settings, ensure the options Scan for potentially unwanted applications, Scan for potentially unsafe applications, and Enable Anti-Stealth Technology are ticked.
  • Click Scan
  • Wait for the scan to finish
  • When the scan completes, press the LIST OF THREATS FOUND button
  • Press EXPORT TO TEXT FILE , name the file ESETSCAN and save it to your desktop
  • Include the contents of this report in your next reply.
  • Press the BACK button.
  • Press Finish

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#7 eta508

eta508
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:12:03 PM

Posted 18 October 2011 - 07:27 PM

Nothing in MBAM, lots flagged by ESET.

Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 7976

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

10/18/2011 6:10:18 PM
mbam-log-2011-10-18 (18-10-18).txt

Scan type: Quick scan
Objects scanned: 161049
Time elapsed: 2 minute(s), 51 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)




C:\Qoobox\Quarantine\C\Documents and Settings\Erik and Sarah Palau\Application Data\7FDDEF7E36FCCCF8D5A310E893FE7EA3\enemies-names.txt.vir Win32/Adware.AntimalwareDoctor.AE.Gen application
C:\Qoobox\Quarantine\C\Documents and Settings\Erik and Sarah Palau\Application Data\7FDDEF7E36FCCCF8D5A310E893FE7EA3\local.ini.vir Win32/Adware.AntimalwareDoctor.AE.Gen application
C:\System Volume Information\_restore{D0A02B2B-EA45-4BF7-9868-0ACDFB1B6E37}\RP1054\A0065239.exe a variant of Win32/Kryptik.SOJ trojan
C:\System Volume Information\_restore{D0A02B2B-EA45-4BF7-9868-0ACDFB1B6E37}\RP1054\A0065240.exe a variant of Win32/Kryptik.SOJ trojan
C:\System Volume Information\_restore{D0A02B2B-EA45-4BF7-9868-0ACDFB1B6E37}\RP1054\A0066238.exe a variant of Win32/Kryptik.SOJ trojan
C:\System Volume Information\_restore{D0A02B2B-EA45-4BF7-9868-0ACDFB1B6E37}\RP1054\A0066239.exe a variant of Win32/Kryptik.SOJ trojan
C:\System Volume Information\_restore{D0A02B2B-EA45-4BF7-9868-0ACDFB1B6E37}\RP1054\A0066254.exe a variant of Win32/Kryptik.SOJ trojan
C:\System Volume Information\_restore{D0A02B2B-EA45-4BF7-9868-0ACDFB1B6E37}\RP1054\A0066256.exe a variant of Win32/Kryptik.SOJ trojan
C:\System Volume Information\_restore{D0A02B2B-EA45-4BF7-9868-0ACDFB1B6E37}\RP1054\A0067254.exe a variant of Win32/Kryptik.SOJ trojan
C:\System Volume Information\_restore{D0A02B2B-EA45-4BF7-9868-0ACDFB1B6E37}\RP1054\A0067256.exe a variant of Win32/Kryptik.SOJ trojan
C:\System Volume Information\_restore{D0A02B2B-EA45-4BF7-9868-0ACDFB1B6E37}\RP1054\A0067257.exe a variant of Win32/Kryptik.SOJ trojan
C:\System Volume Information\_restore{D0A02B2B-EA45-4BF7-9868-0ACDFB1B6E37}\RP1054\A0067258.exe a variant of Win32/Kryptik.SOJ trojan
C:\System Volume Information\_restore{D0A02B2B-EA45-4BF7-9868-0ACDFB1B6E37}\RP1056\A0067322.dll a variant of Win32/Adware.Yontoo.A application
C:\System Volume Information\_restore{D0A02B2B-EA45-4BF7-9868-0ACDFB1B6E37}\RP1056\A0067323.dll a variant of Win32/Adware.Yontoo.A application
C:\System Volume Information\_restore{D0A02B2B-EA45-4BF7-9868-0ACDFB1B6E37}\RP1056\A0067325.dll a variant of Win32/Adware.Yontoo.B application
C:\System Volume Information\_restore{D0A02B2B-EA45-4BF7-9868-0ACDFB1B6E37}\RP1056\A0067354.exe a variant of Win32/Kryptik.SOJ trojan
C:\System Volume Information\_restore{D0A02B2B-EA45-4BF7-9868-0ACDFB1B6E37}\RP1056\A0067356.exe a variant of Win32/Kryptik.SOJ trojan
C:\System Volume Information\_restore{D0A02B2B-EA45-4BF7-9868-0ACDFB1B6E37}\RP1056\A0067357.exe a variant of Win32/Kryptik.SOJ trojan
C:\System Volume Information\_restore{D0A02B2B-EA45-4BF7-9868-0ACDFB1B6E37}\RP1056\A0067358.exe a variant of Win32/Kryptik.SOJ trojan
C:\System Volume Information\_restore{D0A02B2B-EA45-4BF7-9868-0ACDFB1B6E37}\RP1056\A0067359.exe a variant of Win32/Kryptik.SOJ trojan
C:\System Volume Information\_restore{D0A02B2B-EA45-4BF7-9868-0ACDFB1B6E37}\RP1056\A0067360.exe a variant of Win32/Kryptik.SOJ trojan
C:\System Volume Information\_restore{D0A02B2B-EA45-4BF7-9868-0ACDFB1B6E37}\RP1056\A0067361.exe a variant of Win32/Kryptik.SOJ trojan
C:\System Volume Information\_restore{D0A02B2B-EA45-4BF7-9868-0ACDFB1B6E37}\RP1056\A0067362.exe a variant of Win32/Kryptik.SOJ trojan
C:\System Volume Information\_restore{D0A02B2B-EA45-4BF7-9868-0ACDFB1B6E37}\RP1056\A0067363.exe a variant of Win32/Kryptik.SOJ trojan
C:\System Volume Information\_restore{D0A02B2B-EA45-4BF7-9868-0ACDFB1B6E37}\RP1056\A0067378.exe a variant of Win32/Kryptik.SOJ trojan
C:\System Volume Information\_restore{D0A02B2B-EA45-4BF7-9868-0ACDFB1B6E37}\RP1056\A0067380.exe a variant of Win32/Kryptik.SOJ trojan
C:\System Volume Information\_restore{D0A02B2B-EA45-4BF7-9868-0ACDFB1B6E37}\RP1056\A0067395.exe a variant of Win32/Kryptik.SOJ trojan
C:\System Volume Information\_restore{D0A02B2B-EA45-4BF7-9868-0ACDFB1B6E37}\RP1056\A0067397.exe a variant of Win32/Kryptik.SOJ trojan
C:\System Volume Information\_restore{D0A02B2B-EA45-4BF7-9868-0ACDFB1B6E37}\RP1056\A0068395.exe a variant of Win32/Kryptik.SOJ trojan
C:\System Volume Information\_restore{D0A02B2B-EA45-4BF7-9868-0ACDFB1B6E37}\RP1056\A0068396.exe a variant of Win32/Kryptik.SOJ trojan
C:\System Volume Information\_restore{D0A02B2B-EA45-4BF7-9868-0ACDFB1B6E37}\RP1056\A0068398.exe a variant of Win32/Kryptik.SOJ trojan
C:\System Volume Information\_restore{D0A02B2B-EA45-4BF7-9868-0ACDFB1B6E37}\RP1056\A0068399.exe a variant of Win32/Kryptik.SOJ trojan
C:\System Volume Information\_restore{D0A02B2B-EA45-4BF7-9868-0ACDFB1B6E37}\RP1056\A0068419.exe a variant of Win32/Kryptik.SOJ trojan
C:\System Volume Information\_restore{D0A02B2B-EA45-4BF7-9868-0ACDFB1B6E37}\RP1061\A0069556.exe a variant of Win32/AdInstaller application
C:\System Volume Information\_restore{D0A02B2B-EA45-4BF7-9868-0ACDFB1B6E37}\RP1061\A0069557.exe a variant of Win32/AdInstaller application
C:\System Volume Information\_restore{D0A02B2B-EA45-4BF7-9868-0ACDFB1B6E37}\RP1061\A0069587.dll a variant of Win32/TrojanProxy.Agent.NHY trojan
C:\System Volume Information\_restore{D0A02B2B-EA45-4BF7-9868-0ACDFB1B6E37}\RP1064\A0069607.exe a variant of Win32/Injector.JCF trojan
C:\System Volume Information\_restore{D0A02B2B-EA45-4BF7-9868-0ACDFB1B6E37}\RP1066\A0070255.exe a variant of Win32/Kryptik.SOJ trojan
C:\System Volume Information\_restore{D0A02B2B-EA45-4BF7-9868-0ACDFB1B6E37}\RP1068\A0070715.ini Win32/Adware.AntimalwareDoctor.AE.Gen application

#8 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  • Gender:Not Telling
  • Location:Canada
  • Local time:01:03 PM

Posted 18 October 2011 - 07:59 PM

Hi

The items found by ESET are either in quarantine or in old system restore points, which we will clean up shortly.

Please do the following:


Visit ADOBE and download the latest version of Acrobat Reader (version X)
Having the latest updates ensures there are no security vulnerabilities in your system.

NEXT

Your Java is out of date.
Java™ 6 Update 23 can be updated from the Java control panel: Start > Control Panel (Classic View) > Java (looks like a coffee cup) > Update Tab > Update Now.
An update should begin; follow the prompts.


Clear Java cache

Go into the Control Panel and double-click the Java icon (looks like a coffee cup). If you do not see the icon, look to your left and click 'Switch to Classic View'.
  • On the General tab, under Temporary Internet Files, click the Settings button.
  • Next, click on the Delete Files button
  • There are two options in the window to clear the cache - Leave BOTH Checked
    • Applications and Applets
    • Trace and Log Files
  • Click OK on Delete Temporary Files Window
    Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
  • Click OK to leave the Temporary Files Window
  • Click OK to leave the Java Control Panel.



NEXT


Please post a fresh DDS Log and advise how the computer is running now and if there are any outstanding issues

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#9 eta508

eta508
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  • Local time:12:03 PM

Posted 18 October 2011 - 09:02 PM

I don't seem to have any ads popping up through search links, so I'm pretty happy! You're pretty good at this, CatByte :)


.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_29
Run by Erik and Sarah Palau at 20:57:12 on 2011-10-18
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2559.1936 [GMT -5:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE
C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\WINDOWS\system32\CTXFIHLP.EXE
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\PROGRA~1\EPSONS~1\EVENTM~1\EEventManager.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
svchost.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\Program Files\Creative\ShareDLL\CADI\NotiMan.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\system32\wuauclt.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.yahoo.com/
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [CTDVDDET] "c:\program files\creative\sound blaster x-fi\dvdaudio\CTDVDDET.EXE"
mRun: [RCSystem] "c:\program files\creative\shared files\module loader\DLLML.exe" RCSystem * -Startup
mRun: [AudioDrvEmulator] "c:\program files\creative\shared files\module loader\dllml.exe" -1 audiodrvemulator "c:\program files\creative\shared files\module loader\audio emulator\AudDrvEm.dll"
mRun: [VolPanel] "c:\program files\creative\sound blaster x-fi\volume panel\VolPanel.exe" /r
mRun: [CTHelper] CTHELPER.EXE
mRun: [CTxfiHlp] CTXFIHLP.EXE
mRun: [UpdReg] c:\windows\UpdReg.EXE
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [EEventManager] c:\progra~1\epsons~1\eventm~1\EEventManager.exe
mRun: [ArcSoft Connection Service] c:\program files\common files\arcsoft\connection service\bin\ACDaemon.exe
mRun: [StartCCC] "c:\program files\ati technologies\ati.ace\core-static\CLIStart.exe" MSRun
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRunOnce: [AvgUninstallURL] cmd.exe /c start http://www.avg.com/ww.special-uninstallation-feedback-appf?lic=NFVXV1UtV0JEWEMtVllGTjMtUURKTUgtNDJBT0EtSzZIVTk"&"inst=NzctNzgyNTA4NTQzLVNUMTJGT0krMS1ERFQrMC1FVUxBKzEtU1QxMkZBUFArMQ"&"prod=90"&"ver=2012.0.1831"&"mid=66d9127c295547d1af8ad147e07655a0-ad1491be2ce6c122f6b66faa90e70c2decf7d34c
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {0D41B8C5-2599-4893-8183-00195EC8D5F9} - hxxp://support.asus.com/common/asusTek_sys_ctrl.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1236818300420
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdate/content/opuc4.cab
DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
TCP: DhcpNameServer = 192.168.1.1
TCP: Interfaces\{AE7B861D-976C-4369-B0A2-2E5E2B70E285} : DhcpNameServer = 192.168.1.1
Notify: AtiExtEvent - Ati2evxx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\erik and sarah palau\application data\mozilla\firefox\profiles\ofp3h1a7.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-&p=
FF - prefs.js: browser.search.selectedEngine - Yahoo
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/?fr=fptb-
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-&p=
FF - plugin: c:\documents and settings\erik and sarah palau\local settings\application data\yahoo!\browserplus\2.9.8\plugins\npybrowserplus_2.9.8.dll
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\adobe\reader 9.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60831.0\npctrlui.dll
FF - plugin: c:\program files\microsoft\office live\npOLW.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
.
---- FIREFOX POLICIES ----
user_pref(security.warn_viewing_mixed,false);
user_pref(security.warn_viewing_mixed.show_once,false);
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
user_pref(security.warn_submit_insecure,false);
FF - user.js: security.warn_submit_insecure.show_once - false
.
============= SERVICES / DRIVERS ===============
.
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2011-4-18 165648]
R1 MpKsl3e2ad863;MpKsl3e2ad863;c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{3274e30f-312c-4529-b298-e9ece4e68068}\MpKsl3e2ad863.sys [2011-10-18 28752]
S1 MpKsl2781994f;MpKsl2781994f;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{b8b7ef1c-355f-413e-8734-51d67022f6d8}\mpksl2781994f.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{b8b7ef1c-355f-413e-8734-51d67022f6d8}\MpKsl2781994f.sys [?]
S1 MpKsl3ad641b2;MpKsl3ad641b2;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{dbc4fcc1-9bdc-4355-81de-5a0a5de1adfe}\mpksl3ad641b2.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{dbc4fcc1-9bdc-4355-81de-5a0a5de1adfe}\MpKsl3ad641b2.sys [?]
S1 MpKsl5905b6c5;MpKsl5905b6c5;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{1b276d52-e837-4ce6-87b6-b906a6934ced}\mpksl5905b6c5.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{1b276d52-e837-4ce6-87b6-b906a6934ced}\MpKsl5905b6c5.sys [?]
S1 MpKsl69ae0e4a;MpKsl69ae0e4a;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{e79812e7-1861-4712-984e-555830753df3}\mpksl69ae0e4a.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{e79812e7-1861-4712-984e-555830753df3}\MpKsl69ae0e4a.sys [?]
S1 MpKslbedfff26;MpKslbedfff26;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{8eb10f35-5e28-4651-a012-c6a55efb49d6}\mpkslbedfff26.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{8eb10f35-5e28-4651-a012-c6a55efb49d6}\MpKslbedfff26.sys [?]
S1 MpKsld91f53a4;MpKsld91f53a4;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{5d3b4035-f072-4d51-b108-78d742d07688}\mpksld91f53a4.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{5d3b4035-f072-4d51-b108-78d742d07688}\MpKsld91f53a4.sys [?]
S3 ASUSHWIO;ASUSHWIO;\??\c:\windows\system32\drivers\asushwio.sys --> c:\windows\system32\drivers\ASUSHWIO.sys [?]
S3 SIUSBXP;SIUSBXP;c:\windows\system32\drivers\SiUSBXp.sys [2009-10-15 14848]
.
=============== Created Last 30 ================
.
2011-10-19 01:55:02 28752 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{3274e30f-312c-4529-b298-e9ece4e68068}\MpKsl3e2ad863.sys
2011-10-19 01:54:56 56200 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{3274e30f-312c-4529-b298-e9ece4e68068}\offreg.dll
2011-10-19 01:52:55 7269712 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
2011-10-19 01:52:28 6668624 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{3274e30f-312c-4529-b298-e9ece4e68068}\mpengine.dll
2011-10-19 01:48:37 -------- d-----w- c:\program files\Microsoft Security Client
2011-10-19 01:21:04 -------- d-----w- c:\documents and settings\erik and sarah palau\local settings\application data\Solid State Networks
2011-10-17 23:50:31 -------- d-sha-r- C:\cmdcons
2011-10-17 23:47:50 98816 ----a-w- c:\windows\sed.exe
2011-10-17 23:47:50 518144 ----a-w- c:\windows\SWREG.exe
2011-10-17 23:47:50 256000 ----a-w- c:\windows\PEV.exe
2011-10-17 23:47:50 208896 ----a-w- c:\windows\MBR.exe
2011-10-16 13:32:13 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-10-16 13:32:13 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-10-15 19:58:52 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2011-10-15 19:58:50 924632 ----a-w- c:\program files\mozilla firefox\firefox.exe
2011-10-15 19:58:50 89048 ----a-w- c:\program files\mozilla firefox\libEGL.dll
2011-10-15 19:58:50 773080 ----a-w- c:\program files\mozilla firefox\mozsqlite3.dll
2011-10-15 19:58:50 478168 ----a-w- c:\program files\mozilla firefox\libGLESv2.dll
2011-10-15 19:58:50 2106216 ----a-w- c:\program files\mozilla firefox\D3DCompiler_43.dll
2011-10-15 19:58:50 1998168 ----a-w- c:\program files\mozilla firefox\d3dx9_43.dll
2011-10-15 19:58:50 19416 ----a-w- c:\program files\mozilla firefox\AccessibleMarshal.dll
2011-10-15 19:58:50 1833944 ----a-w- c:\program files\mozilla firefox\mozjs.dll
2011-10-15 19:58:50 15832 ----a-w- c:\program files\mozilla firefox\mozalloc.dll
2011-10-15 19:58:50 125912 ----a-w- c:\program files\mozilla firefox\crashreporter.exe
2011-10-15 17:51:33 -------- d-----w- c:\program files\MALWAREBYTES ANTI-MALWARE
2011-10-15 17:50:58 -------- d-----w- c:\documents and settings\erik and sarah palau\local settings\application data\PCHealth
2011-10-15 17:24:22 -------- d-----w- c:\program files\YONTOO LAYERS RUNTIME
2011-10-15 17:15:54 -------- d-----w- c:\program files\AVG
2011-10-15 17:00:34 -------- d--h--w- c:\documents and settings\all users\application data\Common Files
2011-10-15 17:00:13 -------- d-----w- c:\documents and settings\all users\application data\MFAData
.
==================== Find3M ====================
.
2011-10-17 23:38:43 0 ----a-w- c:\windows\Itedujehokonip.bin
2011-10-10 15:09:10 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-10-03 10:06:03 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-10-03 07:37:52 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-09-26 16:41:20 611328 ----a-w- c:\windows\system32\uiautomationcore.dll
2011-09-26 16:41:20 220160 ----a-w- c:\windows\system32\oleacc.dll
2011-09-26 16:41:14 20480 ----a-w- c:\windows\system32\oleaccrc.dll
2011-09-09 09:12:13 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-09-06 13:20:51 1858944 ----a-w- c:\windows\system32\win32k.sys
2011-08-22 23:48:55 916480 ----a-w- c:\windows\system32\wininet.dll
2011-08-22 23:48:54 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-08-22 23:48:54 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-08-22 11:56:39 385024 ----a-w- c:\windows\system32\html.iec
2011-08-17 13:49:54 138496 ----a-w- c:\windows\system32\drivers\afd.sys
.
============= FINISH: 20:58:44.78 ===============

#10 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 18 October 2011 - 09:13 PM

Hi

Just some housekeeping to do now,

Please do the following:


Press the WinKey + R to open a run box, then copy/paste the following single-line command into the Run box and click OK:

cmd /c del /f/a/q "c:\windows\Itedujehokonip.bin"



NEXT



You can delete the DDS and GMER logs and programs from your desktop.


NEXT


Follow these steps to uninstall Combofix

  • Make sure your security programs are totally disabled.
  • Click START then RUN
  • Now copy/paste Combofix /uninstall into the run box and click OK. Note the space between the ..X and the /U; it needs to be there.



If there are any logs/tools remaining on your desktop > right click and delete them.


NEXT


Below I have included a number of recommendations for how to protect your computer against malware infections.

  • It is good security practice to change your passwords to all your online accounts on a fairly regular basis; this is especially true after an infection. Refer to this Microsoft article:
    Strong passwords: How to create and use them
    Then consider a password keeper, to keep all your passwords safe. KeePass is a small utility that allows you to manage all your passwords.

  • Keep Windows updated by regularly checking their website at :
    http://windowsupdate.microsoft.com/
    This will ensure your computer always has the latest available security updates installed.

  • Make Internet Explorer more secure
    • Click Start > Run
    • Type Inetcpl.cpl & click OK
    • Click on the Security tab
    • Click Reset all zones to default level
    • Make sure the Internet Zone is selected & Click Custom level
    • In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls") to "Prompt", and "Initialize and Script ActiveX controls not marked as safe" to "Disable".
    • Next Click OK, then Apply button and then OK to exit the Internet Properties page.

  • Download TFC to your desktop
    • Close any open windows.
    • Double click the TFC icon to run the program
    • TFC will close all open programs itself in order to run,
    • Click the Start button to begin the process.
    • Allow TFC to run uninterrupted.
    • The program should not take long to finish its job.
    • Once it's finished, it should automatically reboot your machine;
    • if it doesn't, manually reboot to ensure a complete clean.
    It's normal after running TFC cleaner that the PC will be slower to boot the first time.

  • WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:
    • Green to go
    • Yellow for caution
    • Red to stop
    WOT has an addon available for both Firefox and IE

  • Keep a backup of your important files - Now, more than ever, it's especially important to protect your digital files and memories. This article is full of good information on alternatives for home backup solutions.

  • ERUNT (Emergency Recovery Utility NT) allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed.

  • In light of your recent issue, I'm sure you'd like to avoid any future infections. Please take a look at this well written article:
    PC Safety and Security--What Do I Need?


**Be very wary with any security software that is advertised in popups or in other ways. They are not only usually of no use, but often have malware in them.


Thank you for your patience, and performing all of the procedures requested.

Please respond one last time so we can consider the thread resolved and close it, thank-you.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015
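
As an added example (not from CatByte's post or from any tool used in this thread): a PowerShell script that audits the three Internet-zone ActiveX settings changed by the "Make Internet Explorer more secure" steps above, reading the same registry values that the Inetcpl.cpl Custom level dialog writes, and that can apply the recommended levels. The key path and the numbers used (zone 3 = Internet; URL actions 1001, 1004 and 1201; levels 0 = Enable, 1 = Prompt, 3 = Disable) are the standard Internet Explorer zone layout in the registry; the function names are my own.

```powershell
# Added example, not part of the original post: audit/apply the Internet-zone
# ActiveX levels recommended above by reading the registry values the
# Internet Options "Custom level" dialog writes for the current user.
# Zone 3 = Internet. Level values: 0 = Enable, 1 = Prompt, 3 = Disable.
# URL action ids: 1001 = Download signed ActiveX controls,
#                 1004 = Download unsigned ActiveX controls,
#                 1201 = Initialize and script ActiveX controls not marked as safe.
$ZoneKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

# Recommended levels, as in the post: first two to Prompt, the third to Disable.
$Wanted = @{
    '1001' = 1   # Download signed ActiveX controls          -> Prompt
    '1004' = 1   # Download unsigned ActiveX controls        -> Prompt
    '1201' = 3   # Initialize/script ActiveX not marked safe -> Disable
}
$Labels = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

function Get-ActiveXSetting {
    # Returns the current level for one URL action, or $null if the value is absent.
    param([string]$ValueName)
    $item = Get-ItemProperty -Path $ZoneKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$ValueName
}

function Test-ActiveXHardening {
    # One object per setting: current level, recommended level, and whether they match.
    foreach ($name in ($Wanted.Keys | Sort-Object)) {
        $current = Get-ActiveXSetting -ValueName $name
        $label = if ($null -ne $current -and $Labels.ContainsKey($current)) {
            $Labels[$current]
        } else {
            "unknown ($current)"
        }
        [pscustomobject]@{
            Action      = $name
            Current     = $label
            Recommended = $Labels[$Wanted[$name]]
            Compliant   = ($current -eq $Wanted[$name])
        }
    }
}

function Set-ActiveXHardening {
    # Writes the recommended levels; IE picks them up on the next navigation.
    foreach ($name in $Wanted.Keys) {
        Set-ItemProperty -Path $ZoneKey -Name $name -Value $Wanted[$name] -Type DWord
    }
}

# Audit only by default. Uncomment the second line to apply and re-check.
Test-ActiveXHardening | Format-Table -AutoSize
# Set-ActiveXHardening; Test-ActiveXHardening | Format-Table -AutoSize
```

Two caveats a practitioner would want: the script reads and writes the current user's zone settings only, so run it as the account that browses; and if the machine has the "Security Zones: Use only machine settings" policy applied, the effective values live under HKLM rather than HKCU and the audit above will not reflect them.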


#11 eta508

eta508
  • Topic Starter

  • Members
  • 6 posts

Posted 19 October 2011 - 05:31 PM

Everything is running great. Thanks again for your help.

#12 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 19 October 2011 - 06:43 PM

you are welcome

stay safe :hello:

~CB

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#13 CatByte

CatByte

    bleepin' tiger


  • Malware Response Team
  • 14,664 posts
  • Gender:Not Telling
  • Location:Canada

Posted 19 October 2011 - 06:44 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015




