
Microsoft outlook opens 30+ times


  • This topic is locked
58 replies to this topic

#1 Who?

Who?

  • Members
  • 116 posts
  • OFFLINE
  • Gender:Male
  • Local time:03:18 PM

Posted 27 December 2011 - 04:02 PM

and IE doesn't work at all..

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by Me at 9:52:36 on 2011-12-26
.
============== Running Processes ===============
.
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\LSI SoftModem\agrsmsvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Common Files\Motive\McciCMService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Windows Media Player\WMPNetwk.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\WINDOWS\system32\SearchFilterHost.exe
C:\Documents and Settings\Me\Desktop\dds.scr
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\System32\svchost.exe -k NetworkService
C:\WINDOWS\System32\svchost.exe -k LocalService
C:\WINDOWS\System32\svchost.exe -k LocalService
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\System32\svchost.exe -k imgsvc
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://google.co.nz/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.7018.1622\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Go!Zilla IE Helper: {e1ff080d-12a3-439a-a2ef-4ba95a3148e8} - c:\program files\gozilla\GozCatch.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\ahead\lib\NMBgMonitor.exe"
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [DriverFinder] c:\program files\driverfinder\DriverFinder.exe
uRun: [UpdateMyDrivers] c:\program files\smarttweak software\updatemydrivers\UpdateMyDrivers.exe -t
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [VTTimer] VTTimer.exe
mRun: [AlcxMonitor] ALCXMNTR.EXE
mRun: [AGRSMMSG] AGRSMMSG.exe
mRun: [HP Software Update] "c:\program files\hp\hp software update\HPWuSchd2.exe"
mRun: [HP Component Manager] "c:\program files\hp\hpcoretech\hpcmpmgr.exe"
mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
mRun: [RestartNeroSetup] "d:\installation\Setupx.exe"
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [LanguageShortcut] "c:\program files\cyberlink\powerdvd\language\Language.exe"
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {140E4DF8-9E14-4A34-9577-C77561ED7883} - hxxp://content.systemrequirementslab.com.s3.amazonaws.com/global/bin/srldetect_cyri_4.1.71.0.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.4/srl_bin/sysreqlab_nvd.cab
DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - hxxp://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.10.115.cab
DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} - hxxp://simcity.ea.com/update/EARTPX.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1180057608177
DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} - hxxp://www.nvidia.com/content/DriverDownload/nforce/NvidiaSmartScan.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_27-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {C36661D7-3590-45B1-80B5-520839E94DAD} - hxxp://simcity.ea.com/update/MaxisSimCity4PatcherX.cab
DPF: {CAFEEFAC-0016-0000-0027-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_27-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_27-windows-i586.cab
DPF: {CF84DAC5-A4F5-419E-A0BA-C01FFD71112F} - hxxp://content.systemrequirementslab.com.s3.amazonaws.com/global/bin/srldetect_intel_4.4.24.0.cab
TCP: DhcpNameServer = 192.168.1.254
TCP: Interfaces\{F596D307-1742-41B1-9F78-B4ED0E266848} : DhcpNameServer = 192.168.1.254
Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\avg\avg8\toolbar\IEToolbar.dll
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\rose\application data\mozilla\firefox\profiles\zt3gkuqg.default\
FF - prefs.js: browser.startup.homepage - hxxp://google.co.nz/
FF - prefs.js: network.proxy.type - 1
FF - plugin: c:\program files\google\update\1.3.21.79\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
.
============= SERVICES / DRIVERS ===============
.
R? AVG Security Toolbar Service;AVG Security Toolbar Service
R? clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86
R? cpudrv;cpudrv
R? cpuz132;cpuz132
R? gupdate;Google Update Service (gupdate)
R? gupdatem;Google Update Service (gupdatem)
R? WinRM;Windows Remote Management (WS-Management)
R? WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0
S? avg8wd;AVG Free8 WatchDog
S? AvgLdx86;AVG Free AVI Loader Driver x86
S? AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86
S? AvgTdiX;AVG Free8 Network Redirector
.
=============== Created Last 30 ================
.
2073-10-26 21:55:34 1835008 ----a-w- c:\program files\microsoft games\halo custom edition\haloceded.exe
2073-10-26 21:55:34 1118208 ----a-w- c:\program files\microsoft games\halo custom edition\Strings.dll
2011-12-25 20:51:00 -------- d-----w- c:\program files\Bleeping Computer
2011-12-19 03:20:41 -------- d-----w- c:\program files\Minecraft
2011-12-18 05:12:10 -------- d-----w- C:\01f7dc8c9fed1878ec23
2011-12-16 05:12:08 -------- d-----w- c:\windows\system32\winrm
2011-12-16 05:12:01 -------- dc-h--w- c:\windows\$968930Uinstall_KB968930$
2011-12-16 05:11:43 -------- d-----w- c:\documents and settings\Me\application data\Windows Desktop Search
2011-12-16 05:10:59 -------- d-----w- c:\windows\system32\GroupPolicy
2011-12-16 05:10:59 -------- d-----w- c:\program files\Windows Desktop Search
2011-12-16 05:08:53 98304 -c----w- c:\windows\system32\dllcache\nlhtml.dll
2011-12-16 05:08:53 29696 -c----w- c:\windows\system32\dllcache\mimefilt.dll
2011-12-16 05:08:53 192000 -c----w- c:\windows\system32\dllcache\offfilt.dll
2011-12-16 04:48:52 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-12-13 23:24:16 23624 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2011-12-13 23:23:31 -------- d-----w- c:\documents and settings\all users\application data\Hitman Pro
2011-11-27 05:56:50 -------- d-----w- c:\documents and settings\Me\application data\.minecraft
2011-11-26 03:01:14 -------- d-----w- c:\documents and settings\Me\triplea
2011-11-26 03:00:07 -------- d-----w- c:\program files\TripleA
.
==================== Find3M ====================
.
2011-11-23 13:25:32 1859584 ----a-w- c:\windows\system32\win32k.sys
2011-11-19 19:17:16 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-11-05 05:09:14 34064 ----a-w- c:\windows\system32\lhacm.acm
2011-11-04 19:20:51 916992 ----a-w- c:\windows\system32\wininet.dll
2011-11-04 19:20:51 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-11-04 19:20:51 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-11-04 11:23:59 385024 ----a-w- c:\windows\system32\html.iec
2011-11-01 16:07:10 1288704 ----a-w- c:\windows\system32\ole32.dll
2011-10-28 22:53:09 409600 ----a-w- c:\windows\system32\wrap_oal.dll
2011-10-28 22:53:09 114688 ----a-w- c:\windows\system32\OpenAL32.dll
2011-10-28 05:31:48 33280 ----a-w- c:\windows\system32\csrsrv.dll
2011-10-25 13:33:08 2192768 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-10-25 12:52:03 2069376 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-10-18 11:13:22 186880 ------w- c:\windows\system32\encdec.dll
2011-10-10 14:22:41 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-09-28 07:06:50 599040 ----a-w- c:\windows\system32\crypt32.dll
2006-08-14 04:08:04 74520 ----a-w- c:\program files\DSETUP.dll
2006-08-14 04:08:04 484632 ----a-w- c:\program files\DXSETUP.exe
2006-08-14 04:08:04 2248984 ----a-w- c:\program files\dsetup32.dll
.
============= FINISH: 9:53:57.01 ===============

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2011-12-27 22:38:38
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-1b WDC_WD1600JB-00REA0 rev.20.00K20
Running: bvwcde40.exe; Driver: C:\DOCUME~1\Me\LOCALS~1\Temp\uwtdipow.sys


---- Kernel code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xF91C3360, 0x24BB1D, 0xE8000020]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\SearchIndexer.exe[552] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 00585C0C C:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3884] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E2154D5 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3884] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDB5C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3884] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E53C7 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3884] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E52F9 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3884] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E5364 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3884] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E51CA C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3884] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E522C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3884] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E542A C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3884] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E528E C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4016] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E2154D5 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4016] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 3E2E9AE9 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4016] USER32.dll!CallNextHookEx 7E42B3C6 5 Bytes JMP 3E2DD125 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4016] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDB5C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4016] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 3E25467E C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4016] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E53C7 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4016] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E52F9 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4016] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E5364 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4016] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E51CA C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4016] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E522C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4016] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E542A C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4016] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E528E C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4016] ole32.dll!CoCreateInstance 774FF1BC 5 Bytes JMP 3E2EDBB8 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4016] ole32.dll!OleLoadFromStream 7752983B 5 Bytes JMP 3E3E572F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Classes\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}@scansk 0x83 0x76 0x73 0xEF ...
Reg HKLM\SOFTWARE\Classes\CLSID\{6b0e2aff-17b2-4f20-ab9f-079b91e7d94c}@Model 208
Reg HKLM\SOFTWARE\Classes\CLSID\{6b0e2aff-17b2-4f20-ab9f-079b91e7d94c}@Therad 26

Edited by Who?, 28 December 2011 - 02:30 AM.
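The DDS log above contains two file entries dated 2073 (decades after the 2011-12-26 scan time in the header) and two Pseudo HJT entries that resolve to "No File". As an added triage example, not part of this thread and not code from the DDS tool, the following Python script reads the scan time from the header, parses the "Created Last 30"/"Find3M" file lines and the Pseudo HJT lines, and flags file entries whose timestamp is later than the scan itself and registry entries whose CLSID points at a missing file. The field layout the regexes assume (date, time, size or dashes, 8-character attribute field, path) is inferred from the log above rather than from a published DDS specification, and the function names are my own; the sample input is a subset of lines copied from the posted log.

```python
import re
from datetime import datetime

# Header line DDS writes near the top of its log, e.g. "Run by Me at 9:52:36 on 2011-12-26".
HEADER_RE = re.compile(
    r"Run by (?P<user>.+?) at (?P<time>\d{1,2}:\d{2}:\d{2}) on (?P<date>\d{4}-\d{2}-\d{2})"
)

# File entries in the "Created Last 30" and "Find3M" sections:
#   <date> <time> <size or dashes> <8-char attribute field> <path>
# Assumption: layout inferred from the log above, not a documented DDS format.
ENTRY_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2})\s+"
    r"(?P<size>\d+|-+)\s+(?P<attrs>[\w-]{8})\s+(?P<path>\S.*)$"
)

# Pseudo HJT entries whose COM object has no backing file on disk, e.g.
#   "TB: {A057A204-...} - No File"
NO_FILE_RE = re.compile(
    r"^(?P<kind>[A-Za-z]+):.*?\{(?P<clsid>[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12})\}"
    r"\s*-\s*No File\s*$"
)


def scan_time_from_header(text):
    """Return the scan timestamp recorded in the DDS header, or raise if it is absent."""
    m = HEADER_RE.search(text)
    if m is None:
        raise ValueError("DDS header line 'Run by ... at ... on ...' not found")
    return datetime.strptime(f"{m['date']} {m['time']}", "%Y-%m-%d %H:%M:%S")


def parse_file_entry(line):
    """Parse one Created Last 30 / Find3M line into a dict, or return None for other lines."""
    m = ENTRY_RE.match(line.strip())
    if m is None:
        return None
    # A run of dashes in the size column means DDS recorded no size (directories).
    size = None if m["size"].startswith("-") else int(m["size"])
    return {
        "timestamp": datetime.strptime(f"{m['date']} {m['time']}", "%Y-%m-%d %H:%M:%S"),
        "size": size,
        "attrs": m["attrs"],
        "is_dir": m["attrs"].startswith("d"),
        "path": m["path"],
    }


def triage_dds(text):
    """Return (reason, detail) pairs for log lines an analyst should review first."""
    scan_time = scan_time_from_header(text)
    findings = []
    for line in text.splitlines():
        entry = parse_file_entry(line)
        if entry is not None:
            # A creation time later than the scan itself cannot be right: clock skew,
            # a careless installer, or deliberate timestamp manipulation.
            if entry["timestamp"] > scan_time:
                findings.append(("future_timestamp", entry["path"]))
            continue
        m = NO_FILE_RE.match(line.strip())
        if m is not None:
            # The registry still references a COM object whose DLL is gone.
            findings.append(("orphaned_hjt_entry", m["clsid"]))
    return findings


# Sample input: a subset of lines copied from the DDS log posted above.
SAMPLE_DDS = r"""
DDS (Ver_2011-08-26.01) - NTFSx86
Run by Me at 9:52:36 on 2011-12-26
.
============== Pseudo HJT Report ===============
.
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
.
=============== Created Last 30 ================
.
2073-10-26 21:55:34 1835008 ----a-w- c:\program files\microsoft games\halo custom edition\haloceded.exe
2073-10-26 21:55:34 1118208 ----a-w- c:\program files\microsoft games\halo custom edition\Strings.dll
2011-12-25 20:51:00 -------- d-----w- c:\program files\Bleeping Computer
2011-12-16 05:08:53 98304 -c----w- c:\windows\system32\dllcache\nlhtml.dll
"""

if __name__ == "__main__":
    for reason, detail in triage_dds(SAMPLE_DDS):
        print(f"{reason:20s} {detail}")
```

Both findings are triage flags, not verdicts: a wrong BIOS clock or a game installer that preserves odd archive dates can produce future-dated files, and "No File" toolbar or explorer-bar entries are most often leftovers of uninstalled software. The value of the script is that it pulls those lines out of a 200-line log so the helper reviewing the thread can check them first.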



#2 Who?

Who?
  • Topic Starter

  • Members
  • 116 posts
  • OFFLINE
  • Gender:Male
  • Local time:03:18 PM

Posted 29 December 2011 - 06:39 PM

Today I got a boot error and the computer wouldn't boot, but it's OK now and it's going to happen again....
Also I couldn't open anything, because whenever I tried to open a file/folder it would be like I was holding down Shift, my keys are messing with me, and files are asking if I want to delete them???????
And I've got WINWORD.EXE and OUTLOOK.EXE; I had a look for them and it says it's from the kangero.A worm?

Edited by Who?, 30 December 2011 - 02:05 AM.


#3 Who?

Who?
  • Topic Starter

  • Members
  • 116 posts
  • OFFLINE
  • Gender:Male
  • Local time:03:18 PM

Posted 30 December 2011 - 05:18 PM

Again it wouldn't boot for an hour. I have no backup PC, so if the virus completes its job I'm doomed :angry:

#4 HelpBot

HelpBot

    Bleepin' Binary Bot


  • Bots
  • 12,660 posts
  • OFFLINE
  • Gender:Male
  • Local time:10:18 PM

Posted 02 January 2012 - 08:10 PM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/434812 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new DDS and GMER log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


We also need a new log from the GMER anti-rootkit Scanner.

Please note that if you are running a 64-bit version of Windows you will not be able to run GMER and you may skip this step.

Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice


Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#5 nasdaq

nasdaq

  • Malware Response Team
  • 39,215 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:10:18 PM

Posted 03 January 2012 - 10:23 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps.
===

Download http://public.avast.com/~gmerek/aswMBR.exe (aswMBR.exe) (511KB) to your desktop. Double-click aswMBR.exe to run it.

  • Click the "Scan" button to start scan.
  • Upon completion of the scan, click Save log, and save it to your desktop. (Note - do not select any Fix at this time) <- IMPORTANT
  • Please post the contents of that log in your next reply.
There shall also be a file on your desktop named MBR.dat. Right click that file and select Send To>Compressed (zipped) folder. Please attach that zipped file in your next reply.

===

Please download TDSSKiller.zip

>>> Double-click on TDSSKiller.exe to run the application.
  • Click on the Start Scan button and wait for the scan and disinfection process to be over.
  • If an infected file is detected, the default action will be Cure, click on Continue
  • If a suspicious file is detected, the default action will be Skip, click on Continue
  • If you are asked to reboot the computer to complete the process, click on the Reboot Now button. A report will be automatically saved at the root of the System drive (usually C:\) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt" (for example, C:\TDSSKiller.2.2.0_20.12.2009_15.31.43_log.txt). Please copy and paste the contents of that file here.
  • If no reboot is required, click on Report. A log file will appear. Please copy and paste the contents of that file in your next reply.

Please post the logs for my review.

#6 Who?

Who?
  • Topic Starter

  • Members
  • 116 posts
  • OFFLINE
  • Gender:Male
  • Local time:03:18 PM

Posted 03 January 2012 - 04:52 PM

10:40:23.0718 2720 TDSS rootkit removing tool 2.6.25.0 Dec 23 2011 14:51:16
10:40:25.0718 2720 ============================================================
10:40:25.0718 2720 Current date / time: 2012/01/04 10:40:25.0718
10:40:25.0718 2720 SystemInfo:
10:40:25.0718 2720
10:40:25.0718 2720 OS Version: 5.1.2600 ServicePack: 3.0
10:40:25.0718 2720 Product type: Workstation
10:40:25.0718 2720 ComputerName: HOMEPC
10:40:25.0718 2720 UserName: Me
10:40:25.0718 2720 Windows directory: C:\WINDOWS
10:40:25.0718 2720 System windows directory: C:\WINDOWS
10:40:25.0718 2720 Processor architecture: Intel x86
10:40:25.0718 2720 Number of processors: 1
10:40:25.0718 2720 Page size: 0x1000
10:40:25.0718 2720 Boot type: Normal boot
10:40:25.0718 2720 ============================================================
10:40:27.0984 2720 Initialize success
10:40:30.0921 2828 ============================================================
10:40:30.0921 2828 Scan started
10:40:30.0921 2828 Mode: Manual;
10:40:30.0921 2828 ============================================================
10:40:33.0062 2828 Abiosdsk - ok
10:40:33.0125 2828 abp480n5 - ok
10:40:33.0234 2828 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
10:40:33.0234 2828 ACPI - ok
10:40:33.0328 2828 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
10:40:33.0328 2828 ACPIEC - ok
10:40:33.0359 2828 adpu160m - ok
10:40:33.0453 2828 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
10:40:33.0468 2828 aec - ok
10:40:33.0562 2828 AFD (1e44bc1e83d8fd2305f8d452db109cf9) C:\WINDOWS\System32\drivers\afd.sys
10:40:33.0562 2828 AFD - ok
10:40:33.0734 2828 AgereSoftModem (7560f465f1ce69c53bf17559ee195548) C:\WINDOWS\system32\DRIVERS\AGRSM.sys
10:40:33.0765 2828 AgereSoftModem - ok
10:40:33.0812 2828 Aha154x - ok
10:40:33.0859 2828 aic78u2 - ok
10:40:33.0906 2828 aic78xx - ok
10:40:34.0078 2828 ALCXWDM (8d6c30e515717248e0e52b85fd7ac466) C:\WINDOWS\system32\drivers\ALCXWDM.SYS
10:40:34.0171 2828 ALCXWDM - ok
10:40:34.0250 2828 AliIde - ok
10:40:34.0296 2828 AmdK7 (8fce268cdbdd83b23419d1f35f42c7b1) C:\WINDOWS\system32\DRIVERS\amdk7.sys
10:40:34.0296 2828 AmdK7 - ok
10:40:34.0343 2828 amsint - ok
10:40:34.0437 2828 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys
10:40:34.0437 2828 Arp1394 - ok
10:40:34.0484 2828 asc - ok
10:40:34.0531 2828 asc3350p - ok
10:40:34.0578 2828 asc3550 - ok
10:40:34.0703 2828 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
10:40:34.0703 2828 AsyncMac - ok
10:40:34.0781 2828 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
10:40:34.0781 2828 atapi - ok
10:40:34.0843 2828 Atdisk - ok
10:40:34.0937 2828 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
10:40:34.0937 2828 Atmarpc - ok
10:40:35.0046 2828 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
10:40:35.0046 2828 audstub - ok
10:40:35.0171 2828 AvgLdx86 (bc12f2404bb6f2b6b2ff3c4c246cb752) C:\WINDOWS\System32\Drivers\avgldx86.sys
10:40:35.0187 2828 AvgLdx86 - ok
10:40:35.0250 2828 AvgMfx86 (5903d729d4f0c5bca74123c96a1b29e0) C:\WINDOWS\System32\Drivers\avgmfx86.sys
10:40:35.0250 2828 AvgMfx86 - ok
10:40:35.0312 2828 AvgTdiX (92d8e1e8502e649b60e70074eb29c380) C:\WINDOWS\System32\Drivers\avgtdix.sys
10:40:35.0328 2828 AvgTdiX - ok
10:40:35.0406 2828 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
10:40:35.0421 2828 Beep - ok
10:40:35.0875 2828 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
10:40:35.0890 2828 cbidf2k - ok
10:40:36.0015 2828 cd20xrnt - ok
10:40:36.0343 2828 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
10:40:36.0375 2828 Cdaudio - ok
10:40:36.0578 2828 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
10:40:36.0578 2828 Cdfs - ok
10:40:36.0656 2828 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
10:40:36.0656 2828 Cdrom - ok
10:40:36.0703 2828 Changer - ok
10:40:36.0828 2828 CmdIde - ok
10:40:36.0906 2828 Cpqarray - ok
10:40:36.0968 2828 cpudrv - ok
10:40:37.0156 2828 cpuz132 - ok
10:40:37.0265 2828 dac2w2k - ok
10:40:37.0328 2828 dac960nt - ok
10:40:37.0453 2828 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
10:40:37.0453 2828 Disk - ok
10:40:37.0546 2828 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
10:40:37.0578 2828 dmboot - ok
10:40:37.0625 2828 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
10:40:37.0640 2828 dmio - ok
10:40:37.0671 2828 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
10:40:37.0671 2828 dmload - ok
10:40:37.0765 2828 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
10:40:37.0765 2828 DMusic - ok
10:40:37.0875 2828 dpti2o - ok
10:40:37.0937 2828 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
10:40:37.0953 2828 drmkaud - ok
10:40:38.0109 2828 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
10:40:38.0125 2828 Fastfat - ok
10:40:38.0187 2828 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
10:40:38.0203 2828 Fdc - ok
10:40:38.0312 2828 FET5X86V (ef88fbdbb2c2ab084dcae4388921c898) C:\WINDOWS\system32\DRIVERS\fetnd5bv.sys
10:40:38.0328 2828 FET5X86V - ok
10:40:38.0343 2828 FETND5BV (ef88fbdbb2c2ab084dcae4388921c898) C:\WINDOWS\system32\DRIVERS\fetnd5bv.sys
10:40:38.0343 2828 FETND5BV - ok
10:40:38.0421 2828 FETNDIS (e9648254056bce81a85380c0c3647dc4) C:\WINDOWS\system32\DRIVERS\fetnd5.sys
10:40:38.0421 2828 FETNDIS - ok
10:40:38.0484 2828 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
10:40:38.0484 2828 Fips - ok
10:40:38.0562 2828 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
10:40:38.0562 2828 Flpydisk - ok
10:40:38.0656 2828 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
10:40:38.0656 2828 FltMgr - ok
10:40:38.0781 2828 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
10:40:38.0781 2828 Fs_Rec - ok
10:40:38.0875 2828 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
10:40:38.0875 2828 Ftdisk - ok
10:40:38.0953 2828 GEARAspiWDM (4ac51459805264affd5f6fdfb9d9235f) C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys
10:40:38.0953 2828 GEARAspiWDM - ok
10:40:39.0046 2828 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
10:40:39.0046 2828 Gpc - ok
10:40:39.0234 2828 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
10:40:39.0234 2828 HidUsb - ok
10:40:39.0296 2828 hpn - ok
10:40:39.0343 2828 hpt3xx - ok
10:40:39.0421 2828 HPZid412 (5faba4775d4c61e55ec669d643ffc71f) C:\WINDOWS\system32\DRIVERS\HPZid412.sys
10:40:39.0421 2828 HPZid412 - ok
10:40:39.0468 2828 HPZipr12 (a3c43980ee1f1beac778b44ea65dbdd4) C:\WINDOWS\system32\DRIVERS\HPZipr12.sys
10:40:39.0468 2828 HPZipr12 - ok
10:40:39.0546 2828 HPZius12 (2906949bd4e206f2bb0dd1896ce9f66f) C:\WINDOWS\system32\DRIVERS\HPZius12.sys
10:40:39.0546 2828 HPZius12 - ok
10:40:39.0656 2828 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
10:40:39.0656 2828 HTTP - ok
10:40:39.0703 2828 i2omgmt - ok
10:40:39.0750 2828 i2omp - ok
10:40:39.0812 2828 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
10:40:39.0812 2828 i8042prt - ok
10:40:39.0890 2828 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
10:40:39.0890 2828 Imapi - ok
10:40:40.0015 2828 ini910u - ok
10:40:40.0078 2828 IntelIde - ok
10:40:40.0156 2828 ip6fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
10:40:40.0156 2828 ip6fw - ok
10:40:40.0250 2828 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
10:40:40.0250 2828 IpFilterDriver - ok
10:40:40.0359 2828 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
10:40:40.0359 2828 IpInIp - ok
10:40:40.0406 2828 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
10:40:40.0406 2828 IpNat - ok
10:40:40.0500 2828 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
10:40:40.0500 2828 IPSec - ok
10:40:40.0562 2828 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
10:40:40.0562 2828 IRENUM - ok
10:40:40.0640 2828 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
10:40:40.0640 2828 isapnp - ok
10:40:40.0734 2828 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
10:40:40.0750 2828 Kbdclass - ok
10:40:40.0828 2828 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
10:40:40.0828 2828 kmixer - ok
10:40:40.0875 2828 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
10:40:40.0890 2828 KSecDD - ok
10:40:41.0046 2828 lbrtfdc - ok
10:40:41.0375 2828 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
10:40:41.0390 2828 mnmdd - ok
10:40:41.0734 2828 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
10:40:41.0750 2828 Modem - ok
10:40:41.0828 2828 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
10:40:41.0828 2828 Mouclass - ok
10:40:41.0937 2828 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
10:40:41.0937 2828 mouhid - ok
10:40:42.0015 2828 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
10:40:42.0015 2828 MountMgr - ok
10:40:42.0046 2828 mraid35x - ok
10:40:42.0125 2828 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
10:40:42.0125 2828 MRxDAV - ok
10:40:42.0234 2828 MRxSmb (7d304a5eb4344ebeeab53a2fe3ffb9f0) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
10:40:42.0250 2828 MRxSmb - ok
10:40:42.0375 2828 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
10:40:42.0390 2828 Msfs - ok
10:40:42.0484 2828 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
10:40:42.0484 2828 MSKSSRV - ok
10:40:42.0578 2828 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
10:40:42.0578 2828 MSPCLOCK - ok
10:40:42.0625 2828 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
10:40:42.0625 2828 MSPQM - ok
10:40:42.0750 2828 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
10:40:42.0750 2828 mssmbios - ok
10:40:42.0812 2828 Mup (de6a75f5c270e756c5508d94b6cf68f5) C:\WINDOWS\system32\drivers\Mup.sys
10:40:42.0812 2828 Mup - ok
10:40:42.0906 2828 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
10:40:42.0921 2828 NDIS - ok
10:40:43.0015 2828 NdisTapi (0109c4f3850dfbab279542515386ae22) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
10:40:43.0015 2828 NdisTapi - ok
10:40:43.0109 2828 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
10:40:43.0109 2828 Ndisuio - ok
10:40:43.0234 2828 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
10:40:43.0250 2828 NdisWan - ok
10:40:43.0312 2828 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
10:40:43.0312 2828 NDProxy - ok
10:40:43.0359 2828 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
10:40:43.0359 2828 NetBIOS - ok
10:40:43.0437 2828 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
10:40:43.0437 2828 NetBT - ok
10:40:43.0531 2828 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys
10:40:43.0546 2828 NIC1394 - ok
10:40:43.0609 2828 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
10:40:43.0609 2828 Npfs - ok
10:40:43.0671 2828 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
10:40:43.0687 2828 Ntfs - ok
10:40:43.0750 2828 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
10:40:43.0750 2828 Null - ok
10:40:43.0984 2828 nv (ba1b732c1a70cfea0c1b64f2850bf44f) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
10:40:44.0140 2828 nv - ok
10:40:44.0265 2828 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
10:40:44.0265 2828 NwlnkFlt - ok
10:40:44.0296 2828 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
10:40:44.0312 2828 NwlnkFwd - ok
10:40:44.0343 2828 ohci1394 (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys
10:40:44.0359 2828 ohci1394 - ok
10:40:44.0421 2828 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
10:40:44.0421 2828 Parport - ok
10:40:44.0515 2828 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
10:40:44.0515 2828 PartMgr - ok
10:40:44.0593 2828 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
10:40:44.0593 2828 ParVdm - ok
10:40:44.0687 2828 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
10:40:44.0687 2828 PCI - ok
10:40:44.0734 2828 PCIDump - ok
10:40:44.0796 2828 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
10:40:44.0796 2828 PCIIde - ok
10:40:44.0843 2828 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
10:40:44.0843 2828 Pcmcia - ok
10:40:44.0921 2828 PDCOMP - ok
10:40:44.0968 2828 PDFRAME - ok
10:40:44.0984 2828 PDRELI - ok
10:40:45.0031 2828 PDRFRAME - ok
10:40:45.0093 2828 perc2 - ok
10:40:45.0125 2828 perc2hib - ok
10:40:45.0312 2828 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
10:40:45.0343 2828 PptpMiniport - ok
10:40:45.0437 2828 Processor (a32bebaf723557681bfc6bd93e98bd26) C:\WINDOWS\system32\DRIVERS\processr.sys
10:40:45.0437 2828 Processor - ok
10:40:45.0484 2828 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
10:40:45.0484 2828 PSched - ok
10:40:45.0515 2828 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
10:40:45.0515 2828 Ptilink - ok
10:40:45.0609 2828 ql1080 - ok
10:40:45.0750 2828 Ql10wnt - ok
10:40:45.0796 2828 ql12160 - ok
10:40:45.0843 2828 ql1240 - ok
10:40:45.0890 2828 ql1280 - ok
10:40:45.0937 2828 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
10:40:45.0953 2828 RasAcd - ok
10:40:46.0062 2828 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
10:40:46.0062 2828 Rasl2tp - ok
10:40:46.0125 2828 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
10:40:46.0125 2828 RasPppoe - ok
10:40:46.0171 2828 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
10:40:46.0171 2828 Raspti - ok
10:40:46.0234 2828 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
10:40:46.0250 2828 Rdbss - ok
10:40:46.0296 2828 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
10:40:46.0296 2828 RDPCDD - ok
10:40:46.0343 2828 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
10:40:46.0343 2828 rdpdr - ok
10:40:46.0421 2828 RDPWD (fc105dd312ed64eb66bff111e8ec6eac) C:\WINDOWS\system32\drivers\RDPWD.sys
10:40:46.0437 2828 RDPWD - ok
10:40:46.0531 2828 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
10:40:46.0531 2828 redbook - ok
10:40:46.0734 2828 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
10:40:46.0734 2828 Secdrv - ok
10:40:46.0859 2828 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
10:40:46.0859 2828 serenum - ok
10:40:46.0968 2828 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
10:40:46.0968 2828 Serial - ok
10:40:47.0093 2828 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
10:40:47.0093 2828 Sfloppy - ok
10:40:47.0171 2828 Simbad - ok
10:40:47.0234 2828 Sparrow - ok
10:40:47.0296 2828 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
10:40:47.0296 2828 splitter - ok
10:40:47.0390 2828 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
10:40:47.0390 2828 sr - ok
10:40:47.0484 2828 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys
10:40:47.0484 2828 Srv - ok
10:40:47.0578 2828 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
10:40:47.0578 2828 swenum - ok
10:40:47.0656 2828 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
10:40:47.0656 2828 swmidi - ok
10:40:47.0718 2828 symc810 - ok
10:40:47.0765 2828 symc8xx - ok
10:40:47.0812 2828 sym_hi - ok
10:40:47.0859 2828 sym_u3 - ok
10:40:47.0937 2828 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
10:40:47.0937 2828 sysaudio - ok
10:40:48.0062 2828 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
10:40:48.0078 2828 Tcpip - ok
10:40:48.0156 2828 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
10:40:48.0156 2828 TDPIPE - ok
10:40:48.0203 2828 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
10:40:48.0218 2828 TDTCP - ok
10:40:48.0281 2828 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
10:40:48.0281 2828 TermDD - ok
10:40:48.0375 2828 TosIde - ok
10:40:48.0437 2828 uagp35 (d85938f272d1bcf3db3a31fc0a048928) C:\WINDOWS\system32\DRIVERS\uagp35.sys
10:40:48.0437 2828 uagp35 - ok
10:40:48.0515 2828 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
10:40:48.0515 2828 Udfs - ok
10:40:48.0562 2828 ultra - ok
10:40:48.0656 2828 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
10:40:48.0656 2828 Update - ok
10:40:48.0765 2828 USBAAPL (c1ca131f4e3ed63d6bc89a35ffad4cda) C:\WINDOWS\system32\Drivers\usbaapl.sys
10:40:48.0765 2828 USBAAPL - ok
10:40:48.0906 2828 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
10:40:48.0906 2828 usbccgp - ok
10:40:49.0015 2828 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
10:40:49.0015 2828 usbehci - ok
10:40:49.0062 2828 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
10:40:49.0062 2828 usbhub - ok
10:40:49.0125 2828 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
10:40:49.0125 2828 usbprint - ok
10:40:49.0218 2828 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
10:40:49.0218 2828 usbscan - ok
10:40:49.0265 2828 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
10:40:49.0265 2828 USBSTOR - ok
10:40:49.0328 2828 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
10:40:49.0328 2828 usbuhci - ok
10:40:49.0375 2828 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
10:40:49.0375 2828 VgaSave - ok
10:40:49.0437 2828 viagfx (45489356501ec6cbb789dece991d393f) C:\WINDOWS\system32\DRIVERS\vtmini.sys
10:40:49.0453 2828 viagfx - ok
10:40:49.0515 2828 ViaIde (3b3efcda263b8ac14fdf9cbdd0791b2e) C:\WINDOWS\system32\DRIVERS\viaide.sys
10:40:49.0515 2828 ViaIde - ok
10:40:49.0546 2828 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
10:40:49.0562 2828 VolSnap - ok
10:40:49.0656 2828 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
10:40:49.0656 2828 Wanarp - ok
10:40:49.0703 2828 WDICA - ok
10:40:49.0765 2828 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
10:40:49.0765 2828 wdmaud - ok
10:40:50.0015 2828 WpdUsb (cf4def1bf66f06964dc0d91844239104) C:\WINDOWS\system32\DRIVERS\wpdusb.sys
10:40:50.0015 2828 WpdUsb - ok
10:40:50.0156 2828 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
10:40:50.0171 2828 WudfPf - ok
10:40:50.0265 2828 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
10:40:50.0281 2828 WudfRd - ok
10:40:50.0390 2828 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
10:40:50.0515 2828 \Device\Harddisk0\DR0 - ok
10:40:50.0531 2828 Boot (0x1200) (54ac2b3701acb7a5cd356678ba294300) \Device\Harddisk0\DR0\Partition0
10:40:50.0531 2828 \Device\Harddisk0\DR0\Partition0 - ok
10:40:50.0546 2828 ============================================================
10:40:50.0546 2828 Scan finished
10:40:50.0546 2828 ============================================================
10:40:50.0578 3752 Detected object count: 0
10:40:50.0578 3752 Actual detected object count: 0

aswMBR version 0.9.9.1124 Copyright© 2011 AVAST Software
Run date: 2012-01-04 10:33:44
-----------------------------
10:33:44.281 OS Version: Windows 5.1.2600 Service Pack 3
10:33:44.281 Number of processors: 1 586 0xA00
10:33:44.281 ComputerName: HOMEPC UserName: Me
10:33:56.187 Initialize success
10:34:25.546 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-1b
10:34:25.546 Disk 0 Vendor: WDC_WD1600JB-00REA0 20.00K20 Size: 152627MB BusType: 3
10:34:25.562 Disk 0 MBR read successfully
10:34:25.562 Disk 0 MBR scan
10:34:25.562 Disk 0 Windows XP default MBR code
10:34:25.562 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 131059 MB offset 63
10:34:25.562 Disk 0 scanning sectors +268410240
10:34:25.687 Disk 0 scanning C:\WINDOWS\system32\drivers
10:34:33.359 Service scanning
10:34:37.453 Modules scanning
10:34:45.546 Disk 0 trace - called modules:
10:34:45.562 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys viaide.sys PCIIDEX.SYS
10:34:45.562 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x827dd030]
10:34:45.562 3 CLASSPNP.SYS[f9992fd7] -> nt!IofCallDriver -> \Device\00000061[0x827cf9a0]
10:34:45.921 5 ACPI.sys[f98e9620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP2T0L0-1b[0x827cfb58]
10:34:45.921 Scan finished successfully
10:35:12.562 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Me\Desktop\MBR.dat"
10:35:12.562 The log file has been saved successfully to "C:\Documents and Settings\Me\Desktop\aswMBR.txt"

Nothing.....

Attached Files

  • Attached File: MBR.zip (499 bytes)

Edited by Who?, 03 January 2012 - 04:54 PM.


#7 nasdaq

nasdaq

  • Malware Response Team
  • 39,215 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:10:18 PM

Posted 03 January 2012 - 07:36 PM

These instructions are for a Windows XP operating system.
If your system is not XP, do not execute them; let me know what you have and whether it is 32- or 64-bit.


Please download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your Anti-Virus and Anti-Spyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  • Some rootkit infections may damage your boot sector. The Windows Recovery Console may be needed to restore it. Do not bypass this installation. You may regret it.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Note: If you have difficulty properly disabling your protection programs, refer to this link --> http://www.bleepingcomputer.com/forums/topic114351.html

Do not mouse click ComboFix's window while it's running. That may cause it to stall.

#8 Who?

Who?
  • Topic Starter

  • Members
  • 116 posts
  • OFFLINE
  • Gender:Male
  • Local time:03:18 PM

Posted 04 January 2012 - 02:57 PM

ComboFix 12-01-03.08 - Me 04/01/2012 20:54:25.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.255.110 [GMT 13:00]
Running from: c:\documents and settings\Me\My Documents\Downloads\ComboFix.exe
AV: AVG Anti-Virus Free *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\EventSystem.log
c:\windows\iun6002.exe
c:\windows\jestertb.dll
c:\windows\ST6UNST.000
.
.
((((((((((((((((((((((((( Files Created from 2011-12-04 to 2012-01-04 )))))))))))))))))))))))))))))))
.
.
2012-01-02 01:49 . 2012-01-02 19:30 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2012-01-02 01:49 . 2012-01-02 01:49 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-12-29 14:13 . 2011-12-29 14:14 -------- d-----w- c:\documents and settings\Me\Local Settings\Application Data\Philips-Songbird
2011-12-29 14:13 . 2011-12-29 14:13 -------- d-----w- c:\documents and settings\Me\Application Data\Philips-Songbird
2011-12-29 14:09 . 2011-01-25 08:48 11264 ----a-w- c:\windows\system32\rockusbCoInstaller.dll
2011-12-29 14:08 . 2011-12-29 14:08 -------- d-----w- c:\documents and settings\All Users\Application Data\{F0489EF2-D393-4114-85BA-A94D71D89543}
2011-12-29 14:08 . 2011-12-29 14:09 -------- d-----w- c:\program files\Philips
2011-12-26 07:42 . 2011-12-26 07:42 -------- d-----w- c:\documents and settings\Me\Application Data\Windows Search
2011-12-25 20:51 . 2012-01-03 05:07 -------- d-----w- c:\program files\Bleeping Computer
2011-12-20 05:04 . 2011-12-21 08:45 -------- d-----w- c:\documents and settings\Me\Application Data\uTorrent
2011-12-19 05:36 . 2011-12-19 05:36 -------- d-sh--w- c:\documents and settings\Not me\PrivacIE
2011-12-19 05:35 . 2011-12-19 05:35 -------- d-----w- c:\documents and settings\Not me\Local Settings\Application Data\Google
2011-12-19 05:32 . 2011-12-19 05:32 -------- d-----w- c:\documents and settings\Not me\Application Data\Windows Desktop Search
2011-12-19 03:20 . 2012-01-01 21:40 -------- d-----w- c:\program files\Minecraft
2011-12-19 01:40 . 2011-12-19 01:40 -------- d-----w- c:\documents and settings\All Users\Application Data\TEMP
2011-12-18 05:25 . 2011-12-18 05:25 -------- d-----w- c:\program files\Microsoft.NET
2011-12-18 05:12 . 2011-12-18 05:12 -------- d-----w- C:\01f7dc8c9fed1878ec23
2011-12-16 05:12 . 2011-12-16 05:12 -------- d-----w- c:\windows\system32\winrm
2011-12-16 05:12 . 2011-12-16 05:12 -------- dc-h--w- c:\windows\$968930Uinstall_KB968930$
2011-12-16 05:11 . 2011-12-16 05:11 -------- d-----w- c:\documents and settings\Me\Application Data\Windows Desktop Search
2011-12-16 05:10 . 2011-12-17 20:27 -------- d-----w- c:\program files\Windows Desktop Search
2011-12-16 05:10 . 2011-12-16 05:10 -------- d-----w- c:\windows\system32\GroupPolicy
2011-12-16 05:08 . 2008-03-07 17:02 98304 -c----w- c:\windows\system32\dllcache\nlhtml.dll
2011-12-16 05:08 . 2008-03-07 17:02 29696 -c----w- c:\windows\system32\dllcache\mimefilt.dll
2011-12-16 05:08 . 2008-03-07 17:02 192000 -c----w- c:\windows\system32\dllcache\offfilt.dll
2011-12-16 04:48 . 2011-08-31 04:00 22216 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-12-14 19:58 . 2011-12-14 19:58 -------- d-----w- c:\documents and settings\Steven\Application Data\E4468
2011-12-13 23:24 . 2011-12-13 23:24 23624 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2011-12-13 23:23 . 2011-12-13 23:23 -------- d-----w- c:\documents and settings\All Users\Application Data\Hitman Pro
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-01-04 03:52 . 2010-03-21 05:06 43520 ----a-w- c:\windows\system32\CmdLineExt03.dll
2011-11-23 13:25 . 2001-08-23 12:00 1859584 ----a-w- c:\windows\system32\win32k.sys
2011-11-19 19:17 . 2011-06-20 03:09 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-11-05 05:09 . 2011-11-05 05:09 34064 ----a-w- c:\windows\system32\lhacm.acm
2011-11-04 19:20 . 2001-08-23 12:00 916992 ----a-w- c:\windows\system32\wininet.dll
2011-11-04 19:20 . 2001-08-23 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-11-04 19:20 . 2001-08-23 12:00 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-11-04 11:23 . 2007-05-25 01:58 385024 ----a-w- c:\windows\system32\html.iec
2011-11-01 16:07 . 2001-08-23 12:00 1288704 ----a-w- c:\windows\system32\ole32.dll
2011-10-28 22:53 . 2011-10-28 22:53 409600 ----a-w- c:\windows\system32\wrap_oal.dll
2011-10-28 22:53 . 2011-10-28 22:53 114688 ----a-w- c:\windows\system32\OpenAL32.dll
2011-10-28 05:31 . 2001-08-23 12:00 33280 ----a-w- c:\windows\system32\csrsrv.dll
2011-10-25 13:33 . 2001-08-23 12:00 2192768 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-10-25 12:52 . 2001-08-17 13:48 2069376 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-10-18 11:13 . 2007-05-25 01:58 186880 ------w- c:\windows\system32\encdec.dll
2011-10-10 14:22 . 2007-05-25 01:36 692736 ----a-w- c:\windows\system32\inetcomm.dll
2006-08-14 04:08 . 2006-08-14 04:08 74520 ----a-w- c:\program files\DSETUP.dll
2006-08-14 04:08 . 2006-08-14 04:08 484632 ----a-w- c:\program files\DXSETUP.exe
2006-08-14 04:08 . 2006-08-14 04:08 2248984 ----a-w- c:\program files\dsetup32.dll
2011-11-21 04:04 . 2011-12-19 02:14 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{A3BC75A2-1F87-4686-AA43-5347D756017C}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2011-05-29 2495816]
.
[HKEY_CLASSES_ROOT\clsid\{a3bc75a2-1f87-4686-aa43-5347d756017c}]
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2011-05-29 23:33 2495816 ----a-w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2011-05-29 2495816]
.
[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{CCC7A320-B3CA-4199-B1A6-9F516DD69829}"= "c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll" [2011-05-29 2495816]
.
[HKEY_CLASSES_ROOT\clsid\{ccc7a320-b3ca-4199-b1a6-9f516dd69829}]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-12-23 143360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-09-17 68856]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-01-26 2144088]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VTTimer"="VTTimer.exe" [2004-10-21 53248]
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 57344]
"AGRSMMSG"="AGRSMMSG.exe" [2004-06-29 88363]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2004-02-12 49152]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 241664]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2006-11-23 56928]
"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2006-12-05 54832]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-10-01 289576]
"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2011-10-18 2042208]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-22 7700480]
"nwiz"="nwiz.exe" [2006-10-22 1622016]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2006-10-22 86016]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2011-06-09 254696]
"Philips Device Listener"="c:\program files\Philips\Philips Songbird Resources\Autolauncher\PhilipsDeviceListener.exe" [2011-01-25 380416]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2008-04-14 15360]
.
c:\documents and settings\Me\Start Menu\Programs\Startup\
PowerReg Scheduler V3.exe [2011-11-11 225280]
PowerReg Scheduler.exe [2010-9-3 256000]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2004-5-28 241664]
HP Image Zone Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2004-5-29 53248]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
Windows Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2008-5-26 123904]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-24 304128]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-12-08 21:30 11952 ----a-w- c:\windows\system32\avgrsstx.dll
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"UpdateMyDrivers"=c:\program files\SmartTweak Software\UpdateMyDrivers\UpdateMyDrivers.exe -t
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\Bohemia Interactive\\Arma Cold War Assault\\ColdWarAssault_Server.exe"=
"c:\\Program Files\\Codemasters\\Operation Flashpoint\\OFPR_Server.exe"=
"c:\\Program Files\\Microsoft Games\\Age of Mythology\\aomx.exe"=
"c:\\Program Files\\Infogrames Interactive\\Monopoly Tycoon\\mc.exe"=
"c:\\Program Files\\Atari\\Risk II\\RiskII.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Codemasters\\Operation Flashpoint\\OperationFlashpoint.exe"=
"c:\\Program Files\\Codemasters\\Operation Flashpoint\\FlashpointResistance.exe"=
"c:\\Program Files\\Microsoft Games\\Rise of Nations\\thrones.exe"=
"c:\\Program Files\\Microsoft Games\\Rise of Nations\\rise.exe"=
"c:\\Program Files\\Microsoft Games\\Rise of Nations\\patriots.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\javaw.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=

.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"5985:TCP"= 5985:TCP:Windows Remote Management
"23:TCP"= 23:TCP:1
.
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [26/02/2009 6:21 p.m. 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [26/02/2009 6:21 p.m. 108552]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [9/12/2009 10:30 a.m. 297752]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [18/03/2010 1:16 p.m. 130384]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [1/03/2010 2:47 p.m. 135664]
S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\AVG\AVG8\Toolbar\ToolbarBroker.exe [14/12/2010 9:55 a.m. 1025352]
S3 cpudrv;cpudrv;\??\c:\program files\SystemRequirementsLab\cpudrv.sys --> c:\program files\SystemRequirementsLab\cpudrv.sys [?]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [1/03/2010 2:47 p.m. 135664]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WINRM REG_MULTI_SZ WINRM
.
Contents of the 'Scheduled Tasks' folder
.
2011-12-31 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-29 23:34]
.
2012-01-03 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-01 01:47]
.
2012-01-04 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-01 01:47]
.
2010-01-03 c:\windows\Tasks\NSSstub.job
- c:\windows\system32\Adobe\Shockwave 11\nssstub.exe [2010-01-02 07:44]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://google.co.nz/
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll
FF - ProfilePath - c:\documents and settings\Me\Application Data\Mozilla\Firefox\Profiles\zt3gkuqg.default\
FF - prefs.js: browser.startup.homepage - hxxp://google.co.nz/
.
- - - - ORPHANS REMOVED - - - -
.
ShellIconOverlayIdentifiers-{CDC95B92-E27C-4745-A8C5-64A52A78855D} - c:\program files\Internet Download Manager\IDMShellExt.dll
HKLM-Run-QuickTime Task - c:\program files\QuickTime\qttask.exe
HKLM-Run-RestartNeroSetup - d:\installation\Setupx.exe
AddRemove-Flashpoint - c:\program files\Codemasters\UnInstall.exe
AddRemove-Halo Combat Evolved - c:\program files\Halo Combat Evolved\Uninstal.exe
AddRemove-Halo Server - c:\program files\Microsoft Games\Halo Server\UNINSTAL.EXE
AddRemove-LSI Soft Modem - c:\windows\agrsmdel
AddRemove-MetaProducts Portable Download Manager - c:\program files\Portable Download Manager\pdownloadmanager.exe
AddRemove-Operation Flashpoint Need For Speed Pack V1.0 - c:\program files\Codemasters\Uninstal.exe

.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-01-04 21:13
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1220945662-1123561945-725345543-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:a7,4a,eb,0d,61,7c,0f,3e,1e,61,c1,0b,86,59,ef,36,fb,ba,52,35,ec,92,af,
32,80,10,9b,ee,ad,3d,a2,fe,92,df,cc,f6,7c,fe,56,ce,80,72,79,19,73,e4,b2,0a,\
"??"=hex:e0,09,c0,ef,97,75,0c,a1,0a,c4,63,0e,a6,83,b0,cc
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}]
@Denied: (Full) (Everyone)
"scansk"=hex(0):83,76,73,ef,8a,05,96,97,58,31,f4,6e,30,0d,c3,7c,28,0b,be,29,73,
1c,fe,a7,60,d0,b3,03,1d,12,74,f6,68,1e,2c,d3,f5,0e,53,ce,00,00,00,00,00,00,\
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{6b0e2aff-17b2-4f20-ab9f-079b91e7d94c}]
@Denied: (Full) (Everyone)
"Model"=dword:000000d0
"Therad"=dword:0000001a
.
Completion time: 2012-01-04 21:20:25
ComboFix-quarantined-files.txt 2012-01-04 08:20
.
Pre-Run: 34,072,211,456 bytes free
Post-Run: 34,776,600,576 bytes free
.
- - End Of File - - 04F83809C318D105D129729104F433DA

Edited by Who?, 04 January 2012 - 05:01 PM.
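The firewall section near the top of the posted ComboFix log shows open exceptions for TCP 3389 (Remote Desktop), TCP 5985 (Windows Remote Management) and TCP 23 (Telnet), the last one carrying only a bare "1" as its description. The following Python script is an added example, not part of the original thread and not a ComboFix feature: it parses exception lines in that `"port:proto"= port:proto:description` format and flags remote-administration ports and entries whose description is empty or just a number. The port table is my own choice, and every `SAMPLE_LOG` line after the first three is constructed for illustration.

```python
"""Flag remote-access ports left open in the Windows Firewall exception list.

Added example, not part of the original thread. The first three SAMPLE_LOG
lines repeat the GloballyOpenPorts entries from the posted ComboFix log; the
rest are constructed for illustration. The REMOTE_ADMIN_PORTS table is my
own, not something ComboFix or Windows provides.
"""
import re

# One exception per line, in the form ComboFix uses when it dumps the
# firewall policy's GloballyOpenPorts\List key:
#   "<port>:<proto>"= <port>:<proto>:<description>
EXCEPTION_RE = re.compile(
    r'^"(?P<port>\d+):(?P<proto>TCP|UDP)"=\s*(?P=port):(?P=proto):(?P<desc>.*)$'
)

# Ports that hand over remote control of the machine. An inbound exception for
# any of these on a home PC deserves a second look.
REMOTE_ADMIN_PORTS = {
    (22, "TCP"): "SSH",
    (23, "TCP"): "Telnet (cleartext remote shell)",
    (3389, "TCP"): "Remote Desktop",
    (5985, "TCP"): "WinRM over HTTP",
    (5986, "TCP"): "WinRM over HTTPS",
}


def parse_exceptions(lines):
    """Yield (port, proto, description) for each well-formed exception line."""
    for line in lines:
        m = EXCEPTION_RE.match(line.strip())
        if m:
            yield int(m.group("port")), m.group("proto"), m.group("desc").strip()


def flag_exceptions(lines):
    """Return findings for exceptions that open a remote-admin port or carry
    no meaningful description.

    Windows' own entries use @dll,-id resource strings (e.g. @xpsp2res.dll,-22009)
    and third-party installers use a product name; a bare number such as "1"
    is neither, so it is reported as unlabelled.
    """
    findings = []
    for port, proto, desc in parse_exceptions(lines):
        reason = REMOTE_ADMIN_PORTS.get((port, proto))
        unlabelled = not desc or desc.isdigit()
        if reason or unlabelled:
            findings.append({
                "port": port,
                "proto": proto,
                "desc": desc,
                "reason": reason or "no meaningful description",
                "unlabelled": unlabelled,
            })
    return findings


SAMPLE_LOG = [
    '"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009',       # from the posted log
    '"5985:TCP"= 5985:TCP:Windows Remote Management',  # from the posted log
    '"23:TCP"= 23:TCP:1',                              # from the posted log
    '"139:TCP"= 139:TCP:@xpsp2res.dll,-22004',         # constructed: file sharing
    '"1900:UDP"= 1900:UDP:@xpsp2res.dll,-22007',       # constructed: UPnP
    'R1 AvgLdx86;AVG Free AVI Loader Driver x86;...',  # constructed: not an exception line
]

if __name__ == "__main__":
    for f in flag_exceptions(SAMPLE_LOG):
        print("%(port)5d/%(proto)s  %(reason)-32s  desc=%(desc)r" % f)
```

To run it over a real log, read the file and pass its lines to `flag_exceptions`; lines that are not firewall exceptions are ignored, so the whole ComboFix output can be fed in unchanged.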


#9 nasdaq
  • Malware Response Team
  • 39,215 posts
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:10:18 PM

Posted 04 January 2012 - 03:40 PM

Looking good.

Third-party programs, if not up to date, can be the cause of infiltration by an infection.

Please run this security check for my review.

Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
===

Any remaining issues with this computer?

#10 Who?
  • Topic Starter
  • Members
  • 116 posts
  • Gender:Male
  • Local time:03:18 PM

Posted 04 January 2012 - 05:00 PM

Doing all that made no change... the virus is still there and has made more problems.

Results of screen317's Security Check version 0.99.30
Windows XP Service Pack 3 x86
Internet Explorer 8
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Enabled!
AVG Free 8.5
Antivirus up to date!
```````````````````````````````
Anti-malware/Other Utilities Check:

Malwarebytes' Anti-Malware
Java™ 6 Update 27
Java version out of date!
Adobe Flash Player 11.1.102.55
Mozilla Firefox 8.0.1 Firefox out of Date!
````````````````````````````````
Process Check:
objlist.exe by Laurent

AVG avgwdsvc.exe
AVG avgtray.exe
AVG avgrsx.exe
AVG avgnsx.exe
``````````End of Log````````````

Edited by Who?, 04 January 2012 - 05:10 PM.


#11 nasdaq
  • Malware Response Team
  • 39,215 posts
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:10:18 PM

Posted 05 January 2012 - 08:57 AM

From your first post.

and I've got WINWORD.EXE and OUTLOOK.EXE; I had a look for them and it says it's from the Kangero.A worm?

That's a bad infection.
http://www.liutilities.com/malware/computer-worm/w32-kangero-a/

Please do a scan with Kaspersky Online Scanner

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

Click on the Accept button and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded on the left side of the page in the Scan section select My Computer.
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • In the drop down box labeled Files of type change the type to Text file.
  • Save the file to your Desktop.
  • Copy and paste that information in your next post.

Try this one also.

I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the [image] button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on [image] to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the [image] icon on your desktop.
  • Check [image]
  • Click the [image] button.
  • Accept any security warnings from your browser.
  • Check [image]
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push [image]
  • Push [image], and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the [image] button.
  • Push [image]

Keep me posted.

#12 Who?
  • Topic Starter
  • Members
  • 116 posts
  • Gender:Male
  • Local time:03:18 PM

Posted 05 January 2012 - 11:05 PM

Kaspersky threw me a 404, and here's what ESET found:

C:\OldHardDrive\WINDOWS\system32\drivers\etc\hosts

#13 nasdaq
  • Malware Response Team
  • 39,215 posts
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:10:18 PM

Posted 06 January 2012 - 10:17 AM

eset found
C:\OldHardDrive\WINDOWS\system32\drivers\etc\hosts


Your hosts file should be in the ETC folder. Check it out.
C:\WINDOWS\SYSTEM32\DRIVERS\ETC\HOSTS <- file no extension.

Delete the one in the OldHardDrive.
===

The URL has changed for Kaspersky.
Free online virus scan
http://www.kaspersky.com/virusscanner#download

I hope that my instructions will help, since I have not tried this new trial version.
===
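The post above points at the hosts file, C:\WINDOWS\system32\drivers\etc\hosts, as the thing to check. On a clean Windows XP install that file maps only `localhost`; malware commonly adds lines that point antivirus or update sites at 127.0.0.1 (so they silently fail) or that send ordinary sites to an address the attacker controls. The following Python script is an added example, not part of the original thread and not something ESET or ComboFix provides: it parses a hosts file, skips comments and the stock localhost entry, and reports blackholed and redirected names. The `SAMPLE_HOSTS` content is constructed for illustration (the domains and the 198.51.100.23 address, which is from a documentation range, are placeholders, not findings from the poster's machine); the default path in `audit_file` is the one named in the post.

```python
"""Audit a Windows hosts file for hijack-style entries.

Added example, not part of the original thread. SAMPLE_HOSTS is constructed;
the domains and the 198.51.100.23 address (a documentation range) are
placeholders, not real findings from the poster's machine.
"""
import ipaddress
import sys

# The only mappings a stock Windows hosts file carries.
DEFAULT_ENTRIES = {("127.0.0.1", "localhost"), ("::1", "localhost")}

# RFC 1918 ranges: a hosts entry pointing into the LAN is normally a
# deliberate local alias (printer, NAS), so it is not reported.
LAN_NETS = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_hosts(text):
    """Yield (line_no, ip_or_None, name) for every mapping in a hosts file.

    Comments (#...) and blank lines are skipped. A line whose first token is
    not an IP address is yielded once with ip=None and the raw line as name,
    so the caller can report it as malformed.
    """
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        tokens = line.split()
        try:
            ip = ipaddress.ip_address(tokens[0])
        except ValueError:
            yield line_no, None, line
            continue
        for name in tokens[1:]:
            yield line_no, ip, name.lower()


def classify(ip, name):
    """Return a verdict for one mapping, or None if it needs no attention."""
    if ip is None:
        return "malformed"
    if (str(ip), name) in DEFAULT_ENTRIES:
        return None
    if ip.is_loopback or ip.is_unspecified:
        return "blackholed"      # name resolves to 127.0.0.1/0.0.0.0: site is blocked
    if any(ip in net for net in LAN_NETS):
        return None              # LAN alias, left alone
    return "redirected"          # name sent to some external address


def audit_hosts(text):
    """Return a list of findings (dicts) for the non-default entries in text."""
    findings = []
    for line_no, ip, name in parse_hosts(text):
        verdict = classify(ip, name)
        if verdict:
            findings.append({"line": line_no, "name": name,
                             "ip": str(ip) if ip is not None else None,
                             "verdict": verdict})
    return findings


def audit_file(path=r"C:\WINDOWS\system32\drivers\etc\hosts"):
    """Audit the hosts file at path (default: the location named in the post)."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return audit_hosts(fh.read())


SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.   (stock header line)
127.0.0.1       localhost
127.0.0.1       free.avg.com            # constructed: AV update site blackholed
127.0.0.1       update.microsoft.com    # constructed: Windows Update blocked
0.0.0.0         www.malwarebytes.org    # constructed: same trick via 0.0.0.0
198.51.100.23   www.google.co.nz        # constructed: redirect to a foreign host
192.168.1.50    printer.local           # constructed: harmless LAN alias
"""

if __name__ == "__main__":
    results = audit_file(sys.argv[1]) if len(sys.argv) > 1 else audit_hosts(SAMPLE_HOSTS)
    for f in results:
        print("line %(line)d: %(verdict)-10s %(name)s -> %(ip)s" % f)
    if not results:
        print("no non-default entries found")
```

Run without arguments it audits the constructed sample; pass a path to audit a real file, including the copy on the old drive that ESET flagged. An empty result means the file contains nothing beyond the stock localhost line, which is what a clean XP machine should show.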

#14 Who?
  • Topic Starter
  • Members
  • 116 posts
  • Gender:Male
  • Local time:03:18 PM

Posted 06 January 2012 - 04:32 PM

Which one do I pick? The 100 MB one wouldn't be very good on a 4 kbps connection...

Edited by Who?, 07 January 2012 - 01:56 AM.


#15 nasdaq
  • Malware Response Team
  • 39,215 posts
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:10:18 PM

Posted 07 January 2012 - 10:20 AM

Yes.
