Google redirect possible TDSS infection


This topic is locked
45 replies to this topic

#1 BattleRidden (Members, 24 posts)

Posted 30 November 2011 - 01:49 AM

Hello,
I believe my computer has been infected by the Google Redirect Virus. I have tried to make all preparations in assuming this for posting. After reading some other posts I have downloaded and run some of the simpler possible problem-solving programs. I'm sure you will be able to see from my logs what these programs are. In trying to follow your guide I was unsuccessful in getting GMER to run effectively (I assume); when initiating the program I get an error screen that reads: LoadDriver ("C:\DOCUME~1\MyName\LOCALS~1\Temp\kwryypog.sys") error 0xC000010E: Cannot create a stable subkey under a volatile parent key. When clicking OK the GMER screen comes up and runs to no effect or results, with ONLY the Services, Registry, Files, C:\ and ADS boxes checked by default. All the other boxes are greyed out and unable to be selected. I tried taking the GMER section's advice in letting it randomly choose a name and also renaming the .exe file to others I chose, including the iexplorer.exe name, all to the same effect. In addition I have tried downloading and running the TDSS rootkit removing tool multiple times, also trying to rename it, and upon double clicking on it to start, nothing appears to happen, even after waiting a good amount of time.

I ran a full scan with MBAM and it seemed to find one type of problem and removed it. Since doing so and running some of the other cleaners the problem seems to have stopped or slowed for the most part. Understanding that this type of rootkit virus can come and go until fully removed I want to take every necessary step to make sure it is removed. I have already backed up the computer with Cobian to a spare external HD. Below is the DDS log and additionally the MBAM log from the most recent scan.

Thank you for any help you may be able to give me in solving this issue, it is a great service that you do for those in "technical" need and abundantly appreciated by many.


.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_29
Run by Rian at 0:44:20 on 2011-11-30
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.209 [GMT -5:00]
.
AV: Spyware Doctor with AntiVirus *Disabled/Updated* {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Intel\WiFi\bin\EvtEng.exe
C:\Program Files\Intel\WiFi\bin\S24EvMon.exe
C:\Program Files\Intel\WiFi\bin\WLKeeper.exe
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\Program Files\IObit\Advanced SystemCare 4\ASCService.exe
C:\Program Files\AskBarDis\bar\bin\ASKUpgrade.exe
C:\Program Files\Cobian Backup 10\cbVSCService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files\Intel\WiFi\bin\ZCfgSvc.exe
C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
.
============== Pseudo HJT Report ===============
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7
uStart Page = hxxp://yahoo.com/
uInternet Connection Wizard,ShellNext = "c:\program files\outlook express\msimn.exe" //mailurl:mailto:feedback@livingsocial.com
uInternet Settings,ProxyOverride = *.local;<local>
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: Vuze Remote Toolbar: {ba14329e-9550-4989-b3f2-9732e92d17cc} - c:\program files\vuze_remote\tbVuze.dll
uURLSearchHooks: H - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
BHO: Vuze Remote Toolbar: {ba14329e-9550-4989-b3f2-9732e92d17cc} - c:\program files\vuze_remote\tbVuze.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\bae\BAE.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
TB: Conduit Engine: {30f9b915-b755-4826-820b-08fba6bd249d} - c:\program files\conduitengine\ConduitEngine.dll
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
TB: Ask Toolbar: {3041d03e-fd4b-44e0-b742-2d9b88305f98} - c:\program files\askbardis\bar\bin\askBar.dll
TB: Vuze Remote Toolbar: {ba14329e-9550-4989-b3f2-9732e92d17cc} - c:\program files\vuze_remote\tbVuze.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
{555d4d79-4bd2-4094-a395-cfc534424a05}
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [ISUSPM] "c:\program files\common files\installshield\updateservice\ISUSPM.exe" -scheduler
uRun: [SmartRAM] "c:\program files\iobit\advanced systemcare 4\Suo10_SmartRAM.exe" /m
uRun: [Xvid] c:\program files\xvid\CheckUpdate.exe
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
mRun: [IntelZeroConfig] "c:\program files\intel\wifi\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\common files\intel\wirelesscommon\iFrmewrk.exe" /tf Intel Wireless Tray
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
uPolicies-explorer: NoResolveTrack = 1 (0x1)
uPolicies-explorer: NoThumbnailCache = 1 (0x1)
uPolicies-explorer: link = 00000000
mPolicies-explorer: NoResolveTrack = 1 (0x1)
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
LSP: c:\program files\common files\pc tools\lsp\PCTLsp.dll
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1156949791114
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 68.87.68.166 68.87.74.166
TCP: Interfaces\{79656C46-F7E3-4FC2-8A5D-926C729B4B59} : DhcpNameServer = 68.87.68.166 68.87.74.166
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: AtiExtEvent - Ati2evxx.dll
Notify: LBTWlgn - c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\rian\application data\mozilla\firefox\profiles\t786d2az.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-&p=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://yahoo.com/
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-&p=
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 5555
FF - prefs.js: network.proxy.type - 0
FF - component: c:\documents and settings\rian\application data\mozilla\firefox\profiles\t786d2az.default\extensions\{ba14329e-9550-4989-b3f2-9732e92d17cc}\components\RadioWMPCoreGecko19.dll
FF - component: c:\documents and settings\rian\application data\mozilla\firefox\profiles\t786d2az.default\extensions\engine@conduit.com\components\RadioWMPCoreGecko19.dll
FF - component: c:\program files\avg\avg10\firefox4\components\avgssff4.dll
FF - component: c:\program files\avg\avg10\firefox4\components\avgssff5.dll
FF - plugin: c:\documents and settings\rian\application data\mozilla\plugins\npcoolirisplugin.dll
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60831.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
.
---- FIREFOX POLICIES ----
FF - user.js: browser.cache.memory.capacity - 16000
FF - user.js: browser.chrome.favicons - false
FF - user.js: browser.display.show_image_placeholders - true
FF - user.js: browser.turbo.enabled - true
FF - user.js: browser.urlbar.autocomplete.enabled - true
FF - user.js: browser.urlbar.autofill - true
FF - user.js: content.max.tokenizing.time - 2250000
FF - user.js: content.maxtextrun - 4095
FF - user.js: content.notify.backoffcount - 5
FF - user.js: content.notify.interval - 750000
FF - user.js: content.notify.ontimer - true
FF - user.js: content.switch.threshold - 750000
FF - user.js: dom.disable_window_status_change - true
FF - user.js: network.http.max-connections - 32
FF - user.js: network.http.max-connections-per-server - 8
FF - user.js: network.http.max-persistent-connections-per-proxy - 8
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: network.http.pipelining - true
FF - user.js: network.http.pipelining.firstrequest - true
FF - user.js: network.http.pipelining.maxrequests - 8
FF - user.js: network.http.proxy.pipelining - true
FF - user.js: network.http.request.max-start-delay - 0
FF - user.js: nglayout.initialpaint.delay - 750
FF - user.js: plugin.expose_full_path - true
FF - user.js: ui.submenuDelay - 0
.
============= SERVICES / DRIVERS ===============
.
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2011-11-28 239168]
R0 pctDS;PC Tools Data Store;c:\windows\system32\drivers\pctDS.sys [2011-11-28 338880]
R0 pctEFA;PC Tools Extended File Attributes;c:\windows\system32\drivers\pctEFA.sys [2011-11-28 656320]
R0 SmartDefragDriver;SmartDefragDriver;c:\windows\system32\drivers\SmartDefragDriver.sys [2011-6-15 13496]
R1 c2scsi;c2scsi;c:\windows\system32\drivers\c2scsi.sys [2007-1-30 241664]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2011-7-22 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2011-7-12 67664]
R2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCore.exe [2011-8-11 116608]
R2 AdvancedSystemCareService;Advanced SystemCare Service;c:\program files\iobit\advanced systemcare 4\ASCService.exe [2011-6-15 328536]
R2 ASKUpgrade;ASKUpgrade;c:\program files\askbardis\bar\bin\ASKUpgrade.exe [2009-10-5 234888]
R2 cbVSCService;Cobian Backup 10 Volume Shadow Copy service;c:\program files\cobian backup 10\cbVSCService.exe [2011-11-28 67584]
R2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [2009-6-18 10384]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-11-27 366152]
R2 ubsbm;Unibrain 1394 SBM Driver;c:\windows\system32\drivers\UBSBM.sys [2005-7-27 14080]
R2 ubumapi;Unibrain 1394 FireAPI Driver;c:\windows\system32\drivers\UBUMAPI.sys [2005-7-27 36352]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-11-27 22216]
R3 ubohci;Unibrain 1394 OHCI Driver;c:\windows\system32\drivers\ubohci.sys [2005-7-27 77056]
S1 MpKsl0315ab4d;MpKsl0315ab4d;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{207ea161-5eab-4fe3-bb47-c7ce1da3be4b}\mpksl0315ab4d.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{207ea161-5eab-4fe3-bb47-c7ce1da3be4b}\MpKsl0315ab4d.sys [?]
S1 MpKsl79593073;MpKsl79593073;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{c83a4b9a-799e-4b8c-8701-c5e3bc43ce08}\mpksl79593073.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{c83a4b9a-799e-4b8c-8701-c5e3bc43ce08}\MpKsl79593073.sys [?]
S1 MpKsl8b54b2a3;MpKsl8b54b2a3;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{10245551-3f07-43f8-8b20-6b02ee24d487}\mpksl8b54b2a3.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{10245551-3f07-43f8-8b20-6b02ee24d487}\MpKsl8b54b2a3.sys [?]
S3 cpudrv;cpudrv;c:\program files\systemrequirementslab\cpudrv.sys [2009-12-18 11336]
S3 CrucialSMBusScan;CrucialSMBusScan; [x]
S3 HTCAND32;HTC Device Driver;c:\windows\system32\drivers\ANDROIDUSB.sys [2010-11-16 24576]
S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\pc tools security\pctsAuxs.exe [2011-11-28 366840]
S3 sdCoreService;PC Tools Security Service;c:\program files\pc tools security\pctsSvc.exe [2011-11-28 1150936]
S3 SMSIVZAM5;SMSIVZAM5 NDIS Protocol Driver;c:\progra~1\verizo~1\vzacce~1\SMSIVZAM5.SYS [2009-5-25 32408]
.
=============== Created Last 30 ================
.
2011-11-28 21:13:55 -------- d-----w- c:\program files\Cobian Backup 10
2011-11-28 21:12:35 656320 ------w- c:\windows\system32\drivers\pctEFA.sys
2011-11-28 21:12:35 338880 ------w- c:\windows\system32\drivers\pctDS.sys
2011-11-28 21:12:31 251560 ------w- c:\windows\system32\drivers\pctgntdi.sys
2011-11-28 21:12:19 239168 ------w- c:\windows\system32\drivers\PCTCore.sys
2011-11-28 21:12:19 160448 ------w- c:\windows\system32\drivers\PCTAppEvent.sys
2011-11-28 21:12:06 70536 ------w- c:\windows\system32\drivers\pctplsg.sys
2011-11-28 21:11:42 -------- d-----w- c:\program files\common files\PC Tools
2011-11-28 21:11:41 -------- d-----w- c:\program files\PC Tools Security
2011-11-28 21:11:41 -------- d-----w- c:\documents and settings\rian\application data\PC Tools
2011-11-28 20:33:52 -------- d-----w- c:\documents and settings\all users\application data\PC Tools
2011-11-28 08:08:23 -------- dc-h--w- c:\windows\ie8
2011-11-28 07:01:40 -------- d-----w- c:\program files\Trend Micro
2011-11-28 04:27:32 22216 ------w- c:\windows\system32\drivers\mbam.sys
2011-11-28 04:27:30 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-11-13 19:57:10 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-11-13 19:57:10 -------- d-----w- c:\documents and settings\all users\application data\SUPERAntiSpyware.com
.
==================== Find3M ====================
.
2011-11-29 14:25:57 96384 ----a-w- c:\windows\system32\drivers\sptd2301.sys
2011-11-11 22:07:22 414368 ------w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-10-24 19:29:02 94208 ------w- c:\windows\system32\QuickTimeVR.qtx
2011-10-24 19:29:02 69632 ------w- c:\windows\system32\QuickTime.qts
2011-10-10 14:22:41 692736 ------w- c:\windows\system32\inetcomm.dll
2011-10-03 10:06:03 472808 ------w- c:\windows\system32\deployJava1.dll
2011-10-03 07:37:52 73728 ------w- c:\windows\system32\javacpl.cpl
2011-09-28 07:06:50 599040 ------w- c:\windows\system32\crypt32.dll
2011-09-26 15:41:20 611328 ------w- c:\windows\system32\uiautomationcore.dll
2011-09-26 15:41:20 220160 ------w- c:\windows\system32\oleacc.dll
2011-09-26 15:41:14 20480 ------w- c:\windows\system32\oleaccrc.dll
2011-09-06 13:20:51 1858944 ------w- c:\windows\system32\win32k.sys
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: ST9120821AS rev.8.03 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; PUSH CS; POP DS; PUSH CS; POP ES; PUSHAD ; MOV [0x7e00], DL; MOV BYTE [0x7e04], 0x1e; MOV AH, 0x48; MOV SI, 0x7e04; INT 0x13; MOV AL, 0x50; JB 0x19b; }
user != kernel MBR !!!
sectors 231496648 (+255): user != kernel
.
============= FINISH: 0:57:33.90 ===============


MBAM LOG:

Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 8255

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

11/27/2011 11:46:16 PM
mbam-log-2011-11-27 (23-46-16).txt

Scan type: Quick scan
Objects scanned: 194483
Time elapsed: 14 minute(s), 11 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer (PUM.Bad.Proxy) -> Value: ProxyServer -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


#2 RPMcMurphy (Malware Response Team, 3,970 posts)

Posted 01 December 2011 - 09:30 PM

Hello and welcome. Please follow these guidelines while we work on your PC:
  • Malware removal is a sometimes lengthy and tedious process. Please stick with the thread until I've given you the "All clear." Absence of symptoms does not mean your machine is clean!
  • Please do not run any scans or install/uninstall any applications without being directed to do so.
  • Please note that the forum is very busy and if I don't hear from you within five days this thread will be closed.
P2P - I see you have P2P software (Vuze) installed on your machine. We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to malware infections. Please see this post for more information. I recommend that you uninstall these now. You can do so via Control Panel >> Add or Remove Programs. If you choose to keep these applications, please do not use them until our fixes at TSF are complete.

Download aswMBR.exe (511KB) to your desktop.
  • Double click the aswMBR.exe to run it
  • Click the "Scan" button to start scan
  • On completion of the scan click save log, save it to your desktop and post in your next reply.
Please include the following in your next post:
  • aswMBR log

Threads are closed after 5 days of inactivity.

ASAP & UNITE Member




#3 BattleRidden (Topic Starter)

Posted 03 December 2011 - 12:42 AM

Thank you for the timely response. I have removed the P2P programs and toolbar until we can find a solution to this issue. Unfortunately, after downloading the aswMBR file and trying to run it, it did not work. It did the same thing TDSSKiller did when trying to run it. Both download fine, but when trying to open them you get an hourglass flash and then nothing happens. I've tried closing as many services and running processes as possible and running it, tried renaming the file and tried running in safe mode. Nothing helped. Does it matter what browser I use and if certain add-ons are enabled? Thanks again for the continued help.

#4 RPMcMurphy

Posted 03 December 2011 - 10:53 AM

Hi,

See if this one will run for you:

Please download MBRCheck.exe to your desktop.
  • Be sure to disable your security programs
  • Double click on the file to run it (Vista and Windows 7 users will have to confirm the UAC prompt)
  • A small window should open on your desktop
  • if an unknown bootcode is found you will have further options available to you, at this time press N then press Enter twice.
  • If nothing unusual is found just press Enter
  • A .txt file named MBRCheck_mm.dd.yy_hh.mm.ss should appear on your desktop. Please post the contents of that file.



#5 BattleRidden (Topic Starter)

Posted 03 December 2011 - 07:35 PM

Ok, looks like we found an application that does what it is supposed to do. It says it has found a non-standard or infected MBR. The .txt file contents are below.


MBRCheck, version 1.2.3
© 2010, AD

Command-line:
Windows Version: Windows XP Home Edition
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x0000000c

Kernel Drivers (total 152):
0x804D7000 \WINDOWS\system32\ntkrnlpa.exe
0x806E5000 \WINDOWS\system32\hal.dll
0xF7B51000 \WINDOWS\system32\KDCOM.DLL
0xF7A61000 \WINDOWS\system32\BOOTVID.dll
0xF7530000 fltmgr.sys
0xF7502000 ACPI.sys
0xF7B53000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
0xF74F1000 pci.sys
0xF7651000 isapnp.sys
0xF7A65000 compbatt.sys
0xF7A69000 \WINDOWS\system32\DRIVERS\BATTC.SYS
0xF7C19000 pciide.sys
0xF78D1000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
0xF7661000 MountMgr.sys
0xF74D2000 ftdisk.sys
0xF78D9000 PartMgr.sys
0xF7671000 VolSnap.sys
0xF74BA000 atapi.sys
0xF7681000 disk.sys
0xF7691000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
0xF74A8000 sr.sys
0xF746B000 PCTCore.sys
0xF7414000 pctDS.sys
0xF736F000 pctEFA.sys
0xF7359000 DRVMCDB.SYS
0xF76A1000 PxHelp20.sys
0xF7342000 KSecDD.sys
0xF732F000 WudfPf.sys
0xF72A2000 Ntfs.sys
0xF7275000 NDIS.sys
0xF7B55000 SmartDefragDriver.sys
0xF76B1000 ohci1394.sys
0xF76C1000 \WINDOWS\system32\DRIVERS\1394BUS.SYS
0xF725B000 Mup.sys
0xF6675000 \SystemRoot\system32\DRIVERS\intelppm.sys
0xF722B000 \SystemRoot\system32\DRIVERS\wmiacpi.sys
0xF7227000 \SystemRoot\system32\DRIVERS\CmBatt.sys
0xF61DE000 \SystemRoot\system32\DRIVERS\ati2mtag.sys
0xF61CA000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
0xF61A4000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
0xF5B56000 \SystemRoot\system32\DRIVERS\NETw5x32.sys
0xF79A1000 \SystemRoot\system32\DRIVERS\usbuhci.sys
0xF5B32000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0xF79A9000 \SystemRoot\system32\DRIVERS\usbehci.sys
0xF6665000 \SystemRoot\system32\DRIVERS\bcm4sbxp.sys
0xF5B1F000 \SystemRoot\system32\DRIVERS\ubohci.sys
0xF5B09000 \SystemRoot\system32\DRIVERS\UB1394.SYS
0xF5AF5000 \SystemRoot\system32\DRIVERS\sdbus.sys
0xF6655000 \SystemRoot\system32\DRIVERS\rimmptsk.sys
0xF5AE1000 \SystemRoot\system32\DRIVERS\rimsptsk.sys
0xF5A90000 \SystemRoot\system32\DRIVERS\rixdptsk.sys
0xF6645000 \SystemRoot\system32\DRIVERS\i8042prt.sys
0xF5A61000 \SystemRoot\system32\DRIVERS\SynTP.sys
0xF7BA1000 \SystemRoot\system32\DRIVERS\USBD.SYS
0xF79B1000 \SystemRoot\system32\DRIVERS\mouclass.sys
0xF79B9000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0xF6635000 \SystemRoot\system32\DRIVERS\imapi.sys
0xF6625000 \SystemRoot\system32\DRIVERS\cdrom.sys
0xF6615000 \SystemRoot\system32\DRIVERS\redbook.sys
0xF5A3E000 \SystemRoot\system32\DRIVERS\ks.sys
0xF6605000 \SystemRoot\System32\Drivers\GEARAspiWDM.sys
0xF7D59000 \SystemRoot\system32\DRIVERS\audstub.sys
0xF65F5000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0xF6786000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0xF5A27000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0xF65E5000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0xF7751000 \SystemRoot\system32\DRIVERS\raspptp.sys
0xF79C1000 \SystemRoot\system32\DRIVERS\TDI.SYS
0xF5A16000 \SystemRoot\system32\DRIVERS\psched.sys
0xF7761000 \SystemRoot\system32\DRIVERS\msgpc.sys
0xF79C9000 \SystemRoot\system32\DRIVERS\ptilink.sys
0xF79D1000 \SystemRoot\system32\DRIVERS\raspti.sys
0xF7771000 \SystemRoot\system32\DRIVERS\termdd.sys
0xF59DB000 \SystemRoot\System32\Drivers\c2scsi.SYS
0xF59C3000 \SystemRoot\System32\Drivers\SCSIPORT.SYS
0xF7BA3000 \SystemRoot\system32\DRIVERS\swenum.sys
0xF5965000 \SystemRoot\system32\DRIVERS\update.sys
0xF677A000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0xF79D9000 \SystemRoot\system32\DRIVERS\omci.sys
0xF7741000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xEB560000 \SystemRoot\system32\drivers\sthda.sys
0xEB53C000 \SystemRoot\system32\drivers\portcls.sys
0xF7821000 \SystemRoot\system32\drivers\drmk.sys
0xEB3E8000 \SystemRoot\system32\drivers\monfilt.sys
0xEB3A4000 \SystemRoot\system32\DRIVERS\HSXHWAZL.sys
0xEB2AD000 \SystemRoot\system32\DRIVERS\HSX_DPV.sys
0xEB1F7000 \SystemRoot\system32\DRIVERS\HSX_CNXT.sys
0xF7939000 \SystemRoot\System32\Drivers\Modem.SYS
0xF77E1000 \SystemRoot\system32\DRIVERS\usbhub.sys
0xF3D04000 \SystemRoot\System32\Drivers\i2omgmt.SYS
0xF7B61000 \SystemRoot\System32\Drivers\DLACDBHM.SYS
0xF7B63000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xF6F56000 \SystemRoot\System32\Drivers\Null.SYS
0xF7B65000 \SystemRoot\System32\Drivers\Beep.SYS
0xF3CB0000 \SystemRoot\System32\Drivers\DLARTL_M.SYS
0xEB1E5000 \SystemRoot\System32\drivers\vga.sys
0xF7B67000 \SystemRoot\System32\Drivers\mnmdd.SYS
0xF7B69000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0xEB1DD000 \SystemRoot\System32\Drivers\Msfs.SYS
0xEB1D5000 \SystemRoot\System32\Drivers\Npfs.SYS
0xEB00B000 \SystemRoot\system32\DRIVERS\rasacd.sys
0xB9979000 \SystemRoot\system32\DRIVERS\ipsec.sys
0xB9920000 \SystemRoot\system32\DRIVERS\tcpip.sys
0xB98F8000 \SystemRoot\system32\DRIVERS\netbt.sys
0xB98D2000 \SystemRoot\system32\DRIVERS\ipnat.sys
0xF66F3000 \SystemRoot\System32\drivers\ws2ifsl.sys
0xB98B0000 \SystemRoot\System32\drivers\afd.sys
0xF3C75000 \SystemRoot\system32\DRIVERS\netbios.sys
0xB988E000 \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS
0xEB1CD000 \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
0xB9863000 \SystemRoot\system32\DRIVERS\rdbss.sys
0xB97F3000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0xF3C55000 \SystemRoot\System32\Drivers\Fips.SYS
0xF3C45000 \SystemRoot\system32\DRIVERS\wanarp.sys
0xF7005000 \SystemRoot\SYSTEM32\DRIVERS\APPDRV.SYS
0xB5B15000 \SystemRoot\System32\Drivers\Cdfs.SYS
0xBF800000 \SystemRoot\System32\win32k.sys
0xF71D3000 \SystemRoot\System32\drivers\Dxapi.sys
0xB40CF000 \SystemRoot\System32\watchdog.sys
0xBF000000 \SystemRoot\System32\drivers\dxg.sys
0xB90F4000 \SystemRoot\System32\drivers\dxgthk.sys
0xBF012000 \SystemRoot\System32\ati2dvag.dll
0xBF058000 \SystemRoot\System32\ati2cqag.dll
0xBF0D3000 \SystemRoot\System32\atikvmag.dll
0xBF141000 \SystemRoot\System32\atiok3x2.dll
0xBF16E000 \SystemRoot\System32\ati3duag.dll
0xBF469000 \SystemRoot\System32\ativvaxx.dll
0xBF600000 \SystemRoot\System32\ATMFD.DLL
0xB779E000 \??\C:\WINDOWS\system32\drivers\mbam.sys
0xB5B05000 \SystemRoot\System32\Drivers\DRVNDDM.SYS
0xB64D4000 \SystemRoot\System32\DLA\DLADResM.SYS
0xB1E97000 \SystemRoot\System32\DLA\DLAIFS_M.SYS
0xF7921000 \SystemRoot\System32\DLA\DLAOPIOM.SYS
0xF7B95000 \SystemRoot\System32\DLA\DLAPoolM.SYS
0xF7999000 \SystemRoot\System32\DLA\DLABMFSM.SYS
0xF7909000 \SystemRoot\System32\DLA\DLABOIOM.SYS
0xB1E81000 \SystemRoot\System32\DLA\DLAUDFAM.SYS
0xB1E6A000 \SystemRoot\System32\DLA\DLAUDF_M.SYS
0xF71E7000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0xB68DD000 \SystemRoot\system32\DRIVERS\s24trans.sys
0xF69A8000 \SystemRoot\System32\Drivers\LBeepKE.sys
0xB1501000 \SystemRoot\system32\DRIVERS\srv.sys
0xB1621000 \SystemRoot\system32\DRIVERS\mdmxsdk.sys
0xB14A5000 \SystemRoot\system32\DRIVERS\ubsbm.sys
0xB95AB000 \SystemRoot\system32\DRIVERS\ubumapi.sys
0xB0EFC000 \SystemRoot\system32\drivers\wdmaud.sys
0xB11E9000 \SystemRoot\system32\drivers\sysaudio.sys
0xB0DBF000 \SystemRoot\system32\drivers\ctusfsyn.sys
0xB0D8F000 \SystemRoot\system32\DRIVERS\ctoss2k.sys
0xB0D69000 \SystemRoot\system32\DRIVERS\ctsfm2k.sys
0xB12E1000 \SystemRoot\system32\DRIVERS\ipfltdrv.sys
0x7C900000 \WINDOWS\system32\ntdll.dll

Processes (total 41):
0 System Idle Process
4 System
856 C:\WINDOWS\system32\smss.exe
904 csrss.exe
944 C:\WINDOWS\system32\winlogon.exe
988 C:\WINDOWS\system32\services.exe
1000 C:\WINDOWS\system32\lsass.exe
1172 C:\WINDOWS\system32\ati2evxx.exe
1192 C:\WINDOWS\system32\svchost.exe
1268 svchost.exe
1380 C:\WINDOWS\system32\svchost.exe
1424 C:\WINDOWS\system32\svchost.exe
1628 C:\Program Files\Intel\WiFi\bin\EvtEng.exe
1664 C:\Program Files\Intel\WiFi\bin\S24EvMon.exe
1716 C:\Program Files\Intel\WiFi\bin\WLKEEPER.exe
1792 svchost.exe
2004 C:\WINDOWS\system32\svchost.exe
2036 C:\WINDOWS\system32\spoolsv.exe
340 C:\Program Files\SUPERAntiSpyware\SASCore.exe
412 C:\Program Files\AskBarDis\bar\bin\ASKUpgrade.exe
744 C:\Program Files\Java\jre6\bin\jqs.exe
1592 C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
1844 C:\WINDOWS\system32\svchost.exe
2140 C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
2172 unsecapp.exe
2252 wmiprvse.exe
2288 C:\WINDOWS\system32\searchindexer.exe
3048 C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVCM.EXE
2448 alg.exe
2708 unsecapp.exe
228 C:\WINDOWS\system32\ati2evxx.exe
592 C:\Program Files\IObit\Advanced SystemCare 4\PMonitor.exe
3584 C:\WINDOWS\explorer.exe
4052 C:\Program Files\Intel\WiFi\bin\ZCfgSvc.exe
596 C:\Program Files\Sigmatel\C-Major Audio\WDM\stsystra.exe
3624 C:\WINDOWS\system32\ctfmon.exe
3456 C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
2816 C:\WINDOWS\system32\wbem\unsecapp.exe
3820 C:\Program Files\Mozilla Firefox\firefox.exe
1136 C:\Program Files\Mozilla Firefox\plugin-container.exe
2656 C:\Documents and Settings\Rian\Desktop\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`02f10c00 (NTFS)

PhysicalDrive0 Model Number: ST9120821AS, Rev: 8.03

Size Device Name MBR Status
--------------------------------------------
110 GB \\.\PhysicalDrive0 MBR Code Faked!
SHA1: 38BE7869FCCF026F920DA4A541B12E68993C36ED


Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit:

Done!
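The MBRCheck output above prints the boot sector's SHA1 and flags the boot code as non-standard; ComboFix's MBR module later in the thread reports the same sector reading differently from user mode and from the kernel. The Python below is an added example, not part of the thread and not code from either tool. It shows the two checks a defender can script: hashing the 440-byte boot-code region and comparing it with a baseline recorded when the machine was known clean (the partition table is decoded and reported separately, because it changes legitimately and the boot code should not; this hash therefore need not match the value MBRCheck prints), and comparing two reads of the same sector byte for byte, which is the shape of the "user != kernel" test. The MBR images are constructed inside the block; reading the real sector 0 would need an administrator handle to the physical drive and is outside the example.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440          # executable boot code: the region a bootkit overwrites
PART_TABLE_OFFSET = 446      # four 16-byte partition entries follow the disk signature
BOOT_SIGNATURE = b"\x55\xAA"


def build_sample_mbr(fill_byte, partitions):
    """Construct a synthetic 512-byte MBR (constructed data for this example,
    not an image of the disk from the thread). `partitions` is a list of
    (bootable, type_byte, first_lba, sector_count) tuples."""
    boot_code = bytes([fill_byte]) * BOOT_CODE_LEN
    disk_id = b"\x11\x22\x33\x44" + b"\x00\x00"   # 4-byte disk signature + 2 reserved bytes
    table = b"".join(
        struct.pack("<B3sB3sII", 0x80 if bootable else 0x00, b"\0\0\0",
                    ptype, b"\0\0\0", lba, count)
        for bootable, ptype, lba, count in partitions
    ).ljust(64, b"\x00")
    return boot_code + disk_id + table + BOOT_SIGNATURE


def parse_mbr(sector):
    """Split an MBR into what a checker cares about: a hash of the boot code
    (to compare against a baseline) and the decoded partition table (reported,
    not hashed, since it legitimately changes when partitions are edited)."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    if sector[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFFSET + 16 * i
        status, _, ptype, _, lba, count = struct.unpack("<B3sB3sII", sector[off:off + 16])
        if ptype != 0:   # type 0 marks an unused entry
            partitions.append({"bootable": status == 0x80, "type": ptype,
                               "first_lba": lba, "sectors": count})
    return {"boot_code_sha1": hashlib.sha1(sector[:BOOT_CODE_LEN]).hexdigest(),
            "partitions": partitions}


def check_against_baseline(sector, baseline_sha1):
    """True when the boot code matches the known-good hash recorded earlier."""
    return parse_mbr(sector)["boot_code_sha1"] == baseline_sha1


def compare_views(user_view, kernel_view):
    """Mirror the 'user != kernel MBR' test from the log: the same sector read
    through two different paths must be byte-identical. A rootkit that filters
    one path but not the other shows up as a mismatch.
    Returns (match, first_differing_offset)."""
    if user_view == kernel_view:
        return True, None
    for i, (a, b) in enumerate(zip(user_view, kernel_view)):
        if a != b:
            return False, i
    return False, min(len(user_view), len(kernel_view))


# Constructed sample: one bootable NTFS partition (type 0x07) at LBA 63, plus a
# copy whose boot code has been replaced but whose partition table is unchanged.
CLEAN_MBR = build_sample_mbr(0x90, [(True, 0x07, 63, 231_000_000)])
BASELINE_SHA1 = parse_mbr(CLEAN_MBR)["boot_code_sha1"]   # record this while the machine is known clean
TAMPERED_MBR = build_sample_mbr(0xE9, [(True, 0x07, 63, 231_000_000)])

if __name__ == "__main__":
    print("clean matches baseline:   ", check_against_baseline(CLEAN_MBR, BASELINE_SHA1))
    print("tampered matches baseline:", check_against_baseline(TAMPERED_MBR, BASELINE_SHA1))
    print("user view vs kernel view: ", compare_views(CLEAN_MBR, TAMPERED_MBR))
```

The baseline hash is the part that needs discipline: it has to be taken from a machine you trust at that moment and stored somewhere the machine itself cannot rewrite, otherwise a bootkit that is already resident simply becomes the baseline.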

#6 RPMcMurphy

RPMcMurphy

    Bleeping *^#@%~


  • Malware Response Team
  • 3,970 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:03:03 AM

Posted 03 December 2011 - 11:51 PM

Please do this now:

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link
  • Double click on ComboFix.exe & follow the prompts.
As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Posted Image

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image

  • Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.


Please include the following in your next post:
  • ComboFix log

Threads are closed after 5 days of inactivity.

ASAP & UNITE Member


The help you receive here is free. If you wish to show your appreciation, then you may donate.


#7 BattleRidden

BattleRidden
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Local time:02:03 AM

Posted 04 December 2011 - 07:23 PM

Here is the log from the ComboFix run...


ComboFix 11-12-04.03 - Rian 12/04/2011 12:42:11.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.335 [GMT -5:00]
Running from: c:\documents and settings\Rian\Desktop\ComboFix.exe
AV: Spyware Doctor with AntiVirus *Disabled/Updated* {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\DragToDiscUserNameD.txt
c:\documents and settings\All Users\Application Data\TEMP
c:\windows\bwUnin-6.1.4.61-8876480L.exe
c:\windows\system32\24F4B1CE7E.dll
c:\windows\system32\ccrpTmr6.dll
c:\windows\system32\drivers\1028_DELL_XPS_MP061 .MRK
c:\windows\system32\drivers\DELL_XPS_MP061 .MRK
c:\windows\system32\index.html
c:\windows\system32\regobj.dll
c:\windows\system32\usmt\migwiz_a.exe
c:\windows\system32\win.ini
c:\windows\WindowsUpdate.log . . . . Failed to delete
.
.
((((((((((((((((((((((((( Files Created from 2011-11-04 to 2011-12-04 )))))))))))))))))))))))))))))))
.
.
2011-11-28 21:15 . 2011-11-28 21:15 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Safe mirror
2011-11-28 21:13 . 2011-11-28 22:11 -------- d-----w- c:\program files\Cobian Backup 10
2011-11-28 21:12 . 2010-07-16 19:59 656320 ------w- c:\windows\system32\drivers\pctEFA.sys
2011-11-28 21:12 . 2010-07-16 19:59 338880 ------w- c:\windows\system32\drivers\pctDS.sys
2011-11-28 21:12 . 2011-01-17 14:10 251560 ------w- c:\windows\system32\drivers\pctgntdi.sys
2011-11-28 21:12 . 2010-12-10 21:57 160448 ------w- c:\windows\system32\drivers\PCTAppEvent.sys
2011-11-28 21:12 . 2010-12-10 18:24 239168 ------w- c:\windows\system32\drivers\PCTCore.sys
2011-11-28 21:12 . 2010-12-16 13:46 70536 ------w- c:\windows\system32\drivers\pctplsg.sys
2011-11-28 21:11 . 2011-11-28 21:16 -------- d-----w- c:\program files\Common Files\PC Tools
2011-11-28 21:11 . 2011-11-28 22:05 -------- d-----w- c:\program files\PC Tools Security
2011-11-28 21:11 . 2011-11-28 21:11 -------- d-----w- c:\documents and settings\Rian\Application Data\PC Tools
2011-11-28 20:33 . 2011-11-28 21:12 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2011-11-28 08:08 . 2011-11-28 08:11 -------- dc-h--w- c:\windows\ie8
2011-11-28 07:01 . 2011-11-28 07:01 -------- d-----w- c:\program files\Trend Micro
2011-11-28 04:27 . 2011-08-31 22:00 22216 ------w- c:\windows\system32\drivers\mbam.sys
2011-11-28 04:27 . 2011-11-28 04:27 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-11-27 21:49 . 2011-11-27 21:49 -------- d-----w- c:\program files\Common Files\Apple
2011-11-27 21:48 . 2011-11-27 21:48 -------- d-----w- c:\program files\Apple Software Update
2011-11-13 19:57 . 2011-11-13 19:58 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-11-13 19:57 . 2011-11-13 19:57 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2011-11-06 19:51 . 2011-11-06 19:52 -------- d-----w- c:\program files\Common Files\Adobe AIR
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-11-29 14:25 . 2006-09-06 16:06 96384 ----a-w- c:\windows\system32\drivers\sptd2301.sys
2011-11-11 22:07 . 2011-05-25 17:32 414368 ------w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-10-24 19:29 . 2011-10-24 19:29 94208 ------w- c:\windows\system32\QuickTimeVR.qtx
2011-10-24 19:29 . 2011-10-24 19:29 69632 ------w- c:\windows\system32\QuickTime.qts
2011-10-10 14:22 . 2004-08-10 18:02 692736 ------w- c:\windows\system32\inetcomm.dll
2011-10-03 10:06 . 2010-07-24 10:39 472808 ------w- c:\windows\system32\deployJava1.dll
2011-10-03 07:37 . 2010-09-09 06:01 73728 ------w- c:\windows\system32\javacpl.cpl
2011-09-28 07:06 . 2004-08-10 17:50 599040 ------w- c:\windows\system32\crypt32.dll
2011-09-26 15:41 . 2008-07-30 00:59 611328 ------w- c:\windows\system32\uiautomationcore.dll
2011-09-26 15:41 . 2004-08-10 17:51 220160 ------w- c:\windows\system32\oleacc.dll
2011-09-26 15:41 . 2004-08-10 17:51 20480 ------w- c:\windows\system32\oleaccrc.dll
2011-09-06 13:20 . 2004-08-10 17:51 1858944 ------w- c:\windows\system32\win32k.sys
2011-11-11 06:14 . 2011-11-06 19:23 134104 ------w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{3041D03E-FD4B-44E0-B742-2D9B88305F98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2009-04-02 333192]
.
[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ------w- c:\documents and settings\Rian\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ------w- c:\documents and settings\Rian\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ------w- c:\documents and settings\Rian\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ------w- c:\documents and settings\Rian\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 218032]
"SmartRAM"="c:\program files\IObit\Advanced SystemCare 4\Suo10_SmartRAM.exe" [2011-08-09 373080]
"Xvid"="c:\program files\Xvid\CheckUpdate.exe" [2011-01-17 8192]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\FlashUtil10h_ActiveX.exe" [2010-07-10 231888]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2008-10-24 79136]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2009-06-17 55824]
"IntelZeroConfig"="c:\program files\Intel\WiFi\bin\ZCfgSvc.exe" [2010-03-05 1396736]
"IntelWireless"="c:\program files\Common Files\Intel\WirelessCommon\iFrmewrk.exe" [2010-03-05 1206544]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\stsystra.exe" [2007-05-10 405504]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-27 59240]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2011-10-24 421888]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-08-31 449608]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 1 (0x1)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 1 (0x1)
"NoThumbnailCache"= 1 (0x1)
"link"= 00000000
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2011-05-04 17:54 551296 ------w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2009-07-20 17:28 72208 ------w- c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech SetPoint.lnk]
backup=c:\windows\pss\Logitech SetPoint.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Nikon Monitor.lnk]
backup=c:\windows\pss\Nikon Monitor.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Rian^Start Menu^Programs^Startup^Dropbox.lnk]
backup=c:\windows\pss\Dropbox.lnkStartup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupportCenter
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Advanced SystemCare 4]
2011-08-09 20:56 417112 ------w- c:\program files\IObit\Advanced SystemCare 4\ASCTray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICustomerCare]
2010-03-04 18:31 311296 ------w- c:\program files\ATI\ATICustomerCare\ATICustomerCare.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Utility]
2003-12-17 13:50 19968 ------w- c:\windows\LOGI_MWX.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Mobile Connectivity Suite]
2009-11-19 22:19 598016 ------r- c:\program files\HTC\HTC Sync\Application Launcher\Application Launcher.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
2006-08-17 13:00 1116920 -c----w- c:\program files\Roxio\Drag-to-Disc\DrgToDsc.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
2007-05-10 14:22 405504 ------w- c:\program files\Sigmatel\C-Major Audio\WDM\stsystra.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
2006-11-10 16:35 90112 ------w- c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
2006-03-08 16:48 761947 ------w- c:\program files\Synaptics\SynTP\SynTPEnh.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
"c:\\Program Files\\Spotify\\spotify.exe"=
"c:\\Documents and Settings\\Rian\\Application Data\\Dropbox\\bin\\Dropbox.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"67:UDP"= 67:UDP:DHCP Discovery Service
.
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [11/28/2011 4:12 PM 239168]
R0 pctDS;PC Tools Data Store;c:\windows\system32\drivers\pctDS.sys [11/28/2011 4:12 PM 338880]
R0 pctEFA;PC Tools Extended File Attributes;c:\windows\system32\drivers\pctEFA.sys [11/28/2011 4:12 PM 656320]
R0 SmartDefragDriver;SmartDefragDriver;c:\windows\system32\drivers\SmartDefragDriver.sys [6/15/2011 2:24 PM 13496]
R1 c2scsi;c2scsi;c:\windows\system32\drivers\c2scsi.sys [1/30/2007 11:30 PM 241664]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [7/22/2011 11:27 AM 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [7/12/2011 4:55 PM 67664]
R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCore.exe [8/11/2011 6:38 PM 116608]
R2 AdvancedSystemCareService;Advanced SystemCare Service;c:\program files\IObit\Advanced SystemCare 4\ASCService.exe [6/15/2011 2:31 PM 328536]
R2 ASKUpgrade;ASKUpgrade;c:\program files\AskBarDis\bar\bin\ASKUpgrade.exe [10/5/2009 11:03 AM 234888]
R2 cbVSCService;Cobian Backup 10 Volume Shadow Copy service;c:\program files\Cobian Backup 10\cbVSCService.exe [11/28/2011 5:11 PM 67584]
R2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [6/18/2009 9:20 AM 10384]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [11/27/2011 11:27 PM 366152]
R2 ubsbm;Unibrain 1394 SBM Driver;c:\windows\system32\drivers\UBSBM.sys [7/27/2005 5:25 PM 14080]
R2 ubumapi;Unibrain 1394 FireAPI Driver;c:\windows\system32\drivers\UBUMAPI.sys [7/27/2005 5:25 PM 36352]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [11/27/2011 11:27 PM 22216]
R3 ubohci;Unibrain 1394 OHCI Driver;c:\windows\system32\drivers\ubohci.sys [7/27/2005 5:25 PM 77056]
S1 MpKsl0315ab4d;MpKsl0315ab4d;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{207EA161-5EAB-4FE3-BB47-C7CE1DA3BE4B}\MpKsl0315ab4d.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{207EA161-5EAB-4FE3-BB47-C7CE1DA3BE4B}\MpKsl0315ab4d.sys [?]
S1 MpKsl79593073;MpKsl79593073;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{C83A4B9A-799E-4B8C-8701-C5E3BC43CE08}\MpKsl79593073.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{C83A4B9A-799E-4B8C-8701-C5E3BC43CE08}\MpKsl79593073.sys [?]
S1 MpKsl8b54b2a3;MpKsl8b54b2a3;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{10245551-3F07-43F8-8B20-6B02EE24D487}\MpKsl8b54b2a3.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{10245551-3F07-43F8-8B20-6B02EE24D487}\MpKsl8b54b2a3.sys [?]
S3 cpudrv;cpudrv;c:\program files\SystemRequirementsLab\cpudrv.sys [12/18/2009 9:58 AM 11336]
S3 CrucialSMBusScan;CrucialSMBusScan; [x]
S3 HTCAND32;HTC Device Driver;c:\windows\system32\drivers\ANDROIDUSB.sys [11/16/2010 12:26 AM 24576]
S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\PC Tools Security\pctsAuxs.exe [11/28/2011 4:11 PM 366840]
S3 SMSIVZAM5;SMSIVZAM5 NDIS Protocol Driver;c:\progra~1\VERIZO~1\VZACCE~1\SMSIVZAM5.SYS [5/25/2009 3:43 PM 32408]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [9/6/2006 11:06 AM 643072]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder
.
2011-12-04 c:\windows\Tasks\ASC4_PerformanceMonitor.job
- c:\program files\IObit\Advanced SystemCare 4\PMonitor.exe [2011-06-15 20:40]
.
2011-12-04 c:\windows\Tasks\Game_Booster_Startup.job
- c:\program files\IObit\Game Booster\gbtray.exe [2011-06-07 20:20]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7
uStart Page = hxxp://yahoo.com/
uInternet Connection Wizard,ShellNext = "c:\program files\Outlook Express\msimn.exe" //mailurl:mailto:feedback@livingsocial.com
uInternet Settings,ProxyOverride = *.local;<local>
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
LSP: c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll
TCP: DhcpNameServer = 68.87.68.166 68.87.74.166
FF - ProfilePath - c:\documents and settings\Rian\Application Data\Mozilla\Firefox\Profiles\t786d2az.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-&p=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://yahoo.com/
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-&p=
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 5555
FF - prefs.js: network.proxy.type - 0
FF - user.js: browser.cache.memory.capacity - 16000
FF - user.js: browser.chrome.favicons - false
FF - user.js: browser.display.show_image_placeholders - true
FF - user.js: browser.turbo.enabled - true
FF - user.js: browser.urlbar.autocomplete.enabled - true
FF - user.js: browser.urlbar.autofill - true
FF - user.js: content.max.tokenizing.time - 2250000
FF - user.js: content.maxtextrun - 4095
FF - user.js: content.notify.backoffcount - 5
FF - user.js: content.notify.interval - 750000
FF - user.js: content.notify.ontimer - true
FF - user.js: content.switch.threshold - 750000
FF - user.js: dom.disable_window_status_change - true
FF - user.js: network.http.max-connections - 32
FF - user.js: network.http.max-connections-per-server - 8
FF - user.js: network.http.max-persistent-connections-per-proxy - 8
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: network.http.pipelining - true
FF - user.js: network.http.pipelining.firstrequest - true
FF - user.js: network.http.pipelining.maxrequests - 8
FF - user.js: network.http.proxy.pipelining - true
FF - user.js: network.http.request.max-start-delay - 0
FF - user.js: nglayout.initialpaint.delay - 750
FF - user.js: plugin.expose_full_path - true
FF - user.js: ui.submenuDelay - 0
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
MSConfigStartUp-iTunesHelper - c:\program files\iTunes\iTunesHelper.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-12-04 13:32
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: ST9120821AS rev.8.03 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
.
device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user != kernel MBR !!!
sectors 231496648 (+255): user != kernel
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(940)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll
c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
c:\program files\common files\logishrd\bluetooth\LBTServ.dll
.
- - - - - - - > 'explorer.exe'(1812)
c:\windows\system32\WININET.dll
c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll
c:\documents and settings\Rian\Application Data\Dropbox\bin\DropboxExt.14.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\dfshim.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86\MSVCR80.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Roxio\Drag-to-Disc\Shellex.dll
c:\windows\system32\DLAAPI_W.DLL
c:\windows\system32\CDRTC.DLL
c:\program files\Roxio\Drag-to-Disc\ShellRes.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\program files\Intel\WiFi\bin\EvtEng.exe
c:\program files\Intel\WiFi\bin\S24EvMon.exe
c:\program files\Intel\WiFi\bin\WLKeeper.exe
c:\windows\system32\wbem\unsecapp.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Intel\WirelessCommon\RegSrvc.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
c:\windows\system32\SearchIndexer.exe
c:\program files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\windows\system32\wbem\unsecapp.exe
c:\program files\Internet Explorer\IEXPLORE.EXE
.
**************************************************************************
.
Completion time: 2011-12-04 13:58:22 - machine was rebooted
ComboFix-quarantined-files.txt 2011-12-04 18:57
.
Pre-Run: 6,209,667,072 bytes free
Post-Run: 6,179,827,712 bytes free
.
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
.
- - End Of File - - 2600D618C9E7084E4E0A417643AD6E88

#8 RPMcMurphy

RPMcMurphy

    Bleeping *^#@%~


  • Malware Response Team
  • 3,970 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:03:03 AM

Posted 04 December 2011 - 10:37 PM

Please do this now:

Open Notepad (go to Start > All Programs > Accessories > Notepad; this will only work with Notepad) and copy all the text inside the code box by highlighting it all and pressing CTRL+C on your keyboard, then paste it into Notepad. Make sure there is no space before and above Firefox::

Firefox::
FF - ProfilePath - c:\documents and settings\Rian\Application Data\Mozilla\Firefox\Profiles\t786d2az.default\
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 5555

Save this as CFScript to your desktop.

Then disable your security programs and drag the CFScript into ComboFix.exe as you see in the screenshot below.

Posted Image


This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.

Download TDSSKiller.zip and extract TDSSKiller.exe to your desktop
  • Execute TDSSKiller.exe by double-clicking on it.
  • Press Start Scan
  • If Malicious objects are found then ensure Cure is selected. Important - If there is no option to "Cure" it is critical that you select "Skip"
  • Then click Continue > Reboot now
  • Once complete, a log will be produced in c:\. It will be named for example, TDSSKiller.2.4.0.0_24.07.2010_13.10.52_log.txt
  • Post that log, please.
Please include the following in your next post:
  • ComboFix log
  • TDSSKiller log

Threads are closed after 5 days of inactivity.

ASAP & UNITE Member


The help you receive here is free. If you wish to show your appreciation, then you may donate.
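The CFScript above removes two Firefox preferences that appeared in the ComboFix log: an HTTP proxy pointing at 127.0.0.1 on port 5555. A proxy that points back at the local machine lets software on that machine rewrite the browser's traffic, which is consistent with search redirects, so it is worth checking for directly rather than only in a full ComboFix run. The Python below is an added example, not code from the thread, from ComboFix or from Mozilla: it parses a prefs.js file, flags any proxy host that points at the machine itself, and distinguishes an active setting (network.proxy.type 1, manual) from a dormant one (any other type; the log above shows type 0, so the entries there were dormant but one pref flip from active). It goes beyond the log by also checking the ssl, ftp and socks proxy keys and a PAC autoconfig URL. The prefs.js content is constructed inline from the log's values, and the key names are the standard Firefox ones.

```python
import re

# Constructed sample prefs.js, built from the network.proxy.* values ComboFix
# reported for the Firefox profile in this thread; the other lines are filler.
SAMPLE_PREFS = '''# Mozilla User Preferences
user_pref("browser.startup.homepage", "http://yahoo.com/");
user_pref("browser.search.selectedEngine", "Google");
user_pref("network.proxy.http", "127.0.0.1");
user_pref("network.proxy.http_port", 5555);
user_pref("network.proxy.type", 0);
'''

# prefs.js lines look like: user_pref("name", value);  value is a string, int or bool
PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.*?)\);\s*$')


def parse_prefs(text):
    """Parse user_pref(...) lines into a dict, decoding strings, ints and booleans."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue   # comments, blank lines and anything unparseable are skipped
        key, raw = m.group(1), m.group(2).strip()
        if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
            prefs[key] = raw[1:-1]
        elif raw in ("true", "false"):
            prefs[key] = raw == "true"
        else:
            try:
                prefs[key] = int(raw)
            except ValueError:
                prefs[key] = raw
    return prefs


# Hosts that send the browser back to the machine it runs on. Some legitimate
# software (local filtering proxies, Tor) does this too, so a hit is something
# to verify against installed software, not proof of infection on its own.
LOOPBACK_PREFIXES = ("127.", "localhost", "::1", "0.0.0.0")


def proxy_findings(prefs):
    """Return suspicious proxy settings from a parsed prefs dict.

    Firefox only honours network.proxy.<scheme> when network.proxy.type is 1
    (manual). A loopback proxy under any other type is reported as 'dormant':
    inert right now, but it becomes live the moment the type is changed, which
    is a reason to remove the entries rather than just reset the type.
    """
    findings = []
    ptype = prefs.get("network.proxy.type")
    for scheme in ("http", "ssl", "ftp", "socks"):
        host = prefs.get(f"network.proxy.{scheme}")
        if not isinstance(host, str) or not host:
            continue
        if host.lower().startswith(LOOPBACK_PREFIXES):
            findings.append({
                "scheme": scheme,
                "host": host,
                "port": prefs.get(f"network.proxy.{scheme}_port"),
                "state": "active" if ptype == 1 else "dormant",
            })
    # A PAC script (type 2) can steer traffic just as effectively as a fixed proxy.
    pac = prefs.get("network.proxy.autoconfig_url")
    if isinstance(pac, str) and pac and ptype == 2:
        findings.append({"scheme": "pac", "host": pac, "port": None, "state": "active"})
    return findings


def check_prefs_text(text):
    """Convenience wrapper: raw prefs.js text in, list of findings out."""
    return proxy_findings(parse_prefs(text))


if __name__ == "__main__":
    for f in check_prefs_text(SAMPLE_PREFS):
        print(f"{f['state']:7} {f['scheme']} proxy -> {f['host']}:{f['port']}")
```

To run it against a real profile, pass the file contents to check_prefs_text (for example the prefs.js under the ProfilePath that ComboFix printed). Firefox rewrites prefs.js on exit, so read it with the browser closed.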


#9 BattleRidden

BattleRidden
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Local time:02:03 AM

Posted 04 December 2011 - 11:01 PM

After drag-n-drop of the text file into ComboFix, it has prompted asking if I'd like to update ComboFix to the newer version. Do so or not?

#10 BattleRidden

BattleRidden
  • Topic Starter

  • Members
  • 24 posts
  • OFFLINE
  •  
  • Local time:02:03 AM

Posted 05 December 2011 - 10:36 AM

Here is ComboFix log... still can't get TDSSKiller to run. Same issue as before. Any suggestions?


ComboFix 11-12-04.04 - Rian 12/05/2011 2:11.3.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.546 [GMT -5:00]
Running from: c:\documents and settings\Rian\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Rian\Desktop\CFScript.txt
AV: Spyware Doctor with AntiVirus *Disabled/Updated* {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}
.
.
((((((((((((((((((((((((( Files Created from 2011-11-05 to 2011-12-05 )))))))))))))))))))))))))))))))
.
.
2011-11-28 21:15 . 2011-11-28 21:15 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Safe mirror
2011-11-28 21:13 . 2011-11-28 22:11 -------- d-----w- c:\program files\Cobian Backup 10
2011-11-28 21:12 . 2010-07-16 19:59 656320 ------w- c:\windows\system32\drivers\pctEFA.sys
2011-11-28 21:12 . 2010-07-16 19:59 338880 ------w- c:\windows\system32\drivers\pctDS.sys
2011-11-28 21:12 . 2011-01-17 14:10 251560 ------w- c:\windows\system32\drivers\pctgntdi.sys
2011-11-28 21:12 . 2010-12-10 21:57 160448 ------w- c:\windows\system32\drivers\PCTAppEvent.sys
2011-11-28 21:12 . 2010-12-10 18:24 239168 ------w- c:\windows\system32\drivers\PCTCore.sys
2011-11-28 21:12 . 2010-12-16 13:46 70536 ------w- c:\windows\system32\drivers\pctplsg.sys
2011-11-28 21:11 . 2011-11-28 21:16 -------- d-----w- c:\program files\Common Files\PC Tools
2011-11-28 21:11 . 2011-11-28 22:05 -------- d-----w- c:\program files\PC Tools Security
2011-11-28 21:11 . 2011-11-28 21:11 -------- d-----w- c:\documents and settings\Rian\Application Data\PC Tools
2011-11-28 20:33 . 2011-11-28 21:12 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2011-11-28 08:08 . 2011-11-28 08:11 -------- dc-h--w- c:\windows\ie8
2011-11-28 07:01 . 2011-11-28 07:01 -------- d-----w- c:\program files\Trend Micro
2011-11-28 04:27 . 2011-08-31 22:00 22216 ------w- c:\windows\system32\drivers\mbam.sys
2011-11-28 04:27 . 2011-11-28 04:27 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-11-27 21:49 . 2011-11-27 21:49 -------- d-----w- c:\program files\Common Files\Apple
2011-11-27 21:48 . 2011-11-27 21:48 -------- d-----w- c:\program files\Apple Software Update
2011-11-13 19:57 . 2011-11-13 19:58 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-11-13 19:57 . 2011-11-13 19:57 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2011-11-06 19:51 . 2011-11-06 19:52 -------- d-----w- c:\program files\Common Files\Adobe AIR
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-11-29 14:25 . 2006-09-06 16:06 96384 ----a-w- c:\windows\system32\drivers\sptd2301.sys
2011-11-11 22:07 . 2011-05-25 17:32 414368 ------w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-10-24 19:29 . 2011-10-24 19:29 94208 ------w- c:\windows\system32\QuickTimeVR.qtx
2011-10-24 19:29 . 2011-10-24 19:29 69632 ------w- c:\windows\system32\QuickTime.qts
2011-10-10 14:22 . 2004-08-10 18:02 692736 ------w- c:\windows\system32\inetcomm.dll
2011-10-03 10:06 . 2010-07-24 10:39 472808 ------w- c:\windows\system32\deployJava1.dll
2011-10-03 07:37 . 2010-09-09 06:01 73728 ------w- c:\windows\system32\javacpl.cpl
2011-09-28 07:06 . 2004-08-10 17:50 599040 ------w- c:\windows\system32\crypt32.dll
2011-09-26 15:41 . 2008-07-30 00:59 611328 ------w- c:\windows\system32\uiautomationcore.dll
2011-09-26 15:41 . 2004-08-10 17:51 220160 ------w- c:\windows\system32\oleacc.dll
2011-09-26 15:41 . 2004-08-10 17:51 20480 ------w- c:\windows\system32\oleaccrc.dll
2011-09-06 13:20 . 2004-08-10 17:51 1858944 ------w- c:\windows\system32\win32k.sys
2011-11-11 06:14 . 2011-11-06 19:23 134104 ------w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{3041D03E-FD4B-44E0-B742-2D9B88305F98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2009-04-02 333192]
.
[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt1]
@="{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ------w- c:\documents and settings\Rian\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt2]
@="{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ------w- c:\documents and settings\Rian\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt3]
@="{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ------w- c:\documents and settings\Rian\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\DropboxExt4]
@="{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}"
[HKEY_CLASSES_ROOT\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}]
2011-02-18 05:12 94208 ------w- c:\documents and settings\Rian\Application Data\Dropbox\bin\DropboxExt.14.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 218032]
"SmartRAM"="c:\program files\IObit\Advanced SystemCare 4\Suo10_SmartRAM.exe" [2011-08-09 373080]
"Xvid"="c:\program files\Xvid\CheckUpdate.exe" [2011-01-17 8192]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2008-10-24 79136]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2009-06-17 55824]
"IntelZeroConfig"="c:\program files\Intel\WiFi\bin\ZCfgSvc.exe" [2010-03-05 1396736]
"IntelWireless"="c:\program files\Common Files\Intel\WirelessCommon\iFrmewrk.exe" [2010-03-05 1206544]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\stsystra.exe" [2007-05-10 405504]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-27 59240]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2011-10-24 421888]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-08-31 449608]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 1 (0x1)
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 1 (0x1)
"NoThumbnailCache"= 1 (0x1)
"link"= 00000000
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2011-05-04 17:54 551296 ------w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
2009-07-20 17:28 72208 ------w- c:\program files\Common Files\Logishrd\Bluetooth\LBTWLgn.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech SetPoint.lnk]
backup=c:\windows\pss\Logitech SetPoint.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Nikon Monitor.lnk]
backup=c:\windows\pss\Nikon Monitor.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Rian^Start Menu^Programs^Startup^Dropbox.lnk]
backup=c:\windows\pss\Dropbox.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Advanced SystemCare 4]
2011-08-09 20:56 417112 ------w- c:\program files\IObit\Advanced SystemCare 4\ASCTray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICustomerCare]
2010-03-04 18:31 311296 ------w- c:\program files\ATI\ATICustomerCare\ATICustomerCare.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Utility]
2003-12-17 13:50 19968 ------w- c:\windows\LOGI_MWX.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Mobile Connectivity Suite]
2009-11-19 22:19 598016 ------r- c:\program files\HTC\HTC Sync\Application Launcher\Application Launcher.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
2006-08-17 13:00 1116920 -c----w- c:\program files\Roxio\Drag-to-Disc\DrgToDsc.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
2007-05-10 14:22 405504 ------w- c:\program files\Sigmatel\C-Major Audio\WDM\stsystra.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
2006-11-10 16:35 90112 ------w- c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
2006-03-08 16:48 761947 ------w- c:\program files\Synaptics\SynTP\SynTPEnh.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
"c:\\Program Files\\Spotify\\spotify.exe"=
"c:\\Documents and Settings\\Rian\\Application Data\\Dropbox\\bin\\Dropbox.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"67:UDP"= 67:UDP:DHCP Discovery Service
.
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [11/28/2011 4:12 PM 239168]
R0 pctDS;PC Tools Data Store;c:\windows\system32\drivers\pctDS.sys [11/28/2011 4:12 PM 338880]
R0 pctEFA;PC Tools Extended File Attributes;c:\windows\system32\drivers\pctEFA.sys [11/28/2011 4:12 PM 656320]
R0 SmartDefragDriver;SmartDefragDriver;c:\windows\system32\drivers\SmartDefragDriver.sys [6/15/2011 2:24 PM 13496]
R1 c2scsi;c2scsi;c:\windows\system32\drivers\c2scsi.sys [1/30/2007 11:30 PM 241664]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [7/22/2011 11:27 AM 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [7/12/2011 4:55 PM 67664]
R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCore.exe [8/11/2011 6:38 PM 116608]
R2 AdvancedSystemCareService;Advanced SystemCare Service;c:\program files\IObit\Advanced SystemCare 4\ASCService.exe [6/15/2011 2:31 PM 328536]
R2 ASKUpgrade;ASKUpgrade;c:\program files\AskBarDis\bar\bin\ASKUpgrade.exe [10/5/2009 11:03 AM 234888]
R2 cbVSCService;Cobian Backup 10 Volume Shadow Copy service;c:\program files\Cobian Backup 10\cbVSCService.exe [11/28/2011 5:11 PM 67584]
R2 LBeepKE;LBeepKE;c:\windows\system32\drivers\LBeepKE.sys [6/18/2009 9:20 AM 10384]
R2 ubsbm;Unibrain 1394 SBM Driver;c:\windows\system32\drivers\UBSBM.sys [7/27/2005 5:25 PM 14080]
R2 ubumapi;Unibrain 1394 FireAPI Driver;c:\windows\system32\drivers\UBUMAPI.sys [7/27/2005 5:25 PM 36352]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [11/27/2011 11:27 PM 22216]
R3 ubohci;Unibrain 1394 OHCI Driver;c:\windows\system32\drivers\ubohci.sys [7/27/2005 5:25 PM 77056]
S1 MpKsl0315ab4d;MpKsl0315ab4d;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{207EA161-5EAB-4FE3-BB47-C7CE1DA3BE4B}\MpKsl0315ab4d.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{207EA161-5EAB-4FE3-BB47-C7CE1DA3BE4B}\MpKsl0315ab4d.sys [?]
S1 MpKsl79593073;MpKsl79593073;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{C83A4B9A-799E-4B8C-8701-C5E3BC43CE08}\MpKsl79593073.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{C83A4B9A-799E-4B8C-8701-C5E3BC43CE08}\MpKsl79593073.sys [?]
S1 MpKsl8b54b2a3;MpKsl8b54b2a3;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{10245551-3F07-43F8-8B20-6B02EE24D487}\MpKsl8b54b2a3.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{10245551-3F07-43F8-8B20-6B02EE24D487}\MpKsl8b54b2a3.sys [?]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [11/27/2011 11:27 PM 366152]
S3 cpudrv;cpudrv;c:\program files\SystemRequirementsLab\cpudrv.sys [12/18/2009 9:58 AM 11336]
S3 CrucialSMBusScan;CrucialSMBusScan; [x]
S3 HTCAND32;HTC Device Driver;c:\windows\system32\drivers\ANDROIDUSB.sys [11/16/2010 12:26 AM 24576]
S3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys --> c:\windows\system32\drivers\mbamswissarmy.sys [?]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\PC Tools Security\pctsAuxs.exe [11/28/2011 4:11 PM 366840]
S3 SMSIVZAM5;SMSIVZAM5 NDIS Protocol Driver;c:\progra~1\VERIZO~1\VZACCE~1\SMSIVZAM5.SYS [5/25/2009 3:43 PM 32408]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [9/6/2006 11:06 AM 643072]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder
.
2011-12-05 c:\windows\Tasks\ASC4_PerformanceMonitor.job
- c:\program files\IObit\Advanced SystemCare 4\PMonitor.exe [2011-06-15 20:40]
.
2011-12-04 c:\windows\Tasks\Game_Booster_Startup.job
- c:\program files\IObit\Game Booster\gbtray.exe [2011-06-07 20:20]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7
uStart Page = hxxp://yahoo.com/
uInternet Connection Wizard,ShellNext = "c:\program files\Outlook Express\msimn.exe" //mailurl:mailto:feedback@livingsocial.com
uInternet Settings,ProxyOverride = *.local;<local>
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
LSP: c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll
TCP: DhcpNameServer = 68.87.68.166 68.87.74.166
FF - ProfilePath - c:\documents and settings\Rian\Application Data\Mozilla\Firefox\Profiles\t786d2az.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-&p=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://yahoo.com/
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-&p=
FF - prefs.js: network.proxy.type - 0
FF - user.js: browser.cache.memory.capacity - 16000
FF - user.js: browser.chrome.favicons - false
FF - user.js: browser.display.show_image_placeholders - true
FF - user.js: browser.turbo.enabled - true
FF - user.js: browser.urlbar.autocomplete.enabled - true
FF - user.js: browser.urlbar.autofill - true
FF - user.js: content.max.tokenizing.time - 2250000
FF - user.js: content.maxtextrun - 4095
FF - user.js: content.notify.backoffcount - 5
FF - user.js: content.notify.interval - 750000
FF - user.js: content.notify.ontimer - true
FF - user.js: content.switch.threshold - 750000
FF - user.js: dom.disable_window_status_change - true
FF - user.js: network.http.max-connections - 32
FF - user.js: network.http.max-connections-per-server - 8
FF - user.js: network.http.max-persistent-connections-per-proxy - 8
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: network.http.pipelining - true
FF - user.js: network.http.pipelining.firstrequest - true
FF - user.js: network.http.pipelining.maxrequests - 8
FF - user.js: network.http.proxy.pipelining - true
FF - user.js: network.http.request.max-start-delay - 0
FF - user.js: nglayout.initialpaint.delay - 750
FF - user.js: plugin.expose_full_path - true
FF - user.js: ui.submenuDelay - 0
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-12-05 02:55
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: ST9120821AS rev.8.03 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
.
device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user != kernel MBR !!!
sectors 231496648 (+255): user != kernel
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(940)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll
c:\program files\common files\logishrd\bluetooth\LBTWlgn.dll
c:\program files\common files\logishrd\bluetooth\LBTServ.dll
.
- - - - - - - > 'explorer.exe'(4824)
c:\windows\system32\WININET.dll
c:\program files\Common Files\PC Tools\Lsp\PCTLsp.dll
c:\documents and settings\Rian\Application Data\Dropbox\bin\DropboxExt.14.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\dfshim.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86\MSVCR80.dll
c:\program files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2011-12-05 03:14:47
ComboFix-quarantined-files.txt 2011-12-05 08:14
ComboFix2.txt 2011-12-05 06:30
ComboFix3.txt 2011-12-04 18:58
.
Pre-Run: 6,326,353,920 bytes free
Post-Run: 6,302,744,576 bytes free
.
- - End Of File - - 26EEB88C439ECFBE3A625CD4654A85A2

#11 RPMcMurphy

    Bleeping *^#@%~


  • Malware Response Team
  • 3,970 posts
  • Gender:Male
  • Local time:03:03 AM

Posted 05 December 2011 - 02:41 PM

Please do this now:

Click Start > Run or Press Windows Key + R and copy/paste the following single-line command into the Run box and click OK:

"%userprofile%\Desktop\MBRCheck.exe" -s 0 -d mbrdump.dat
This will place a file named mbrdump.dat on your desktop. Zip the mbrdump.dat file and add it as an attachment to your next reply.

Please include the following in your next post:
  • Attach the zipped mbrdump.dat file

Threads are closed after 5 days of inactivity.

ASAP & UNITE Member


The help you receive here is free. If you wish to show your appreciation, then you may donate.


#12 BattleRidden

  • Topic Starter

  • Members
  • 24 posts
  • Local time:02:03 AM

Posted 05 December 2011 - 10:57 PM

mbrdump.dat zipped file attached...


#13 RPMcMurphy

    Bleeping *^#@%~


  • Malware Response Team
  • 3,970 posts
  • Gender:Male
  • Local time:03:03 AM

Posted 05 December 2011 - 11:20 PM

Please do this now:

Click Start > Run or press Windows Key + R, copy/paste the following into the Run box that opens and press OK:

"%userprofile%\Desktop\MBRCheck.exe" -s 0 -f 0
A .txt file named MBRCheck_mm.dd.yy_hh.mm.ss should appear on your desktop. Reboot your PC and post the contents of the log.

This will place a file named mbrdump.dat on your desktop. Zip the mbrdump.dat file and add it as an attachment to your next reply.

Please include the following in your next post:
  • MBRCheck log

Edited by RPMcMurphy, 05 December 2011 - 11:20 PM.



#14 BattleRidden

  • Topic Starter

  • Members
  • 24 posts
  • Local time:02:03 AM

Posted 05 December 2011 - 11:40 PM

Below is the copy of the MBRCheck.txt log.

"This will place a file named mbrdump.dat on your desktop. Zip the mbrdump.dat file and add it as an attachment to your next reply."

Did you mean to include this portion in your last post or not? If so, I have no new .dat file that appeared after reboot or run... but there is a .bak file that is on the desktop now. Is that what you want??? And should I be deleting some of these files/applications after sending what you need? Thanks.


MBRCheck, version 1.2.3
© 2010, AD

Command-line: -s 0 -f 0
Windows Version: Windows XP Home Edition
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x0000000c

Kernel Drivers (total 155):
0x804D7000 \WINDOWS\system32\ntkrnlpa.exe
0x806E5000 \WINDOWS\system32\hal.dll
0xF7B51000 \WINDOWS\system32\KDCOM.DLL
0xF7A61000 \WINDOWS\system32\BOOTVID.dll
0xF7530000 fltmgr.sys
0xF7502000 ACPI.sys
0xF7B53000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
0xF74F1000 pci.sys
0xF7651000 isapnp.sys
0xF7A65000 compbatt.sys
0xF7A69000 \WINDOWS\system32\DRIVERS\BATTC.SYS
0xF7C19000 pciide.sys
0xF78D1000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
0xF7661000 MountMgr.sys
0xF74D2000 ftdisk.sys
0xF78D9000 PartMgr.sys
0xF7671000 VolSnap.sys
0xF74BA000 atapi.sys
0xF7681000 disk.sys
0xF7691000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
0xF74A8000 sr.sys
0xF746B000 PCTCore.sys
0xF7414000 pctDS.sys
0xF736F000 pctEFA.sys
0xF7359000 DRVMCDB.SYS
0xF76A1000 PxHelp20.sys
0xF7342000 KSecDD.sys
0xF732F000 WudfPf.sys
0xF72A2000 Ntfs.sys
0xF7275000 NDIS.sys
0xF76B1000 Combo-Fix.sys
0xF7B55000 SmartDefragDriver.sys
0xF76C1000 ohci1394.sys
0xF76D1000 \WINDOWS\system32\DRIVERS\1394BUS.SYS
0xF725B000 Mup.sys
0xF77D1000 \SystemRoot\system32\DRIVERS\intelppm.sys
0xF7223000 \SystemRoot\system32\DRIVERS\wmiacpi.sys
0xF721F000 \SystemRoot\system32\DRIVERS\CmBatt.sys
0xF64D6000 \SystemRoot\system32\DRIVERS\ati2mtag.sys
0xF64C2000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
0xF649C000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
0xF5E4E000 \SystemRoot\system32\DRIVERS\NETw5x32.sys
0xF7999000 \SystemRoot\system32\DRIVERS\usbuhci.sys
0xF5E2A000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0xF79A1000 \SystemRoot\system32\DRIVERS\usbehci.sys
0xF77E1000 \SystemRoot\system32\DRIVERS\bcm4sbxp.sys
0xF5E17000 \SystemRoot\system32\DRIVERS\ubohci.sys
0xF5E01000 \SystemRoot\system32\DRIVERS\UB1394.SYS
0xF5DED000 \SystemRoot\system32\DRIVERS\sdbus.sys
0xF77F1000 \SystemRoot\system32\DRIVERS\rimmptsk.sys
0xF5DD9000 \SystemRoot\system32\DRIVERS\rimsptsk.sys
0xF5D88000 \SystemRoot\system32\DRIVERS\rixdptsk.sys
0xF7801000 \SystemRoot\system32\DRIVERS\i8042prt.sys
0xF5D59000 \SystemRoot\system32\DRIVERS\SynTP.sys
0xF7BA1000 \SystemRoot\system32\DRIVERS\USBD.SYS
0xF79A9000 \SystemRoot\system32\DRIVERS\mouclass.sys
0xF79B1000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0xF7811000 \SystemRoot\system32\DRIVERS\imapi.sys
0xF7821000 \SystemRoot\system32\DRIVERS\cdrom.sys
0xF7831000 \SystemRoot\system32\DRIVERS\redbook.sys
0xF5D36000 \SystemRoot\system32\DRIVERS\ks.sys
0xF7841000 \SystemRoot\System32\Drivers\GEARAspiWDM.sys
0xF7C2C000 \SystemRoot\system32\DRIVERS\audstub.sys
0xF7851000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0xF68F5000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0xF5D1F000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0xF7861000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0xF7871000 \SystemRoot\system32\DRIVERS\raspptp.sys
0xF79B9000 \SystemRoot\system32\DRIVERS\TDI.SYS
0xF5D0E000 \SystemRoot\system32\DRIVERS\psched.sys
0xF7881000 \SystemRoot\system32\DRIVERS\msgpc.sys
0xF79C1000 \SystemRoot\system32\DRIVERS\ptilink.sys
0xF79C9000 \SystemRoot\system32\DRIVERS\raspti.sys
0xF7891000 \SystemRoot\system32\DRIVERS\termdd.sys
0xF5CD3000 \SystemRoot\System32\Drivers\c2scsi.SYS
0xF5CBB000 \SystemRoot\System32\Drivers\SCSIPORT.SYS
0xF7BA3000 \SystemRoot\system32\DRIVERS\swenum.sys
0xF5C5D000 \SystemRoot\system32\DRIVERS\update.sys
0xF68E1000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0xF79D1000 \SystemRoot\system32\DRIVERS\omci.sys
0xF78A1000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xEBABB000 \SystemRoot\system32\drivers\sthda.sys
0xEBA97000 \SystemRoot\system32\drivers\portcls.sys
0xF7771000 \SystemRoot\system32\drivers\drmk.sys
0xEB939000 \SystemRoot\system32\drivers\monfilt.sys
0xEB8FF000 \SystemRoot\system32\DRIVERS\HSXHWAZL.sys
0xEB7F4000 \SystemRoot\system32\DRIVERS\HSX_DPV.sys
0xEB73E000 \SystemRoot\system32\DRIVERS\HSX_CNXT.sys
0xF7949000 \SystemRoot\System32\Drivers\Modem.SYS
0xF5BF1000 \SystemRoot\system32\DRIVERS\usbhub.sys
0xB95C8000 \SystemRoot\System32\Drivers\i2omgmt.SYS
0xF7C05000 \SystemRoot\System32\Drivers\DLACDBHM.SYS
0xF7C07000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xB9964000 \SystemRoot\System32\Drivers\Null.SYS
0xF7C09000 \SystemRoot\System32\Drivers\Beep.SYS
0xEB714000 \SystemRoot\System32\Drivers\DLARTL_M.SYS
0xEB70C000 \SystemRoot\System32\drivers\vga.sys
0xF7C0B000 \SystemRoot\System32\Drivers\mnmdd.SYS
0xF7C0D000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0xEB704000 \SystemRoot\System32\Drivers\Msfs.SYS
0xEB6FC000 \SystemRoot\System32\Drivers\Npfs.SYS
0xB95B8000 \SystemRoot\system32\DRIVERS\rasacd.sys
0xB8AC2000 \SystemRoot\system32\DRIVERS\ipsec.sys
0xB8A69000 \SystemRoot\system32\DRIVERS\tcpip.sys
0xB89AA000 \SystemRoot\system32\DRIVERS\netbt.sys
0xB8984000 \SystemRoot\system32\DRIVERS\ipnat.sys
0xB95AC000 \SystemRoot\System32\drivers\ws2ifsl.sys
0xB8962000 \SystemRoot\System32\drivers\afd.sys
0xF3F5D000 \SystemRoot\system32\DRIVERS\netbios.sys
0xB8940000 \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS
0xEB6F4000 \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
0xB887E000 \SystemRoot\system32\DRIVERS\rdbss.sys
0xB87E6000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0xF3F3D000 \SystemRoot\System32\Drivers\Fips.SYS
0xB9584000 \SystemRoot\SYSTEM32\DRIVERS\APPDRV.SYS
0xEB6CA000 \SystemRoot\system32\DRIVERS\wanarp.sys
0xB5EE8000 \SystemRoot\System32\Drivers\Cdfs.SYS
0xBF800000 \SystemRoot\System32\win32k.sys
0xB4365000 \SystemRoot\System32\drivers\Dxapi.sys
0xB3245000 \SystemRoot\System32\watchdog.sys
0xBF000000 \SystemRoot\System32\drivers\dxg.sys
0xF7C67000 \SystemRoot\System32\drivers\dxgthk.sys
0xBF012000 \SystemRoot\System32\ati2dvag.dll
0xBF058000 \SystemRoot\System32\ati2cqag.dll
0xBF0D3000 \SystemRoot\System32\atikvmag.dll
0xBF141000 \SystemRoot\System32\atiok3x2.dll
0xBF16E000 \SystemRoot\System32\ati3duag.dll
0xBF469000 \SystemRoot\System32\ativvaxx.dll
0xBF600000 \SystemRoot\System32\ATMFD.DLL
0xB62E1000 \??\C:\WINDOWS\system32\drivers\mbam.sys
0xB479F000 \SystemRoot\System32\Drivers\DRVNDDM.SYS
0xB5410000 \SystemRoot\System32\DLA\DLADResM.SYS
0xB0FED000 \SystemRoot\System32\DLA\DLAIFS_M.SYS
0xB9540000 \SystemRoot\System32\DLA\DLAOPIOM.SYS
0xF7B8B000 \SystemRoot\System32\DLA\DLAPoolM.SYS
0xF7969000 \SystemRoot\System32\DLA\DLABMFSM.SYS
0xB6EAE000 \SystemRoot\System32\DLA\DLABOIOM.SYS
0xB0FD7000 \SystemRoot\System32\DLA\DLAUDFAM.SYS
0xB0FC0000 \SystemRoot\System32\DLA\DLAUDF_M.SYS
0xB5797000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0xB578B000 \SystemRoot\system32\DRIVERS\s24trans.sys
0xAFE01000 \SystemRoot\system32\drivers\wdmaud.sys
0xB8DFE000 \SystemRoot\system32\drivers\sysaudio.sys
0xAFCEC000 \SystemRoot\system32\drivers\ctusfsyn.sys
0xAFCBC000 \SystemRoot\system32\DRIVERS\ctoss2k.sys
0xAFC96000 \SystemRoot\system32\DRIVERS\ctsfm2k.sys
0xF7CD6000 \SystemRoot\System32\Drivers\LBeepKE.sys
0xAF98E000 \SystemRoot\system32\DRIVERS\srv.sys
0xAFA2E000 \SystemRoot\system32\DRIVERS\mdmxsdk.sys
0xAF89A000 \SystemRoot\system32\DRIVERS\ubsbm.sys
0xAFD53000 \SystemRoot\system32\DRIVERS\ubumapi.sys
0xB645C000 \??\C:\DOCUME~1\Rian\LOCALS~1\Temp\catchme.sys
0xEB66A000 \SystemRoot\system32\DRIVERS\ipfltdrv.sys
0xB87C1000 \??\C:\WINDOWS\system32\Drivers\PROCEXP113.SYS
0x7C900000 \WINDOWS\system32\ntdll.dll

Processes (total 42):
0 System Idle Process
4 System
860 C:\WINDOWS\system32\smss.exe
908 csrss.exe
940 C:\WINDOWS\system32\winlogon.exe
984 C:\WINDOWS\system32\services.exe
996 C:\WINDOWS\system32\lsass.exe
1160 C:\WINDOWS\system32\ati2evxx.exe
1196 C:\WINDOWS\system32\svchost.exe
1264 svchost.exe
1380 C:\WINDOWS\system32\svchost.exe
1424 C:\WINDOWS\system32\svchost.exe
1464 C:\WINDOWS\system32\ati2evxx.exe
1656 C:\Program Files\Intel\WiFi\bin\EvtEng.exe
1684 C:\Program Files\Intel\WiFi\bin\S24EvMon.exe
1716 C:\Program Files\Intel\WiFi\bin\WLKEEPER.exe
1932 svchost.exe
576 C:\WINDOWS\system32\spoolsv.exe
772 C:\Program Files\SUPERAntiSpyware\SASCore.exe
784 unsecapp.exe
884 C:\Program Files\IObit\Advanced SystemCare 4\ASCService.exe
1132 wmiprvse.exe
2080 C:\Program Files\AskBarDis\bar\bin\ASKUpgrade.exe
2132 C:\Program Files\Cobian Backup 10\cbVSCService.exe
2232 C:\Program Files\Java\jre6\bin\jqs.exe
2496 C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe
2572 C:\WINDOWS\system32\svchost.exe
2648 C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
2764 C:\WINDOWS\system32\searchindexer.exe
3544 C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVCM.EXE
728 alg.exe
3220 C:\Program Files\Intel\WiFi\bin\ZCfgSvc.exe
904 C:\Program Files\Common Files\Intel\WirelessCommon\iFrmewrk.exe
3320 C:\Program Files\Sigmatel\C-Major Audio\WDM\stsystra.exe
3120 C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
2488 C:\WINDOWS\system32\wbem\unsecapp.exe
3024 C:\WINDOWS\system32\ctfmon.exe
4824 C:\WINDOWS\explorer.exe
532 C:\WINDOWS\system32\svchost.exe
3996 C:\Program Files\Mozilla Firefox\firefox.exe
4100 C:\Program Files\Mozilla Firefox\plugin-container.exe
4120 C:\Documents and Settings\Rian\Desktop\MBRCheck.exe

Writing Windows XP MBR code to \\.\PhysicalDrive0...
Successfully wrote new MBR code!
Please reboot your computer to complete the fix.


Done!

#15 RPMcMurphy

    Bleeping *^#@%~


  • Malware Response Team
  • 3,970 posts
  • Gender:Male
  • Local time:03:03 AM

Posted 06 December 2011 - 05:00 PM

Hello,

You're correct - that line should not have appeared. Please do this next:

You have this program installed, Malwarebytes' Anti-Malware (MBAM). Please update it and run a scan.

Open MBAM
  • Click the Update tab
  • Click Check for Updates
  • If an update is found, it will download and install the latest version.
  • The program will close to update and reopen.
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Uncheck any entries from C:\System Volume Information or C:\Qoobox
  • Make sure that everything else is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

Please include the following in your next post:
  • MBAM log





