zero rootkit?


  • This topic is locked
21 replies to this topic

#1 woodstock jim

woodstock jim

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:06:46 AM

Posted 29 January 2012 - 09:53 AM

Unable to run DDS or TDSSKiller. Below is the GMER log... help, what a mess.
Thanks,
Jim


GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-01-29 09:32:27
Windows 5.1.2600 Service Pack 3
Running: hwy1q4me.exe; Driver: C:\DOCUME~1\CLIFFW~1\LOCALS~1\Temp\pwrdyfob.sys


---- Files - GMER 1.0.15 ----

File C:\Documents and Settings\NetworkService\Application Data\Microsoft\Internet Explorer\UserData\2RFA5OHE\meebo[1].xml 96 bytes
File C:\Documents and Settings\NetworkService\Cookies\system@serving-sys[2].txt 609 bytes
File C:\Documents and Settings\NetworkService\Cookies\system@t.pointroll[2].txt 83 bytes
File C:\Documents and Settings\NetworkService\Cookies\system@tap.rubiconproject[2].txt 84 bytes
File C:\Documents and Settings\NetworkService\Cookies\system@tap2-cdn.rubiconproject[1].txt 509 bytes
File C:\Documents and Settings\NetworkService\Cookies\system@us-ads.openx[2].txt 109 bytes
File C:\Documents and Settings\NetworkService\Cookies\system@v8juice[2].txt 341 bytes
File C:\Documents and Settings\NetworkService\Cookies\system@w55c[1].txt 1110 bytes
File C:\Documents and Settings\NetworkService\Cookies\system@doubleclick[1].txt 363 bytes
File C:\Documents and Settings\NetworkService\Cookies\system@hrblock[2].txt 227 bytes
File C:\Documents and Settings\NetworkService\Cookies\system@www.lexus[1].txt 102 bytes
File C:\Documents and Settings\NetworkService\Cookies\system@www.mevio[2].txt 279 bytes
File C:\Documents and Settings\NetworkService\Cookies\system@yumenetworks[2].txt 494 bytes
File C:\Documents and Settings\NetworkService\Cookies\system@lexus[2].txt 578 bytes
File C:\Documents and Settings\NetworkService\Cookies\system@mevio[2].txt 926 bytes
File C:\Documents and Settings\NetworkService\Cookies\system@pixel.rubiconproject[1].txt 452 bytes
File C:\Documents and Settings\NetworkService\Cookies\system@pointroll[1].txt 167 bytes
File C:\WINDOWS\$NtUninstallKB15955$\3170324400 0 bytes
File C:\WINDOWS\$NtUninstallKB15955$\3715883816 0 bytes
File C:\WINDOWS\$NtUninstallKB15955$\3715883816\@ 2048 bytes
File C:\WINDOWS\$NtUninstallKB15955$\3715883816\bckfg.tmp 854 bytes
File C:\WINDOWS\$NtUninstallKB15955$\3715883816\cfg.ini 240 bytes
File C:\WINDOWS\$NtUninstallKB15955$\3715883816\Desktop.ini 4608 bytes
File C:\WINDOWS\$NtUninstallKB15955$\3715883816\keywords 117 bytes
File C:\WINDOWS\$NtUninstallKB15955$\3715883816\kwrd.dll 223744 bytes
File C:\WINDOWS\$NtUninstallKB15955$\3715883816\L 0 bytes
File C:\WINDOWS\$NtUninstallKB15955$\3715883816\L\pavtnywh 162816 bytes
File C:\WINDOWS\$NtUninstallKB15955$\3715883816\lsflt7.ver 5176 bytes
File C:\WINDOWS\$NtUninstallKB15955$\3715883816\oemid 21 bytes
File C:\WINDOWS\$NtUninstallKB15955$\3715883816\U 0 bytes
File C:\WINDOWS\$NtUninstallKB15955$\3715883816\U\00000001.@ 2048 bytes
File C:\WINDOWS\$NtUninstallKB15955$\3715883816\U\00000002.@ 224768 bytes
File C:\WINDOWS\$NtUninstallKB15955$\3715883816\U\00000004.@ 1024 bytes
File C:\WINDOWS\$NtUninstallKB15955$\3715883816\U\80000000.@ 11264 bytes
File C:\WINDOWS\$NtUninstallKB15955$\3715883816\U\80000004.@ 12800 bytes
File C:\WINDOWS\$NtUninstallKB15955$\3715883816\U\80000032.@ 73216 bytes
File C:\WINDOWS\$NtUninstallKB15955$\3715883816\version 854 bytes

---- EOF - GMER 1.0.15 ----
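The GMER file list above is the first concrete artifact in this thread: a cluster of files under a hotfix-uninstall folder (`$NtUninstallKB15955$`) with a purely numeric subfolder holding `@`, `cfg.ini`, `kwrd.dll`, a `U\` directory of `.@` files and an `L\` directory, plus ad-network cookies sitting in the NetworkService profile. TDSSKiller later in the thread names the driver infection Virus.Win32.ZAccess.h, Kaspersky's name for ZeroAccess. The following is an added example, not from the thread, from GMER or from any removal tool: it parses GMER's `File <path> <size> bytes` lines and applies path heuristics drawn from this log to flag such a store and to list cookies in service-account profiles, where no interactive browser session should be writing. The sample lines are a constructed subset of the log above; the marker list and the `min_markers` threshold are my own heuristics, not a vendor signature.

```python
import re

# Constructed sample: a subset of the "---- Files ----" lines from the GMER log
# posted above, in GMER 1.0.15's "File <path> <size> bytes" layout.
SAMPLE_GMER = r"""
File C:\Documents and Settings\NetworkService\Cookies\system@doubleclick[1].txt 363 bytes
File C:\Documents and Settings\NetworkService\Cookies\system@hrblock[2].txt 227 bytes
File C:\WINDOWS\$NtUninstallKB15955$\3170324400 0 bytes
File C:\WINDOWS\$NtUninstallKB15955$\3715883816 0 bytes
File C:\WINDOWS\$NtUninstallKB15955$\3715883816\@ 2048 bytes
File C:\WINDOWS\$NtUninstallKB15955$\3715883816\cfg.ini 240 bytes
File C:\WINDOWS\$NtUninstallKB15955$\3715883816\Desktop.ini 4608 bytes
File C:\WINDOWS\$NtUninstallKB15955$\3715883816\kwrd.dll 223744 bytes
File C:\WINDOWS\$NtUninstallKB15955$\3715883816\L\pavtnywh 162816 bytes
File C:\WINDOWS\$NtUninstallKB15955$\3715883816\U 0 bytes
File C:\WINDOWS\$NtUninstallKB15955$\3715883816\U\00000001.@ 2048 bytes
File C:\WINDOWS\$NtUninstallKB15955$\3715883816\U\80000032.@ 73216 bytes
"""

FILE_RE = re.compile(r"^File (?P<path>.+) (?P<size>\d+) bytes$")

# A hotfix-uninstall folder ($NtUninstallKB<n>$) containing a purely numeric
# subfolder. Real uninstall folders hold backed-up system files, not this.
STORE_RE = re.compile(r"^(?P<store>.*\\\$NtUninstallKB\d+\$\\\d+)(?:\\(?P<rel>.+))?$",
                      re.IGNORECASE)

# File names seen inside the store in this thread's log (my heuristic list,
# not a signature): "@", cfg.ini, keywords, kwrd.dll, ..., U\<8 hex>.@, L\<letters>.
MARKER_RE = re.compile(
    r"^(?:@|cfg\.ini|keywords|kwrd\.dll|bckfg\.tmp|lsflt7\.ver|oemid|version"
    r"|U\\[0-9A-F]{8}\.@|L\\[a-z]+)$", re.IGNORECASE)

# Browser cookies under a service account's profile: only code running as
# NetworkService/LocalService could have written them there.
SERVICE_COOKIE_RE = re.compile(
    r"\\Documents and Settings\\(?:NetworkService|LocalService)\\Cookies\\", re.IGNORECASE)


def parse_gmer_files(text):
    """Return [(path, size_bytes)] for every GMER 'File' line."""
    entries = []
    for line in text.splitlines():
        m = FILE_RE.match(line.strip())
        if m:
            entries.append((m["path"], int(m["size"])))
    return entries


def find_zeroaccess_stores(entries):
    """Map each store folder to the marker files found inside it (in log order)."""
    stores = {}
    for path, _size in entries:
        m = STORE_RE.match(path)
        if not m:
            continue
        markers = stores.setdefault(m["store"], [])
        rel = m["rel"]
        if rel and MARKER_RE.match(rel):
            markers.append(rel)
    return stores


def suspicious_stores(stores, min_markers=3):
    """Stores with enough markers to call out; the threshold is my own choice."""
    return [store for store, markers in stores.items() if len(markers) >= min_markers]


def service_profile_cookies(entries):
    """Cookie files living in a service account's profile."""
    return [path for path, _size in entries if SERVICE_COOKIE_RE.search(path)]


if __name__ == "__main__":
    found = parse_gmer_files(SAMPLE_GMER)
    stores = find_zeroaccess_stores(found)
    for store in suspicious_stores(stores):
        print(f"suspicious store {store}: {len(stores[store])} markers")
        for rel in stores[store]:
            print("   ", rel)
    for path in service_profile_cookies(found):
        print("service-account cookie:", path)
```

Feed it the whole `---- Files ----` section of a GMER log rather than the sample and it reports every store it finds; `Desktop.ini` is deliberately not a marker, since a `Desktop.ini` on its own is normal, so it only counts the names that have no business in an uninstall folder.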


#2 gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 30 January 2012 - 03:19 AM

Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems.

Some things to remember while we are working together:

  • Do not run any other tool until instructed to do so!
  • Please do not attach logs or put them in code boxes.
  • Tell me about any problems that have occurred during the fix.
  • Tell me of any other symptoms you may be having, as these can help also.
  • Do not run anything while running a fix.


Click on the Watch Topic button, select Immediate Notification and click on Proceed; this will help you get notified faster when I have replied and make the cleaning process faster.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run ComboFix:

You may be asked to install or update the Recovery Console (Win XP only). If this happens, please allow it to do so (you will need to be connected to the internet for this).

Before you run ComboFix I will need you to turn off any security software you have running. If you do not know how to do this you can find out >here< or >here<.

ComboFix may need to reboot your computer more than once to do its job; this is normal.

You can download ComboFix from one of these links.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

Double-click on combofix.exe and follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion," please restart the computer.

"information and logs"

  • In your next post I need the following
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#3 woodstock jim

  • Topic Starter

Posted 30 January 2012 - 08:36 PM

Now running ComboFix for the 3rd time. The first two times it popped up that "rootkit" was present and the scan may take a few minutes longer, then the computer froze. Now running for the 3rd time; it has been running for 4+ hours and does not seem to be doing anything.

#4 gringo_pr


Posted 30 January 2012 - 09:17 PM

Hello

Go ahead and stop ComboFix and run this tool for me next.

TDSSKiller:

Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • Double-click on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure; click on Continue.
  • If a suspicious file is detected, the default action will be Skip; click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory (usually the C:\ folder) in the form "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Gringo

#5 woodstock jim

  • Topic Starter

Posted 30 January 2012 - 09:48 PM

TDSSKiller will not run. It does not even start.

#6 gringo_pr


Posted 30 January 2012 - 09:49 PM

Hello

I would like you to run this tool for me: FixTDSS.

Download it to your desktop and start the program.

Follow the prompts and OK any security prompts.

When it is complete it will say the infection was cleared or no infection was found; let me know what it says.

After it is complete, I want you to restart the computer, try to rerun TDSSKiller for me and send me the report.

Gringo

#7 woodstock jim

  • Topic Starter

Posted 30 January 2012 - 10:27 PM

FixTDSS says:
Scan results
***Infected MBR detected. I clicked Repair and it says Repair succeeded.
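FixTDSS reports an infected MBR and repairs it, and the TDSSKiller log posted later in this thread hashes the MBR as `MBR (0x1B8) (<md5>)` and lists the partition it found (`Type 0x7, StartLBA 0x3F, BlocksNum 0xDF15F62`). The following is an added example, not from the thread and not the code of either tool: it parses a 512-byte MBR image, hashes the bootstrap code area separately from the disk signature and partition table, and flags a patched code area even when the partition table is untouched, which is the case that a glance at the partition layout misses. The images are constructed here; the stub boot code, the baseline hash, and the assumption that TDSSKiller's `0x1B8` is the length of the hashed code area (offsets 0x000 to 0x1B7, up to the NT disk signature) are mine.

```python
import hashlib
import struct

SECTOR = 512
CODE_AREA_LEN = 0x1B8     # bootstrap code, offsets 0x000-0x1B7 (assumed to be what "MBR (0x1B8)" hashes)
DISK_SIG_OFF = 0x1B8      # 4-byte NT disk signature, then 2 reserved bytes
PART_TABLE_OFF = 0x1BE    # four 16-byte partition entries
BOOT_SIG = b"\x55\xAA"    # offsets 0x1FE-0x1FF
ENTRY_FMT = "<B3sB3sII"   # status, CHS start, type, CHS end, LBA start, sector count


def build_mbr(code, partitions, disk_sig=0x1234ABCD):
    """Assemble a 512-byte MBR image from constructed parts (test data only)."""
    if len(code) > CODE_AREA_LEN:
        raise ValueError("boot code does not fit in the code area")
    img = bytearray(SECTOR)
    img[:len(code)] = code
    struct.pack_into("<I", img, DISK_SIG_OFF, disk_sig)
    for i, (bootable, ptype, start_lba, sectors) in enumerate(partitions[:4]):
        struct.pack_into(ENTRY_FMT, img, PART_TABLE_OFF + 16 * i,
                         0x80 if bootable else 0x00, b"\xFE\xFF\xFF",
                         ptype, b"\xFE\xFF\xFF", start_lba, sectors)
    img[SECTOR - 2:] = BOOT_SIG
    return bytes(img)


def parse_mbr(img):
    """Split an MBR into the pieces that are worth checking separately."""
    if len(img) < SECTOR:
        raise ValueError("need at least one 512-byte sector")
    partitions = []
    for i in range(4):
        status, _chs0, ptype, _chs1, start, count = struct.unpack_from(
            ENTRY_FMT, img, PART_TABLE_OFF + 16 * i)
        if ptype == 0 and count == 0:
            continue                                    # empty slot
        partitions.append({"bootable": status == 0x80, "type": ptype,
                           "start_lba": start, "sectors": count})
    return {
        "code_md5": hashlib.md5(img[:CODE_AREA_LEN]).hexdigest(),
        "disk_signature": struct.unpack_from("<I", img, DISK_SIG_OFF)[0],
        "boot_signature_ok": img[SECTOR - 2:SECTOR] == BOOT_SIG,
        "partitions": partitions,
    }


def check_mbr(img, baseline_code_md5):
    """Return finding codes; an empty list means the MBR matches the baseline."""
    info = parse_mbr(img)
    findings = []
    if not info["boot_signature_ok"]:
        findings.append("boot-signature")
    if info["code_md5"] != baseline_code_md5:
        findings.append("code-hash-mismatch")
    if not any(p["bootable"] for p in info["partitions"]):
        findings.append("no-active-partition")
    spans = sorted((p["start_lba"], p["start_lba"] + p["sectors"]) for p in info["partitions"])
    if any(s2 < e1 for (_s1, e1), (s2, _e2) in zip(spans, spans[1:])):
        findings.append("partition-overlap")
    if any(p["start_lba"] == 0 for p in info["partitions"]):
        findings.append("partition-at-lba0")
    return findings


# Constructed baseline: a stub of boot code (not real loader bytes) and the
# single NTFS partition the TDSSKiller log reports (Type 0x7, StartLBA 0x3F,
# BlocksNum 0xDF15F62).
BASELINE_CODE = bytes([0x33, 0xC0, 0x8E, 0xD0, 0xBC, 0x00, 0x7C]) + b"\x90" * 64
PARTITIONS = [(True, 0x07, 0x3F, 0xDF15F62)]
CLEAN_MBR = build_mbr(BASELINE_CODE, PARTITIONS)
BASELINE_CODE_MD5 = parse_mbr(CLEAN_MBR)["code_md5"]

# A bootkit-style patch: redirect the first instruction, leave the partition
# table and signatures alone so the disk still looks normal to fdisk-style tools.
TAMPERED_MBR = bytearray(CLEAN_MBR)
TAMPERED_MBR[0:3] = b"\xEB\x0D\x90"
TAMPERED_MBR = bytes(TAMPERED_MBR)

if __name__ == "__main__":
    for label, img in (("clean", CLEAN_MBR), ("tampered", TAMPERED_MBR)):
        print(label, parse_mbr(img)["code_md5"], check_mbr(img, BASELINE_CODE_MD5) or "ok")
```

To run this against a real disk, read its first sector (for example `\\.\PhysicalDrive0` on Windows, opened for raw reading from an account with the right to do so) into `img`, and take the baseline hash from a known-clean copy of the same boot loader, not from the machine under suspicion; on a live infected system the rootkit can also lie about what a sector read returns, which is why the tools in this thread are run from outside the normal boot path or after it has been repaired.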

#8 woodstock jim

  • Topic Starter

Posted 30 January 2012 - 10:44 PM

TDSSKiller run log below... seems to be getting better... shutdown and reboot was much quicker.

22:29:29.0453 3400 TDSS rootkit removing tool 2.7.8.0 Jan 30 2012 16:39:36
22:29:29.0953 3400 ============================================================
22:29:29.0953 3400 Current date / time: 2012/01/30 22:29:29.0953
22:29:29.0953 3400 SystemInfo:
22:29:29.0953 3400
22:29:29.0953 3400 OS Version: 5.1.2600 ServicePack: 3.0
22:29:29.0953 3400 Product type: Workstation
22:29:29.0953 3400 ComputerName: TOSHIBA-USER
22:29:29.0953 3400 UserName: Cliff Wagner
22:29:29.0953 3400 Windows directory: C:\WINDOWS
22:29:29.0953 3400 System windows directory: C:\WINDOWS
22:29:29.0953 3400 Processor architecture: Intel x86
22:29:29.0953 3400 Number of processors: 2
22:29:29.0953 3400 Page size: 0x1000
22:29:29.0953 3400 Boot type: Normal boot
22:29:29.0953 3400 ============================================================
22:29:33.0937 3400 Drive \Device\Harddisk0\DR0 - Size: 0x1BF2976000 (111.79 Gb), SectorSize: 0x200, Cylinders: 0x3901, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000054
22:29:33.0937 3400 \Device\Harddisk0\DR0:
22:29:33.0937 3400 MBR used
22:29:33.0937 3400 \Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0xDF15F62
22:29:33.0984 3400 Initialize success
22:29:33.0984 3400 ============================================================
22:29:40.0031 2868 ============================================================
22:29:40.0031 2868 Scan started
22:29:40.0031 2868 Mode: Manual;
22:29:40.0031 2868 ============================================================
22:29:40.0968 2868 Abiosdsk - ok
22:29:41.0406 2868 abp480n5 - ok
22:29:42.0000 2868 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
22:29:42.0093 2868 ACPI - ok
22:29:42.0546 2868 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\DRIVERS\ACPIEC.sys
22:29:42.0546 2868 ACPIEC - ok
22:29:43.0000 2868 adpu160m - ok
22:29:43.0531 2868 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
22:29:43.0609 2868 aec - ok
22:29:44.0093 2868 AegisP (12dafd934641dcf61e446313bc261ec2) C:\WINDOWS\system32\DRIVERS\AegisP.sys
22:29:44.0093 2868 AegisP - ok
22:29:44.0656 2868 AFD (1e44bc1e83d8fd2305f8d452db109cf9) C:\WINDOWS\System32\drivers\afd.sys
22:29:44.0687 2868 AFD - ok
22:29:45.0906 2868 AgereSoftModem (b3192376c7a3814b5341efc2202022f8) C:\WINDOWS\system32\DRIVERS\AGRSM.sys
22:29:46.0500 2868 AgereSoftModem - ok
22:29:46.0937 2868 Aha154x - ok
22:29:47.0375 2868 aic78u2 - ok
22:29:47.0812 2868 aic78xx - ok
22:29:48.0250 2868 AliIde - ok
22:29:48.0687 2868 amsint - ok
22:29:49.0421 2868 AR5211 (98256238aba03e13dbe550496ede60b0) C:\WINDOWS\system32\DRIVERS\ar5211.sys
22:29:49.0687 2868 AR5211 - ok
22:29:50.0265 2868 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys
22:29:50.0296 2868 Arp1394 - ok
22:29:50.0734 2868 asc - ok
22:29:51.0156 2868 asc3350p - ok
22:29:51.0593 2868 asc3550 - ok
22:29:52.0078 2868 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
22:29:52.0093 2868 AsyncMac - ok
22:29:52.0609 2868 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
22:29:52.0609 2868 atapi - ok
22:29:53.0078 2868 Atdisk - ok
22:29:53.0578 2868 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
22:29:53.0609 2868 Atmarpc - ok
22:29:54.0062 2868 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
22:29:54.0078 2868 audstub - ok
22:29:54.0625 2868 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
22:29:54.0640 2868 Beep - ok
22:29:54.0781 2868 catchme - ok
22:29:55.0250 2868 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
22:29:55.0265 2868 cbidf2k - ok
22:29:55.0718 2868 cd20xrnt - ok
22:29:56.0171 2868 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
22:29:56.0171 2868 Cdaudio - ok
22:29:56.0687 2868 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
22:29:56.0687 2868 Cdfs - ok
22:29:57.0265 2868 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
22:29:57.0312 2868 Cdrom - ok
22:29:57.0734 2868 Changer - ok
22:29:58.0218 2868 CmBatt (0f6c187d38d98f8df904589a5f94d411) C:\WINDOWS\system32\DRIVERS\CmBatt.sys
22:29:58.0234 2868 CmBatt - ok
22:29:58.0656 2868 CmdIde - ok
22:29:59.0140 2868 Compbatt (6e4c9f21f0fae8940661144f41b13203) C:\WINDOWS\system32\DRIVERS\compbatt.sys
22:29:59.0156 2868 Compbatt - ok
22:29:59.0593 2868 Cpqarray - ok
22:30:00.0031 2868 dac2w2k - ok
22:30:00.0468 2868 dac960nt - ok
22:30:00.0937 2868 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
22:30:00.0953 2868 Disk - ok
22:30:01.0875 2868 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
22:30:02.0296 2868 dmboot - ok
22:30:02.0968 2868 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
22:30:03.0046 2868 dmio - ok
22:30:03.0500 2868 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
22:30:03.0515 2868 dmload - ok
22:30:04.0015 2868 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
22:30:04.0046 2868 DMusic - ok
22:30:04.0484 2868 dpti2o - ok
22:30:04.0921 2868 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
22:30:04.0921 2868 drmkaud - ok
22:30:05.0484 2868 E100B (2646883e6dd867cd872d5b51b6036710) C:\WINDOWS\system32\DRIVERS\e100b325.sys
22:30:05.0562 2868 E100B - ok
22:30:06.0125 2868 e1express (e1fa10ed8f9f700c1be1eae05a80ef57) C:\WINDOWS\system32\DRIVERS\e1e5132.sys
22:30:06.0218 2868 e1express - ok
22:30:06.0921 2868 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
22:30:06.0984 2868 Fastfat - ok
22:30:07.0453 2868 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\drivers\Fdc.sys
22:30:07.0468 2868 Fdc - ok
22:30:07.0968 2868 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
22:30:07.0968 2868 Fips - ok
22:30:08.0421 2868 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys
22:30:08.0437 2868 Flpydisk - ok
22:30:08.0968 2868 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
22:30:09.0046 2868 FltMgr - ok
22:30:09.0484 2868 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
22:30:09.0484 2868 Fs_Rec - ok
22:30:10.0000 2868 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
22:30:10.0062 2868 Ftdisk - ok
22:30:10.0531 2868 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
22:30:10.0562 2868 Gpc - ok
22:30:11.0234 2868 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
22:30:11.0250 2868 HDAudBus - ok
22:30:11.0750 2868 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
22:30:11.0765 2868 HidUsb - ok
22:30:12.0234 2868 hpn - ok
22:30:12.0843 2868 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
22:30:12.0953 2868 HTTP - ok
22:30:13.0390 2868 i2omgmt - ok
22:30:13.0828 2868 i2omp - ok
22:30:14.0312 2868 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
22:30:14.0343 2868 i8042prt - ok
22:30:15.0687 2868 ialm (bc1f1ff8d5800398937966cdb0a97fdc) C:\WINDOWS\system32\DRIVERS\ialmnt5.sys
22:30:16.0406 2868 ialm - ok
22:30:17.0031 2868 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
22:30:17.0046 2868 Imapi - ok
22:30:17.0484 2868 ini910u - ok
22:30:20.0343 2868 IntcAzAudAddService (b12a9fc49cd2765a43829d834f518aed) C:\WINDOWS\system32\drivers\RtkHDAud.sys
22:30:20.0390 2868 IntcAzAudAddService - ok
22:30:20.0953 2868 IntelIde - ok
22:30:21.0437 2868 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
22:30:21.0468 2868 intelppm - ok
22:30:21.0937 2868 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
22:30:21.0953 2868 Ip6Fw - ok
22:30:22.0421 2868 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
22:30:22.0421 2868 IpFilterDriver - ok
22:30:22.0906 2868 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
22:30:22.0921 2868 IpInIp - ok
22:30:23.0468 2868 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
22:30:23.0546 2868 IpNat - ok
22:30:24.0203 2868 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
22:30:24.0250 2868 IPSec - ok
22:30:24.0703 2868 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
22:30:24.0718 2868 IRENUM - ok
22:30:25.0203 2868 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
22:30:25.0218 2868 isapnp - ok
22:30:25.0718 2868 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
22:30:25.0734 2868 Kbdclass - ok
22:30:26.0281 2868 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
22:30:26.0375 2868 kmixer - ok
22:30:26.0921 2868 KR10N (00c1ea8decf810b8eccb5c5a8186a96e) C:\WINDOWS\system32\drivers\KR10N.sys
22:30:27.0046 2868 KR10N - ok
22:30:27.0562 2868 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
22:30:27.0593 2868 KSecDD - ok
22:30:28.0156 2868 lbrtfdc - ok
22:30:28.0625 2868 MBAMProtector (b7ca8cc3f978201856b6ab82f40953c3) C:\WINDOWS\system32\drivers\mbam.sys
22:30:28.0625 2868 MBAMProtector - ok
22:30:29.0140 2868 meiudf (7efac183a25b30fb5d64cc9d484b1eb6) C:\WINDOWS\system32\Drivers\meiudf.sys
22:30:29.0187 2868 meiudf - ok
22:30:29.0656 2868 MHNDRV (7f2f1d2815a6449d346fcccbc569fbd6) C:\WINDOWS\system32\DRIVERS\mhndrv.sys
22:30:29.0671 2868 MHNDRV - ok
22:30:30.0140 2868 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
22:30:30.0140 2868 mnmdd - ok
22:30:30.0843 2868 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
22:30:30.0843 2868 Modem - ok
22:30:31.0312 2868 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
22:30:31.0328 2868 Mouclass - ok
22:30:32.0015 2868 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
22:30:32.0031 2868 mouhid - ok
22:30:32.0828 2868 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
22:30:32.0859 2868 MountMgr - ok
22:30:33.0281 2868 mraid35x - ok
22:30:33.0843 2868 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
22:30:33.0937 2868 MRxDAV - ok
22:30:34.0656 2868 MRxSmb (7d304a5eb4344ebeeab53a2fe3ffb9f0) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
22:30:34.0875 2868 MRxSmb - ok
22:30:35.0359 2868 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
22:30:35.0359 2868 Msfs - ok
22:30:35.0968 2868 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
22:30:35.0968 2868 MSKSSRV - ok
22:30:36.0421 2868 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
22:30:36.0437 2868 MSPCLOCK - ok
22:30:36.0890 2868 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
22:30:36.0890 2868 MSPQM - ok
22:30:37.0359 2868 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
22:30:37.0375 2868 mssmbios - ok
22:30:37.0890 2868 Mup (de6a75f5c270e756c5508d94b6cf68f5) C:\WINDOWS\system32\drivers\Mup.sys
22:30:37.0921 2868 Mup - ok
22:30:38.0500 2868 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
22:30:38.0593 2868 NDIS - ok
22:30:39.0234 2868 NdisTapi (0109c4f3850dfbab279542515386ae22) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
22:30:39.0234 2868 NdisTapi - ok
22:30:39.0687 2868 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
22:30:39.0703 2868 Ndisuio - ok
22:30:40.0187 2868 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
22:30:40.0234 2868 NdisWan - ok
22:30:40.0734 2868 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
22:30:40.0734 2868 NDProxy - ok
22:30:41.0234 2868 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
22:30:41.0250 2868 NetBIOS - ok
22:30:41.0921 2868 NetBT (115ab667f90023c2577e44ec1f2ef41d) C:\WINDOWS\system32\DRIVERS\netbt.sys
22:30:41.0921 2868 NetBT ( Virus.Win32.ZAccess.h ) - infected
22:30:41.0921 2868 NetBT - detected Virus.Win32.ZAccess.h (0)
22:30:42.0437 2868 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys
22:30:42.0468 2868 NIC1394 - ok
22:30:42.0921 2868 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
22:30:42.0953 2868 Npfs - ok
22:30:43.0718 2868 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
22:30:44.0078 2868 Ntfs - ok
22:30:44.0546 2868 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
22:30:44.0546 2868 Null - ok
22:30:45.0031 2868 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
22:30:45.0031 2868 NwlnkFlt - ok
22:30:45.0625 2868 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
22:30:45.0640 2868 NwlnkFwd - ok
22:30:46.0109 2868 ohci1394 (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys
22:30:46.0140 2868 ohci1394 - ok
22:30:46.0656 2868 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\drivers\Parport.sys
22:30:46.0703 2868 Parport - ok
22:30:47.0140 2868 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
22:30:47.0156 2868 PartMgr - ok
22:30:47.0609 2868 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
22:30:47.0609 2868 ParVdm - ok
22:30:48.0109 2868 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
22:30:48.0171 2868 PCI - ok
22:30:48.0609 2868 PCIDump - ok
22:30:49.0062 2868 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
22:30:49.0062 2868 PCIIde - ok
22:30:49.0578 2868 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\DRIVERS\pcmcia.sys
22:30:49.0640 2868 Pcmcia - ok
22:30:50.0062 2868 PDCOMP - ok
22:30:50.0500 2868 PDFRAME - ok
22:30:50.0937 2868 PDRELI - ok
22:30:51.0375 2868 PDRFRAME - ok
22:30:51.0812 2868 perc2 - ok
22:30:52.0250 2868 perc2hib - ok
22:30:52.0750 2868 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
22:30:52.0781 2868 PptpMiniport - ok
22:30:53.0265 2868 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
22:30:53.0296 2868 PSched - ok
22:30:53.0765 2868 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
22:30:53.0765 2868 Ptilink - ok
22:30:54.0390 2868 PxHelp20 (86724469cd077901706854974cd13c3e) C:\WINDOWS\system32\Drivers\PxHelp20.sys
22:30:54.0406 2868 PxHelp20 - ok
22:30:54.0828 2868 ql1080 - ok
22:30:55.0265 2868 Ql10wnt - ok
22:30:55.0703 2868 ql12160 - ok
22:30:56.0140 2868 ql1240 - ok
22:30:56.0578 2868 ql1280 - ok
22:30:57.0031 2868 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
22:30:57.0046 2868 RasAcd - ok
22:30:57.0531 2868 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
22:30:57.0562 2868 Rasl2tp - ok
22:30:58.0031 2868 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
22:30:58.0046 2868 RasPppoe - ok
22:30:58.0500 2868 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
22:30:58.0515 2868 Raspti - ok
22:30:59.0062 2868 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
22:30:59.0156 2868 Rdbss - ok
22:30:59.0625 2868 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
22:30:59.0625 2868 RDPCDD - ok
22:31:00.0218 2868 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
22:31:00.0328 2868 rdpdr - ok
22:31:00.0859 2868 RDPWD (fc105dd312ed64eb66bff111e8ec6eac) C:\WINDOWS\system32\drivers\RDPWD.sys
22:31:00.0906 2868 RDPWD - ok
22:31:01.0531 2868 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
22:31:01.0562 2868 redbook - ok
22:31:02.0078 2868 s24trans (1cc074e0d48383d4e9bffc6a26c2a58a) C:\WINDOWS\system32\DRIVERS\s24trans.sys
22:31:02.0078 2868 s24trans - ok
22:31:02.0609 2868 sdbus (8d04819a3ce51b9eb47e5689b44d43c4) C:\WINDOWS\system32\DRIVERS\sdbus.sys
22:31:02.0640 2868 sdbus - ok
22:31:03.0125 2868 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
22:31:03.0140 2868 Secdrv - ok
22:31:03.0765 2868 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\drivers\Serial.sys
22:31:03.0796 2868 Serial - ok
22:31:04.0265 2868 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\DRIVERS\sfloppy.sys
22:31:04.0265 2868 Sfloppy - ok
22:31:04.0718 2868 Simbad - ok
22:31:05.0156 2868 Sparrow - ok
22:31:05.0609 2868 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
22:31:05.0625 2868 splitter - ok
22:31:06.0109 2868 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
22:31:06.0156 2868 sr - ok
22:31:06.0812 2868 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys
22:31:06.0984 2868 Srv - ok
22:31:07.0593 2868 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
22:31:07.0593 2868 swenum - ok
22:31:08.0062 2868 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
22:31:08.0093 2868 swmidi - ok
22:31:08.0546 2868 symc810 - ok
22:31:08.0984 2868 symc8xx - ok
22:31:09.0421 2868 sym_hi - ok
22:31:09.0859 2868 sym_u3 - ok
22:31:10.0437 2868 SynTP (e295fffff3aaf9a6a40b29497901908f) C:\WINDOWS\system32\DRIVERS\SynTP.sys
22:31:10.0546 2868 SynTP - ok
22:31:11.0015 2868 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
22:31:11.0046 2868 sysaudio - ok
22:31:11.0531 2868 tbiosdrv (7147b0575bcc93a6ab7d5c90f47c0b9f) C:\WINDOWS\system32\DRIVERS\tbiosdrv.sys
22:31:11.0531 2868 tbiosdrv - ok
22:31:12.0328 2868 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
22:31:12.0484 2868 Tcpip - ok
22:31:12.0968 2868 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
22:31:12.0984 2868 TDPIPE - ok
22:31:13.0437 2868 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
22:31:13.0453 2868 TDTCP - ok
22:31:13.0937 2868 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
22:31:13.0968 2868 TermDD - ok
22:31:14.0703 2868 tifm21 (244cfbffdefb77f3df571a8cd108fc06) C:\WINDOWS\system32\drivers\tifm21.sys
22:31:14.0781 2868 tifm21 - ok
22:31:15.0218 2868 TosIde - ok
22:31:15.0703 2868 tosrfec (cc069342ee0eae55b32a0ae99cf6185c) C:\WINDOWS\system32\DRIVERS\tosrfec.sys
22:31:15.0703 2868 tosrfec - ok
22:31:16.0171 2868 TVALD (676db15ddf2e0ff6ec03068dea428b8b) C:\WINDOWS\system32\DRIVERS\NBSMI.sys
22:31:16.0171 2868 TVALD - ok
22:31:16.0656 2868 Tvs (cc6763889198ef975b143d49789bcfa9) C:\WINDOWS\system32\DRIVERS\Tvs.sys
22:31:16.0687 2868 Tvs - ok
22:31:17.0203 2868 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
22:31:17.0234 2868 Udfs - ok
22:31:17.0781 2868 ultra - ok
22:31:18.0500 2868 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
22:31:18.0703 2868 Update - ok
22:31:19.0171 2868 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
22:31:19.0218 2868 usbccgp - ok
22:31:19.0703 2868 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
22:31:19.0718 2868 usbehci - ok
22:31:20.0343 2868 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
22:31:20.0375 2868 usbhub - ok
22:31:20.0843 2868 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
22:31:20.0859 2868 usbprint - ok
22:31:21.0328 2868 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
22:31:21.0343 2868 usbscan - ok
22:31:21.0812 2868 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
22:31:21.0828 2868 USBSTOR - ok
22:31:22.0296 2868 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
22:31:22.0312 2868 usbuhci - ok
22:31:22.0765 2868 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
22:31:22.0765 2868 VgaSave - ok
22:31:23.0203 2868 ViaIde - ok
22:31:23.0703 2868 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
22:31:23.0718 2868 VolSnap - ok
22:31:25.0078 2868 w39n51 (b1f126e7e28877106d60e6ff3998d033) C:\WINDOWS\system32\DRIVERS\w39n51.sys
22:31:25.0843 2868 w39n51 - ok
22:31:26.0453 2868 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
22:31:26.0468 2868 Wanarp - ok
22:31:26.0984 2868 wanatw (0a716c08cb13c3a8f4f51e882dbf7416) C:\WINDOWS\system32\DRIVERS\wanatw4.sys
22:31:27.0000 2868 wanatw - ok
22:31:27.0421 2868 WDICA - ok
22:31:27.0937 2868 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
22:31:27.0968 2868 wdmaud - ok
22:31:28.0453 2868 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys
22:31:28.0468 2868 WS2IFSL - ok
22:31:28.0562 2868 MBR (0x1B8) (09ce7397af23d4c0b331b89d0297cc7e) \Device\Harddisk0\DR0
22:31:28.0859 2868 \Device\Harddisk0\DR0 - ok
22:31:28.0875 2868 Boot (0x1200) (c885456e27f14a7231ef9fc5932be1ee) \Device\Harddisk0\DR0\Partition0
22:31:28.0875 2868 \Device\Harddisk0\DR0\Partition0 - ok
22:31:28.0875 2868 ============================================================
22:31:28.0875 2868 Scan finished
22:31:28.0875 2868 ============================================================
22:31:28.0890 3628 Detected object count: 1
22:31:28.0890 3628 Actual detected object count: 1
22:31:42.0312 3628 C:\WINDOWS\system32\DRIVERS\netbt.sys - copied to quarantine
22:31:42.0437 3628 VerifyFileNameVersionInfo: GetFileVersionInfoSizeW(C:\WINDOWS\system32\drivers\netbt.sys) error 1813
22:32:19.0593 3628 Backup copy found, using it..
22:32:19.0765 3628 C:\WINDOWS\system32\DRIVERS\netbt.sys - will be cured on reboot
22:32:54.0140 3628 NetBT ( Virus.Win32.ZAccess.h ) - User select action: Cure
22:35:07.0453 3304 Deinitialize success
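The TDSSKiller log above is long and mostly noise. What a responder actually needs out of it is the list of hashed objects, the verdict line (here NetBT flagged as Virus.Win32.ZAccess.h), the actions still pending at reboot, and a sanity check that the summary count agrees with the verdicts. The Python below is an added example, not part of the original post and not TDSSKiller's own code; its assumptions about the line format (time, thread id, message) come only from the log quoted above, and the sample input is a constructed excerpt of that log.

```python
"""Pull the triage-relevant facts out of a TDSSKiller text log.

Added example, not part of the original post or of TDSSKiller. The line
format (time, thread id, message) is inferred from the log quoted above.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample: lines copied from the posted log, trimmed to the cases
# the parser has to handle (hashed object, status, MBR entry, counts, verdict).
SAMPLE_LOG = r"""
22:31:17.0203 2868 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
22:31:17.0234 2868 Udfs - ok
22:31:17.0781 2868 ultra - ok
22:31:28.0562 2868 MBR (0x1B8) (09ce7397af23d4c0b331b89d0297cc7e) \Device\Harddisk0\DR0
22:31:28.0859 2868 \Device\Harddisk0\DR0 - ok
22:31:28.0890 3628 Detected object count: 1
22:31:28.0890 3628 Actual detected object count: 1
22:31:42.0312 3628 C:\WINDOWS\system32\DRIVERS\netbt.sys - copied to quarantine
22:31:42.0437 3628 VerifyFileNameVersionInfo: GetFileVersionInfoSizeW(C:\WINDOWS\system32\drivers\netbt.sys) error 1813
22:32:19.0765 3628 C:\WINDOWS\system32\DRIVERS\netbt.sys - will be cured on reboot
22:32:54.0140 3628 NetBT ( Virus.Win32.ZAccess.h ) - User select action: Cure
"""

LINE_RE = re.compile(r"^(?P<time>\d\d:\d\d:\d\d\.\d{4})\s+(?P<tid>\d+)\s+(?P<msg>.*\S)\s*$")
# "<name> (<md5>) <path>"; the lazy name also absorbs the "(0x1B8)" in "MBR (0x1B8)".
HASH_RE = re.compile(r"^(?P<name>.+?)\s+\((?P<md5>[0-9a-fA-F]{32})\)\s+(?P<path>.+)$")
STATUS_RE = re.compile(r"^(?P<subject>.+?)\s+-\s+(?P<status>ok|copied to quarantine|will be cured on reboot)$")
VERDICT_RE = re.compile(r"^(?P<name>\S+)\s+\(\s*(?P<verdict>[^)]+?)\s*\)\s+-\s+User select action:\s+(?P<action>\w+)$")
COUNT_RE = re.compile(r"^(?P<actual>Actual )?[Dd]etected object count:\s+(?P<n>\d+)$")


@dataclass
class ScannedObject:
    name: str
    md5: str
    path: str
    status: Optional[str] = None  # "ok" once the matching status line is seen


@dataclass
class Report:
    objects: Dict[str, ScannedObject] = field(default_factory=dict)     # keyed by object name
    verdicts: List[Tuple[str, str, str]] = field(default_factory=list)  # (name, verdict, action)
    pending: List[Tuple[str, str]] = field(default_factory=list)        # (subject, non-ok status)
    detected_count: Optional[int] = None
    actual_count: Optional[int] = None


def parse_tdsskiller(text: str) -> Report:
    rep = Report()
    by_path: Dict[str, str] = {}  # lower-cased path -> object name
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # blank lines and banners without the time/tid prefix
        msg = m["msg"]
        if h := HASH_RE.match(msg):
            obj = ScannedObject(h["name"], h["md5"].lower(), h["path"])
            rep.objects[obj.name] = obj
            by_path[obj.path.lower()] = obj.name
        elif v := VERDICT_RE.match(msg):
            rep.verdicts.append((v["name"], v["verdict"], v["action"]))
        elif c := COUNT_RE.match(msg):
            if c["actual"]:
                rep.actual_count = int(c["n"])
            else:
                rep.detected_count = int(c["n"])
        elif s := STATUS_RE.match(msg):
            subject, status = s["subject"], s["status"]
            # A status line names either the object ("Udfs - ok") or its path
            # ("\Device\Harddisk0\DR0 - ok"); NTFS paths compare case-insensitively.
            name = subject if subject in rep.objects else by_path.get(subject.lower())
            if status != "ok":
                rep.pending.append((subject, status))
            elif name:
                rep.objects[name].status = "ok"
    return rep


def md5_for_path(rep: Report, path: str) -> Optional[str]:
    """Case-insensitive hash lookup, e.g. to compare a driver against a known-good list."""
    wanted = path.lower()
    return next((o.md5 for o in rep.objects.values() if o.path.lower() == wanted), None)


def triage(rep: Report) -> List[str]:
    """Findings, plus the consistency checks worth doing before trusting the summary."""
    out = [f"{name}: {verdict} -> action {action}" for name, verdict, action in rep.verdicts]
    out += [f"{subject}: {status}" for subject, status in rep.pending]
    if rep.detected_count is not None and rep.detected_count != len(rep.verdicts):
        out.append(f"WARNING: summary reports {rep.detected_count} detection(s) "
                   f"but {len(rep.verdicts)} verdict line(s) were parsed")
    out += [f"{o.name}: hashed but never given a status ({o.path})"
            for o in rep.objects.values() if o.status is None]
    return out


if __name__ == "__main__":
    print("\n".join(triage(parse_tdsskiller(SAMPLE_LOG))))
```

Run stand-alone it prints the verdict and the two pending netbt.sys actions. The log hashes every driver it walks, so `md5_for_path` is the hook for comparing those hashes against a known-good set for the same Windows build once the cure-on-reboot has happened; the "hashed but never given a status" line catches objects the scan started on but never closed out.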

#9 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 30 January 2012 - 11:30 PM

Let's run ComboFix now.


gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#10 woodstock jim

woodstock jim
  • Topic Starter

  • Members
  • 15 posts

Posted 31 January 2012 - 09:17 AM

Results from ComboFix:


ComboFix 12-01-30.02 - Cliff Wagner 01/31/2012 6:07.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.502.305 [GMT -5:00]
Running from: c:\documents and settings\Cliff Wagner\Desktop\ComboFix.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Administrator\WINDOWS
c:\documents and settings\All Users\Application Data\~WyRcp88LtVZbd7
c:\documents and settings\All Users\Application Data\~WyRcp88LtVZbd7r
c:\documents and settings\All Users\Application Data\WyRcp88LtVZbd7
c:\documents and settings\Cliff Wagner\Start Menu\Programs\System Check
c:\documents and settings\Cliff Wagner\Start Menu\Programs\System Check\System Check.lnk
c:\documents and settings\Cliff Wagner\Start Menu\Programs\System Check\Uninstall System Check.lnk
c:\documents and settings\Cliff Wagner\WINDOWS
c:\documents and settings\Default User\WINDOWS
c:\windows\kb913800.exe
c:\windows\system32\config\systemprofile\WINDOWS
c:\windows\system32\Thumbs.db
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_6TO4
-------\Legacy_NETWORKLOG
-------\Service_6to4
.
.
((((((((((((((((((((((((( Files Created from 2011-12-28 to 2012-01-31 )))))))))))))))))))))))))))))))
.
.
2012-01-31 03:31 . 2012-01-31 03:31 -------- d-----w- C:\TDSSKiller_Quarantine
2012-01-28 19:23 . 2012-01-28 19:24 -------- d--h--w- c:\windows\system32\GroupPolicy
2012-01-24 08:03 . 2012-01-24 08:03 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\PCHealth
2012-01-23 02:48 . 2012-01-23 02:48 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-01-08 00:51 . 2012-01-08 00:51 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-01-31 03:35 . 2006-02-15 14:03 162816 ----a-w- c:\windows\system32\drivers\netbt.sys
2011-12-10 20:24 . 2011-10-08 00:36 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-11-25 21:57 . 2006-02-15 14:04 293376 ----a-w- c:\windows\system32\winsrv.dll
2011-11-23 13:25 . 2006-02-15 14:04 1859584 ----a-w- c:\windows\system32\win32k.sys
2011-11-18 12:35 . 2006-02-15 14:03 60416 ----a-w- c:\windows\system32\packager.exe
2011-11-16 14:21 . 2006-02-15 14:04 354816 ----a-w- c:\windows\system32\winhttp.dll
2011-11-16 14:21 . 2006-02-15 14:03 152064 ----a-w- c:\windows\system32\schannel.dll
2011-11-03 15:28 . 2006-02-15 14:03 386048 ----a-w- c:\windows\system32\qdvd.dll
2011-11-03 15:28 . 2006-02-15 14:03 1292288 ----a-w- c:\windows\system32\quartz.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2004-12-30 65536]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TFncKy"="TFncKy.exe" [BU]
"TDispVol"="TDispVol.exe" [2005-03-11 73728]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-11-28 98304]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-11-28 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-11-28 118784]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"THotkey"="c:\program files\Toshiba\Toshiba Applet\thotkey.exe" [2006-01-05 352256]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2005-12-16 82009]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-12-16 761945]
"LtMoh"="c:\program files\ltmoh\Ltmoh.exe" [2004-08-18 184320]
"AGRSMMSG"="AGRSMMSG.exe" [2005-10-15 88203]
"Tvs"="c:\program files\Toshiba\Tvs\TvsTray.exe" [2005-11-30 73728]
"TPSMain"="TPSMain.exe" [2005-06-01 282624]
"SmoothView"="c:\program files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2005-04-27 122880]
"Pinger"="c:\toshiba\ivp\ism\pinger.exe" [2005-03-18 151552]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-12-05 667718]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-11-28 602182]
"IVPServiceMgr"="c:\toshiba\ivp\ism\ivpsvmgr.exe" [2003-10-20 475136]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-02-16 98304]
"OpwareSE2"="c:\program files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe" [2003-05-08 49152]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-12-24 460872]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2005-04-25 36040]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
RAMASST.lnk - c:\windows\system32\RAMASST.exe [2006-2-15 155648]
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"=
"c:\\TOSHIBA\\Ivp\\ISM\\pinger.exe"= c:\\TOSHIBA\\IVP\\ISM\\pinger.exe
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\QuickTime\\QuickTimePlayer.exe"=
.
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [10/7/2011 7:36 PM 652872]
R2 NetFxUpdate_v1.1.4322;Microsoft .NET Framework v1.1.4322 Update;c:\windows\Microsoft.NET\Framework\v1.1.4322\netfxupdate.exe [1/15/2007 6:11 PM 73728]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [10/7/2011 7:36 PM 20464]
.
Contents of the 'Scheduled Tasks' folder
.
2012-01-31 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-276596442-1548659472-3993135447-1005Core.job
- c:\documents and settings\Cliff Wagner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2012-01-25 00:50]
.
2012-01-31 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-276596442-1548659472-3993135447-1005UA.job
- c:\documents and settings\Cliff Wagner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2012-01-25 00:50]
.
2006-07-09 c:\windows\Tasks\Registration reminder 1.job
- c:\windows\system32\OOBE\oobebaln.exe [2006-02-15 00:12]
.
2006-07-09 c:\windows\Tasks\Registration reminder 2.job
- c:\windows\system32\OOBE\oobebaln.exe [2006-02-15 00:12]
.
2006-07-09 c:\windows\Tasks\Registration reminder 3.job
- c:\windows\system32\OOBE\oobebaln.exe [2006-02-15 00:12]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.foxnews.com/
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
TCP: DhcpNameServer = 192.168.0.1
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-Run-PadTouch - c:\program files\TOSHIBA\Touch and Launch\PadExe.exe
HKLM-Run-QQfNWmaeHNTPm.exe - c:\documents and settings\All Users\Application Data\QQfNWmaeHNTPm.exe
SafeBoot-99122593.sys
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-01-31 06:27
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(3784)
c:\program files\ScanSoft\OmniPageSE2.0\ophookSE2.dll
c:\windows\system32\TDispVol.dll
c:\windows\system32\TPwrCfg.DLL
c:\windows\system32\TPwrReg.dll
c:\windows\system32\TPSTrace.DLL
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\windows\system32\DVDRAMSV.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\toshiba\IVP\swupdate\swupdtmr.exe
c:\program files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
c:\windows\ehome\mcrdsvc.exe
c:\windows\system32\TDispVol.exe
c:\windows\AGRSMMSG.exe
c:\windows\system32\TPSMain.exe
c:\windows\system32\TPSBattM.exe
c:\windows\system32\wscntfy.exe
c:\windows\eHome\ehmsas.exe
.
**************************************************************************
.
Completion time: 2012-01-31 06:33:45 - machine was rebooted
ComboFix-quarantined-files.txt 2012-01-31 11:33
.
Pre-Run: 107,059,380,224 bytes free
Post-Run: 107,317,952,512 bytes free
.
- - End Of File - - 023F0554623538FB17F9AC0EB9EB09AD
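In the ComboFix log above, the "Reg Loading Points" and "ORPHANS REMOVED" sections are where the remaining autostarts show up, and the orphan `HKLM-Run-QQfNWmaeHNTPm.exe` pointing at an executable dropped straight into All Users\Application Data is the pattern worth automating a check for. The Python below is an added example, not ComboFix's own logic and not from the original post. The record formats are taken from the log above; the list of user-writable directories, the random-name heuristic and the scoring threshold are this example's own assumptions, and the sample input is a constructed excerpt of the log.

```python
"""Score ComboFix autostart entries for the traits a responder checks first.

Added example, not ComboFix's own logic and not from the original post. The
record formats come from the log quoted above; the heuristics are this example's.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: lines copied from the posted ComboFix log.
SAMPLE_COMBOFIX = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TFncKy"="TFncKy.exe" [BU]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-11-28 98304]
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-Run-PadTouch - c:\program files\TOSHIBA\Touch and Launch\PadExe.exe
HKLM-Run-QQfNWmaeHNTPm.exe - c:\documents and settings\All Users\Application Data\QQfNWmaeHNTPm.exe
"""

RUN_RE = re.compile(r'^"(?P<key>[^"]+)"="(?P<target>[^"]*)"(?:\s+\[(?P<meta>[^\]]*)\])?$')
ORPHAN_RE = re.compile(r"^HKLM-Run-(?P<key>.+?)\s+-\s+(?P<target>.+)$")

# Directories an unprivileged user, or a dropper running as one, can write to (assumption).
DATA_ROOTS = ("\\application data\\", "\\temp\\", "\\recycler\\")


@dataclass
class Entry:
    key: str
    target: str
    orphan: bool = False  # listed under ORPHANS REMOVED, i.e. ComboFix already deleted it


@dataclass
class Finding:
    key: str
    target: str
    score: int
    reasons: List[str]


def parse_entries(text: str) -> List[Entry]:
    """Live Run values plus the HKLM-Run orphans ComboFix reports having removed."""
    entries = []
    for line in (ln.strip() for ln in text.splitlines()):
        if r := RUN_RE.match(line):
            entries.append(Entry(r["key"], r["target"]))
        elif o := ORPHAN_RE.match(line):
            entries.append(Entry(o["key"], o["target"], orphan=True))
    return entries


def in_data_root(path: str) -> Optional[str]:
    """'root' if the file sits directly in a user-writable data directory,
    'subdir' if somewhere below one, None otherwise."""
    p = path.lower()
    for root in DATA_ROOTS:
        i = p.find(root)
        if i != -1:
            return "root" if "\\" not in p[i + len(root):] else "subdir"
    return None


def looks_random(stem: str) -> bool:
    """Weak signal: a long stem whose letters flip case often (or mix digits into
    flips). Vendor names such as SynTPEnh or GoogleUpdate stay under the bar."""
    if len(stem) < 10:
        return False
    letters = [c for c in stem if c.isalpha()]
    flips = sum(a.islower() != b.islower() for a, b in zip(letters, letters[1:]))
    return flips >= 4 or (flips >= 2 and any(c.isdigit() for c in stem))


def score_entry(e: Entry) -> Finding:
    pts, why = 0, []
    basename = e.target.rsplit("\\", 1)[-1]
    stem = basename.rsplit(".", 1)[0]
    loc = in_data_root(e.target)
    if loc:
        pts += 2 if loc == "root" else 1
        why.append(f"executable {'directly in' if loc == 'root' else 'under'} a user-writable data directory")
    if looks_random(stem):
        pts += 1
        why.append("random-looking file name")
    if e.key.lower() == basename.lower():
        pts += 1
        why.append("value name is just the file name")
    if e.target and "\\" not in e.target:
        pts += 1
        why.append("no path given; resolved through the search path")
    if e.orphan:
        why.append("already removed by ComboFix as an orphan; confirm the target file is gone")
    return Finding(e.key, e.target, pts, why)


def flag_autostarts(text: str, threshold: int = 2) -> List[Finding]:
    found = [score_entry(e) for e in parse_entries(text)]
    return sorted((f for f in found if f.score >= threshold), key=lambda f: -f.score)
```

`flag_autostarts(SAMPLE_COMBOFIX)` returns only the QQfNWmaeHNTPm.exe orphan, scored on location, name and the value name matching the file name; `TFncKy.exe` scores one point for its missing path and stays below the threshold, and the Program Files and system32 entries score nothing. The name heuristic is deliberately a tie-breaker rather than a verdict on its own, since vendor names with mixed case are common.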

#11 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 31 January 2012 - 01:17 PM

Greetings

Good. That cleaned up some bad guys, but I see some other stuff that we need to go after, so I want you to run this custom script for me.

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

ClearJavaCache::

Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

"information and logs"

  • In your next post I need the following

  • report from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now after running the script?

Gringo


#12 woodstock jim

woodstock jim
  • Topic Starter

  • Members
  • 15 posts

Posted 31 January 2012 - 06:40 PM

Here is the log. It seems to be working OK. I did not have any problems running the program.



ComboFix 12-01-30.02 - Cliff Wagner 01/31/2012 17:05:59.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.502.306 [GMT -5:00]
Running from: c:\documents and settings\Cliff Wagner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Cliff Wagner\Desktop\CFScript.txt
.
.
((((((((((((((((((((((((( Files Created from 2011-12-28 to 2012-01-31 )))))))))))))))))))))))))))))))
.
.
2012-01-31 03:31 . 2012-01-31 03:31 -------- d-----w- C:\TDSSKiller_Quarantine
2012-01-28 19:23 . 2012-01-28 19:24 -------- d--h--w- c:\windows\system32\GroupPolicy
2012-01-24 08:03 . 2012-01-24 08:03 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\PCHealth
2012-01-23 02:48 . 2012-01-23 02:48 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-01-08 00:51 . 2012-01-08 00:51 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-01-31 03:35 . 2006-02-15 14:03 162816 ----a-w- c:\windows\system32\drivers\netbt.sys
2011-12-10 20:24 . 2011-10-08 00:36 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-11-25 21:57 . 2006-02-15 14:04 293376 ----a-w- c:\windows\system32\winsrv.dll
2011-11-23 13:25 . 2006-02-15 14:04 1859584 ----a-w- c:\windows\system32\win32k.sys
2011-11-18 12:35 . 2006-02-15 14:03 60416 ----a-w- c:\windows\system32\packager.exe
2011-11-16 14:21 . 2006-02-15 14:04 354816 ----a-w- c:\windows\system32\winhttp.dll
2011-11-16 14:21 . 2006-02-15 14:03 152064 ----a-w- c:\windows\system32\schannel.dll
2011-11-03 15:28 . 2006-02-15 14:03 386048 ----a-w- c:\windows\system32\qdvd.dll
2011-11-03 15:28 . 2006-02-15 14:03 1292288 ----a-w- c:\windows\system32\quartz.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2004-12-30 65536]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TFncKy"="TFncKy.exe" [BU]
"TDispVol"="TDispVol.exe" [2005-03-11 73728]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-11-28 98304]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-11-28 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-11-28 118784]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"THotkey"="c:\program files\Toshiba\Toshiba Applet\thotkey.exe" [2006-01-05 352256]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2005-12-16 82009]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2005-12-16 761945]
"LtMoh"="c:\program files\ltmoh\Ltmoh.exe" [2004-08-18 184320]
"AGRSMMSG"="AGRSMMSG.exe" [2005-10-15 88203]
"Tvs"="c:\program files\Toshiba\Tvs\TvsTray.exe" [2005-11-30 73728]
"TPSMain"="TPSMain.exe" [2005-06-01 282624]
"SmoothView"="c:\program files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2005-04-27 122880]
"Pinger"="c:\toshiba\ivp\ism\pinger.exe" [2005-03-18 151552]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-12-05 667718]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-11-28 602182]
"IVPServiceMgr"="c:\toshiba\ivp\ism\ivpsvmgr.exe" [2003-10-20 475136]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2006-02-16 98304]
"OpwareSE2"="c:\program files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe" [2003-05-08 49152]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-12-24 460872]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2005-04-25 36040]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
RAMASST.lnk - c:\windows\system32\RAMASST.exe [2006-2-15 155648]
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\TOSHIBA\\ivp\\NetInt\\Netint.exe"=
"c:\\TOSHIBA\\Ivp\\ISM\\pinger.exe"= c:\\TOSHIBA\\IVP\\ISM\\pinger.exe
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\QuickTime\\QuickTimePlayer.exe"=
.
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [10/7/2011 7:36 PM 652872]
R2 NetFxUpdate_v1.1.4322;Microsoft .NET Framework v1.1.4322 Update;c:\windows\Microsoft.NET\Framework\v1.1.4322\netfxupdate.exe [1/15/2007 6:11 PM 73728]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [10/7/2011 7:36 PM 20464]
.
Contents of the 'Scheduled Tasks' folder
.
2012-01-31 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-276596442-1548659472-3993135447-1005Core.job
- c:\documents and settings\Cliff Wagner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2012-01-25 00:50]
.
2012-01-31 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-276596442-1548659472-3993135447-1005UA.job
- c:\documents and settings\Cliff Wagner\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2012-01-25 00:50]
.
2006-07-09 c:\windows\Tasks\Registration reminder 1.job
- c:\windows\system32\OOBE\oobebaln.exe [2006-02-15 00:12]
.
2006-07-09 c:\windows\Tasks\Registration reminder 2.job
- c:\windows\system32\OOBE\oobebaln.exe [2006-02-15 00:12]
.
2006-07-09 c:\windows\Tasks\Registration reminder 3.job
- c:\windows\system32\OOBE\oobebaln.exe [2006-02-15 00:12]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.foxnews.com/
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Easy-WebPrint Add To Print List - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
IE: Easy-WebPrint High Speed Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
IE: Easy-WebPrint Preview - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
IE: Easy-WebPrint Print - c:\program files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
TCP: DhcpNameServer = 192.168.0.1
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-01-31 17:15
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Completion time: 2012-01-31 17:19:11
ComboFix-quarantined-files.txt 2012-01-31 22:19
ComboFix2.txt 2012-01-31 11:33
.
Pre-Run: 107,295,645,696 bytes free
Post-Run: 107,298,549,760 bytes free
.
- - End Of File - - 8B7CB2E9D446E4A371D8BA4D751F49AB

#13 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 31 January 2012 - 06:59 PM

Hello

I would like to see a report that ComboFix makes.

extra combofix report

  • push the "Windows key" + "R" (between the "Ctrl" button and "Alt" button)
  • please copy and paste the following into the box
C:\Qoobox\Add-Remove Programs.txt
  • click ok

copy and paste the report into this topic for me to review

Gringo

#14 woodstock jim

woodstock jim
  • Topic Starter

  • Members
  • 15 posts

Posted 31 January 2012 - 07:06 PM

Here it is.


Adobe Flash Player 11 ActiveX
Adobe Reader 7.0
Adobe Shockwave Player
Canon MP Navigator 2.0
Canon MP150
Canon Utilities Easy-PhotoPrint
CCleaner
CD/DVD Drive Acoustic Silencer
DVD-RAM Driver
Easy-WebPrint
Google Chrome
High Definition Audio Driver Package - KB888111
Hotfix for Windows Media Player 10 (KB903157)
Hotfix for Windows XP (KB2158563)
Hotfix for Windows XP (KB2443685)
Hotfix for Windows XP (KB2570791)
Hotfix for Windows XP (KB2633952)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
Hotfix for Windows XP (KB981793)
Intel® Graphics Media Accelerator Driver
Intel® PRO Network Connections Drivers
Intel® PROSet/Wireless Software
InterVideo WinDVD for TOSHIBA
J2SE Runtime Environment 5.0 Update 4
Malwarebytes Anti-Malware version 1.60.0.1800
mCore
mDrWiFi
Metamail (Toshiba Registration Utility)
mHelp
Microsoft .NET Framework 1.0 Hotfix (KB2572066)
Microsoft .NET Framework 1.0 Hotfix (KB953295)
Microsoft .NET Framework 1.0 Hotfix (KB979904)
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB2656353)
Microsoft .NET Framework 1.1 Security Update (KB979906)
Microsoft Office OneNote 2003
Microsoft Office Standard Edition 2003
Microsoft Works
mIWA
mLogView
mMHouse
mPfMgr
mPfWiz
mProSafe
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
mWlsSafe
mXML
mZConfig
Office 2003 Trial Assistant
OmniPage SE 2.0
QuickTime
Realtek High Definition Audio Driver
SD Secure Module
Security Update for Microsoft Windows (KB2564958)
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2121546)
Security Update for Windows XP (KB2160329)
Security Update for Windows XP (KB2183461)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2259922)
Security Update for Windows XP (KB2279986)
Security Update for Windows XP (KB2286198)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2296199)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360131)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB2393802)
Security Update for Windows XP (KB2412687)
Security Update for Windows XP (KB2416400)
Security Update for Windows XP (KB2419632)
Security Update for Windows XP (KB2423089)
Security Update for Windows XP (KB2436673)
Security Update for Windows XP (KB2440591)
Security Update for Windows XP (KB2443105)
Security Update for Windows XP (KB2476490)
Security Update for Windows XP (KB2476687)
Security Update for Windows XP (KB2478960)
Security Update for Windows XP (KB2478971)
Security Update for Windows XP (KB2479628)
Security Update for Windows XP (KB2481109)
Security Update for Windows XP (KB2482017)
Security Update for Windows XP (KB2483185)
Security Update for Windows XP (KB2485376)
Security Update for Windows XP (KB2485663)
Security Update for Windows XP (KB2491683)
Security Update for Windows XP (KB2497640)
Security Update for Windows XP (KB2503658)
Security Update for Windows XP (KB2503665)
Security Update for Windows XP (KB2506212)
Security Update for Windows XP (KB2506223)
Security Update for Windows XP (KB2507618)
Security Update for Windows XP (KB2507938)
Security Update for Windows XP (KB2508272)
Security Update for Windows XP (KB2508429)
Security Update for Windows XP (KB2509553)
Security Update for Windows XP (KB2510581)
Security Update for Windows XP (KB2511455)
Security Update for Windows XP (KB2524375)
Security Update for Windows XP (KB2530548)
Security Update for Windows XP (KB2535512)
Security Update for Windows XP (KB2536276-v2)
Security Update for Windows XP (KB2536276)
Security Update for Windows XP (KB2544521)
Security Update for Windows XP (KB2544893-v2)
Security Update for Windows XP (KB2544893)
Security Update for Windows XP (KB2555917)
Security Update for Windows XP (KB2562937)
Security Update for Windows XP (KB2566454)
Security Update for Windows XP (KB2567053)
Security Update for Windows XP (KB2567680)
Security Update for Windows XP (KB2570222)
Security Update for Windows XP (KB2570947)
Security Update for Windows XP (KB2584146)
Security Update for Windows XP (KB2585542)
Security Update for Windows XP (KB2592799)
Security Update for Windows XP (KB2598479)
Security Update for Windows XP (KB2603381)
Security Update for Windows XP (KB2618444)
Security Update for Windows XP (KB2618451)
Security Update for Windows XP (KB2620712)
Security Update for Windows XP (KB2624667)
Security Update for Windows XP (KB2631813)
Security Update for Windows XP (KB2633171)
Security Update for Windows XP (KB2639417)
Security Update for Windows XP (KB2646524)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950759)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953838)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956390)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958215)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960714)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB963027)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969897)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972260)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974455)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB976325)
Security Update for Windows XP (KB977165-v2)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981349)
Security Update for Windows XP (KB981852)
Security Update for Windows XP (KB981957)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982214)
Security Update for Windows XP (KB982381)
Security Update for Windows XP (KB982665)
Security Update for Windows XP (KB982802)
Sonic Encoders
Synaptics Pointing Device Driver
Texas Instruments PCIxx21/x515/xx12 drivers.
TIPCI
TOSHIBA Controls
TOSHIBA Hotkey Utility
TOSHIBA PC Diagnostic Tool
TOSHIBA Power Saver
TOSHIBA SD Memory Card Format
TOSHIBA Software Modem
TOSHIBA Software Upgrades
TOSHIBA Speech System Applications
TOSHIBA Speech System SR Engine(U.S.) Version1.0
TOSHIBA Speech System TTS Engine(U.S.) Version1.0
TOSHIBA TouchPad ON/Off Utility
TOSHIBA Virtual Sound
TOSHIBA Zooming Utility
Update for Windows Media Player 10 (KB910393)
Update for Windows Media Player 10 (KB913800)
Update for Windows Media Player 10 (KB926251)
Update for Windows XP (KB2141007)
Update for Windows XP (KB2345886)
Update for Windows XP (KB2467659)
Update for Windows XP (KB2541763)
Update for Windows XP (KB2607712)
Update for Windows XP (KB2616676)
Update for Windows XP (KB2641690)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971029)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Update for Windows XP (KB976749)
Update for Windows XP (KB978207)
Update for Windows XP (KB980182)
Update Rollup 2 for Windows XP Media Center Edition 2005
Viewpoint Media Player
WebFldrs XP
WildTangent Web Driver
Windows Media Format Runtime
Windows XP Media Center Edition 2005 KB2502898
Windows XP Media Center Edition 2005 KB2619340
Windows XP Media Center Edition 2005 KB2628259
Windows XP Media Center Edition 2005 KB888316
Windows XP Media Center Edition 2005 KB894553
Windows XP Media Center Edition 2005 KB895678
Windows XP Media Center Edition 2005 KB908250
Windows XP Media Center Edition 2005 KB973768
Windows XP Service Pack 3

#15 gringo_pr

gringo_pr

    Bleepin Gringo


  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico
  • Local time:06:46 AM

Posted 31 January 2012 - 07:27 PM

These logs are looking a lot better, but we still have some work to do.

Please print out these instructions, or copy them to a Notepad file. It will make it easier for you to follow the instructions and complete all of the necessary steps.

uninstall some programs

NOTE** Because of the cleanup process, some of the programs I have listed may not be in Add/Remove anymore; this is fine, just move to the next item on the list.

You can remove these programs using Add/Remove or you can use the free uninstaller from Revo (Revo does a lot better of a job).

Programs to remove

  • Adobe Reader 7.0
  • J2SE Runtime Environment 5.0 Update 4


  • Please download and install Revo Uninstaller Free
  • Double click Revo Uninstaller to run it.
  • From the list of programs double click on The Program to remove
  • When prompted if you want to uninstall click Yes.
  • Be sure the Moderate option is selected then click Next.
  • The program will run. If prompted again click Yes.
  • When the built-in uninstaller is finished click on Next.
  • Once the program has searched for leftovers click Next.
  • Check/tick the bolded items only on the list then click Delete.
  • When prompted click on Yes and then on Next.
  • Put a check on any folders that are found and select Delete.
  • When prompted select Yes then on Next.
  • Once done click Finish.

Update Adobe Reader

Recently there have been vulnerabilities detected in older versions of Adobe Reader. It is strongly suggested that you update to the current version.

You can download it from http://www.adobe.com/products/acrobat/readstep2.html
After installing the latest Adobe Reader, uninstall all previous versions.
If you already have Adobe Photoshop® Album Starter Edition installed or do not wish to have it installed UNcheck the box which says Also Download Adobe Photoshop® Album Starter Edition.

If you don't like Adobe Reader (53 MB), you can download Foxit PDF Reader (7 MB) from here. It's a much smaller file to download and uses a lot less resources than Adobe Reader.

Note: When installing FoxitReader, be careful not to install anything to do with AskBar.

Install Java:

Please go here to install Java

  • Click on the Free Java Download button
  • Click on Agree and start Free download
  • Click on Run
  • Click on Run again
  • Click on Install
  • When the install is complete click on Close

TFC(Temp File Cleaner):

  • Please download TFC to your desktop,
  • Save any unsaved work. TFC will close all open application windows.
  • Double-click TFC.exe to run the program.
  • If prompted, click "Yes" to reboot.
Note: Save your work. TFC will automatically close any open programs; let it run uninterrupted. It shouldn't take longer than a couple of minutes, and may only take a few seconds. Only if needed will you be prompted to reboot.

Malwarebytes' Anti-Malware:

  • I would like you to rerun MBAM
  • Double-click the MBAM icon
  • Go to the Update tab at the top
  • Click on Check for Updates
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is Checked (ticked) except items in the C:\System Volume Information folder and click on Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
  • If you accidentally close it, the log file is saved here and will be named like this:
  • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.


Download HijackThis

If you have any problems running HijackThis, see NOTE** below (Hosts file not read, blank Notepad ...)

  • Go Here to download HijackThis Installer
  • Save HijackThis Installer to your desktop.
  • Double-click on the HijackThis Installer icon on your desktop. (Vista and Win 7 right click and run as admin)
  • By default it will install to C:\Program Files\Trend Micro\HijackThis .
  • Click on Install.
  • It will create a HijackThis icon on the desktop.
  • Once installed it will launch Hijackthis.
  • Click on the Do a system scan and save a log file button. It will scan and the log should open in notepad.
  • Click on Edit > Select All then click on Edit > Copy to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT use the Analyze This button; its findings are dangerous if misinterpreted.
  • DO NOT have HijackThis fix anything yet. Most of what it finds will be harmless or even required.

NOTE**
Sometimes we have to run it like this. To run HijackThis as an administrator, right-click HijackThis.exe
(located: C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe) <-- 32-bit
(located: C:\Program Files(86)\Trend Micro\HiJackThis\HiJackThis.exe) <-- 64-bit
and select Run as administrator.

"information and logs"

In your next post I need the following:

  • Log from MBAM
  • Report from HijackThis
  • Let me know of any problems you may have had
  • How is the computer doing now?

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University



