
trojan win32 fakesys


  • This topic is locked
20 replies to this topic

#1 miss_october

miss_october

  • Members
  • 16 posts
  • OFFLINE
  •  
  • Local time:07:28 AM

Posted 26 November 2011 - 03:37 PM

Hi there. I have been sent here after running logs. Everything has run fine. The problem I am at right now is that after running GMER I cannot access the save button to save the log. It is there, but it is just beyond the bottom of the screen, so I cannot access it. I have tried using a shortcut key, but that is not working. Is there a way around this? I also have tried changing my screen resolution, but that did not work. I am in safe mode, as nothing is visible in regular mode.

Original post in other thread: Hello, I came home from Thanksgiving dinner last night. My dad says something is wrong with the computer, then admits to having been surfing for porn. So I have found that we have a trojanwin32fakesys infection. The desktop has nothing on it any more. I have been able to boot in safe mode and run the Microsoft security program as well as Malwarebytes and rkill and TDSSKiller. I have the .cmd file to unhide files, which has worked in safe mode only. My friend had me install ComboFix and told me to come here and ask for help. I am using an XP machine.

The only real details I have are that it put up a bunch of error messages, which are fake, then it asked him to run this check on the comp, then listed errors saying there was a bad hard drive, bad memory, etc., then asked him to purchase a full version to fix it. My dad says he didn't try to purchase anything, just turned the comp off. The virus protection has been disabled. We use Chrome, so I have no idea if it has done anything to IE, but if I am not in safe mode we can't access any programs anyway. Any advice would be greatly appreciated.



Right now I do have the DDS and Attach logs. The main thing going on right now is that in regular mode there is nothing there. Under the Start menu I don't even have the option to Run. The Task Manager was disabled, as well as all programs hidden and files hidden. The errors that were showing up are gone. They were the typical fake security scan with the option to purchase, claiming problems with different hardware in the computer, followed by a pop-up with an error along the lines of what is shown in the screenshots here: http://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Trojan:Win32/FakeSysdef. Hope this is helpful info.

The main issue right now, though, is not being able to scroll down to get the GMER log saved. Is it because of a widescreen monitor? Should I try using a different monitor? I have been following the prep guide before coming here.


Logs that I have:
DDS:

.
DDS (Ver_2011-08-26.01) - NTFSx86 NETWORK
Internet Explorer: 8.0.6001.18702
Run by Administrator at 13:01:24 on 2011-11-26
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.479.216 [GMT -6:00]
.
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
.
============== Pseudo HJT Report ===============
.
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 10.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Mouse Suite 98 Daemon] c:\program files\rocketfish 2.4g wireless combo\ICO.EXE
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
uPolicies-system: <NO NAME> = 0
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
TCP: DhcpNameServer = 192.168.10.1
TCP: Interfaces\{ED1E9243-895F-4CE2-B9D0-4D649D89E307} : DhcpNameServer = 192.168.10.1
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
============= SERVICES / DRIVERS ===============
.
R3 BCMH43XX;Broadcom 802.11 USB Network Adapter Driver;c:\windows\system32\drivers\bcmwlhigh5.sys [2011-6-28 642432]
S1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2011-4-18 165648]
S1 MpKsl1f729eb4;MpKsl1f729eb4;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{c998c849-f171-4acf-9695-04fcda1e941f}\mpksl1f729eb4.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{c998c849-f171-4acf-9695-04fcda1e941f}\MpKsl1f729eb4.sys [?]
S1 MpKsl29fffd84;MpKsl29fffd84;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{bb5a0d8e-4dbb-4c83-9483-2852f7e30c6f}\mpksl29fffd84.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{bb5a0d8e-4dbb-4c83-9483-2852f7e30c6f}\MpKsl29fffd84.sys [?]
S1 MpKsl2bff2090;MpKsl2bff2090;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{f0694e54-6733-47f1-aa3b-a7bf38db6144}\mpksl2bff2090.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{f0694e54-6733-47f1-aa3b-a7bf38db6144}\MpKsl2bff2090.sys [?]
S1 MpKsleec33482;MpKsleec33482;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{ac9ab7d2-7dba-47c5-99dc-8f604dff22bf}\mpksleec33482.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{ac9ab7d2-7dba-47c5-99dc-8f604dff22bf}\MpKsleec33482.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2011-4-27 136176]
S2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-11-24 366152]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2011-4-27 136176]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-11-24 22216]
.
=============== Created Last 30 ================
.
2011-11-26 18:52:27 56200 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{1bbbcba7-2421-4935-8be2-e81f282ea852}\offreg.dll
2011-11-26 18:46:27 157 ----a-w- C:\Fakesysdef_unhide.cmd
2011-11-25 21:32:27 -------- d-sh--w- c:\documents and settings\administrator\IECompatCache
2011-11-25 21:32:06 -------- d-sh--w- c:\documents and settings\administrator\PrivacIE
2011-11-25 20:48:04 -------- d-sha-r- C:\cmdcons
2011-11-25 20:44:01 98816 ----a-w- c:\windows\sed.exe
2011-11-25 20:44:01 518144 ----a-w- c:\windows\SWREG.exe
2011-11-25 20:44:01 256000 ----a-w- c:\windows\PEV.exe
2011-11-25 20:44:01 208896 ----a-w- c:\windows\MBR.exe
2011-11-25 00:39:24 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-11-25 00:39:24 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-11-25 00:00:23 -------- d-----w- c:\documents and settings\administrator\application data\Malwarebytes
2011-11-25 00:00:17 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2011-11-24 23:44:23 -------- d-----w- c:\documents and settings\administrator\local settings\application data\Google
2011-11-24 23:24:02 -------- d-sh--w- c:\documents and settings\administrator\IETldCache
2011-11-24 23:02:53 357106 ----a-w- c:\windows\system32\PerfStringBackup.TMP
2011-11-24 23:02:46 6668624 ---ha-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{1bbbcba7-2421-4935-8be2-e81f282ea852}\mpengine.dll
2011-11-24 15:07:07 319488 ---ha-r- c:\windows\system32\XMOUSE.CPL
2011-11-24 15:07:07 24576 ---ha-w- c:\windows\system32\drivers\pelusblf.sys
2011-11-24 15:07:07 19456 ---ha-w- c:\windows\system32\drivers\PELMOUSE.SYS
2011-11-18 18:44:42 19456 ---ha-w- c:\windows\PELMOUSE.SYS
2011-11-18 18:44:27 -------- d--h--w- c:\program files\Rocketfish 2.4G Wireless Combo
2011-11-18 18:44:06 69632 ---ha-r- c:\windows\setupnt.exe
2011-11-18 18:43:48 -------- d--h--w- c:\windows\ms98
.
==================== Find3M ====================
.
2011-10-10 14:22:41 692736 ---ha-w- c:\windows\system32\inetcomm.dll
2011-09-28 07:06:50 599040 ---ha-w- c:\windows\system32\crypt32.dll
2011-09-26 16:41:20 611328 ---h--w- c:\windows\system32\uiautomationcore.dll
2011-09-26 16:41:20 220160 ---ha-w- c:\windows\system32\oleacc.dll
2011-09-26 16:41:14 20480 ---ha-w- c:\windows\system32\oleaccrc.dll
2011-09-06 13:20:51 1858944 ---ha-w- c:\windows\system32\win32k.sys
.
============= FINISH: 13:01:55.21 ===============


Attach:
.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume1
Install Date: 4/15/2011 3:32:05 PM
System Uptime: 11/26/2011 12:51:50 PM (1 hours ago)
.
Motherboard: ECS | | K7VMM+
Processor: AMD Athlon™ XP 2400+ | Socket-A | 2000/133mhz
.
==== Disk Partitions =========================
.
A: is Removable
C: is FIXED (NTFS) - 34 GiB total, 20.817 GiB free.
D: is CDROM ()
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
RP157: 8/23/2011 7:19:41 PM - System Checkpoint
RP158: 8/24/2011 7:19:16 PM - Software Distribution Service 3.0
RP159: 8/24/2011 9:26:58 PM - Software Distribution Service 3.0
RP160: 8/25/2011 10:07:40 PM - Software Distribution Service 3.0
RP161: 8/28/2011 7:39:23 AM - Software Distribution Service 3.0
RP162: 8/29/2011 5:46:04 PM - Software Distribution Service 3.0
RP163: 8/30/2011 7:33:21 PM - Software Distribution Service 3.0
RP164: 9/1/2011 5:49:43 PM - Software Distribution Service 3.0
RP165: 9/2/2011 6:52:05 PM - Software Distribution Service 3.0
RP166: 9/4/2011 6:46:00 AM - Software Distribution Service 3.0
RP167: 9/5/2011 11:05:08 AM - Software Distribution Service 3.0
RP168: 9/6/2011 5:58:58 PM - Software Distribution Service 3.0
RP169: 9/6/2011 8:59:11 PM - Software Distribution Service 3.0
RP170: 9/8/2011 6:05:34 PM - Software Distribution Service 3.0
RP171: 9/9/2011 6:20:04 PM - System Checkpoint
RP172: 9/10/2011 12:25:54 AM - Software Distribution Service 3.0
RP173: 9/11/2011 8:56:42 AM - Software Distribution Service 3.0
RP174: 9/12/2011 6:35:36 PM - Software Distribution Service 3.0
RP175: 9/13/2011 6:43:20 PM - Software Distribution Service 3.0
RP176: 9/13/2011 10:04:49 PM - Software Distribution Service 3.0
RP177: 9/15/2011 7:18:38 PM - Software Distribution Service 3.0
RP178: 9/16/2011 7:52:04 PM - Software Distribution Service 3.0
RP179: 9/18/2011 10:53:13 AM - Software Distribution Service 3.0
RP180: 9/19/2011 5:53:05 PM - Software Distribution Service 3.0
RP181: 9/20/2011 1:58:58 AM - Software Distribution Service 3.0
RP182: 9/21/2011 6:45:29 PM - Software Distribution Service 3.0
RP183: 9/22/2011 7:56:44 PM - Software Distribution Service 3.0
RP184: 9/25/2011 1:19:52 AM - Software Distribution Service 3.0
RP185: 9/25/2011 1:45:39 PM - Installed Windows Media Player 11
RP186: 9/25/2011 1:50:54 PM - Software Distribution Service 3.0
RP187: 9/25/2011 7:15:35 PM - Software Distribution Service 3.0
RP188: 9/26/2011 7:18:14 PM - Software Distribution Service 3.0
RP189: 9/27/2011 8:05:35 PM - Software Distribution Service 3.0
RP190: 9/28/2011 7:44:17 PM - Software Distribution Service 3.0
RP191: 9/29/2011 9:31:53 PM - Software Distribution Service 3.0
RP192: 10/1/2011 7:49:26 PM - Software Distribution Service 3.0
RP193: 10/2/2011 8:42:37 PM - Software Distribution Service 3.0
RP194: 10/4/2011 5:59:09 PM - Software Distribution Service 3.0
RP195: 10/5/2011 6:23:12 PM - Software Distribution Service 3.0
RP196: 10/6/2011 8:12:50 PM - Software Distribution Service 3.0
RP197: 10/7/2011 8:29:54 PM - Software Distribution Service 3.0
RP198: 10/9/2011 5:23:56 PM - System Checkpoint
RP199: 10/9/2011 11:18:45 PM - Software Distribution Service 3.0
RP200: 10/10/2011 8:51:18 AM - Restore Operation
RP201: 10/10/2011 9:01:06 AM - Software Distribution Service 3.0
RP202: 10/12/2011 1:20:01 PM - Software Distribution Service 3.0
RP203: 10/12/2011 5:56:33 PM - Software Distribution Service 3.0
RP204: 10/15/2011 4:27:04 PM - Software Distribution Service 3.0
RP205: 10/17/2011 7:04:20 PM - Software Distribution Service 3.0
RP206: 10/19/2011 5:41:50 PM - Software Distribution Service 3.0
RP207: 10/20/2011 6:30:11 PM - System Checkpoint
RP208: 10/21/2011 7:57:49 PM - Software Distribution Service 3.0
RP209: 10/22/2011 2:05:52 AM - Software Distribution Service 3.0
RP210: 10/23/2011 5:22:48 AM - Software Distribution Service 3.0
RP211: 10/24/2011 6:16:42 PM - Software Distribution Service 3.0
RP212: 10/25/2011 6:49:45 PM - System Checkpoint
RP213: 10/26/2011 1:21:44 AM - Software Distribution Service 3.0
RP214: 10/27/2011 5:33:58 PM - Software Distribution Service 3.0
RP215: 10/30/2011 1:47:45 AM - Software Distribution Service 3.0
RP216: 10/31/2011 7:53:41 PM - Software Distribution Service 3.0
RP217: 11/2/2011 5:51:10 PM - Software Distribution Service 3.0
RP218: 11/3/2011 6:40:17 PM - Software Distribution Service 3.0
RP219: 11/5/2011 2:44:53 AM - Software Distribution Service 3.0
RP220: 11/6/2011 11:09:18 AM - Software Distribution Service 3.0
RP221: 11/7/2011 6:43:00 PM - Software Distribution Service 3.0
RP222: 11/9/2011 6:15:17 PM - Software Distribution Service 3.0
RP223: 11/10/2011 5:49:10 PM - Software Distribution Service 3.0
RP224: 11/12/2011 5:46:42 PM - Software Distribution Service 3.0
RP225: 11/12/2011 5:56:38 PM - Software Distribution Service 3.0
RP226: 11/13/2011 6:16:29 PM - System Checkpoint
RP227: 11/14/2011 3:21:58 AM - Software Distribution Service 3.0
RP228: 11/15/2011 6:02:18 AM - Software Distribution Service 3.0
RP229: 11/16/2011 6:53:27 AM - System Checkpoint
RP230: 11/16/2011 7:29:36 PM - Software Distribution Service 3.0
RP231: 11/17/2011 7:53:37 PM - System Checkpoint
RP232: 11/18/2011 6:39:05 AM - Software Distribution Service 3.0
RP233: 11/19/2011 8:39:21 AM - Software Distribution Service 3.0
RP234: 11/20/2011 8:49:00 AM - Software Distribution Service 3.0
RP235: 11/21/2011 5:42:16 PM - Software Distribution Service 3.0
RP236: 11/22/2011 6:08:31 PM - Software Distribution Service 3.0
RP237: 11/24/2011 8:34:05 AM - Software Distribution Service 3.0
RP238: 11/24/2011 5:02:23 PM - Software Distribution Service 3.0
.
==== Installed Programs ======================
.
Adobe Flash Player 10 ActiveX
Adobe Reader X (10.0.1)
Adobe Reader X (10.1.1)
Google Chrome
Google Earth
Google Update Helper
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB2443685)
Hotfix for Windows XP (KB2570791)
Hotfix for Windows XP (KB952287)
ImgBurn
Java Auto Updater
Java™ 6 Update 26
K-Lite Codec Pack 7.1.0 (Full)
Malwarebytes' Anti-Malware version 1.51.2.1300
Microsoft Antimalware
Microsoft Application Error Reporting
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Security Client
Microsoft Security Essentials
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
OpenOffice.org 3.3
Rocketfish 2.4G Wireless Combo
Security Update for Microsoft Windows (KB2564958)
Security Update for Windows Internet Explorer 8 (KB2482017)
Security Update for Windows Internet Explorer 8 (KB2497640)
Security Update for Windows Internet Explorer 8 (KB2510531)
Security Update for Windows Internet Explorer 8 (KB2530548)
Security Update for Windows Internet Explorer 8 (KB2544521)
Security Update for Windows Internet Explorer 8 (KB2559049)
Security Update for Windows Internet Explorer 8 (KB2586448)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2121546)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB2393802)
Security Update for Windows XP (KB2412687)
Security Update for Windows XP (KB2419632)
Security Update for Windows XP (KB2423089)
Security Update for Windows XP (KB2440591)
Security Update for Windows XP (KB2443105)
Security Update for Windows XP (KB2476490)
Security Update for Windows XP (KB2476687)
Security Update for Windows XP (KB2478960)
Security Update for Windows XP (KB2478971)
Security Update for Windows XP (KB2479943)
Security Update for Windows XP (KB2481109)
Security Update for Windows XP (KB2483185)
Security Update for Windows XP (KB2485663)
Security Update for Windows XP (KB2497640)
Security Update for Windows XP (KB2503658)
Security Update for Windows XP (KB2503665)
Security Update for Windows XP (KB2506212)
Security Update for Windows XP (KB2506223)
Security Update for Windows XP (KB2507618)
Security Update for Windows XP (KB2507938)
Security Update for Windows XP (KB2508272)
Security Update for Windows XP (KB2508429)
Security Update for Windows XP (KB2509553)
Security Update for Windows XP (KB2510581)
Security Update for Windows XP (KB2511455)
Security Update for Windows XP (KB2524375)
Security Update for Windows XP (KB2535512)
Security Update for Windows XP (KB2536276-v2)
Security Update for Windows XP (KB2536276)
Security Update for Windows XP (KB2544893-v2)
Security Update for Windows XP (KB2544893)
Security Update for Windows XP (KB2555917)
Security Update for Windows XP (KB2562937)
Security Update for Windows XP (KB2566454)
Security Update for Windows XP (KB2567053)
Security Update for Windows XP (KB2567680)
Security Update for Windows XP (KB2570222)
Security Update for Windows XP (KB2570947)
Security Update for Windows XP (KB2592799)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982665)
Update for Windows Internet Explorer 8 (KB2447568)
Update for Windows XP (KB2345886)
Update for Windows XP (KB2467659)
Update for Windows XP (KB2541763)
Update for Windows XP (KB2607712)
Update for Windows XP (KB2616676)
Update for Windows XP (KB2641690)
Update for Windows XP (KB898461)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971029)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
VIA Rhine-Family Fast Ethernet Adapter
VLC media player 1.1.9
WebFldrs XP
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 8
Windows Media Format 11 runtime
Windows Media Player 11
.
==== Event Viewer Messages From Past Week ========
.
11/25/2011 3:25:04 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service MSIServer with arguments "" in order to run the server: {000C101C-0000-0000-C000-000000000046}
11/24/2011 8:31:49 PM, error: Microsoft Antimalware [1119] - Microsoft Antimalware has encountered a critical error when taking action on malware or other potentially unwanted software. For more information please see the following: http://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:DOS/Alureon.E&threatid=2147650952 Name: Trojan:DOS/Alureon.E ID: 2147650952 Severity: Severe Category: Trojan Path: boot:_\\.\PHYSICALDRIVE0\Partition1 (Type 17) Detection Origin: Local machine Detection Type: Concrete Detection Source: User User: OWNER-69DF6A62A\Administrator Process Name: Unknown Action: Remove Action Status: To finish removing malware and other potentially unwanted software, restart the computer. To see how to finish removing malware and other potentially unwanted software, see the support article on the Microsoft Security website. Error Code: 0x800704ec Error description: Windows cannot open this program because it has been prevented by a software restriction policy. For more information, open Event Viewer or contact your system administrator. Signature Version: AV: 1.115.2549.0, AS: 1.115.2549.0, NIS: 0.0.0.0 Engine Version: AM: 1.1.7801.0, NIS: 0.0.0.0
11/24/2011 8:31:49 PM, error: Microsoft Antimalware [1119] - Microsoft Antimalware has encountered a critical error when taking action on malware or other potentially unwanted software. For more information please see the following: http://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:DOS/Alureon.E&threatid=2147650952 Name: Trojan:DOS/Alureon.E ID: 2147650952 Severity: Severe Category: Trojan Path: boot:_\\.\PHYSICALDRIVE0\Partition1 (Type 17) Detection Origin: Local machine Detection Type: Concrete Detection Source: User User: OWNER-69DF6A62A\Administrator Process Name: Unknown Action: Quarantine Action Status: To finish removing malware and other potentially unwanted software, restart the computer. To see how to finish removing malware and other potentially unwanted software, see the support article on the Microsoft Security website. Error Code: 0x80070032 Error description: The request is not supported. Signature Version: AV: 1.115.2549.0, AS: 1.115.2549.0, NIS: 0.0.0.0 Engine Version: AM: 1.1.7801.0, NIS: 0.0.0.0
11/24/2011 6:34:43 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}
11/24/2011 5:52:34 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AmdK7 Fips MpFilter
11/24/2011 5:41:28 PM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000243' while processing the file 'System Fix' on the volume 'HarddiskVolume1'. It has stopped monitoring the volume.
11/24/2011 5:23:24 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD AmdK7 Fips IPSec MpFilter MRxSmb NetBIOS NetBT RasAcd Rdbss Tcpip
11/24/2011 5:23:24 PM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.
11/24/2011 5:23:24 PM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
11/24/2011 5:23:24 PM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
11/24/2011 5:23:24 PM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
11/24/2011 5:23:07 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
11/24/2011 5:22:31 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
.
==== End Of File ===========================

Edited by miss_october, 26 November 2011 - 03:47 PM.
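The DDS and Event Viewer output in the post above carries several machine-readable signals that a helper reads before anything else: the AV line flagged *Disabled*, a per-user Policies\System entry (the key DisableTaskMgr lives under), hidden attributes on files under system32, and two Microsoft Antimalware 1119 events reporting Trojan:DOS/Alureon.E in the boot sector of PHYSICALDRIVE0 whose cleanup failed (0x800704ec, blocked by a software restriction policy, and 0x80070032, not supported). The script below is an added example, not part of the original post and not a BleepingComputer or DDS tool; it runs that triage over a constructed excerpt modelled on the posted log. The regular expressions, the HRESULT table and the severity ranking are the example's own assumptions about the DDS layout, not a specification of it.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed excerpt modelled on the DDS and Event Viewer lines posted above
# (paths shortened, the two 1119 events trimmed); sample input, not the
# poster's actual log.
SAMPLE_LOG = r"""
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
uPolicies-system: <NO NAME> = 0
2011-11-26 18:46:27 157 ----a-w- C:\Fakesysdef_unhide.cmd
2011-11-25 21:32:27 -------- d-sh--w- c:\documents and settings\administrator\IECompatCache
2011-11-24 15:07:07 319488 ---ha-r- c:\windows\system32\XMOUSE.CPL
2011-10-10 14:22:41 692736 ---ha-w- c:\windows\system32\inetcomm.dll
11/24/2011 8:31:49 PM, error: Microsoft Antimalware [1119] - Microsoft Antimalware has encountered a critical error when taking action on malware. Name: Trojan:DOS/Alureon.E ID: 2147650952 Severity: Severe Category: Trojan Path: boot:_\\.\PHYSICALDRIVE0\Partition1 (Type 17) Detection Origin: Local machine Action: Remove Action Status: restart the computer. Error Code: 0x800704ec Error description: Windows cannot open this program because it has been prevented by a software restriction policy.
11/24/2011 8:31:49 PM, error: Microsoft Antimalware [1119] - Microsoft Antimalware has encountered a critical error when taking action on malware. Name: Trojan:DOS/Alureon.E ID: 2147650952 Severity: Severe Category: Trojan Path: boot:_\\.\PHYSICALDRIVE0\Partition1 (Type 17) Detection Origin: Local machine Action: Quarantine Action Status: restart the computer. Error Code: 0x80070032 Error description: The request is not supported.
11/24/2011 5:41:28 PM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000243' while processing the file 'System Fix' on the volume 'HarddiskVolume1'. It has stopped monitoring the volume.
"""

# Assumed layouts (example's own): "AV: <name> *<state>* {guid}", DDS file rows
# "<date> <time> <size> <8-char attrs> <path>", and the one-line 1119 event text.
AV_RE = re.compile(r"^AV: (?P<name>.+?) \*(?P<state>[^*]+)\* \{", re.M)
FILE_RE = re.compile(
    r"^\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\s+\S+\s+(?P<attr>[-a-z]{8})\s+(?P<path>.+?)\s*$", re.M)
EVENT_RE = re.compile(
    r"Microsoft Antimalware \[1119\].*?Name: (?P<threat>\S+) .*?"
    r"Path: (?P<path>.+?) Detection Origin.*?Action: (?P<action>\w+) .*?"
    r"Error Code: (?P<code>0x[0-9A-Fa-f]+)")
SR_RE = re.compile(r"error: sr \[1\] .*? file '(?P<file>[^']+)'")

# Win32 error codes seen in the posted events (low 16 bits of a FACILITY_WIN32 HRESULT).
WIN32_ERRORS = {
    0x032: "ERROR_NOT_SUPPORTED",
    0x4EC: "ERROR_ACCESS_DISABLED_BY_POLICY (a software restriction policy blocked the action)",
}
SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2, "low": 3}


@dataclass
class Finding:
    severity: str
    detail: str


def describe_hresult(code: int) -> str:
    """Name an HRESULT; FACILITY_WIN32 (7) wraps a Win32 error in the low 16 bits."""
    if code & 0x80000000 and ((code >> 16) & 0x7FFF) == 7:
        return WIN32_ERRORS.get(code & 0xFFFF, f"Win32 error {code & 0xFFFF}")
    return f"HRESULT 0x{code:08X}"


def av_products(log: str) -> list[tuple[str, str]]:
    return [(m["name"], m["state"]) for m in AV_RE.finditer(log)]


def hidden_entries(log: str) -> list[str]:
    """Paths whose DDS attribute string carries the hidden flag (4th column, e.g. d-sh--w-)."""
    return [m["path"] for m in FILE_RE.finditer(log) if m["attr"][3] == "h"]


def antimalware_failures(log: str) -> list[dict]:
    """One record per Microsoft Antimalware 1119 (remediation failed) event."""
    return [{"threat": m["threat"], "path": m["path"], "action": m["action"],
             "code": int(m["code"], 16)} for m in EVENT_RE.finditer(log)]


def triage(log: str) -> list[Finding]:
    findings: list[Finding] = []
    for name, state in av_products(log):
        if "Disabled" in state:
            findings.append(Finding("high", f"{name} reports {state}"))
    if re.search(r"^uPolicies-system:", log, re.M):
        findings.append(Finding("medium",
            "HKCU\\...\\Policies\\System has values set; DisableTaskMgr lives under this key"))
    hidden = hidden_entries(log)
    sys_hidden = [p for p in hidden if "\\windows\\system32\\" in p.lower()]
    if sys_hidden:
        findings.append(Finding("medium",
            f"{len(sys_hidden)} of {len(hidden)} hidden entries sit under system32 "
            "(consistent with a mass attrib +h, which is what the unhide .cmd reverts)"))
    for ev in antimalware_failures(log):
        # A detection in the boot sector that the AV could not remediate outranks
        # the rogue-AV symptoms: it survives user-mode cleanup.
        sev = "critical" if ev["path"].startswith("boot:") else "high"
        findings.append(Finding(sev,
            f"{ev['threat']} at {ev['path']}: {ev['action']} failed, {describe_hresult(ev['code'])}"))
    m = SR_RE.search(log)
    if m:
        findings.append(Finding("medium",
            f"System Restore filter stopped monitoring the volume after hitting '{m['file']}'"))
    return sorted(findings, key=lambda f: SEVERITY_ORDER[f.severity])


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:8}] {f.detail}")
```

Run it as a script to see the ranked findings; to triage a real log, read the DDS and Attach output into a string and pass it to `triage()`. The boot-sector rule is the point of the exercise: the 1119 events show MSE detecting the threat but failing to remove it, which is exactly the situation a GMER log (the one the poster cannot save) is requested to confirm.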



#2 HelpBot

HelpBot

    Bleepin' Binary Bot


  • Bots
  • 12,604 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:08:28 AM

Posted 01 December 2011 - 03:40 PM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/429434 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new DDS and GMER log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


We also need a new log from the GMER anti-rootkit Scanner.

Please note that if you are running a 64-bit version of Windows you will not be able to run GMER and you may skip this step.

Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice


Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#3 miss_october

  • Topic Starter

  • Members
  • 16 posts

Posted 01 December 2011 - 08:14 PM

As requested by the autobot reply, here are my logs again. I still am unable to create the GMER log. It runs, but I cannot access the save button in order to get the log. I am still in need of help. Here is all the info again as requested by helpbot:

Hi there. I have been sent here after running logs. Everything has run fine. The problem I am at right now is that after running GMER I cannot access the save button to save the log. It is there, but it is just beyond the bottom of the screen so I cannot access it. I have tried using a shortcut key, but that is not working. Is there a way around this? I also have tried changing my screen resolution, but that did not work. I am in safe mode as nothing is visible in regular mode.

Original post in other thread: Hello, I came home from Thanksgiving dinner last night. My dad says something is wrong with the computer, then admits to having been surfing for porn. So I have found that we have a trojanwin32fakesys infection. The desktop has nothing on it any more. I have been able to boot in safe mode and run the Microsoft security program as well as Malwarebytes and rkill and TDSSKiller. I have the .cmd file to unhide files, which has worked in safe mode only. My friend had me install ComboFix and told me to come here and ask for help. I am using an XP machine.

The only real details I have are that it put up a bunch of error messages, which are fake, then it asked him to run this check on the comp, then listed errors saying there was a bad hard drive, bad memory, etc., then asked him to purchase a full version to fix it. My dad says he didn't try to purchase anything, just turned the comp off. The virus protection has been disabled. We use Chrome so I have no idea if it has done anything to IE. But if I am not in safe mode we can't access any programs anyway. Any advice would be greatly appreciated.


Right now I do have the DDS and Attach logs. The main thing going on right now is that in regular mode there is nothing there. Under the start menu I don't even have the option to Run. The task manager was disabled, as well as all programs hidden and files hidden. The errors that were showing up are gone. They were the typical fake security scan with an option to purchase, claiming problems with different hardware in the computer, followed by a pop-up with an error along the lines of what is shown in the screenshots here: http://www.microsoft.com/security/portal/threat/encyclopedia/Entry.aspx?Name=Trojan:Win32/FakeSysdef. Hope this is helpful info.

The main issue right now, though, is not being able to scroll down to get the GMER log saved. Is it because of a wide screen monitor? Should I try using a different monitor? I have been following the prep guide before coming here.


Logs that I have:
DDS:

.
DDS (Ver_2011-08-26.01) - NTFSx86 NETWORK
Internet Explorer: 8.0.6001.18702
Run by Administrator at 13:01:24 on 2011-11-26
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.479.216 [GMT -6:00]
.
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
.
============== Pseudo HJT Report ===============
.
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 10.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [Mouse Suite 98 Daemon] c:\program files\rocketfish 2.4g wireless combo\ICO.EXE
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
uPolicies-system: <NO NAME> = 0
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
TCP: DhcpNameServer = 192.168.10.1
TCP: Interfaces\{ED1E9243-895F-4CE2-B9D0-4D649D89E307} : DhcpNameServer = 192.168.10.1
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
============= SERVICES / DRIVERS ===============
.
R3 BCMH43XX;Broadcom 802.11 USB Network Adapter Driver;c:\windows\system32\drivers\bcmwlhigh5.sys [2011-6-28 642432]
S1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2011-4-18 165648]
S1 MpKsl1f729eb4;MpKsl1f729eb4;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{c998c849-f171-4acf-9695-04fcda1e941f}\mpksl1f729eb4.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{c998c849-f171-4acf-9695-04fcda1e941f}\MpKsl1f729eb4.sys [?]
S1 MpKsl29fffd84;MpKsl29fffd84;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{bb5a0d8e-4dbb-4c83-9483-2852f7e30c6f}\mpksl29fffd84.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{bb5a0d8e-4dbb-4c83-9483-2852f7e30c6f}\MpKsl29fffd84.sys [?]
S1 MpKsl2bff2090;MpKsl2bff2090;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{f0694e54-6733-47f1-aa3b-a7bf38db6144}\mpksl2bff2090.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{f0694e54-6733-47f1-aa3b-a7bf38db6144}\MpKsl2bff2090.sys [?]
S1 MpKsleec33482;MpKsleec33482;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{ac9ab7d2-7dba-47c5-99dc-8f604dff22bf}\mpksleec33482.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{ac9ab7d2-7dba-47c5-99dc-8f604dff22bf}\MpKsleec33482.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2011-4-27 136176]
S2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-11-24 366152]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2011-4-27 136176]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-11-24 22216]
.
=============== Created Last 30 ================
.
2011-11-26 18:52:27 56200 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{1bbbcba7-2421-4935-8be2-e81f282ea852}\offreg.dll
2011-11-26 18:46:27 157 ----a-w- C:\Fakesysdef_unhide.cmd
2011-11-25 21:32:27 -------- d-sh--w- c:\documents and settings\administrator\IECompatCache
2011-11-25 21:32:06 -------- d-sh--w- c:\documents and settings\administrator\PrivacIE
2011-11-25 20:48:04 -------- d-sha-r- C:\cmdcons
2011-11-25 20:44:01 98816 ----a-w- c:\windows\sed.exe
2011-11-25 20:44:01 518144 ----a-w- c:\windows\SWREG.exe
2011-11-25 20:44:01 256000 ----a-w- c:\windows\PEV.exe
2011-11-25 20:44:01 208896 ----a-w- c:\windows\MBR.exe
2011-11-25 00:39:24 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-11-25 00:39:24 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-11-25 00:00:23 -------- d-----w- c:\documents and settings\administrator\application data\Malwarebytes
2011-11-25 00:00:17 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2011-11-24 23:44:23 -------- d-----w- c:\documents and settings\administrator\local settings\application data\Google
2011-11-24 23:24:02 -------- d-sh--w- c:\documents and settings\administrator\IETldCache
2011-11-24 23:02:53 357106 ----a-w- c:\windows\system32\PerfStringBackup.TMP
2011-11-24 23:02:46 6668624 ---ha-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{1bbbcba7-2421-4935-8be2-e81f282ea852}\mpengine.dll
2011-11-24 15:07:07 319488 ---ha-r- c:\windows\system32\XMOUSE.CPL
2011-11-24 15:07:07 24576 ---ha-w- c:\windows\system32\drivers\pelusblf.sys
2011-11-24 15:07:07 19456 ---ha-w- c:\windows\system32\drivers\PELMOUSE.SYS
2011-11-18 18:44:42 19456 ---ha-w- c:\windows\PELMOUSE.SYS
2011-11-18 18:44:27 -------- d--h--w- c:\program files\Rocketfish 2.4G Wireless Combo
2011-11-18 18:44:06 69632 ---ha-r- c:\windows\setupnt.exe
2011-11-18 18:43:48 -------- d--h--w- c:\windows\ms98
.
==================== Find3M ====================
.
2011-10-10 14:22:41 692736 ---ha-w- c:\windows\system32\inetcomm.dll
2011-09-28 07:06:50 599040 ---ha-w- c:\windows\system32\crypt32.dll
2011-09-26 16:41:20 611328 ---h--w- c:\windows\system32\uiautomationcore.dll
2011-09-26 16:41:20 220160 ---ha-w- c:\windows\system32\oleacc.dll
2011-09-26 16:41:14 20480 ---ha-w- c:\windows\system32\oleaccrc.dll
2011-09-06 13:20:51 1858944 ---ha-w- c:\windows\system32\win32k.sys
.
============= FINISH: 13:01:55.21 ===============


Attach:
.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume1
Install Date: 4/15/2011 3:32:05 PM
System Uptime: 11/26/2011 12:51:50 PM (1 hours ago)
.
Motherboard: ECS | | K7VMM+
Processor: AMD Athlon™ XP 2400+ | Socket-A | 2000/133mhz
.
==== Disk Partitions =========================
.
A: is Removable
C: is FIXED (NTFS) - 34 GiB total, 20.817 GiB free.
D: is CDROM ()
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
RP157: 8/23/2011 7:19:41 PM - System Checkpoint
RP158: 8/24/2011 7:19:16 PM - Software Distribution Service 3.0
RP159: 8/24/2011 9:26:58 PM - Software Distribution Service 3.0
RP160: 8/25/2011 10:07:40 PM - Software Distribution Service 3.0
RP161: 8/28/2011 7:39:23 AM - Software Distribution Service 3.0
RP162: 8/29/2011 5:46:04 PM - Software Distribution Service 3.0
RP163: 8/30/2011 7:33:21 PM - Software Distribution Service 3.0
RP164: 9/1/2011 5:49:43 PM - Software Distribution Service 3.0
RP165: 9/2/2011 6:52:05 PM - Software Distribution Service 3.0
RP166: 9/4/2011 6:46:00 AM - Software Distribution Service 3.0
RP167: 9/5/2011 11:05:08 AM - Software Distribution Service 3.0
RP168: 9/6/2011 5:58:58 PM - Software Distribution Service 3.0
RP169: 9/6/2011 8:59:11 PM - Software Distribution Service 3.0
RP170: 9/8/2011 6:05:34 PM - Software Distribution Service 3.0
RP171: 9/9/2011 6:20:04 PM - System Checkpoint
RP172: 9/10/2011 12:25:54 AM - Software Distribution Service 3.0
RP173: 9/11/2011 8:56:42 AM - Software Distribution Service 3.0
RP174: 9/12/2011 6:35:36 PM - Software Distribution Service 3.0
RP175: 9/13/2011 6:43:20 PM - Software Distribution Service 3.0
RP176: 9/13/2011 10:04:49 PM - Software Distribution Service 3.0
RP177: 9/15/2011 7:18:38 PM - Software Distribution Service 3.0
RP178: 9/16/2011 7:52:04 PM - Software Distribution Service 3.0
RP179: 9/18/2011 10:53:13 AM - Software Distribution Service 3.0
RP180: 9/19/2011 5:53:05 PM - Software Distribution Service 3.0
RP181: 9/20/2011 1:58:58 AM - Software Distribution Service 3.0
RP182: 9/21/2011 6:45:29 PM - Software Distribution Service 3.0
RP183: 9/22/2011 7:56:44 PM - Software Distribution Service 3.0
RP184: 9/25/2011 1:19:52 AM - Software Distribution Service 3.0
RP185: 9/25/2011 1:45:39 PM - Installed Windows Media Player 11
RP186: 9/25/2011 1:50:54 PM - Software Distribution Service 3.0
RP187: 9/25/2011 7:15:35 PM - Software Distribution Service 3.0
RP188: 9/26/2011 7:18:14 PM - Software Distribution Service 3.0
RP189: 9/27/2011 8:05:35 PM - Software Distribution Service 3.0
RP190: 9/28/2011 7:44:17 PM - Software Distribution Service 3.0
RP191: 9/29/2011 9:31:53 PM - Software Distribution Service 3.0
RP192: 10/1/2011 7:49:26 PM - Software Distribution Service 3.0
RP193: 10/2/2011 8:42:37 PM - Software Distribution Service 3.0
RP194: 10/4/2011 5:59:09 PM - Software Distribution Service 3.0
RP195: 10/5/2011 6:23:12 PM - Software Distribution Service 3.0
RP196: 10/6/2011 8:12:50 PM - Software Distribution Service 3.0
RP197: 10/7/2011 8:29:54 PM - Software Distribution Service 3.0
RP198: 10/9/2011 5:23:56 PM - System Checkpoint
RP199: 10/9/2011 11:18:45 PM - Software Distribution Service 3.0
RP200: 10/10/2011 8:51:18 AM - Restore Operation
RP201: 10/10/2011 9:01:06 AM - Software Distribution Service 3.0
RP202: 10/12/2011 1:20:01 PM - Software Distribution Service 3.0
RP203: 10/12/2011 5:56:33 PM - Software Distribution Service 3.0
RP204: 10/15/2011 4:27:04 PM - Software Distribution Service 3.0
RP205: 10/17/2011 7:04:20 PM - Software Distribution Service 3.0
RP206: 10/19/2011 5:41:50 PM - Software Distribution Service 3.0
RP207: 10/20/2011 6:30:11 PM - System Checkpoint
RP208: 10/21/2011 7:57:49 PM - Software Distribution Service 3.0
RP209: 10/22/2011 2:05:52 AM - Software Distribution Service 3.0
RP210: 10/23/2011 5:22:48 AM - Software Distribution Service 3.0
RP211: 10/24/2011 6:16:42 PM - Software Distribution Service 3.0
RP212: 10/25/2011 6:49:45 PM - System Checkpoint
RP213: 10/26/2011 1:21:44 AM - Software Distribution Service 3.0
RP214: 10/27/2011 5:33:58 PM - Software Distribution Service 3.0
RP215: 10/30/2011 1:47:45 AM - Software Distribution Service 3.0
RP216: 10/31/2011 7:53:41 PM - Software Distribution Service 3.0
RP217: 11/2/2011 5:51:10 PM - Software Distribution Service 3.0
RP218: 11/3/2011 6:40:17 PM - Software Distribution Service 3.0
RP219: 11/5/2011 2:44:53 AM - Software Distribution Service 3.0
RP220: 11/6/2011 11:09:18 AM - Software Distribution Service 3.0
RP221: 11/7/2011 6:43:00 PM - Software Distribution Service 3.0
RP222: 11/9/2011 6:15:17 PM - Software Distribution Service 3.0
RP223: 11/10/2011 5:49:10 PM - Software Distribution Service 3.0
RP224: 11/12/2011 5:46:42 PM - Software Distribution Service 3.0
RP225: 11/12/2011 5:56:38 PM - Software Distribution Service 3.0
RP226: 11/13/2011 6:16:29 PM - System Checkpoint
RP227: 11/14/2011 3:21:58 AM - Software Distribution Service 3.0
RP228: 11/15/2011 6:02:18 AM - Software Distribution Service 3.0
RP229: 11/16/2011 6:53:27 AM - System Checkpoint
RP230: 11/16/2011 7:29:36 PM - Software Distribution Service 3.0
RP231: 11/17/2011 7:53:37 PM - System Checkpoint
RP232: 11/18/2011 6:39:05 AM - Software Distribution Service 3.0
RP233: 11/19/2011 8:39:21 AM - Software Distribution Service 3.0
RP234: 11/20/2011 8:49:00 AM - Software Distribution Service 3.0
RP235: 11/21/2011 5:42:16 PM - Software Distribution Service 3.0
RP236: 11/22/2011 6:08:31 PM - Software Distribution Service 3.0
RP237: 11/24/2011 8:34:05 AM - Software Distribution Service 3.0
RP238: 11/24/2011 5:02:23 PM - Software Distribution Service 3.0
.
==== Installed Programs ======================
.
Adobe Flash Player 10 ActiveX
Adobe Reader X (10.0.1)
Adobe Reader X (10.1.1)
Google Chrome
Google Earth
Google Update Helper
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB2443685)
Hotfix for Windows XP (KB2570791)
Hotfix for Windows XP (KB952287)
ImgBurn
Java Auto Updater
Java™ 6 Update 26
K-Lite Codec Pack 7.1.0 (Full)
Malwarebytes' Anti-Malware version 1.51.2.1300
Microsoft Antimalware
Microsoft Application Error Reporting
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Security Client
Microsoft Security Essentials
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
OpenOffice.org 3.3
Rocketfish 2.4G Wireless Combo
Security Update for Microsoft Windows (KB2564958)
Security Update for Windows Internet Explorer 8 (KB2482017)
Security Update for Windows Internet Explorer 8 (KB2497640)
Security Update for Windows Internet Explorer 8 (KB2510531)
Security Update for Windows Internet Explorer 8 (KB2530548)
Security Update for Windows Internet Explorer 8 (KB2544521)
Security Update for Windows Internet Explorer 8 (KB2559049)
Security Update for Windows Internet Explorer 8 (KB2586448)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2121546)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB2393802)
Security Update for Windows XP (KB2412687)
Security Update for Windows XP (KB2419632)
Security Update for Windows XP (KB2423089)
Security Update for Windows XP (KB2440591)
Security Update for Windows XP (KB2443105)
Security Update for Windows XP (KB2476490)
Security Update for Windows XP (KB2476687)
Security Update for Windows XP (KB2478960)
Security Update for Windows XP (KB2478971)
Security Update for Windows XP (KB2479943)
Security Update for Windows XP (KB2481109)
Security Update for Windows XP (KB2483185)
Security Update for Windows XP (KB2485663)
Security Update for Windows XP (KB2497640)
Security Update for Windows XP (KB2503658)
Security Update for Windows XP (KB2503665)
Security Update for Windows XP (KB2506212)
Security Update for Windows XP (KB2506223)
Security Update for Windows XP (KB2507618)
Security Update for Windows XP (KB2507938)
Security Update for Windows XP (KB2508272)
Security Update for Windows XP (KB2508429)
Security Update for Windows XP (KB2509553)
Security Update for Windows XP (KB2510581)
Security Update for Windows XP (KB2511455)
Security Update for Windows XP (KB2524375)
Security Update for Windows XP (KB2535512)
Security Update for Windows XP (KB2536276-v2)
Security Update for Windows XP (KB2536276)
Security Update for Windows XP (KB2544893-v2)
Security Update for Windows XP (KB2544893)
Security Update for Windows XP (KB2555917)
Security Update for Windows XP (KB2562937)
Security Update for Windows XP (KB2566454)
Security Update for Windows XP (KB2567053)
Security Update for Windows XP (KB2567680)
Security Update for Windows XP (KB2570222)
Security Update for Windows XP (KB2570947)
Security Update for Windows XP (KB2592799)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982665)
Update for Windows Internet Explorer 8 (KB2447568)
Update for Windows XP (KB2345886)
Update for Windows XP (KB2467659)
Update for Windows XP (KB2541763)
Update for Windows XP (KB2607712)
Update for Windows XP (KB2616676)
Update for Windows XP (KB2641690)
Update for Windows XP (KB898461)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971029)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
VIA Rhine-Family Fast Ethernet Adapter
VLC media player 1.1.9
WebFldrs XP
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 8
Windows Media Format 11 runtime
Windows Media Player 11
.
==== Event Viewer Messages From Past Week ========
.
11/25/2011 3:25:04 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service MSIServer with arguments "" in order to run the server: {000C101C-0000-0000-C000-000000000046}
11/24/2011 8:31:49 PM, error: Microsoft Antimalware [1119] - Microsoft Antimalware has encountered a critical error when taking action on malware or other potentially unwanted software. For more information please see the following: http://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:DOS/Alureon.E&threatid=2147650952 Name: Trojan:DOS/Alureon.E ID: 2147650952 Severity: Severe Category: Trojan Path: boot:_\\.\PHYSICALDRIVE0\Partition1 (Type 17) Detection Origin: Local machine Detection Type: Concrete Detection Source: User User: OWNER-69DF6A62A\Administrator Process Name: Unknown Action: Remove Action Status: To finish removing malware and other potentially unwanted software, restart the computer. To see how to finish removing malware and other potentially unwanted software, see the support article on the Microsoft Security website. Error Code: 0x800704ec Error description: Windows cannot open this program because it has been prevented by a software restriction policy. For more information, open Event Viewer or contact your system administrator. Signature Version: AV: 1.115.2549.0, AS: 1.115.2549.0, NIS: 0.0.0.0 Engine Version: AM: 1.1.7801.0, NIS: 0.0.0.0
11/24/2011 8:31:49 PM, error: Microsoft Antimalware [1119] - Microsoft Antimalware has encountered a critical error when taking action on malware or other potentially unwanted software. For more information please see the following: http://go.microsoft.com/fwlink/?linkid=37020&name=Trojan:DOS/Alureon.E&threatid=2147650952 Name: Trojan:DOS/Alureon.E ID: 2147650952 Severity: Severe Category: Trojan Path: boot:_\\.\PHYSICALDRIVE0\Partition1 (Type 17) Detection Origin: Local machine Detection Type: Concrete Detection Source: User User: OWNER-69DF6A62A\Administrator Process Name: Unknown Action: Quarantine Action Status: To finish removing malware and other potentially unwanted software, restart the computer. To see how to finish removing malware and other potentially unwanted software, see the support article on the Microsoft Security website. Error Code: 0x80070032 Error description: The request is not supported. Signature Version: AV: 1.115.2549.0, AS: 1.115.2549.0, NIS: 0.0.0.0 Engine Version: AM: 1.1.7801.0, NIS: 0.0.0.0
11/24/2011 6:34:43 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}
11/24/2011 5:52:34 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AmdK7 Fips MpFilter
11/24/2011 5:41:28 PM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000243' while processing the file 'System Fix' on the volume 'HarddiskVolume1'. It has stopped monitoring the volume.
11/24/2011 5:23:24 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD AmdK7 Fips IPSec MpFilter MRxSmb NetBIOS NetBT RasAcd Rdbss Tcpip
11/24/2011 5:23:24 PM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.
11/24/2011 5:23:24 PM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
11/24/2011 5:23:24 PM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
11/24/2011 5:23:24 PM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
11/24/2011 5:23:07 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
11/24/2011 5:22:31 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
.
==== End Of File ===========================

#4 oneof4

  • Malware Response Team
  • 3,779 posts
  • Gender:Male
  • Location:The Collective

Posted 02 December 2011 - 03:23 PM

Hi,

Welcome to Bleeping Computer. My name is oneof4 and I will be helping you with your log.
Please subscribe to this topic, if you haven't already. You can subscribe by clicking the Watch Topic box to the right of your topic title and selecting Immediate Notification.


Please avoid installing/uninstalling or updating any programs and attempting any unsupervised fixes or scans. This can make helping you impossible.



Please give me some time to research your logs, and I will return with instructions that will begin the process of cleaning up your infected computer.

Thanks

Best Regards,
oneof4.


#5 oneof4

  • Malware Response Team
  • 3,779 posts
  • Gender:Male
  • Location:The Collective

Posted 03 December 2011 - 06:06 PM

Hello miss_october, and welcome to the Virus/Trojan/Spyware/Malware Removal forum.

I am oneof4, and I am here to help you!

  • I ask that you refrain from running tools other than those I suggest to you while I am cleaning up your computer. The reason for this is so I know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.
  • Please perform all steps in the order received and do not proceed if you need clarification.
  • Please copy and paste all logs into your post unless directed otherwise. Please do not re-run any programs I suggest. If you encounter problems please stop and tell me about it. When your computer is clean I will alert you of such. I will also provide you with detailed suggestions for prevention.
  • At the top right-center of the topic you will see a button called Watch Topic. If you click on this, another page will open. Please choose Immediate Notification and then click on Proceed; you will be advised when we respond to your topic, which facilitates the cleaning of your machine.
  • If after 5 days you have not replied to this topic, I will assume it has been abandoned, and I will close it.
  • I would also like to inform you that most of us here at Bleeping Computer offer our expert assistance out of the goodness of our hearts. Please be courteous and appreciative for the assistance provided!
  • Again I would like to remind you to make no further changes to your computer unless I direct you to do so. Your computer fix will be based on the current condition of your computer! Any changes might delay my ability to help you.

==========

Let's see if we can first get your program icons back:

This infection family will hide all the files on your computer from being seen. To make your files visible again, please download the following program to your desktop:

Unhide.exe

Once the program has been downloaded, double-click on the Unhide.exe icon on your desktop and allow the program to run. This program will remove the +H, or hidden, attribute from all the files on your hard drives. If there are any files that were purposely hidden by you, you will need to hide them again after this tool is run.

==========

Now, I notice that you have previously run ComboFix, MalwareBytes, and TDSSKiller; could you copy and paste the logs from each into your next reply.

For ComboFix, the log should be located at C:\Combofix\ComboFix.txt

The MBAM log can be found by opening the program and clicking on the Logs tab. Scroll to the log with the most recent date, highlight it, choose Open.

For TDSSKiller, there should be a log in your root directory (C:\), with a name like this: TDSSKiller_version_date_time_log.txt (e.g. TDSSKiller.2.4.0.0_27.07.2010_09.07.26_log.txt); double-click to open it.

==========

Things I need to see in your next reply:

  • Did Unhide.exe work?
  • ComboFix.txt from your earlier run.
  • MBAM Log from your earlier run.
  • TDSSKiller Log from your earlier run.

Best Regards,
oneof4.
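
The unhide step above describes what the tool does (strip the +H attribute from every file on the drives) but not the one edge case that matters when doing it by hand: legitimate Windows files such as desktop.ini, pagefile.sys and thumbs.db are also hidden, and they carry the System (+S) attribute in addition to Hidden. A plain `attrib -h /s /d` refuses to touch those ("Not resetting system file"), and blindly clearing both bits would expose files the user never hid. The script below is an added example, not Unhide.exe and not the C:\Fakesysdef_unhide.cmd that appears in the DDS log; it clears Hidden only on entries that are not also System, writes a report of what it changed or skipped, and has a dry-run mode. It assumes PowerShell 2.0 on XP SP3; the default roots and the report path are placeholders, not values from this thread.

```powershell
# Added example, not Unhide.exe and not the C:\Fakesysdef_unhide.cmd from the DDS log.
# Clears the Hidden (+H) attribute that this rogue family sets on ordinary files,
# but skips entries that also carry the System (+S) attribute, which legitimate
# Windows files (desktop.ini, pagefile.sys, thumbs.db, ...) use and the rogue does not set.
# Assumptions: PowerShell 2.0 on XP SP3; $Roots and $ReportPath are placeholders.
param(
    [string[]]$Roots = @("$env:SystemDrive\Documents and Settings", "$env:SystemDrive\Program Files"),
    [string]$ReportPath = "$env:SystemDrive\unhide_report.txt",
    [switch]$DryRun          # list what would change without touching any attribute
)

$hiddenFlag = [System.IO.FileAttributes]::Hidden
$systemFlag = [System.IO.FileAttributes]::System
$lines = New-Object 'System.Collections.Generic.List[string]'

foreach ($root in $Roots) {
    if (-not (Test-Path -LiteralPath $root)) {
        $lines.Add("MISSING ROOT: $root")
        continue
    }
    # -Force makes Get-ChildItem return hidden entries at all; -ErrorAction keeps
    # one unreadable folder from aborting the whole walk.
    $items = Get-ChildItem -LiteralPath $root -Recurse -Force -ErrorAction SilentlyContinue
    foreach ($item in $items) {
        $attrs = $item.Attributes
        if (($attrs -band $hiddenFlag) -eq 0) { continue }      # not hidden, nothing to do
        if (($attrs -band $systemFlag) -ne 0) {                  # System+Hidden: leave it alone
            $lines.Add("SKIP (System+Hidden): $($item.FullName)")
            continue
        }
        if ($DryRun) {
            $lines.Add("WOULD UNHIDE: $($item.FullName)")
            continue
        }
        try {
            # Clear only the Hidden bit; every other attribute (Archive, ReadOnly, ...) is kept.
            $item.Attributes = $attrs -bxor $hiddenFlag
            $lines.Add("UNHID: $($item.FullName)")
        } catch {
            $lines.Add("FAILED: $($item.FullName) - $($_.Exception.Message)")
        }
    }
}

$lines | Out-File -FilePath $ReportPath -Encoding ASCII
Write-Host ("Wrote {0} report lines to {1}" -f $lines.Count, $ReportPath)
```

Run it first with `-DryRun` and read the report: every `WOULD UNHIDE` line should be a user document, program folder or shortcut, and every `SKIP` line a file Windows hides on its own. As the thread already notes for the .cmd file, run it from Safe Mode; the report doubles as a record of which paths the rogue had hidden, which is useful when reviewing what else it touched.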


#6 miss_october

  • Topic Starter

  • Members
  • 16 posts

Posted 05 December 2011 - 01:51 AM

Thank you for your response. It has been a hectic week and I almost forgot to check in on my topic! Thank goodness for the email alert. I will do what you have instructed tomorrow. I have already used the unhide.exe file; however, it has only worked in safe mode. I will get the requested logs up ASAP in the morning, and I appreciate you taking the time to help me. Hope you had a nice weekend!

#7 miss_october

  • Topic Starter

  • Members
  • 16 posts

Posted 06 December 2011 - 01:13 PM

ComboFix log:

ComboFix 11-11-25.02 - Administrator 11/25/2011 14:49:22.1.1 - x86 NETWORK
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.479.297 [GMT -6:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\system32\drivers\npf.sys
c:\windows\system32\Packet.dll
c:\windows\system32\pthreadVC.dll
c:\windows\system32\wpcap.dll
.
.
((((((((((((((((((((((((( Files Created from 2011-10-25 to 2011-11-25 )))))))))))))))))))))))))))))))
.
.
2011-11-25 20:33 . 2011-11-25 20:33 56200 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{1BBBCBA7-2421-4935-8BE2-E81F282EA852}\offreg.dll
2011-11-25 00:39 . 2011-11-25 00:39 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-11-25 00:39 . 2011-08-31 23:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-11-25 00:00 . 2011-11-25 00:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-11-24 23:21 . 2011-11-24 23:24 -------- d-----w- c:\documents and settings\Administrator
2011-11-24 23:02 . 2011-11-25 20:37 357106 ----a-w- c:\windows\system32\PerfStringBackup.TMP
2011-11-24 23:02 . 2011-10-07 03:48 6668624 ---ha-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{1BBBCBA7-2421-4935-8BE2-E81F282EA852}\mpengine.dll
2011-11-24 15:07 . 2010-03-20 17:58 319488 ---ha-r- c:\windows\system32\XMOUSE.CPL
2011-11-24 15:07 . 2010-03-17 00:09 24576 ---ha-w- c:\windows\system32\drivers\pelusblf.sys
2011-11-24 15:07 . 2010-03-17 00:08 19456 ---ha-w- c:\windows\system32\drivers\PELMOUSE.SYS
2011-11-18 18:44 . 2011-11-18 18:44 -------- dc-h--w- c:\windows\system32\DRVSTORE
2011-11-18 18:44 . 2010-03-17 00:08 19456 ---ha-w- c:\windows\PELMOUSE.SYS
2011-11-18 18:44 . 2011-11-24 15:07 -------- d--h--w- c:\program files\Rocketfish 2.4G Wireless Combo
2011-11-18 18:44 . 2009-01-16 04:08 69632 ---ha-r- c:\windows\setupnt.exe
2011-11-18 18:43 . 2011-11-24 15:08 -------- d--h--w- c:\windows\ms98
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-10-10 14:22 . 2011-04-15 20:26 692736 ---ha-w- c:\windows\system32\inetcomm.dll
2011-10-07 03:48 . 2011-04-18 22:46 6668624 ---ha-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2011-09-28 07:06 . 2008-04-14 10:41 599040 ---ha-w- c:\windows\system32\crypt32.dll
2011-09-26 16:41 . 2011-09-26 16:41 611328 ---h--w- c:\windows\system32\uiautomationcore.dll
2011-09-26 16:41 . 2001-08-18 11:00 220160 ---ha-w- c:\windows\system32\oleacc.dll
2011-09-26 16:41 . 2001-08-18 11:00 20480 ---ha-w- c:\windows\system32\oleaccrc.dll
2011-09-06 13:20 . 2008-04-14 06:00 1858944 ---ha-w- c:\windows\system32\win32k.sys
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2011-09-05 35736]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-03-30 937920]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2011-06-15 997920]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-04-08 254696]
"Mouse Suite 98 Daemon"="c:\program files\Rocketfish 2.4G Wireless Combo\ICO.EXE" [2009-07-18 61440]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-08-31 449608]
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"<NO NAME>"= 0
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Google\\Google Earth\\client\\googleearth.exe"=
.
R3 BCMH43XX;Broadcom 802.11 USB Network Adapter Driver;c:\windows\system32\drivers\bcmwlhigh5.sys [6/28/2011 5:28 PM 642432]
S1 MpKsl1f729eb4;MpKsl1f729eb4;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{C998C849-F171-4ACF-9695-04FCDA1E941F}\MpKsl1f729eb4.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{C998C849-F171-4ACF-9695-04FCDA1E941F}\MpKsl1f729eb4.sys [?]
S1 MpKsl29fffd84;MpKsl29fffd84;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{BB5A0D8E-4DBB-4C83-9483-2852F7E30C6F}\MpKsl29fffd84.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{BB5A0D8E-4DBB-4C83-9483-2852F7E30C6F}\MpKsl29fffd84.sys [?]
S1 MpKsl2bff2090;MpKsl2bff2090;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{F0694E54-6733-47F1-AA3B-A7BF38DB6144}\MpKsl2bff2090.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{F0694E54-6733-47F1-AA3B-A7BF38DB6144}\MpKsl2bff2090.sys [?]
S1 MpKsleec33482;MpKsleec33482;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{AC9AB7D2-7DBA-47C5-99DC-8F604DFF22BF}\MpKsleec33482.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{AC9AB7D2-7DBA-47C5-99DC-8F604DFF22BF}\MpKsleec33482.sys [?]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [4/27/2011 7:13 PM 136176]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [4/27/2011 7:13 PM 136176]
S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
.
Contents of the 'Scheduled Tasks' folder
.
2011-08-18 c:\windows\Tasks\Disk Cleanup.job
- c:\windows\system32\cleanmgr.exe [2008-04-14 10:42]
.
2011-11-25 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-04-28 01:13]
.
2011-11-24 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-04-28 01:13]
.
2011-11-25 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2011-04-27 20:39]
.
2011-11-25 c:\windows\Tasks\User_Feed_Synchronization-{DD013921-4FD2-4389-9612-9F2049604A2E}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 09:31]
.
.
------- Supplementary Scan -------
.
TCP: DhcpNameServer = 192.168.10.1
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-11-25 14:53
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(732)
c:\windows\system32\l3codeca.acm
c:\windows\system32\ac3acm.acm
c:\windows\system32\lameACM.acm
c:\windows\system32\IEFRAME.dll
.
Completion time: 2011-11-25 14:54:32
ComboFix-quarantined-files.txt 2011-11-25 20:54
.
Pre-Run: 21,822,038,016 bytes free
Post-Run: 22,354,718,720 bytes free
.
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
.
- - End Of File - - D56B1314D7B0BA7CBC224887161484CD


MBAM log: (though it's weird there is nothing there; it did quarantine stuff...PUM.HIJACK.TaskManager registry)


Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 8235

Windows 5.1.2600 Service Pack 3 (Safe Mode)
Internet Explorer 8.0.6001.18702

11/24/2011 6:33:19 PM
mbam-log-2011-11-24 (18-33-19).txt

Scan type: Full scan (C:\|)
Objects scanned: 43519
Time elapsed: 6 minute(s), 49 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


TDSSKiller:

19:55:29.0159 1588 TDSS rootkit removing tool 2.6.21.0 Nov 24 2011 12:32:44
19:55:30.0080 1588 ============================================================
19:55:30.0080 1588 Current date / time: 2011/11/24 19:55:30.0080
19:55:30.0080 1588 SystemInfo:
19:55:30.0080 1588
19:55:30.0080 1588 OS Version: 5.1.2600 ServicePack: 3.0
19:55:30.0080 1588 Product type: Workstation
19:55:30.0080 1588 ComputerName: OWNER-69DF6A62A
19:55:30.0080 1588 UserName: Administrator
19:55:30.0080 1588 Windows directory: C:\WINDOWS
19:55:30.0080 1588 System windows directory: C:\WINDOWS
19:55:30.0080 1588 Processor architecture: Intel x86
19:55:30.0080 1588 Number of processors: 1
19:55:30.0080 1588 Page size: 0x1000
19:55:30.0080 1588 Boot type: Safe boot with network
19:55:30.0080 1588 ============================================================
19:55:34.0216 1588 Initialize success
20:32:26.0517 0696 ============================================================
20:32:26.0517 0696 Scan started
20:32:26.0517 0696 Mode: Manual;
20:32:26.0517 0696 ============================================================
20:32:27.0899 0696 Abiosdsk - ok
20:32:27.0999 0696 abp480n5 - ok
20:32:28.0129 0696 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
20:32:28.0139 0696 ACPI - ok
20:32:28.0250 0696 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
20:32:28.0250 0696 ACPIEC - ok
20:32:28.0350 0696 adpu160m - ok
20:32:28.0440 0696 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
20:32:28.0450 0696 aec - ok
20:32:28.0570 0696 AFD (1e44bc1e83d8fd2305f8d452db109cf9) C:\WINDOWS\System32\drivers\afd.sys
20:32:28.0580 0696 AFD - ok
20:32:28.0680 0696 Aha154x - ok
20:32:28.0760 0696 aic78u2 - ok
20:32:28.0840 0696 aic78xx - ok
20:32:28.0961 0696 AliIde - ok
20:32:29.0051 0696 AmdK7 (8fce268cdbdd83b23419d1f35f42c7b1) C:\WINDOWS\system32\DRIVERS\amdk7.sys
20:32:29.0061 0696 AmdK7 - ok
20:32:29.0121 0696 amsint - ok
20:32:29.0211 0696 asc - ok
20:32:29.0271 0696 asc3350p - ok
20:32:29.0351 0696 asc3550 - ok
20:32:29.0421 0696 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
20:32:29.0421 0696 AsyncMac - ok
20:32:29.0511 0696 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
20:32:29.0521 0696 atapi - ok
20:32:29.0601 0696 Atdisk - ok
20:32:29.0722 0696 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
20:32:29.0732 0696 Atmarpc - ok
20:32:29.0832 0696 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
20:32:29.0842 0696 audstub - ok
20:32:29.0992 0696 BCMH43XX (b770039886598aab7cf5eaeec2409e31) C:\WINDOWS\system32\DRIVERS\bcmwlhigh5.sys
20:32:30.0032 0696 BCMH43XX - ok
20:32:30.0132 0696 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
20:32:30.0132 0696 Beep - ok
20:32:30.0292 0696 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
20:32:30.0292 0696 cbidf2k - ok
20:32:30.0373 0696 cd20xrnt - ok
20:32:30.0443 0696 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
20:32:30.0443 0696 Cdaudio - ok
20:32:30.0503 0696 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
20:32:30.0503 0696 Cdfs - ok
20:32:30.0593 0696 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
20:32:30.0603 0696 Cdrom - ok
20:32:30.0663 0696 Changer - ok
20:32:30.0773 0696 CmdIde - ok
20:32:30.0893 0696 Cpqarray - ok
20:32:30.0943 0696 dac2w2k - ok
20:32:31.0013 0696 dac960nt - ok
20:32:31.0144 0696 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
20:32:31.0144 0696 Disk - ok
20:32:31.0294 0696 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
20:32:31.0324 0696 dmboot - ok
20:32:31.0434 0696 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
20:32:31.0434 0696 dmio - ok
20:32:31.0544 0696 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
20:32:31.0544 0696 dmload - ok
20:32:31.0694 0696 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
20:32:31.0694 0696 DMusic - ok
20:32:31.0835 0696 dpti2o - ok
20:32:31.0925 0696 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
20:32:31.0925 0696 drmkaud - ok
20:32:32.0125 0696 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
20:32:32.0135 0696 Fastfat - ok
20:32:32.0225 0696 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
20:32:32.0225 0696 Fdc - ok
20:32:32.0305 0696 FETND5BV (cfc4cc73c903152a23e1db28eaba1f03) C:\WINDOWS\system32\DRIVERS\fetnd5bv.sys
20:32:32.0305 0696 FETND5BV - ok
20:32:32.0405 0696 FETNDIS (e9648254056bce81a85380c0c3647dc4) C:\WINDOWS\system32\DRIVERS\fetnd5.sys
20:32:32.0405 0696 FETNDIS - ok
20:32:32.0516 0696 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
20:32:32.0516 0696 Fips - ok
20:32:32.0626 0696 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
20:32:32.0626 0696 Flpydisk - ok
20:32:32.0706 0696 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\DRIVERS\fltMgr.sys
20:32:32.0716 0696 FltMgr - ok
20:32:32.0816 0696 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
20:32:32.0816 0696 Fs_Rec - ok
20:32:32.0936 0696 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
20:32:32.0936 0696 Ftdisk - ok
20:32:33.0036 0696 gameenum (065639773d8b03f33577f6cdaea21063) C:\WINDOWS\system32\DRIVERS\gameenum.sys
20:32:33.0036 0696 gameenum - ok
20:32:33.0147 0696 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
20:32:33.0157 0696 Gpc - ok
20:32:33.0337 0696 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
20:32:33.0337 0696 HidUsb - ok
20:32:33.0467 0696 hpn - ok
20:32:33.0547 0696 HSFHWBS2 (970178e8e003eb1481293830069624b9) C:\WINDOWS\system32\DRIVERS\HSFBS2S2.sys
20:32:33.0557 0696 HSFHWBS2 - ok
20:32:33.0727 0696 HSF_DP (ebb354438a4c5a3327fb97306260714a) C:\WINDOWS\system32\DRIVERS\HSFDPSP2.sys
20:32:33.0767 0696 HSF_DP - ok
20:32:33.0898 0696 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
20:32:33.0918 0696 HTTP - ok
20:32:34.0018 0696 i2omgmt - ok
20:32:34.0088 0696 i2omp - ok
20:32:34.0178 0696 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
20:32:34.0188 0696 i8042prt - ok
20:32:34.0288 0696 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
20:32:34.0288 0696 Imapi - ok
20:32:34.0408 0696 ini910u - ok
20:32:34.0509 0696 IntelIde - ok
20:32:34.0609 0696 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\DRIVERS\Ip6Fw.sys
20:32:34.0609 0696 Ip6Fw - ok
20:32:34.0719 0696 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
20:32:34.0719 0696 IpFilterDriver - ok
20:32:34.0819 0696 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
20:32:34.0829 0696 IpInIp - ok
20:32:34.0939 0696 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
20:32:34.0949 0696 IpNat - ok
20:32:35.0049 0696 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
20:32:35.0049 0696 IPSec - ok
20:32:35.0149 0696 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
20:32:35.0149 0696 IRENUM - ok
20:32:35.0280 0696 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
20:32:35.0280 0696 isapnp - ok
20:32:35.0400 0696 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
20:32:35.0400 0696 Kbdclass - ok
20:32:35.0500 0696 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
20:32:35.0500 0696 kbdhid - ok
20:32:35.0610 0696 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
20:32:35.0620 0696 kmixer - ok
20:32:35.0750 0696 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
20:32:35.0750 0696 KSecDD - ok
20:32:35.0870 0696 lbrtfdc - ok
20:32:36.0011 0696 MBAMSwissArmy - ok
20:32:36.0091 0696 mdmxsdk (195741aee20369980796b557358cd774) C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys
20:32:36.0101 0696 mdmxsdk - ok
20:32:36.0211 0696 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
20:32:36.0211 0696 mnmdd - ok
20:32:36.0331 0696 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
20:32:36.0331 0696 Modem - ok
20:32:36.0441 0696 MODEMCSA (1992e0d143b09653ab0f9c5e04b0fd65) C:\WINDOWS\system32\drivers\MODEMCSA.sys
20:32:36.0441 0696 MODEMCSA - ok
20:32:36.0521 0696 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
20:32:36.0521 0696 Mouclass - ok
20:32:36.0642 0696 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
20:32:36.0642 0696 mouhid - ok
20:32:36.0742 0696 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
20:32:36.0742 0696 MountMgr - ok
20:32:36.0862 0696 MpFilter (fee0baded54222e9f1dae9541212aab1) C:\WINDOWS\system32\DRIVERS\MpFilter.sys
20:32:36.0862 0696 MpFilter - ok
20:32:36.0962 0696 MpKsl1f729eb4 - ok
20:32:37.0012 0696 MpKsl29fffd84 - ok
20:32:37.0062 0696 MpKsl2bff2090 - ok
20:32:37.0092 0696 MpKsleec33482 - ok
20:32:37.0162 0696 mraid35x - ok
20:32:37.0272 0696 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
20:32:37.0272 0696 MRxDAV - ok
20:32:37.0413 0696 MRxSmb (7d304a5eb4344ebeeab53a2fe3ffb9f0) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
20:32:37.0433 0696 MRxSmb - ok
20:32:37.0593 0696 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
20:32:37.0593 0696 Msfs - ok
20:32:37.0723 0696 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
20:32:37.0723 0696 MSKSSRV - ok
20:32:37.0883 0696 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
20:32:37.0883 0696 MSPCLOCK - ok
20:32:38.0004 0696 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
20:32:38.0004 0696 MSPQM - ok
20:32:38.0124 0696 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
20:32:38.0124 0696 mssmbios - ok
20:32:38.0234 0696 ms_mpu401 (ca3e22598f411199adc2dfee76cd0ae0) C:\WINDOWS\system32\drivers\msmpu401.sys
20:32:38.0244 0696 ms_mpu401 - ok
20:32:38.0364 0696 Mup (de6a75f5c270e756c5508d94b6cf68f5) C:\WINDOWS\system32\drivers\Mup.sys
20:32:38.0374 0696 Mup - ok
20:32:38.0524 0696 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
20:32:38.0534 0696 NDIS - ok
20:32:38.0664 0696 NdisTapi (0109c4f3850dfbab279542515386ae22) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
20:32:38.0664 0696 NdisTapi - ok
20:32:38.0825 0696 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
20:32:38.0825 0696 Ndisuio - ok
20:32:38.0955 0696 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
20:32:38.0965 0696 NdisWan - ok
20:32:39.0055 0696 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
20:32:39.0065 0696 NDProxy - ok
20:32:39.0165 0696 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
20:32:39.0165 0696 NetBIOS - ok
20:32:39.0255 0696 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
20:32:39.0265 0696 NetBT - ok
20:32:39.0426 0696 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
20:32:39.0426 0696 Npfs - ok
20:32:39.0536 0696 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
20:32:39.0556 0696 Ntfs - ok
20:32:39.0716 0696 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
20:32:39.0716 0696 Null - ok
20:32:39.0786 0696 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
20:32:39.0786 0696 NwlnkFlt - ok
20:32:39.0876 0696 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
20:32:39.0876 0696 NwlnkFwd - ok
20:32:39.0976 0696 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
20:32:39.0986 0696 Parport - ok
20:32:40.0067 0696 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
20:32:40.0077 0696 PartMgr - ok
20:32:40.0167 0696 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
20:32:40.0167 0696 ParVdm - ok
20:32:40.0297 0696 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
20:32:40.0307 0696 PCI - ok
20:32:40.0387 0696 PCIDump - ok
20:32:40.0447 0696 PCIIde - ok
20:32:40.0517 0696 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
20:32:40.0527 0696 Pcmcia - ok
20:32:40.0597 0696 PDCOMP - ok
20:32:40.0667 0696 PDFRAME - ok
20:32:40.0727 0696 PDRELI - ok
20:32:40.0808 0696 PDRFRAME - ok
20:32:40.0898 0696 pelmouse (e0f027ac728a92f23b92ead793dc64f7) C:\WINDOWS\system32\DRIVERS\pelmouse.sys
20:32:40.0898 0696 pelmouse - ok
20:32:41.0008 0696 pelusblf (52c6a962b39808ee9e0416335bfd0956) C:\WINDOWS\system32\DRIVERS\pelusblf.sys
20:32:41.0008 0696 pelusblf - ok
20:32:41.0108 0696 perc2 - ok
20:32:41.0168 0696 perc2hib - ok
20:32:41.0368 0696 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
20:32:41.0368 0696 PptpMiniport - ok
20:32:41.0479 0696 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
20:32:41.0479 0696 PSched - ok
20:32:41.0599 0696 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
20:32:41.0599 0696 Ptilink - ok
20:32:41.0679 0696 ql1080 - ok
20:32:41.0739 0696 Ql10wnt - ok
20:32:41.0809 0696 ql12160 - ok
20:32:41.0869 0696 ql1240 - ok
20:32:41.0949 0696 ql1280 - ok
20:32:42.0039 0696 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
20:32:42.0039 0696 RasAcd - ok
20:32:42.0170 0696 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
20:32:42.0180 0696 Rasl2tp - ok
20:32:42.0320 0696 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
20:32:42.0320 0696 RasPppoe - ok
20:32:42.0420 0696 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
20:32:42.0420 0696 Raspti - ok
20:32:42.0500 0696 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
20:32:42.0510 0696 Rdbss - ok
20:32:42.0620 0696 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
20:32:42.0620 0696 RDPCDD - ok
20:32:42.0760 0696 RDPWD (fc105dd312ed64eb66bff111e8ec6eac) C:\WINDOWS\system32\drivers\RDPWD.sys
20:32:42.0770 0696 RDPWD - ok
20:32:42.0901 0696 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
20:32:42.0901 0696 redbook - ok
20:32:43.0111 0696 S3SavageNB (0dbcc071a268e0340a2ba6bdd98bace4) C:\WINDOWS\system32\DRIVERS\s3gnbm.sys
20:32:43.0111 0696 S3SavageNB - ok
20:32:43.0281 0696 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
20:32:43.0281 0696 Secdrv - ok
20:32:43.0421 0696 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
20:32:43.0431 0696 serenum - ok
20:32:43.0491 0696 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
20:32:43.0501 0696 Serial - ok
20:32:43.0612 0696 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
20:32:43.0612 0696 Sfloppy - ok
20:32:43.0742 0696 Simbad - ok
20:32:43.0802 0696 Sparrow - ok
20:32:43.0892 0696 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
20:32:43.0892 0696 splitter - ok
20:32:44.0012 0696 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
20:32:44.0012 0696 sr - ok
20:32:44.0162 0696 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys
20:32:44.0182 0696 Srv - ok
20:32:44.0323 0696 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
20:32:44.0323 0696 swenum - ok
20:32:44.0373 0696 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
20:32:44.0383 0696 swmidi - ok
20:32:44.0433 0696 symc810 - ok
20:32:44.0503 0696 symc8xx - ok
20:32:44.0573 0696 sym_hi - ok
20:32:44.0653 0696 sym_u3 - ok
20:32:44.0743 0696 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
20:32:44.0753 0696 sysaudio - ok
20:32:44.0893 0696 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
20:32:44.0913 0696 Tcpip - ok
20:32:45.0014 0696 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
20:32:45.0014 0696 TDPIPE - ok
20:32:45.0124 0696 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
20:32:45.0124 0696 TDTCP - ok
20:32:45.0224 0696 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
20:32:45.0224 0696 TermDD - ok
20:32:45.0344 0696 TosIde - ok
20:32:45.0484 0696 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
20:32:45.0484 0696 Udfs - ok
20:32:45.0554 0696 ultra - ok
20:32:45.0695 0696 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
20:32:45.0715 0696 Update - ok
20:32:45.0865 0696 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
20:32:45.0875 0696 usbccgp - ok
20:32:45.0975 0696 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
20:32:45.0975 0696 usbehci - ok
20:32:46.0075 0696 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
20:32:46.0075 0696 usbhub - ok
20:32:46.0175 0696 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
20:32:46.0185 0696 USBSTOR - ok
20:32:46.0285 0696 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
20:32:46.0285 0696 usbuhci - ok
20:32:46.0386 0696 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
20:32:46.0386 0696 VgaSave - ok
20:32:46.0486 0696 viaagp (754292ce5848b3738281b4f3607eaef4) C:\WINDOWS\system32\DRIVERS\viaagp.sys
20:32:46.0486 0696 viaagp - ok
20:32:46.0556 0696 ViaIde (3b3efcda263b8ac14fdf9cbdd0791b2e) C:\WINDOWS\system32\DRIVERS\viaide.sys
20:32:46.0556 0696 ViaIde - ok
20:32:46.0676 0696 VIAudio (f4d7aa3bd65093a27e30ea75be1a1b1e) C:\WINDOWS\system32\drivers\viaudios.sys
20:32:46.0706 0696 VIAudio - ok
20:32:46.0846 0696 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
20:32:46.0846 0696 VolSnap - ok
20:32:47.0027 0696 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
20:32:47.0047 0696 Wanarp - ok
20:32:47.0117 0696 WDICA - ok
20:32:47.0217 0696 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
20:32:47.0217 0696 wdmaud - ok
20:32:47.0377 0696 winachsf (1225ebea76aac3c84df6c54fe5e5d8be) C:\WINDOWS\system32\DRIVERS\HSFCXTS2.sys
20:32:47.0407 0696 winachsf - ok
20:32:47.0748 0696 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
20:32:47.0758 0696 WudfPf - ok
20:32:47.0868 0696 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
20:32:47.0878 0696 WudfRd - ok
20:32:48.0038 0696 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
20:32:48.0058 0696 \Device\Harddisk0\DR0 ( Rootkit.Boot.SST.b ) - infected
20:32:48.0058 0696 \Device\Harddisk0\DR0 - detected Rootkit.Boot.SST.b (0)
20:32:48.0118 0696 Boot (0x1200) (239ab3b475fb81c33820b4f7f86f1ddb) \Device\Harddisk0\DR0\Partition0
20:32:48.0118 0696 \Device\Harddisk0\DR0\Partition0 - ok
20:32:48.0138 0696 ============================================================
20:32:48.0138 0696 Scan finished
20:32:48.0138 0696 ============================================================
20:32:48.0208 0868 Detected object count: 1
20:32:48.0208 0868 Actual detected object count: 1
20:33:13.0164 0868 \Device\Harddisk0\DR0 ( Rootkit.Boot.SST.b ) - will be cured on reboot
20:33:13.0194 0868 \Device\Harddisk0\DR0 - ok
20:33:13.0194 0868 \Device\Harddisk0\DR0 ( Rootkit.Boot.SST.b ) - User select action: Cure
20:34:24.0477 0548 Deinitialize success
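A small triage script for a TDSSKiller log like the one pasted above, added here as an example; it is not part of this thread and not Kaspersky's own code. The line shapes it recognises (timestamp, PID, then either `Name (md5) path` or `object [( Family )] - verdict`) are inferred from the pasted log, and the sample lines below are constructed from it. Lines the parser does not recognise are kept in `unparsed` rather than silently dropped, so a reviewer can see what was skipped; the infected MBR verdict is tied back to the MBR hash recorded a few lines earlier.

```python
"""Triage a TDSSKiller log: hashed objects, 'ok' counts, and every non-'ok' verdict."""
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample in the shape of the log posted above (not a full log).
SAMPLE_LOG = r"""
20:32:26.0517 0696 Scan started
20:32:36.0862 0696 MpFilter (fee0baded54222e9f1dae9541212aab1) C:\WINDOWS\system32\DRIVERS\MpFilter.sys
20:32:36.0862 0696 MpFilter - ok
20:32:36.0962 0696 MpKsl1f729eb4 - ok
20:32:48.0038 0696 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
20:32:48.0058 0696 \Device\Harddisk0\DR0 ( Rootkit.Boot.SST.b ) - infected
20:32:48.0058 0696 \Device\Harddisk0\DR0 - detected Rootkit.Boot.SST.b (0)
20:32:48.0118 0696 Boot (0x1200) (239ab3b475fb81c33820b4f7f86f1ddb) \Device\Harddisk0\DR0\Partition0
20:32:48.0118 0696 \Device\Harddisk0\DR0\Partition0 - ok
20:33:13.0164 0868 \Device\Harddisk0\DR0 ( Rootkit.Boot.SST.b ) - will be cured on reboot
20:33:13.0194 0868 \Device\Harddisk0\DR0 - ok
20:33:13.0194 0868 \Device\Harddisk0\DR0 ( Rootkit.Boot.SST.b ) - User select action: Cure
"""

LINE_RE = re.compile(r"^(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+(?P<pid>\d+)\s*(?P<msg>.*)$")
# "Name (md5) path" or "MBR (0x1B8) (md5) \Device\..." : object, 32-hex hash, path
HASHED_RE = re.compile(
    r"^(?P<name>\S+(?: \(0x[0-9A-Fa-f]+\))?) \((?P<md5>[0-9a-f]{32})\) (?P<path>.+)$")
# "object - ok", "object ( Family ) - infected", "object - detected Family (0)", ...
VERDICT_RE = re.compile(r"^(?P<obj>.+?)(?: \( (?P<family>[^)]+) \))? - (?P<verdict>.+)$")


@dataclass
class Finding:
    obj: str
    family: Optional[str]
    verdict: str
    md5: Optional[str]  # hash of the object if an earlier hashed line recorded one


@dataclass
class Triage:
    hashes: dict = field(default_factory=dict)   # name or path -> (md5, other id)
    clean: int = 0                                # count of "- ok" verdicts
    findings: list = field(default_factory=list)  # every verdict other than "ok"
    unparsed: list = field(default_factory=list)  # lines in no recognised shape


def parse_tdsskiller(text: str) -> Triage:
    t = Triage()
    for raw in text.splitlines():
        if not raw.strip():
            continue
        m = LINE_RE.match(raw.strip())
        msg = m.group("msg") if m else ""
        if not msg:
            t.unparsed.append(raw)
            continue
        h = HASHED_RE.match(msg)
        if h:
            # Index under both name and path: MBR verdicts refer to the device path.
            t.hashes[h.group("name")] = (h.group("md5"), h.group("path"))
            t.hashes[h.group("path")] = (h.group("md5"), h.group("name"))
            continue
        v = VERDICT_RE.match(msg)
        if not v:
            t.unparsed.append(raw)
            continue
        verdict, family = v.group("verdict"), v.group("family")
        if verdict == "ok":
            t.clean += 1
            continue
        if family is None and verdict.startswith("detected "):
            family = verdict.split()[1]  # "detected Rootkit.Boot.SST.b (0)"
        known = t.hashes.get(v.group("obj"))
        t.findings.append(Finding(v.group("obj"), family, verdict, known[0] if known else None))
    return t


def infected_objects(t: Triage) -> list:
    """Unique (object, family, md5) tuples that were flagged infected/detected."""
    seen = {}
    for f in t.findings:
        if f.verdict == "infected" or f.verdict.startswith("detected"):
            seen.setdefault(f.obj, (f.obj, f.family, f.md5))
    return list(seen.values())


if __name__ == "__main__":
    report = parse_tdsskiller(SAMPLE_LOG)
    print(f"ok: {report.clean}, findings: {len(report.findings)}, unparsed: {len(report.unparsed)}")
    for obj, fam, md5 in infected_objects(report):
        print(f"INFECTED {obj} family={fam} md5={md5}")
```

Run it against a real log with `parse_tdsskiller(open(path).read())`; the `md5` on an MBR finding is the hash TDSSKiller printed for the boot record before the verdict, which is the value to keep for later comparison after the cure and reboot.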

#8 miss_october

miss_october
  • Topic Starter

  • Members
  • 16 posts

Posted 06 December 2011 - 01:18 PM

Unhide.exe still did not work.

Thanks again!

Edited by miss_october, 06 December 2011 - 04:30 PM.


#9 oneof4

oneof4

  • Malware Response Team
  • 3,779 posts
  • Gender:Male
  • Location:The Collective

Posted 07 December 2011 - 03:41 PM

Hi miss_october :)

Before pursuing this any further, I need to make you aware of the following:

One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.

If you decide to continue trying to clean your computer, please follow the next set of instructions:

==========

Please download aswMBR ( 511KB ) to your desktop.
  • Double click the aswMBR.exe icon to run it
  • Click the Scan button to start the scan
  • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.

Also, when you boot into "Normal Windows", what exactly in the way of Desktop and Start Menu items are missing?

Best Regards,
oneof4.


#10 miss_october

miss_october
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  • Local time:07:28 AM

Posted 07 December 2011 - 05:11 PM

When I boot to normal mode there is nothing on the desktop at all. In the start menu everything is gone. There is not even an option to use "run". Basically, when I start normal mode the only thing I can do is stare at a screen.

The infected computer has been turned off with the exception of booting in safe mode with networking in order to install and run the programs told to me on here. Should I no longer use network mode while in safe mode? Other than those moments the computer power is off so I don't think anything was stolen. However, does this allow other computers on the network to have info stolen from websites and such?

I will do your ideas. I cannot get the Windows disk to run sooo I will try this for now. Thanks again.

#11 miss_october

miss_october
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  • Local time:07:28 AM

Posted 07 December 2011 - 07:24 PM

If I were to want to reinstall the OS can you walk me through it? My dad said he is OK with doing that and losing everything on the comp if it will fix the problem.

#12 miss_october

miss_october
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  • Local time:07:28 AM

Posted 07 December 2011 - 07:28 PM

Here is the log you requested.

aswMBR version 0.9.8.986 Copyright© 2011 AVAST Software
Run date: 2011-12-07 18:15:45
-----------------------------
18:15:45.863 OS Version: Windows 5.1.2600 Service Pack 3
18:15:45.863 Number of processors: 1 586 0x801
18:15:45.863 ComputerName: OWNER-69DF6A62A UserName: Administrator
18:15:46.744 Initialize success
18:21:38.931 AVAST engine defs: 11120701
18:22:19.659 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
18:22:19.679 Disk 0 Vendor: ST340014A 3.16 Size: 34914MB BusType: 3
18:22:21.712 Disk 0 MBR read successfully
18:22:21.722 Disk 0 MBR scan
18:22:21.833 Disk 0 Windows XP default MBR code
18:22:21.873 Disk 0 scanning sectors +71489250
18:22:22.063 Disk 0 scanning C:\WINDOWS\system32\drivers
18:22:32.969 Service scanning
18:22:36.554 Modules scanning
18:22:42.753 Disk 0 trace - called modules:
18:22:42.803 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys viaide.sys PCIIDEX.SYS
18:22:42.823 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x85b5b030]
18:22:42.843 3 CLASSPNP.SYS[f7609fd7] -> nt!IofCallDriver -> \Device\00000056[0x85bd1e98]
18:22:45.236 5 ACPI.sys[f7580620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x85b8baf0]
18:22:46.318 AVAST engine scan C:\WINDOWS
18:22:55.381 AVAST engine scan C:\WINDOWS\system32
18:25:27.800 AVAST engine scan C:\WINDOWS\system32\drivers
18:25:42.271 AVAST engine scan C:\Documents and Settings\Administrator
18:26:12.404 AVAST engine scan C:\Documents and Settings\All Users
18:26:26.404 Scan finished successfully
18:27:56.324 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Administrator\Desktop\MBR.dat"
18:27:56.354 The log file has been saved successfully to "C:\Documents and Settings\Administrator\Desktop\aswMBR.txt"
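
A small parser for logs in the shape posted above, added here as an example (it is not part of this thread and not code from aswMBR or AVAST). It pulls out the facts a helper looks at first: OS version, the disk's vendor and size, whether the MBR was read and what aswMBR said about its code, the driver chain listed under "called modules", and whether the scan actually finished. The line format is inferred only from the single log above, so treat the regexes as assumptions, and the "default MBR code" check is a triage heuristic of mine, not an aswMBR verdict.

```python
"""Parse an aswMBR scan log into a structured report (example code, format assumed from one log)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Sample lines copied (trimmed) from the log posted above; assumed representative of aswMBR 0.9.8 output.
SAMPLE_LOG = r"""aswMBR version 0.9.8.986 Copyright© 2011 AVAST Software
Run date: 2011-12-07 18:15:45
-----------------------------
18:15:45.863 OS Version: Windows 5.1.2600 Service Pack 3
18:22:19.659 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
18:22:19.679 Disk 0 Vendor: ST340014A 3.16 Size: 34914MB BusType: 3
18:22:21.712 Disk 0 MBR read successfully
18:22:21.722 Disk 0 MBR scan
18:22:21.833 Disk 0 Windows XP default MBR code
18:22:42.753 Disk 0 trace - called modules:
18:22:42.803 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys viaide.sys PCIIDEX.SYS
18:22:42.823 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x85b5b030]
18:26:26.404 Scan finished successfully
"""

# Assumed line shapes: "HH:MM:SS.mmm message", and disk messages as "Disk N <rest>".
LINE_RE = re.compile(r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d{3}) (?P<msg>.*)$")
DISK_RE = re.compile(r"^Disk (?P<n>\d+) (?P<rest>.*)$")
VENDOR_RE = re.compile(r"Vendor: (?P<vendor>\S+) \S+ Size: (?P<size>\d+)MB BusType: \d+")


@dataclass
class DiskInfo:
    vendor: Optional[str] = None
    size_mb: Optional[int] = None
    mbr_read_ok: bool = False
    mbr_code: Optional[str] = None  # aswMBR's own wording for the MBR code it found


@dataclass
class AswMbrReport:
    version: Optional[str] = None
    os_version: Optional[str] = None
    disks: Dict[int, DiskInfo] = field(default_factory=dict)
    called_modules: List[str] = field(default_factory=list)
    scan_finished: bool = False


def parse_aswmbr(text: str) -> AswMbrReport:
    rep = AswMbrReport()
    expect_modules = False  # the module list is on the line after "... called modules:"
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("aswMBR version "):
            rep.version = line.split()[2]
            continue
        m = LINE_RE.match(line)
        if not m:
            continue  # header, separator or blank line
        msg = m.group("msg")
        if expect_modules:
            rep.called_modules = msg.split()
            expect_modules = False
            continue
        if msg.startswith("OS Version: "):
            rep.os_version = msg[len("OS Version: "):]
        elif msg.endswith("called modules:"):
            expect_modules = True
        elif msg == "Scan finished successfully":
            rep.scan_finished = True
        else:
            d = DISK_RE.match(msg)
            if d:
                disk = rep.disks.setdefault(int(d.group("n")), DiskInfo())
                rest = d.group("rest")
                v = VENDOR_RE.search(rest)
                if v:
                    disk.vendor = v.group("vendor")
                    disk.size_mb = int(v.group("size"))
                elif rest == "MBR read successfully":
                    disk.mbr_read_ok = True
                elif rest.endswith("MBR code"):
                    disk.mbr_code = rest
    return rep


def review_findings(rep: AswMbrReport) -> List[str]:
    """Return triage notes; an empty list means nothing in the log needs a second look."""
    notes: List[str] = []
    if not rep.scan_finished:
        notes.append("scan did not finish; log is incomplete")
    for n, disk in rep.disks.items():
        if not disk.mbr_read_ok:
            notes.append(f"disk {n}: MBR could not be read")
        if disk.mbr_code is None:
            notes.append(f"disk {n}: no MBR code assessment in log")
        elif "default MBR code" not in disk.mbr_code:
            # Heuristic (assumption): anything other than the stock MBR wording deserves review.
            notes.append(f"disk {n}: non-default MBR code reported ({disk.mbr_code})")
    return notes


if __name__ == "__main__":
    report = parse_aswmbr(SAMPLE_LOG)
    print(report)
    print(review_findings(report) or ["nothing flagged"])
```

On the log above this yields no findings: the MBR was read, aswMBR reports the stock Windows XP MBR code, and the scan finished. The review notes are deliberately conservative; they point a helper at what to read, they do not declare a machine clean.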

#13 miss_october

miss_october
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  • Local time:07:28 AM

Posted 07 December 2011 - 07:58 PM

I am actually doing a reinstall now, thanks. I will let you know how that goes.

#14 oneof4

oneof4

  • Malware Response Team
  • 3,779 posts
  • OFFLINE
  • Gender:Male
  • Location:The Collective
  • Local time:08:28 AM

Posted 07 December 2011 - 10:10 PM

:thumbup2:

Best Regards,
oneof4.


#15 miss_october

miss_october
  • Topic Starter

  • Members
  • 16 posts
  • OFFLINE
  • Local time:07:28 AM

Posted 07 December 2011 - 11:59 PM

Reinstalled and reformatted and everything is great~ Thanks again~ You may now close this thread if you wish! I appreciate you taking the time to help me and provide info!
