Google Redirect


  • This topic is locked
27 replies to this topic

#1 n4k (Members, 15 posts)

Posted 07 February 2012 - 02:31 AM

This problem started a few days ago. Originally, when I attempted to search from the Google search bar, it would redirect through datingguru.com, but would end up at some random sites. Then it progressed to where I could not even open google.com from the main address bar. Prior to finding you guys, I ran several programs (Malwarebytes, UnHackMe, Spybot, Spyware Doctor, HijackThis) and the redirect through datingguru stopped; however, I still cannot search from the Google search in the toolbar, nor can I pull up google.com. I can use other search engines, such as Yahoo, with no problem. Also, I've noticed that every few seconds, I hear that "bubble pop" sound that normally indicates I have wifi connections available and/or am connected. My internet access has not been affected, though... yet. It makes me fear something is running hidden in the background.

I do not have a recovery partition on this computer, otherwise, I would have already done a crash and burn. Purchased it second hand without realizing no recovery partition.

I typically run Firefox, but have since tried pulling up Google using Google Chrome AND IE. None of them work :(

I'm not completely IT ignorant, but extremely delayed, so please break it down to me like I'm a dummy...haha

Thanks in advance for any assistance you can offer!

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_22
Run by Brittini at 0:46:37 on 2012-02-07
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2038.820 [GMT -6:00]
.
AV: Spyware Doctor with AntiVirus *Enabled/Updated* {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}
AV: AVG Anti-Virus Free Edition 2012 *Enabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.
============== Running Processes ===============
.
"C:\WINDOWS\system32\svchost.exe"
"C:\WINDOWS\system32\svchost.exe"
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\AVG\AVG2012\avgwdsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\AVG\AVG2012\avgemcx.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\UnHackMe\hackmon.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\UnHackMe\gwebupdate.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\PC Tools Security\pctsAuxs.exe
C:\Program Files\PC Tools Security\pctsSvc.exe
C:\Program Files\PC Tools Security\pctsGui.exe
C:\Program Files\AVG\AVG2012\avgrsx.exe
C:\Program Files\AVG\AVG2012\avgcsrvx.exe
c:\program files\common files\installshield\updateservice\isuspm.exe
C:\Program Files\Common Files\InstallShield\UpdateService\agent.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\Program Files\Common Files\Apple\Apple Application Support\distnoted.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\SyncServer.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = about:blank
uSearch Page =
uWindow Title = Windows Internet Explorer provided by Yahoo!
uDefault_Page_URL = hxxp://att.net
mStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
uSearchAssistant =
mSearchAssistant =
uURLSearchHooks: H - No File
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg2012\avgssie.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
{e7df6bff-55a5-4eb7-a673-4ed3e9456d39}
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [UnHackMe Monitor] c:\program files\unhackme\hackmon.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\stsystra.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
mRun: [ISTray] "c:\program files\pc tools security\pctsGui.exe" /hideGUI
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
LSP: c:\program files\common files\pc tools\lsp\PCTLsp.dll
LSP: mswsock.dll
DPF: {31435657-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/e/2/f/e2fcec4b-6c8b-48b7-adab-ab9c403a978f/wvc1dmo.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 192.168.1.254
TCP: Interfaces\{95FB416A-44EA-4592-B015-231843A1A93B} : DhcpNameServer = 192.168.1.254
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg2012\avgpp.dll
Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - c:\program files\common files\avg secure search\viprotocolinstaller\10.0.6\ViProtocol.dll
Notify: igfxcui - igfxdev.dll
mASetup: {A509B1FF-37FF-4bFF-8CFF-4F3A747040FF} - c:\windows\system32\rundll32.exe c:\windows\system32\advpack.dll,launchinfsectionex c:\program files\internet explorer\clrtour.inf,DefaultInstall.ResetTour,,12
Hosts: 127.0.0.1 www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\brittini\application data\mozilla\firefox\profiles\7d3d1giv.default\
FF - prefs.js: browser.startup.homepage - hxxps://mail.google.com/mail/?tab=wm#inbox
FF - prefs.js: keyword.URL - hxxp://search.mytool.co/?babsrc=home&s=web&as=0&isid=9848&q=
FF - prefs.js: network.proxy.type - 0
FF - component: c:\documents and settings\brittini\application data\mozilla\firefox\profiles\7d3d1giv.default\extensions\{d40b90b4-d3b1-4d6b-a5d7-dc041c1b76c0}\components\RadioWMPCore.dll
FF - component: c:\documents and settings\brittini\application data\mozilla\firefox\profiles\7d3d1giv.default\extensions\{d40b90b4-d3b1-4d6b-a5d7-dc041c1b76c0}\components\RadioWMPCoreGecko19.dll
FF - component: c:\documents and settings\brittini\application data\mozilla\firefox\profiles\7d3d1giv.default\extensions\engine@conduit.com\components\RadioWMPCoreGecko19.dll
FF - component: c:\program files\avg\avg10\firefox4\components\avgssff4.dll
FF - component: c:\program files\avg\avg10\firefox4\components\avgssff5.dll
FF - component: c:\program files\avg\avg10\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\avg\avg10\toolbar\firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\avg\avg10\toolbar\firefox\avg@igeared\components\xpavgtbapi.dll
FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\google\update\1.3.21.99\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60831.0\npctrlui.dll
.
============= SERVICES / DRIVERS ===============
.
R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2010-9-13 23120]
R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2010-9-7 32592]
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2012-2-5 239168]
R0 pctDS;PC Tools Data Store;c:\windows\system32\drivers\pctDS.sys [2012-2-5 338880]
R0 pctEFA;PC Tools Extended File Attributes;c:\windows\system32\drivers\pctEFA.sys [2012-2-5 656320]
R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2010-12-8 230608]
R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2010-9-7 40016]
R2 avgwd;AVG WatchDog;c:\program files\avg\avg2012\avgwdsvc.exe [2011-8-2 192776]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2012-2-5 652360]
R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\pc tools security\pctsAuxs.exe [2012-2-5 366840]
R2 sdCoreService;PC Tools Security Service;c:\program files\pc tools security\pctsSvc.exe [2012-2-5 1150936]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-2-5 20464]
S0 cerc6;cerc6; [x]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2011-8-7 136176]
S3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2010-8-3 134608]
S3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2010-8-3 24272]
S3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2010-8-3 16720]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2011-8-7 136176]
S3 RegGuard;RegGuard;c:\windows\system32\drivers\regguard.sys [2012-2-5 24416]
S4 AdvancedSystemCareService5;Advanced SystemCare Service 5;c:\program files\iobit\advanced systemcare 5\ASCService.exe [2011-12-16 494424]
S4 BackupService;BackupService;c:\documents and settings\brittini\application data\hp simplesave application\uUACTokenSvc.exe [2010-12-25 83512]
.
=============== Created Last 30 ================
.
2012-02-06 18:57:25 45056 ----a-r- c:\documents and settings\brittini\application data\microsoft\installer\{2764ca82-dfb9-4498-af85-719340bf5305}\NewShortcut1_2764CA82DFB94498AF85719340BF5305.exe
2012-02-06 18:57:17 -------- d-----w- c:\windows\system32\vmm32
2012-02-06 18:57:16 -------- d-----w- c:\program files\Dell
2012-02-06 00:15:51 656320 ----a-w- c:\windows\system32\drivers\pctEFA.sys
2012-02-06 00:15:51 338880 ----a-w- c:\windows\system32\drivers\pctDS.sys
2012-02-06 00:15:49 251560 ----a-w- c:\windows\system32\drivers\pctgntdi.sys
2012-02-06 00:15:37 239168 ----a-w- c:\windows\system32\drivers\PCTCore.sys
2012-02-06 00:15:37 160448 ----a-w- c:\windows\system32\drivers\PCTAppEvent.sys
2012-02-06 00:15:24 70536 ----a-w- c:\windows\system32\drivers\pctplsg.sys
2012-02-06 00:15:12 -------- d-----w- c:\program files\PC Tools Security
2012-02-06 00:15:12 -------- d-----w- c:\program files\common files\PC Tools
2012-02-06 00:15:12 -------- d-----w- c:\documents and settings\brittini\application data\PC Tools
2012-02-06 00:08:38 -------- d-----w- c:\documents and settings\all users\application data\PC Tools
2012-02-05 18:03:02 24416 ----a-w- c:\windows\system32\drivers\regguard.sys
2012-02-05 17:53:28 39184 ----a-w- c:\windows\system32\Partizan.exe
2012-02-05 17:53:28 35816 ----a-w- c:\windows\system32\drivers\Partizan.sys
2012-02-05 17:53:20 2 --shatr- c:\windows\winstart.bat
2012-02-05 17:53:13 12800 ----a-w- c:\windows\system32\drivers\UnHackMeDrv.sys
2012-02-05 17:53:07 -------- d-----w- c:\program files\UnHackMe
2012-02-05 16:10:46 -------- d-----w- c:\documents and settings\brittini\application data\Malwarebytes
2012-02-05 16:10:37 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2012-02-05 16:10:34 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-02-05 16:10:34 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-02-04 03:44:56 388096 ----a-r- c:\documents and settings\brittini\application data\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
2012-02-04 03:44:55 -------- d-----w- c:\program files\Trend Micro
2012-02-04 01:48:39 14848 ----a-w- c:\windows\system32\drivers\kbdhid.sys
2012-01-31 03:54:28 131 ----a-w- C:\DeletePrintJobs.cmd
2012-01-18 00:25:48 -------- d-----w- c:\documents and settings\all users\application data\AVG Secure Search
2012-01-18 00:25:39 -------- d-----w- c:\program files\AVG Secure Search
2012-01-12 00:36:27 -------- d-----w- c:\program files\InterActual
.
==================== Find3M ====================
.
2011-12-17 06:52:56 22 --sha-w- c:\documents and settings\brittini\application data\Sys2662.Config.Repository.bin
2011-12-15 22:16:24 90112 ----a-w- c:\windows\DUMP9f0e.tmp
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600
.
CreateFile("\\.\PHYSICALDRIVE0"): The process cannot access the file because it is being used by another process.
device: opened successfully
user: error reading MBR
.
Disk trace:
called modules: ntkrnlpa.exe >>UNKNOWN [0x882E5A0A]<<
_asm { MOV EDI, EDI; PUSH EBP; MOV EBP, ESP; PUSH EBX; MOV EBX, [EBP+0xc]; MOV EAX, [EBX+0x60]; MOV ECX, [EAX+0xc]; OR ECX, [EAX+0x10]; PUSH ESI; JNZ 0x94; MOV ESI, 0x200; CMP [EAX+0x4], ESI; JB 0x94; }
1 ntkrnlpa!IofCallDriver[0x804EEECC] -> \Device\Harddisk0\DR0[0x89DC4AB8]
\Driver\Disk[0x89DE1910] -> IRP_MJ_READ -> 0x882E5A0A
kernel: MBR read successfully
_asm { NOP ; XOR AX, AX; NOP ; MOV DS, AX; MOV ES, AX; NOP ; MOV SS, AX; MOV SP, 0x7c00; MOV SI, 0x7c00; NOP ; MOV DI, 0x600; NOP ; MOV CX, 0x80; NOP ; CLD ; REP MOVSD ; NOP ; JMP FAR 0x0:0x626; }
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x899962C6
IoDeviceObjectType -> ParseProcedure -> 0x882e5f0a
\Device\Harddisk0\DR0 -> ParseProcedure -> 0x882e5f0a
user != kernel MBR !!!
Warning: possible TDL4 rootkit infection !
TDL4 rootkit infection detected ! Use: "mbr.exe -f" to fix.
.
============= FINISH: 0:48:35.87 ===============
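The DDS and GMER output above contains several independent indicators that a helper reads together: a Firefox keyword.URL pointing at search.mytool.co (the address-bar search hijack), a Hosts entry, a disk-read path passing through an address GMER cannot attribute to any loaded module, hooks on \Driver\atapi and the disk device object, and finally "user != kernel MBR". The following is an added example, not a tool used in this thread, that scans a log of this shape and pulls those indicators out with a severity. The allow-list of search hosts is an assumption of the example, and the sample log is constructed from lines quoted in the post above.

```python
"""Triage a DDS / GMER-style log for redirect and MBR-rootkit indicators.

Added example for this page, not a tool used in the thread. The rules are a
deliberate simplification; the sample log is constructed from lines quoted in
the first post.
"""
import re
from urllib.parse import urlparse

# Hosts a Firefox keyword.URL (address-bar search) may legitimately point at.
# Assumption for this example; extend for the engines actually in use.
KNOWN_SEARCH_HOSTS = {"www.google.com", "www.bing.com", "search.yahoo.com"}


def refang(url):
    """Undo the log's hxxp:// defanging so urlparse can extract the host."""
    return re.sub(r"^hxxp(s?)://", r"http\1://", url, flags=re.IGNORECASE)


def triage(log_text):
    """Return a list of (severity, message) findings for one log.

    high   = kernel disk-stack tampering consistent with an MBR bootkit
    medium = browser/network redirection settings
    low    = leftovers worth cleaning but not proof of compromise
    """
    findings = []
    in_hooks = False
    for raw in log_text.splitlines():
        line = raw.strip()

        # Firefox address-bar search redirected away from a known engine.
        m = re.match(r"FF - prefs\.js: keyword\.URL - (\S+)", line)
        if m:
            host = urlparse(refang(m.group(1))).hostname or ""
            if host not in KNOWN_SEARCH_HOSTS:
                findings.append(("medium", f"Firefox keyword.URL hijacked to {host}"))

        # Any hosts-file override; DDS only prints entries that exist.
        m = re.match(r"Hosts: (\S+)\s+(\S+)", line)
        if m:
            findings.append(("medium", f"hosts file maps {m.group(2)} to {m.group(1)}"))

        # GMER could not attribute an address in the disk I/O path to any loaded module.
        if ">>UNKNOWN [" in line:
            findings.append(("high", "disk read path runs through code outside any loaded module"))

        # Everything listed under "detected hooks:" until the next non-hook line.
        if line == "detected hooks:":
            in_hooks = True
            continue
        if in_hooks:
            if line.startswith("\\") or line.startswith("Io"):
                findings.append(("high", f"disk-stack hook: {line}"))
            else:
                in_hooks = False

        if "user != kernel MBR" in line:
            findings.append(("high", "user-mode and kernel-mode reads of the MBR disagree"))

        # Toolbar registered but its DLL is gone: a remnant of a removed add-on.
        m = re.match(r"TB: (\{[0-9A-Fa-f-]+\}) - No File", line)
        if m:
            findings.append(("low", f"orphaned toolbar entry {m.group(1)}"))
    return findings


# Constructed sample: lines quoted from the DDS/GMER output in the first post.
SAMPLE_LOG = r"""
uStart Page = about:blank
TB: {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - No File
Hosts: 127.0.0.1 www.spywareinfo.com
FF - prefs.js: keyword.URL - hxxp://search.mytool.co/?babsrc=home&s=web&as=0&isid=9848&q=
FF - prefs.js: network.proxy.type - 0
called modules: ntkrnlpa.exe >>UNKNOWN [0x882E5A0A]<<
kernel: MBR read successfully
detected hooks:
\Driver\atapi DriverStartIo -> 0x899962C6
IoDeviceObjectType -> ParseProcedure -> 0x882e5f0a
\Device\Harddisk0\DR0 -> ParseProcedure -> 0x882e5f0a
user != kernel MBR !!!
"""

if __name__ == "__main__":
    for severity, message in triage(SAMPLE_LOG):
        print(f"[{severity:6}] {message}")
```

Run against the sample it reports eight findings, five of them high: the unknown module in the disk read path, the three hooks, and the user/kernel MBR mismatch. Those five are the reason the helper goes straight for an MBR-capable tool rather than another round of user-mode scanners, which, as the rest of the thread shows, the rootkit can see and crash.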

#2 gringo_pr (Bleepin Gringo, Malware Response Team, 136,772 posts, Puerto Rico)

Posted 07 February 2012 - 02:32 AM

Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems.

Some things to remember while we are working together.

  • Do not run any other tool until instructed to do so!
  • Please do not attach logs or put them in code boxes.
  • Tell me about any problems that have occurred during the fix.
  • Tell me of any other symptoms you may be having, as these can help also.
  • Do not run anything while running a fix.
  • Do not run any other tool until instructed to do so!


Click on the Watch Topic Button and select Immediate Notification and click on proceed, this will help you to get notified faster when I have replied and make the cleaning process faster.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP Only) if this happens please allow it to do so (you will need to be connected to the internet for this)

Before you run Combofix I will need you to turn off any security software you have running, If you do not know how to do this you can find out >here< or >here<

Combofix may need to reboot your computer more than once to do its job this is normal.

You can download Combofix from one of these links.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion." Please restart the computer

"information and logs"

  • In your next post I need the following
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#3 n4k (Topic Starter, Members, 15 posts)

Posted 07 February 2012 - 09:28 AM

Gringo,

Thank you so much for your speedy attention. I'm working a crazy shift this week, so for the next day or so my response time will be delayed. Please bear with me and do not take my lack of action or response as an indication of thanklessness or problem resolution. I am in this 100% and can't fully express my gratitude to you.

I am heading out right now but will follow your above directions and post the requested info tonight when I return from work.

Much appreciation,
Tracy

#4 gringo_pr (Bleepin Gringo, Malware Response Team)

Posted 07 February 2012 - 09:35 AM

No problem and see you later tonight. :thumbup2:

#5 n4k (Topic Starter, Members, 15 posts)

Posted 08 February 2012 - 02:12 AM

Hmm, not going so well.

First, I turned off all the malware programs that were running. There were several.

Next, there was a program running that was "PC Doctor" or something along that line (I can no longer find it to positively identify it). I disabled it and it began doing some type of extraction or removal and then I crashed and got a BSOD. BSOD stop error was 0xF4 (0x00000003, 0x89CFEA90, 0x89CFEC04, 0x8CFD115E).

I rebooted and came up to the desktop recovery screen. Active Desktop would NOT recover. I rebooted again and got the same results. I went ahead and downloaded Combofix and attempted to extract it. About 3/4 of the way through extraction, I got another BSOD with a "Bad Pool Caller" message and a Stop x2. I rebooted again and retried. This time Combofix extracted completely, the extraction box went away and two seconds later, another BSOD.

I rebooted into safe mode and attempted Combofix again. About 30 seconds after extraction box cleared, another BSOD. I rebooted and am now running in regular mode with bad desktop.

On each reboot, there is a program that loads on startup called "RegRun Reanimator". It tells me I have multiple viruses and wants to fix them. I keep canceling it, but it comes back up with each reboot.

Also probably worth mentioning is that months ago, I was getting a BSOD and loaded some program that "fixed" it. It may have been the program that I turned off that started the BSOD again? I don't want to turn anything on until I hear back from you. There is a program on the computer called "Advanced System Care" and "Quick care" that I think MAY be the same program I disabled that started the BSOD, but I'm not 100% sure.

Should I go through and remove all the malware programs and the other anti-virus and pc "fix" programs?

Thanks,
Tracy

#6 gringo_pr (Bleepin Gringo, Malware Response Team)

Posted 08 February 2012 - 05:08 PM

Hello

I would like you to download these programs, if you don't have them yet, to the desktop and have them ready to use.

RKill - exeHelper - Malwarebytes' Anti-Malware
Unhide.exe


After you have them on your desktop restart your computer and as soon as you can start with RKill

:Rkill:

  • Double click on Rkill.
  • A command window will open then disappear upon completion, this is normal.
  • Please leave Rkill on the Desktop until otherwise advised.
Note: You will likely see a message from this rogue telling you the file is infected. Ignore the message. Leave the message OPEN, do not close the message. Run RKill repeatedly until it's able to do its job. This may take a few tries. You'll be able to tell RKill has done its job when your desktop (explorer.exe) cycles off and then on again.

Once the tool has run, do NOT reboot the machine,
If for some reason the machine reboots, repeat the process. Again, try not to restart the machine.

Scan with exeHelper:

Please download exeHelper to your desktop.

  • Double-click on exeHelper.com to run the fix.
  • A black window should pop up, press any key to close once the fix is completed.
  • Post the contents of exehelperlog.txt (Will be created in the directory where you ran exeHelper.com, and should open at the end of the scan)

Note: If the window shows a message that says "Error deleting file", please re-run the program


Next I want you to run the unhide.exe program just double click to run it.

: Malwarebytes' Anti-Malware :

  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to
    • Update Malwarebytes' Anti-Malware
    • and Launch Malwarebytes' Anti-Malware
  • then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is Checked (ticked) except items in the C:\System Volume Information folder and click on Remove Selected.
  • When completed, a log will open in Notepad. please copy and paste the log into your next reply
    • If you accidentally close it, the log file is saved here and will be named like this:
    • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.


Let me have these logs and let me know how the computer is doing

Gringo

#7 n4k (Topic Starter, Members, 15 posts)

Posted 09 February 2012 - 02:13 AM

Gringo,
Thanks. First, I have to tell you that my husband did a no-no. I work 7 days on/7 off, evening shift and he works day shift, so we basically "tag team" the week I'm working. I'd mentioned my computer problems to him and he came home this evening and in an attempt to "help" he messed with my laptop. He did two things: 1. He did a restore and reset the computer back a week. 2. Probably worst of all, he ran Advanced SystemCare 5 on it. I imagine the latter greatly changed the logs I posted previously?

I did come home to it running better, but still will NOT go to Google.com. Interestingly enough, it WILL go to mail.google.com, etc.

I apologize if his tinkering has set us back any. He has been instructed to not mess with my laptop until I tell him I am done with you.

So, I downloaded rkill and attempted to run it. First, I got an alert from AVG although I had AVG antivirus turned off. Then I got the following warning just prior to getting a BSOD. I rebooted and retried running rkill two more times. They all ended with BSOD except on the last try, I did not get the AVG warning. Here is what I did get:
[image: screenshot of the warning and BSOD]

I will wait to run the rest until you advise me further. If, when meeting problems with the first step in your instructions, I should go on to the next in order to provide you with a log, please let me know.

Also, I DO already have malwarebytes loaded and have logs saved that I ran a couple days ago. If needed, I can post those OR I can rerun a fresh log--whichever you need.

Thank you,
Tracy

#8 gringo_pr (Bleepin Gringo, Malware Response Team)

Posted 09 February 2012 - 08:29 AM

Hello

If you can, I want you to run this at this time.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix:

You may be asked to install or update the Recovery Console (Win XP Only) if this happens please allow it to do so (you will need to be connected to the internet for this)

Before you run Combofix I will need you to turn off any security software you have running, If you do not know how to do this you can find out >here< or >here<

Combofix may need to reboot your computer more than once to do its job this is normal.

You can download Combofix from one of these links. I want you to save it to the desktop and run it from there.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion." Please restart the computer

"information and logs"

  • In your next post I need the following
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo

#9 n4k (Topic Starter, Members, 15 posts)

Posted 09 February 2012 - 01:21 PM

Thanks for your patience, Gringo.

I downloaded ComboFix again from a different link. I cannot get it to download to the desktop; it automatically goes into the download folder and does not give me the option to save it anywhere. I double-clicked it in the download folder and it began extracting (got a small black box showing different executions). Once the progress bar on the box reached the 100% mark, it went away. Ten seconds later, I got this BSOD:

[image: screenshot of the BSOD]

I'm not sure if it is of any importance, but the ONLY time I'm getting BSODs now is when I try to run these programs.

Thanks!

#10 gringo_pr (Bleepin Gringo, Malware Response Team)

Posted 09 February 2012 - 11:44 PM

Hello

I want you to run this tool for me next.

tdsskiller:

Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • Double-click on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Gringo
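What TDSSKiller is being asked to "Cure" here is the boot sector. GMER's "user != kernel MBR" in the first post means a user-mode read of sector 0 came back with different bytes than the kernel's own read: the TDL4 family hooks the disk stack so that user-mode tools are handed the original, clean MBR while the sector on disk holds the rootkit's loader, and that loader is what runs before Windows. The block below is an added example, not code from the thread or from GMER or TDSSKiller: it parses a raw 512-byte MBR and names the regions that differ between two captures of the same sector. The sector layout is the standard MBR format; the two sample sectors are constructed, with the partition table copied from what TDSSKiller later reports for this disk (Type 0x7, StartLBA 0x3F, 0x6CF6189 sectors) and invented stand-in bytes for the boot code.

```python
"""Parse a 512-byte MBR and compare two captures of sector 0.

Added example, not code from the thread or from GMER/TDSSKiller. The sector
layout (boot code, disk signature, four partition entries, 0x55AA) is the
standard MBR format; the two sample sectors are constructed. Their partition
table copies what TDSSKiller reported for this disk (Type 0x7, StartLBA 0x3F,
0x6CF6189 sectors); the boot code bytes are invented stand-ins.
"""
import struct

SECTOR = 512
BOOT_CODE_LEN = 440       # bytes 0..439: boot code
DISK_SIG_OFF = 440        # bytes 440..445: disk signature + 2 reserved bytes
PART_TABLE_OFF = 446      # bytes 446..509: four 16-byte partition entries
SIGNATURE_OFF = 510       # bytes 510..511: 0x55 0xAA
PART_ENTRY = "<B3xB3xII"  # status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count


def parse_mbr(sector):
    """Return the boot-signature check and all non-empty partition entries."""
    if len(sector) != SECTOR:
        raise ValueError("an MBR is exactly 512 bytes")
    partitions = []
    for i in range(4):
        status, ptype, start_lba, blocks = struct.unpack_from(PART_ENTRY, sector, PART_TABLE_OFF + 16 * i)
        if ptype != 0:  # type 0 = unused slot
            partitions.append({"index": i, "bootable": status == 0x80, "type": ptype,
                               "start_lba": start_lba, "blocks": blocks})
    return {"signature_ok": sector[SIGNATURE_OFF:] == b"\x55\xaa", "partitions": partitions}


def compare_mbr(user_view, kernel_view):
    """Name the regions that differ between two reads of sector 0.

    On a clean disk both paths return identical bytes. Boot code that differs
    while the partition table matches is the bootkit pattern GMER reports as
    "user != kernel MBR": the OS still finds its partition and boots, but the
    code that runs first is not the original loader.
    """
    regions = {
        "boot_code": (0, BOOT_CODE_LEN),
        "disk_signature": (DISK_SIG_OFF, PART_TABLE_OFF),
        "partition_table": (PART_TABLE_OFF, SIGNATURE_OFF),
        "boot_signature": (SIGNATURE_OFF, SECTOR),
    }
    return [name for name, (lo, hi) in regions.items() if user_view[lo:hi] != kernel_view[lo:hi]]


def build_mbr(boot_code, partitions, disk_sig=0x1234ABCD):
    """Assemble a sector from boot code and (bootable, type, start_lba, blocks) tuples."""
    if len(boot_code) > BOOT_CODE_LEN or len(partitions) > 4:
        raise ValueError("boot code over 440 bytes or more than four partitions")
    sector = bytearray(SECTOR)
    sector[:len(boot_code)] = boot_code
    struct.pack_into("<I", sector, DISK_SIG_OFF, disk_sig)  # constructed disk signature
    for i, (bootable, ptype, start_lba, blocks) in enumerate(partitions):
        struct.pack_into(PART_ENTRY, sector, PART_TABLE_OFF + 16 * i,
                         0x80 if bootable else 0x00, ptype, start_lba, blocks)
    sector[SIGNATURE_OFF:] = b"\x55\xaa"
    return bytes(sector)


# Partition layout from the TDSSKiller log in this thread; boot code bytes are constructed.
LAYOUT = [(True, 0x07, 0x3F, 0x6CF6189)]
CLEAN_BOOT = b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x00" * 433    # stand-in for the original loader
ROOTKIT_BOOT = b"\xfa\x33\xc0\x8e\xd8\x8e\xc0" + b"\x90" * 433  # stand-in for a replaced loader
USER_VIEW = build_mbr(CLEAN_BOOT, LAYOUT)      # what a hooked user-mode read hands back
KERNEL_VIEW = build_mbr(ROOTKIT_BOOT, LAYOUT)  # what is really in sector 0

if __name__ == "__main__":
    print(parse_mbr(KERNEL_VIEW))
    print("regions differing between user and kernel view:", compare_mbr(USER_VIEW, KERNEL_VIEW))
```

The point of splitting the comparison by region is that a bootkit leaves the partition table alone on purpose: both captures parse to the same single NTFS partition at LBA 63, and only the boot code differs. A tool that "cures" the MBR writes the clean loader back over that first region and leaves the table as it is, which is why the disk is still bootable afterwards.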

#11 n4k (Topic Starter, Members, 15 posts)

Posted 10 February 2012 - 02:08 AM

I HAVE MY BELOVED GOOGLE BACK!!! Thank you!!!!!!!!!!!

00:57:53.0671 2208 TDSS rootkit removing tool 2.7.11.0 Feb 9 2012 10:12:57
00:57:54.0218 2208 ============================================================
00:57:54.0218 2208 Current date / time: 2012/02/10 00:57:54.0218
00:57:54.0218 2208 SystemInfo:
00:57:54.0218 2208
00:57:54.0218 2208 OS Version: 5.1.2600 ServicePack: 2.0
00:57:54.0218 2208 Product type: Workstation
00:57:54.0218 2208 ComputerName: TRACY
00:57:54.0218 2208 UserName: Brittini
00:57:54.0218 2208 Windows directory: C:\WINDOWS
00:57:54.0218 2208 System windows directory: C:\WINDOWS
00:57:54.0218 2208 Processor architecture: Intel x86
00:57:54.0218 2208 Number of processors: 2
00:57:54.0218 2208 Page size: 0x1000
00:57:54.0218 2208 Boot type: Normal boot
00:57:54.0218 2208 ============================================================
00:57:56.0375 2208 Drive \Device\Harddisk0\DR0 - Size: 0xD9F411200 (54.49 Gb), SectorSize: 0x200, Cylinders: 0x1BC9, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000054
00:57:56.0375 2208 \Device\Harddisk0\DR0:
00:57:56.0375 2208 MBR used
00:57:56.0375 2208 \Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0x6CF6189
00:57:56.0406 2208 Initialize success
00:57:56.0406 2208 ============================================================
00:58:06.0265 3496 ============================================================
00:58:06.0265 3496 Scan started
00:58:06.0265 3496 Mode: Manual;
00:58:06.0265 3496 ============================================================
00:58:06.0562 3496 Abiosdsk - ok
00:58:06.0609 3496 abp480n5 - ok
00:58:06.0703 3496 ACPI (a10c7534f7223f4a73a948967d00e69b) C:\WINDOWS\system32\DRIVERS\ACPI.sys
00:58:06.0703 3496 ACPI - ok
00:58:06.0796 3496 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
00:58:06.0796 3496 ACPIEC - ok
00:58:06.0843 3496 adpu160m - ok
00:58:06.0937 3496 aec (841f385c6cfaf66b58fbd898722bb4f0) C:\WINDOWS\system32\drivers\aec.sys
00:58:06.0937 3496 aec - ok
00:58:07.0078 3496 AegisP (023867b6606fbabcdd52e089c4a507da) C:\WINDOWS\system32\DRIVERS\AegisP.sys
00:58:07.0078 3496 AegisP - ok
00:58:07.0187 3496 AFD (5ac495f4cb807b2b98ad2ad591e6d92e) C:\WINDOWS\System32\drivers\afd.sys
00:58:07.0187 3496 AFD - ok
00:58:07.0234 3496 Aha154x - ok
00:58:07.0265 3496 aic78u2 - ok
00:58:07.0312 3496 aic78xx - ok
00:58:07.0359 3496 AliIde - ok
00:58:07.0406 3496 amsint - ok
00:58:07.0515 3496 Arp1394 (f0d692b0bffb46e30eb3cea168bbc49f) C:\WINDOWS\system32\DRIVERS\arp1394.sys
00:58:07.0515 3496 Arp1394 - ok
00:58:07.0531 3496 asc - ok
00:58:07.0546 3496 asc3350p - ok
00:58:07.0562 3496 asc3550 - ok
00:58:07.0625 3496 AsyncMac (02000abf34af4c218c35d257024807d6) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
00:58:07.0625 3496 AsyncMac - ok
00:58:07.0687 3496 atapi (cdfe4411a69c224bd1d11b2da92dac51) C:\WINDOWS\system32\DRIVERS\atapi.sys
00:58:07.0687 3496 atapi - ok
00:58:07.0718 3496 Atdisk - ok
00:58:07.0796 3496 Atmarpc (ec88da854ab7d7752ec8be11a741bb7f) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
00:58:07.0796 3496 Atmarpc - ok
00:58:07.0828 3496 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
00:58:07.0828 3496 audstub - ok
00:58:07.0890 3496 bcm4sbxp (cd4646067cc7dcba1907fa0acf7e3966) C:\WINDOWS\system32\DRIVERS\bcm4sbxp.sys
00:58:07.0890 3496 bcm4sbxp - ok
00:58:07.0937 3496 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
00:58:07.0937 3496 Beep - ok
00:58:08.0015 3496 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
00:58:08.0031 3496 cbidf2k - ok
00:58:08.0062 3496 CCDECODE (6163ed60b684bab19d3352ab22fc48b2) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
00:58:08.0062 3496 CCDECODE - ok
00:58:08.0140 3496 cd20xrnt - ok
00:58:08.0234 3496 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
00:58:08.0234 3496 Cdaudio - ok
00:58:08.0281 3496 Cdfs (cd7d5152df32b47f4e36f710b35aae02) C:\WINDOWS\system32\drivers\Cdfs.sys
00:58:08.0281 3496 Cdfs - ok
00:58:08.0375 3496 Cdrom (af9c19b3100fe010496b1a27181fbf72) C:\WINDOWS\system32\DRIVERS\cdrom.sys
00:58:08.0375 3496 Cdrom - ok
00:58:08.0406 3496 cerc6 - ok
00:58:08.0531 3496 cercsr6 (84853b3fd012251690570e9e7e43343f) C:\WINDOWS\system32\drivers\cercsr6.sys
00:58:08.0531 3496 cercsr6 - ok
00:58:08.0546 3496 Changer - ok
00:58:08.0625 3496 CmBatt (4266be808f85826aedf3c64c1e240203) C:\WINDOWS\system32\DRIVERS\CmBatt.sys
00:58:08.0625 3496 CmBatt - ok
00:58:08.0625 3496 CmdIde - ok
00:58:08.0640 3496 Compbatt (df1b1a24bf52d0ebc01ed4ece8979f50) C:\WINDOWS\system32\DRIVERS\compbatt.sys
00:58:08.0640 3496 Compbatt - ok
00:58:08.0671 3496 Cpqarray - ok
00:58:08.0687 3496 dac2w2k - ok
00:58:08.0703 3496 dac960nt - ok
00:58:08.0734 3496 Disk (00ca44e4534865f8a3b64f7c0984bff0) C:\WINDOWS\system32\DRIVERS\disk.sys
00:58:08.0734 3496 Disk - ok
00:58:08.0828 3496 dmboot (c0fbb516e06e243f0cf31f597e7ebf7d) C:\WINDOWS\system32\drivers\dmboot.sys
00:58:08.0875 3496 dmboot - ok
00:58:08.0921 3496 dmio (f5e7b358a732d09f4bcf2824b88b9e28) C:\WINDOWS\system32\DRIVERS\dmio.sys
00:58:08.0921 3496 dmio - ok
00:58:08.0953 3496 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
00:58:08.0953 3496 dmload - ok
00:58:09.0031 3496 DMusic (a6f881284ac1150e37d9ae47ff601267) C:\WINDOWS\system32\drivers\DMusic.sys
00:58:09.0031 3496 DMusic - ok
00:58:09.0046 3496 dpti2o - ok
00:58:09.0109 3496 drmkaud (1ed4dbbae9f5d558dbba4cc450e3eb2e) C:\WINDOWS\system32\drivers\drmkaud.sys
00:58:09.0109 3496 drmkaud - ok
00:58:09.0234 3496 Fastfat (3117f595e9615e04f05a54fc15a03b20) C:\WINDOWS\system32\drivers\Fastfat.sys
00:58:09.0250 3496 Fastfat - ok
00:58:09.0468 3496 Fdc (ced2e8396a8838e59d8fd529c680e02c) C:\WINDOWS\system32\drivers\Fdc.sys
00:58:09.0468 3496 Fdc - ok
00:58:09.0640 3496 FilterService (20fe03294ac1429ae88a64c2f754b0d4) C:\WINDOWS\system32\DRIVERS\lvuvcflt.sys
00:58:09.0640 3496 FilterService - ok
00:58:09.0734 3496 Fips (e153ab8a11de5452bcf5ac7652dbf3ed) C:\WINDOWS\system32\drivers\Fips.sys
00:58:09.0734 3496 Fips - ok
00:58:09.0750 3496 Flpydisk (0dd1de43115b93f4d85e889d7a86f548) C:\WINDOWS\system32\drivers\Flpydisk.sys
00:58:09.0750 3496 Flpydisk - ok
00:58:09.0812 3496 FltMgr (157754f0df355a9e0a6f54721914f9c6) C:\WINDOWS\system32\DRIVERS\fltMgr.sys
00:58:09.0828 3496 FltMgr - ok
00:58:09.0875 3496 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
00:58:09.0875 3496 Fs_Rec - ok
00:58:09.0906 3496 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
00:58:09.0906 3496 Ftdisk - ok
00:58:09.0953 3496 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys
00:58:09.0953 3496 GEARAspiWDM - ok
00:58:10.0015 3496 Gpc (c0f1d4a21de5a415df8170616703debf) C:\WINDOWS\system32\DRIVERS\msgpc.sys
00:58:10.0015 3496 Gpc - ok
00:58:10.0125 3496 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
00:58:10.0125 3496 HDAudBus - ok
00:58:10.0187 3496 HidUsb (1de6783b918f540149aa69943bdfeba8) C:\WINDOWS\system32\DRIVERS\hidusb.sys
00:58:10.0187 3496 HidUsb - ok
00:58:10.0250 3496 hpn - ok
00:58:10.0343 3496 HPZid412 (d03d10f7ded688fecf50f8fbf1ea9b8a) C:\WINDOWS\system32\DRIVERS\HPZid412.sys
00:58:10.0343 3496 HPZid412 - ok
00:58:10.0437 3496 HPZipr12 (89f41658929393487b6b7d13c8528ce3) C:\WINDOWS\system32\DRIVERS\HPZipr12.sys
00:58:10.0437 3496 HPZipr12 - ok
00:58:10.0468 3496 HPZius12 (abcb05ccdbf03000354b9553820e39f8) C:\WINDOWS\system32\DRIVERS\HPZius12.sys
00:58:10.0468 3496 HPZius12 - ok
00:58:10.0578 3496 HTCAND32 - ok
00:58:10.0671 3496 HTTP (c19b522a9ae0bbc3293397f3055e80a1) C:\WINDOWS\system32\Drivers\HTTP.sys
00:58:10.0671 3496 HTTP - ok
00:58:10.0687 3496 i2omgmt - ok
00:58:10.0703 3496 i2omp - ok
00:58:10.0765 3496 i8042prt (5502b58eef7486ee6f93f3f164dcb808) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
00:58:10.0765 3496 i8042prt - ok
00:58:11.0125 3496 ialm (e8c7cc369c2fb657e0792af70df529e6) C:\WINDOWS\system32\DRIVERS\igxpmp32.sys
00:58:11.0437 3496 ialm - ok
00:58:11.0468 3496 Imapi (f8aa320c6a0409c0380e5d8a99d76ec6) C:\WINDOWS\system32\DRIVERS\imapi.sys
00:58:11.0468 3496 Imapi - ok
00:58:11.0484 3496 ini910u - ok
00:58:11.0500 3496 IntelIde - ok
00:58:11.0531 3496 intelppm (279fb78702454dff2bb445f238c048d2) C:\WINDOWS\system32\DRIVERS\intelppm.sys
00:58:11.0531 3496 intelppm - ok
00:58:11.0562 3496 Ip6Fw (4448006b6bc60e6c027932cfc38d6855) C:\WINDOWS\system32\DRIVERS\Ip6Fw.sys
00:58:11.0562 3496 Ip6Fw - ok
00:58:11.0625 3496 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
00:58:11.0625 3496 IpFilterDriver - ok
00:58:11.0734 3496 IpInIp (e1ec7f5da720b640cd8fb8424f1b14bb) C:\WINDOWS\system32\DRIVERS\ipinip.sys
00:58:11.0734 3496 IpInIp - ok
00:58:11.0796 3496 IpNat (b5a8e215ac29d24d60b4d1250ef05ace) C:\WINDOWS\system32\DRIVERS\ipnat.sys
00:58:11.0796 3496 IpNat - ok
00:58:11.0843 3496 IPSec (64537aa5c003a6afeee1df819062d0d1) C:\WINDOWS\system32\DRIVERS\ipsec.sys
00:58:11.0843 3496 IPSec - ok
00:58:11.0921 3496 IRENUM (50708daa1b1cbb7d6ac1cf8f56a24410) C:\WINDOWS\system32\DRIVERS\irenum.sys
00:58:11.0921 3496 IRENUM - ok
00:58:12.0031 3496 isapnp (e504f706ccb699c2596e9a3da1596e87) C:\WINDOWS\system32\DRIVERS\isapnp.sys
00:58:12.0031 3496 isapnp - ok
00:58:12.0125 3496 Kbdclass (ebdee8a2ee5393890a1acee971c4c246) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
00:58:12.0125 3496 Kbdclass - ok
00:58:12.0203 3496 kbdhid (e182fa8e49e8ee41b4adc53093f3c7e6) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
00:58:12.0203 3496 kbdhid - ok
00:58:12.0296 3496 kmixer (d93cad07c5683db066b0b2d2d3790ead) C:\WINDOWS\system32\drivers\kmixer.sys
00:58:12.0296 3496 kmixer - ok
00:58:12.0328 3496 KSecDD (eb7ffe87fd367ea8fca0506f74a87fbb) C:\WINDOWS\system32\drivers\KSecDD.sys
00:58:12.0328 3496 KSecDD - ok
00:58:12.0375 3496 lbrtfdc - ok
00:58:12.0468 3496 lvpopflt (af280405c10f0d20f37670b7432e5c2f) C:\WINDOWS\system32\DRIVERS\lvpopflt.sys
00:58:12.0468 3496 lvpopflt - ok
00:58:12.0515 3496 LVRS (e52f5a2cadcf08d07f559962f807a0a2) C:\WINDOWS\system32\DRIVERS\lvrs.sys
00:58:12.0515 3496 LVRS - ok
00:58:12.0953 3496 LVUVC (c3d02260beb2b48dea1efdfca91e4b69) C:\WINDOWS\system32\DRIVERS\lvuvc.sys
00:58:13.0328 3496 LVUVC - ok
00:58:13.0406 3496 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
00:58:13.0406 3496 mnmdd - ok
00:58:13.0468 3496 Modem (6fc6f9d7acc36dca9b914565a3aeda05) C:\WINDOWS\system32\drivers\Modem.sys
00:58:13.0468 3496 Modem - ok
00:58:13.0515 3496 Mouclass (34e1f0031153e491910e12551400192c) C:\WINDOWS\system32\DRIVERS\mouclass.sys
00:58:13.0515 3496 Mouclass - ok
00:58:13.0640 3496 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
00:58:13.0640 3496 mouhid - ok
00:58:13.0734 3496 MountMgr (65653f3b4477f3c63e68a9659f85ee2e) C:\WINDOWS\system32\drivers\MountMgr.sys
00:58:13.0734 3496 MountMgr - ok
00:58:13.0765 3496 mraid35x - ok
00:58:13.0843 3496 MRxDAV (46edcc8f2db2f322c24f48785cb46366) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
00:58:13.0843 3496 MRxDAV - ok
00:58:13.0937 3496 MRxSmb (1fd607fc67f7f7c633c3da65bfc53d18) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
00:58:13.0937 3496 MRxSmb - ok
00:58:14.0031 3496 Msfs (561b3a4333ca2dbdba28b5b956822519) C:\WINDOWS\system32\drivers\Msfs.sys
00:58:14.0031 3496 Msfs - ok
00:58:14.0109 3496 MSKSSRV (ae431a8dd3c1d0d0610cdbac16057ad0) C:\WINDOWS\system32\drivers\MSKSSRV.sys
00:58:14.0109 3496 MSKSSRV - ok
00:58:14.0203 3496 MSPCLOCK (13e75fef9dfeb08eeded9d0246e1f448) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
00:58:14.0203 3496 MSPCLOCK - ok
00:58:14.0296 3496 MSPQM (1988a33ff19242576c3d0ef9ce785da7) C:\WINDOWS\system32\drivers\MSPQM.sys
00:58:14.0296 3496 MSPQM - ok
00:58:14.0359 3496 mssmbios (469541f8bfd2b32659d5d463a6714bce) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
00:58:14.0359 3496 mssmbios - ok
00:58:14.0437 3496 MSTEE (bf13612142995096ab084f2db7f40f77) C:\WINDOWS\system32\drivers\MSTEE.sys
00:58:14.0437 3496 MSTEE - ok
00:58:14.0546 3496 Mup (82035e0f41c2dd05ae41d27fe6cf7de1) C:\WINDOWS\system32\drivers\Mup.sys
00:58:14.0578 3496 Mup - ok
00:58:14.0640 3496 NABTSFEC (5c8dc6429c43dc6177c1fa5b76290d1a) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
00:58:14.0640 3496 NABTSFEC - ok
00:58:14.0734 3496 NDIS (558635d3af1c7546d26067d5d9b6959e) C:\WINDOWS\system32\drivers\NDIS.sys
00:58:14.0734 3496 NDIS - ok
00:58:14.0781 3496 NdisIP (520ce427a8b298f54112857bcf6bde15) C:\WINDOWS\system32\DRIVERS\NdisIP.sys
00:58:14.0781 3496 NdisIP - ok
00:58:14.0812 3496 NdisTapi (08d43bbdacdf23f34d79e44ed35c1b4c) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
00:58:14.0812 3496 NdisTapi - ok
00:58:14.0906 3496 Ndisuio (34d6cd56409da9a7ed573e1c90a308bf) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
00:58:14.0906 3496 Ndisuio - ok
00:58:15.0203 3496 NdisWan (0b90e255a9490166ab368cd55a529893) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
00:58:15.0234 3496 NdisWan - ok
00:58:15.0281 3496 NDProxy (59fc3fb44d2669bc144fd87826bb571f) C:\WINDOWS\system32\drivers\NDProxy.sys
00:58:15.0281 3496 NDProxy - ok
00:58:15.0343 3496 NetBIOS (3a2aca8fc1d7786902ca434998d7ceb4) C:\WINDOWS\system32\DRIVERS\netbios.sys
00:58:15.0343 3496 NetBIOS - ok
00:58:15.0406 3496 NetBT (0c80e410cd2f47134407ee7dd19cc86b) C:\WINDOWS\system32\DRIVERS\netbt.sys
00:58:15.0406 3496 NetBT - ok
00:58:15.0718 3496 NETw4x32 (88100ebdd10309fbd445ef8e42452eae) C:\WINDOWS\system32\DRIVERS\NETw4x32.sys
00:58:15.0828 3496 NETw4x32 - ok
00:58:15.0921 3496 NIC1394 (5c5c53db4fef16cf87b9911c7e8c6fbc) C:\WINDOWS\system32\DRIVERS\nic1394.sys
00:58:15.0937 3496 NIC1394 - ok
00:58:16.0062 3496 Npfs (4f601bcb8f64ea3ac0994f98fed03f8e) C:\WINDOWS\system32\drivers\Npfs.sys
00:58:16.0062 3496 Npfs - ok
00:58:16.0140 3496 Ntfs (b78be402c3f63dd55521f73876951cdd) C:\WINDOWS\system32\drivers\Ntfs.sys
00:58:16.0171 3496 Ntfs - ok
00:58:16.0312 3496 NuidFltr (cf7e041663119e09d2e118521ada9300) C:\WINDOWS\system32\DRIVERS\NuidFltr.sys
00:58:16.0312 3496 NuidFltr - ok
00:58:16.0390 3496 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
00:58:16.0390 3496 Null - ok
00:58:16.0500 3496 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
00:58:16.0500 3496 NwlnkFlt - ok
00:58:16.0609 3496 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
00:58:16.0625 3496 NwlnkFwd - ok
00:58:16.0703 3496 ohci1394 (0951db8e5823ea366b0e408d71e1ba2a) C:\WINDOWS\system32\DRIVERS\ohci1394.sys
00:58:16.0703 3496 ohci1394 - ok
00:58:16.0781 3496 Parport (29744eb4ce659dfe3b4122deb45bc478) C:\WINDOWS\system32\drivers\Parport.sys
00:58:16.0781 3496 Parport - ok
00:58:16.0859 3496 PartMgr (3334430c29dc338092f79c38ef7b4cd0) C:\WINDOWS\system32\drivers\PartMgr.sys
00:58:16.0859 3496 PartMgr - ok
00:58:16.0921 3496 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
00:58:16.0921 3496 ParVdm - ok
00:58:16.0953 3496 PCI (8086d9979234b603ad5bc2f5d890b234) C:\WINDOWS\system32\DRIVERS\pci.sys
00:58:16.0953 3496 PCI - ok
00:58:16.0953 3496 PCIDump - ok
00:58:16.0968 3496 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
00:58:16.0968 3496 PCIIde - ok
00:58:17.0046 3496 Pcmcia (82a087207decec8456fbe8537947d579) C:\WINDOWS\system32\drivers\Pcmcia.sys
00:58:17.0046 3496 Pcmcia - ok
00:58:17.0062 3496 PDCOMP - ok
00:58:17.0062 3496 PDFRAME - ok
00:58:17.0078 3496 PDRELI - ok
00:58:17.0093 3496 PDRFRAME - ok
00:58:17.0109 3496 perc2 - ok
00:58:17.0125 3496 perc2hib - ok
00:58:17.0187 3496 PptpMiniport (1c5cc65aac0783c344f16353e60b72ac) C:\WINDOWS\system32\DRIVERS\raspptp.sys
00:58:17.0187 3496 PptpMiniport - ok
00:58:17.0203 3496 PSched (48671f327553dcf1d27f6197f622a668) C:\WINDOWS\system32\DRIVERS\psched.sys
00:58:17.0203 3496 PSched - ok
00:58:17.0218 3496 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
00:58:17.0218 3496 Ptilink - ok
00:58:17.0250 3496 PxHelp20 (40f2031bd9148d3194353ea7dec97a07) C:\WINDOWS\system32\Drivers\PxHelp20.sys
00:58:17.0250 3496 PxHelp20 - ok
00:58:17.0265 3496 ql1080 - ok
00:58:17.0281 3496 Ql10wnt - ok
00:58:17.0296 3496 ql12160 - ok
00:58:17.0312 3496 ql1240 - ok
00:58:17.0312 3496 ql1280 - ok
00:58:17.0359 3496 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
00:58:17.0375 3496 RasAcd - ok
00:58:17.0437 3496 Rasl2tp (98faeb4a4dcf812ba1c6fca4aa3e115c) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
00:58:17.0437 3496 Rasl2tp - ok
00:58:17.0453 3496 RasPppoe (7306eeed8895454cbed4669be9f79faa) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
00:58:17.0453 3496 RasPppoe - ok
00:58:17.0468 3496 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
00:58:17.0468 3496 Raspti - ok
00:58:17.0515 3496 Rdbss (29d66245adba878fff574cd66abd2884) C:\WINDOWS\system32\DRIVERS\rdbss.sys
00:58:17.0531 3496 Rdbss - ok
00:58:17.0609 3496 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
00:58:17.0609 3496 RDPCDD - ok
00:58:17.0687 3496 rdpdr (a2cae2c60bc37e0751ef9dda7ceaf4ad) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
00:58:17.0687 3496 rdpdr - ok
00:58:17.0765 3496 RDPWD (d4f5643d7714ef499ae9527fdcd50894) C:\WINDOWS\system32\drivers\RDPWD.sys
00:58:17.0765 3496 RDPWD - ok
00:58:17.0812 3496 redbook (b31b4588e4086d8d84adbf9845c2402b) C:\WINDOWS\system32\DRIVERS\redbook.sys
00:58:17.0812 3496 redbook - ok
00:58:17.0890 3496 s24trans (c26a053e4db47f6cdd8653c83aaf22ee) C:\WINDOWS\system32\DRIVERS\s24trans.sys
00:58:17.0890 3496 s24trans - ok
00:58:18.0000 3496 sdbus (02fc71b020ec8700ee8a46c58bc6f276) C:\WINDOWS\system32\DRIVERS\sdbus.sys
00:58:18.0000 3496 sdbus - ok
00:58:18.0046 3496 Secdrv (d26e26ea516450af9d072635c60387f4) C:\WINDOWS\system32\DRIVERS\secdrv.sys
00:58:18.0046 3496 Secdrv - ok
00:58:18.0109 3496 Serial (cd9404d115a00d249f70a371b46d5a26) C:\WINDOWS\system32\drivers\Serial.sys
00:58:18.0125 3496 Serial - ok
00:58:18.0140 3496 sffdisk (1d9f1bec651815741f088a8fb88e17ee) C:\WINDOWS\system32\DRIVERS\sffdisk.sys
00:58:18.0140 3496 sffdisk - ok
00:58:18.0203 3496 sffp_sd (586499fd312ffd7f78553f408e71682e) C:\WINDOWS\system32\DRIVERS\sffp_sd.sys
00:58:18.0203 3496 sffp_sd - ok
00:58:18.0265 3496 Sfloppy (0d13b6df6e9e101013a7afb0ce629fe0) C:\WINDOWS\system32\drivers\Sfloppy.sys
00:58:18.0281 3496 Sfloppy - ok
00:58:18.0343 3496 Simbad - ok
00:58:18.0406 3496 SLIP (5caeed86821fa2c6139e32e9e05ccdc9) C:\WINDOWS\system32\DRIVERS\SLIP.sys
00:58:18.0406 3496 SLIP - ok
00:58:18.0453 3496 Sparrow - ok
00:58:18.0578 3496 splitter (8e186b8f23295d1e42c573b82b80d548) C:\WINDOWS\system32\drivers\splitter.sys
00:58:18.0593 3496 splitter - ok
00:58:18.0671 3496 sr (e41b6d037d6cd08461470af04500dc24) C:\WINDOWS\system32\DRIVERS\sr.sys
00:58:18.0703 3496 sr - ok
00:58:18.0828 3496 Srv (20b7e396720353e4117d64d9dcb926ca) C:\WINDOWS\system32\DRIVERS\srv.sys
00:58:18.0828 3496 Srv - ok
00:58:19.0031 3496 STHDA (951801dfb54d86f611f0af47825476f9) C:\WINDOWS\system32\drivers\sthda.sys
00:58:19.0046 3496 STHDA - ok
00:58:19.0140 3496 streamip (284c57df5dc7abca656bc2b96a667afb) C:\WINDOWS\system32\DRIVERS\StreamIP.sys
00:58:19.0140 3496 streamip - ok
00:58:19.0234 3496 swenum (03c1bae4766e2450219d20b993d6e046) C:\WINDOWS\system32\DRIVERS\swenum.sys
00:58:19.0234 3496 swenum - ok
00:58:19.0296 3496 swmidi (94abc808fc4b6d7d2bbf42b85e25bb4d) C:\WINDOWS\system32\drivers\swmidi.sys
00:58:19.0296 3496 swmidi - ok
00:58:19.0343 3496 symc810 - ok
00:58:19.0375 3496 symc8xx - ok
00:58:19.0421 3496 sym_hi - ok
00:58:19.0515 3496 sym_u3 - ok
00:58:19.0609 3496 sysaudio (650ad082d46bac0e64c9c0e0928492fd) C:\WINDOWS\system32\drivers\sysaudio.sys
00:58:19.0609 3496 sysaudio - ok
00:58:19.0640 3496 Tcpip (9f4b36614a0fc234525ba224957de55c) C:\WINDOWS\system32\DRIVERS\tcpip.sys
00:58:19.0656 3496 Tcpip - ok
00:58:19.0703 3496 TDPIPE (38d437cf2d98965f239b0abcd66dcb0f) C:\WINDOWS\system32\drivers\TDPIPE.sys
00:58:19.0703 3496 TDPIPE - ok
00:58:19.0734 3496 TDTCP (ed0580af02502d00ad8c4c066b156be9) C:\WINDOWS\system32\drivers\TDTCP.sys
00:58:19.0734 3496 TDTCP - ok
00:58:19.0812 3496 TermDD (a540a99c281d933f3d69d55e48727f47) C:\WINDOWS\system32\DRIVERS\termdd.sys
00:58:19.0812 3496 TermDD - ok
00:58:19.0843 3496 TosIde - ok
00:58:19.0937 3496 Udfs (12f70256f140cd7d52c58c7048fde657) C:\WINDOWS\system32\drivers\Udfs.sys
00:58:19.0937 3496 Udfs - ok
00:58:19.0953 3496 ultra - ok
00:58:20.0015 3496 Update (aff2e5045961bbc0a602bb6f95eb1345) C:\WINDOWS\system32\DRIVERS\update.sys
00:58:20.0015 3496 Update - ok
00:58:20.0078 3496 USBAAPL (83cafcb53201bbac04d822f32438e244) C:\WINDOWS\system32\Drivers\usbaapl.sys
00:58:20.0093 3496 USBAAPL - ok
00:58:20.0203 3496 usbaudio (45a0d14b26c35497ad93bce7e15c9941) C:\WINDOWS\system32\drivers\usbaudio.sys
00:58:20.0203 3496 usbaudio - ok
00:58:20.0250 3496 usbccgp (bffd9f120cc63bcbaa3d840f3eef9f79) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
00:58:20.0250 3496 usbccgp - ok
00:58:20.0328 3496 usbehci (15e993ba2f6946b2bfbbfcd30398621e) C:\WINDOWS\system32\DRIVERS\usbehci.sys
00:58:20.0343 3496 usbehci - ok
00:58:20.0421 3496 usbhub (c72f40947f92cea56a8fb532edf025f1) C:\WINDOWS\system32\DRIVERS\usbhub.sys
00:58:20.0421 3496 usbhub - ok
00:58:20.0500 3496 usbprint (a42369b7cd8886cd7c70f33da6fcbcf5) C:\WINDOWS\system32\DRIVERS\usbprint.sys
00:58:20.0500 3496 usbprint - ok
00:58:20.0546 3496 usbscan (a6bc71402f4f7dd5b77fd7f4a8ddba85) C:\WINDOWS\system32\DRIVERS\usbscan.sys
00:58:20.0546 3496 usbscan - ok
00:58:20.0640 3496 USBSTOR (6cd7b22193718f1d17a47a1cd6d37e75) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
00:58:20.0640 3496 USBSTOR - ok
00:58:20.0781 3496 usbuhci (f8fd1400092e23c8f2f31406ef06167b) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
00:58:20.0781 3496 usbuhci - ok
00:58:20.0875 3496 usbvideo (8968ff3973a883c49e8b564200f565b9) C:\WINDOWS\system32\Drivers\usbvideo.sys
00:58:20.0875 3496 usbvideo - ok
00:58:20.0984 3496 VgaSave (8a60edd72b4ea5aea8202daf0e427925) C:\WINDOWS\System32\drivers\vga.sys
00:58:20.0984 3496 VgaSave - ok
00:58:21.0031 3496 ViaIde - ok
00:58:21.0109 3496 VolSnap (ee4660083deba849ff6c485d944b379b) C:\WINDOWS\system32\drivers\VolSnap.sys
00:58:21.0109 3496 VolSnap - ok
00:58:21.0171 3496 Wanarp (984ef0b9788abf89974cfed4bfbaacbc) C:\WINDOWS\system32\DRIVERS\wanarp.sys
00:58:21.0171 3496 Wanarp - ok
00:58:21.0343 3496 Wdf01000 (4769596d7cc0f5fa447d2babc239672a) C:\WINDOWS\system32\DRIVERS\Wdf01000.sys
00:58:21.0343 3496 Wdf01000 - ok
00:58:21.0375 3496 WDICA - ok
00:58:21.0453 3496 wdmaud (2797f33ebf50466020c430ee4f037933) C:\WINDOWS\system32\drivers\wdmaud.sys
00:58:21.0453 3496 wdmaud - ok
00:58:21.0593 3496 WSTCODEC (d5842484f05e12121c511aa93f6439ec) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
00:58:21.0593 3496 WSTCODEC - ok
00:58:21.0640 3496 MBR (0x1B8) (8284b453e6b0f6a3e48a91387252c375) \Device\Harddisk0\DR0
00:58:21.0671 3496 \Device\Harddisk0\DR0 ( Rootkit.Boot.Wistler.a ) - infected
00:58:21.0671 3496 \Device\Harddisk0\DR0 - detected Rootkit.Boot.Wistler.a (0)
00:58:21.0671 3496 Boot (0x1200) (2196882b4b6958f509a9aa73053e1d9b) \Device\Harddisk0\DR0\Partition0
00:58:21.0687 3496 \Device\Harddisk0\DR0\Partition0 - ok
00:58:21.0687 3496 ============================================================
00:58:21.0687 3496 Scan finished
00:58:21.0687 3496 ============================================================
00:58:21.0703 1092 Detected object count: 1
00:58:21.0703 1092 Actual detected object count: 1
00:58:38.0500 1092 \Device\Harddisk0\DR0\# - copied to quarantine
00:58:38.0500 1092 \Device\Harddisk0\DR0 - copied to quarantine
00:58:38.0515 1092 \Device\Harddisk0\DR0 ( Rootkit.Boot.Wistler.a ) - will be cured on reboot
00:58:38.0515 1092 \Device\Harddisk0\DR0 - ok
00:58:38.0515 1092 \Device\Harddisk0\DR0 ( Rootkit.Boot.Wistler.a ) - User select action: Cure
00:58:41.0656 3848 Deinitialize success
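The TDSSKiller report above is the artifact gringo asked for, and reading it by hand means scanning hundreds of "- ok" lines for the few that matter: the per-driver MD5 and image path, the MBR/boot-sector hashes, and the detection, action and reboot lines at the end. The following is an added triage helper, written for this thread and not code from the poster, from BleepingComputer or from Kaspersky; its regular expressions are derived only from the line layout visible in the posted log. The sample report embedded in it is constructed: it copies a handful of the posted lines (the ACPI driver, the MBR and boot-sector lines, and the Rootkit.Boot.Wistler.a verdicts) and adds one made-up "ExampleSvc" driver with a placeholder hash that loads from a user temp directory, to show how an out-of-place driver image path gets flagged for review.

```python
"""Triage helper for a TDSSKiller report (added example; not the thread's or Kaspersky's code)."""
import re

# Constructed sample mirroring the TDSSKiller log layout posted in the thread.
# The ACPI, MBR, Boot and \Device\Harddisk0\DR0 lines copy the posted log; the
# "ExampleSvc" line is made up (placeholder hash, driver loading from a user temp
# directory) to exercise the image-path check below.
SAMPLE_LOG = r"""
00:58:06.0265 3496 Scan started
00:58:06.0265 3496 Mode: Manual;
00:58:06.0703 3496 ACPI (a10c7534f7223f4a73a948967d00e69b) C:\WINDOWS\system32\DRIVERS\ACPI.sys
00:58:06.0703 3496 ACPI - ok
00:58:06.0843 3496 adpu160m - ok
00:58:12.0000 3496 ExampleSvc (00000000000000000000000000000000) C:\Documents and Settings\user\Local Settings\Temp\example.sys
00:58:12.0000 3496 ExampleSvc - ok
00:58:21.0640 3496 MBR (0x1B8) (8284b453e6b0f6a3e48a91387252c375) \Device\Harddisk0\DR0
00:58:21.0671 3496 \Device\Harddisk0\DR0 ( Rootkit.Boot.Wistler.a ) - infected
00:58:21.0671 3496 \Device\Harddisk0\DR0 - detected Rootkit.Boot.Wistler.a (0)
00:58:21.0671 3496 Boot (0x1200) (2196882b4b6958f509a9aa73053e1d9b) \Device\Harddisk0\DR0\Partition0
00:58:21.0687 3496 \Device\Harddisk0\DR0\Partition0 - ok
00:58:21.0687 3496 Scan finished
00:58:21.0703 1092 Detected object count: 1
00:58:38.0515 1092 \Device\Harddisk0\DR0 ( Rootkit.Boot.Wistler.a ) - will be cured on reboot
00:58:38.0515 1092 \Device\Harddisk0\DR0 ( Rootkit.Boot.Wistler.a ) - User select action: Cure
"""

# Every line is "HH:MM:SS.mmmm <pid> <body>"; only the body carries information.
LINE_RE = re.compile(r"^\d{2}:\d{2}:\d{2}\.\d{4}\s+\d+\s+(.*)$")
# "MBR (0x1B8) (<md5>) \Device\..." and "Boot (0x1200) (<md5>) \Device\...\PartitionN"
BOOT_RE = re.compile(r"^(MBR|Boot) \(0x[0-9A-Fa-f]+\) \(([0-9a-fA-F]{32})\) (.+)$")
# "<service> (<md5>) <image path>" for each driver whose file was hashed
DRIVER_RE = re.compile(r"^(\S+) \(([0-9a-fA-F]{32})\) (.+)$")
# "<object> - detected <threat> (n)"
DETECTED_RE = re.compile(r"^(.+?) - detected (\S+)")
# "<object> ( <threat> ) - infected | will be cured on reboot | User select action: X"
VERDICT_RE = re.compile(r"^(.+?) \( (.+?) \) - (.+)$")
COUNT_RE = re.compile(r"^Detected object count: (\d+)$")

# Driver images normally live under system32; anything else deserves a look.
SYSTEM_DIR = "c:\\windows\\system32\\"


def parse_tdsskiller_log(text):
    """Parse a TDSSKiller report into a dict of drivers, boot-sector hashes, detections and actions."""
    report = {
        "drivers": {},        # service name -> (md5, image path)
        "boot_sectors": {},   # "MBR" / "Boot" -> md5 of the sector
        "detections": {},     # object -> threat name
        "actions": {},        # object -> last action TDSSKiller recorded for it
        "declared_count": None,
        "reboot_required": False,
    }
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        body = m.group(1)
        bm = BOOT_RE.match(body)
        if bm:
            report["boot_sectors"][bm.group(1)] = bm.group(2).lower()
            continue
        dm = DRIVER_RE.match(body)
        if dm:
            report["drivers"][dm.group(1)] = (dm.group(2).lower(), dm.group(3))
            continue
        xm = DETECTED_RE.match(body)
        if xm:
            report["detections"][xm.group(1)] = xm.group(2)
            continue
        vm = VERDICT_RE.match(body)
        if vm:
            obj, threat, verdict = vm.groups()
            report["detections"].setdefault(obj, threat)
            if verdict == "will be cured on reboot":
                report["reboot_required"] = True
            if verdict.startswith("User select action: "):
                verdict = verdict[len("User select action: "):]
            report["actions"][obj] = verdict
            continue
        cm = COUNT_RE.match(body)
        if cm:
            report["declared_count"] = int(cm.group(1))
    report["drivers_outside_system32"] = sorted(
        name for name, (_, path) in report["drivers"].items()
        if not path.lower().startswith(SYSTEM_DIR)
    )
    return report


def triage_lines(report):
    """Return the short list of lines a helper would actually read."""
    out = []
    for obj, threat in report["detections"].items():
        action = report["actions"].get(obj, "no action recorded")
        out.append(f"DETECTION {obj}: {threat} -> {action}")
    declared = report["declared_count"]
    if declared is not None and declared != len(report["detections"]):
        out.append(f"WARNING: tool declared {declared} objects, parsed {len(report['detections'])}")
    for name in report["drivers_outside_system32"]:
        out.append(f"REVIEW {name}: driver image outside system32: {report['drivers'][name][1]}")
    if report["reboot_required"]:
        out.append("Reboot required to finish the cure; re-scan afterwards and confirm the MBR hash changed")
    return out


if __name__ == "__main__":
    for line in triage_lines(parse_tdsskiller_log(SAMPLE_LOG)):
        print(line)
```

Two things this surfaces that are easy to miss when skimming the raw report: the cure of an MBR infection is only scheduled ("will be cured on reboot"), so the tool's own "- ok" on the same object does not yet mean the sector is clean, and the MBR MD5 recorded before the reboot gives you a value to compare against on the post-reboot re-scan. The driver-path check is a heuristic, not a verdict; a legitimate driver can live elsewhere, which is why it is labelled REVIEW rather than DETECTION.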

#12 gringo_pr (Bleepin Gringo, Malware Response Team)

Posted 10 February 2012 - 02:42 AM

OK, now let's try and run ComboFix again.


gringo

#13 n4k (Topic Starter, Members)

Posted 10 February 2012 - 05:18 AM

Whew..that was stressful :D

Got a warning that spyware doctor was running, but I could not find it ANYWHERE. Is it the same program as Advanced SystemCare/QuickCare? I think I got it disabled if so.

Combofix Log:

ComboFix 12-02-07.01 - Brittini 02/10/2012 3:47.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2038.1687 [GMT -6:00]
Running from: c:\documents and settings\Brittini\My Documents\Downloads\ComboFix.exe
AV: Spyware Doctor with AntiVirus *Enabled/Updated* {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\$NtUninstallKB13601$
c:\windows\$NtUninstallKB13601$\3219969829
c:\windows\$NtUninstallKB13601$\663753393\@
c:\windows\$NtUninstallKB13601$\663753393\bckfg.tmp
c:\windows\$NtUninstallKB13601$\663753393\cfg.ini
c:\windows\$NtUninstallKB13601$\663753393\Desktop.ini
c:\windows\$NtUninstallKB13601$\663753393\keywords
c:\windows\$NtUninstallKB13601$\663753393\kwrd.dll
c:\windows\$NtUninstallKB13601$\663753393\L\iijixmba
c:\windows\$NtUninstallKB13601$\663753393\lsflt7.ver
c:\windows\$NtUninstallKB13601$\663753393\U\00000001.@
c:\windows\$NtUninstallKB13601$\663753393\U\00000002.@
c:\windows\$NtUninstallKB13601$\663753393\U\00000004.@
c:\windows\$NtUninstallKB13601$\663753393\U\80000000.@
c:\windows\$NtUninstallKB13601$\663753393\U\80000004.@
c:\windows\$NtUninstallKB13601$\663753393\U\80000032.@
c:\windows\$NtUninstallKB51934$
c:\windows\$NtUninstallKB51934$\4082680733
c:\windows\system32\Cache
c:\windows\system32\Cache\241f9934c28a2cdf.fb
c:\windows\system32\Cache\272512937d9e61a4.fb
c:\windows\system32\Cache\287204568329e189.fb
c:\windows\system32\Cache\28bc8f716fd76a47.fb
c:\windows\system32\Cache\2c53092c95605355.fb
c:\windows\system32\Cache\3917078cb68ec657.fb
c:\windows\system32\Cache\590ba23ce359fd0c.fb
c:\windows\system32\Cache\610289e025a3ee9a.fb
c:\windows\system32\Cache\651c5d3cdbfb8bd1.fb
c:\windows\system32\Cache\6c59ac5e7e7a3ad0.fb
c:\windows\system32\Cache\a8556537add6dfc5.fb
c:\windows\system32\Cache\ad10a52aff5e038d.fb
c:\windows\system32\Cache\c4d28dca2e7648be.fb
c:\windows\system32\Cache\c691d9d2d2ba3211.fb
c:\windows\system32\Cache\d201ef9910cd39de.fb
c:\windows\system32\Cache\d2e94710a5708128.fb
c:\windows\system32\Cache\d79b9dfe81484ec4.fb
c:\windows\system32\Cache\e0de16f883bea794.fb
.
.
((((((((((((((((((((((((( Files Created from 2012-01-10 to 2012-02-10 )))))))))))))))))))))))))))))))
.
.
2012-02-10 06:58 . 2012-02-10 06:58 -------- d-----w- C:\TDSSKiller_Quarantine
2012-02-09 09:10 . 2012-02-09 09:10 -------- d-----w- c:\program files\MSXML 6.0
2012-02-08 19:11 . 2004-08-04 04:58 14848 -c--a-w- c:\windows\system32\dllcache\kbdhid.sys
2012-02-08 19:11 . 2004-08-04 04:58 14848 ----a-w- c:\windows\system32\drivers\kbdhid.sys
2012-02-08 19:08 . 2012-02-08 19:08 -------- d-----w- c:\documents and settings\Brittini\Application Data\PokerCreations
2012-02-08 19:08 . 2012-02-08 19:08 -------- d-----w- c:\documents and settings\Brittini\Application Data\NLOP
2012-02-08 19:06 . 2012-02-08 19:08 -------- d-----w- c:\documents and settings\Brittini\Local Settings\Application Data\NLOP
2012-02-08 18:58 . 2012-02-08 19:01 -------- d-----w- C:\$WINDOWS.~BT
2012-02-06 00:15 . 2012-02-08 19:02 -------- d-----w- c:\program files\PC Tools Security
2012-02-06 00:15 . 2012-02-08 19:02 -------- d-----w- c:\program files\Common Files\PC Tools
2012-02-06 00:08 . 2012-02-08 19:02 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2012-02-05 17:53 . 2012-02-08 19:02 -------- d-----w- c:\program files\UnHackMe
2012-02-05 16:38 . 2012-02-05 16:38 54016 ----a-w- c:\windows\system32\drivers\ptbdapwb.sys
2012-02-05 16:10 . 2012-02-05 16:10 -------- d-----w- c:\documents and settings\Brittini\Application Data\Malwarebytes
2012-02-05 16:10 . 2012-02-08 19:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2012-02-05 16:10 . 2012-02-05 16:14 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-02-05 16:10 . 2011-12-10 21:24 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-02-04 03:44 . 2012-02-04 03:44 -------- d-----w- c:\program files\Trend Micro
2012-01-31 03:54 . 2012-01-31 03:54 131 ----a-w- C:\DeletePrintJobs.cmd
2012-01-18 00:25 . 2012-02-09 07:26 -------- d-----w- c:\program files\AVG Secure Search
2012-01-12 00:36 . 2012-01-12 00:36 -------- d-----w- c:\program files\InterActual
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-12-17 06:52 . 2011-12-17 06:52 22 --sha-w- c:\documents and settings\Brittini\Application Data\Sys2662.Config.Repository.bin
2011-12-15 22:16 . 2010-12-25 11:44 90112 ----a-w- c:\windows\DUMP9f0e.tmp
2012-02-02 00:02 . 2011-08-13 18:15 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2011-10-24 421888]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-10-03 81920]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-10-03 221184]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-10-08 995328]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-10-08 1101824]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-11-02 59240]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2011-11-02 59240]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-03-31 138008]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-03-31 162584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-03-31 138008]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\stsystra.exe" [2007-05-10 405504]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-12-08 421736]
"ROC_roc_dec12"="c:\program files\AVG Secure Search\ROC_roc_dec12.exe" [2012-01-29 928096]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Advanced SystemCare 5]
2011-12-16 07:31 619352 ----a-w- c:\program files\IObit\Advanced SystemCare 5\ASCTray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"AdvancedSystemCareService5"=2 (0x2)
"WebClient"=2 (0x2)
"W32Time"=2 (0x2)
"vToolbarUpdater"=2 (0x2)
"TermService"=3 (0x3)
"TapiSrv"=3 (0x3)
"SamSs"=2 (0x2)
"RemoteRegistry"=2 (0x2)
"RasMan"=3 (0x3)
"iPod Service"=3 (0x3)
"Bonjour Service"=2 (0x2)
"BITS"=2 (0x2)
"BackupService"=2 (0x2)
"Apple Mobile Device"=2 (0x2)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
S0 cerc6;cerc6; [x]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [8/7/2011 10:06 PM 136176]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [8/7/2011 10:06 PM 136176]
S3 HTCAND32;HTC Device Driver;c:\windows\system32\Drivers\ANDROIDUSB.sys --> c:\windows\system32\Drivers\ANDROIDUSB.sys [?]
S4 AdvancedSystemCareService5;Advanced SystemCare Service 5;c:\program files\IObit\Advanced SystemCare 5\ASCService.exe [12/16/2011 1:24 AM 494424]
S4 BackupService;BackupService;c:\documents and settings\Brittini\Application Data\HP SimpleSave Application\uUACTokenSvc.exe [12/25/2010 6:29 PM 83512]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
2004-08-10 11:00 99840 ----a-w- c:\windows\system32\advpack.dll
.
Contents of the 'Scheduled Tasks' folder
.
2012-02-05 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 22:57]
.
2012-02-10 c:\windows\Tasks\ASC5_AutoClean.job
- c:\program files\IObit\Advanced SystemCare 5\AutoSweep.exe [2011-12-16 23:59]
.
2012-02-08 c:\windows\Tasks\ASC5_AutoUpdate.job
- c:\program files\IObit\Advanced SystemCare 5\AutoUpdate.exe [2011-12-16 21:41]
.
2012-02-10 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-08-08 04:06]
.
2012-02-10 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-08-08 04:06]
.
2012-02-10 c:\windows\Tasks\User_Feed_Synchronization-{9F841C11-870D-46B4-A444-731F6668781E}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 12:31]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
mStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
uSearchAssistant =
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.254
FF - ProfilePath - c:\documents and settings\Brittini\Application Data\Mozilla\Firefox\Profiles\7d3d1giv.default\
FF - prefs.js: browser.startup.homepage - hxxps://mail.google.com/mail/?tab=wm#inbox
FF - prefs.js: keyword.URL - hxxp://search.mytool.co/?babsrc=home&s=web&as=0&isid=9848&q=
FF - prefs.js: network.proxy.type - 0
.
- - - - ORPHANS REMOVED - - - -
.
URLSearchHooks-{A3BC75A2-1F87-4686-AA43-5347D756017C} - (no file)
Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} - (no file)
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-02-10 04:03
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(924)
c:\windows\system32\netprovcredman.dll
.
- - - - - - - > 'explorer.exe'(3980)
c:\windows\system32\ieframe.dll
c:\windows\system32\msi.dll
c:\windows\system32\shdoclc.dll
c:\windows\system32\netprovcredman.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\windows\system32\locator.exe
c:\program files\Intel\Wireless\Bin\WLKeeper.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\Intel\Wireless\Bin\Dot1XCfg.exe
c:\program files\Common Files\Java\Java Update\jucheck.exe
.
**************************************************************************
.
Completion time: 2012-02-10 04:14:03 - machine was rebooted
ComboFix-quarantined-files.txt 2012-02-10 10:13
.
Pre-Run: 21,566,672,896 bytes free
Post-Run: 21,764,739,072 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect /noexecute=optout
.
- - End Of File - - 36D76E72FD3F71692C676BCFB6C5DEFC


Going to catch a few hours sleep before work again. Will check back ASAP. Much thanks to you!

#14 gringo_pr

gringo_pr

    Bleepin Gringo

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico
  • Local time:03:57 PM

Posted 10 February 2012 - 06:16 AM

Greetings

Good. That cleaned up some bad guys, but I see some other stuff that we need to go after, so I want you to run this custom script for me.

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

ClearJavaCache::

KillAll::

File::
c:\windows\system32\drivers\ptbdapwb.sys

Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe.
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

Note 2: If you receive the error "Illegal operation attempted on a registry key that has been marked for deletion.", please restart the computer.

"information and logs"

  • In your next post I need the following

  • report from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now after running the script?

Gringo

I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#15 n4k

n4k
  • Topic Starter

  • Members
  • 15 posts
  • Local time:01:57 PM

Posted 10 February 2012 - 02:14 PM

ComboFix 12-02-07.01 - Brittini 02/10/2012 12:53:30.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2038.1436 [GMT -6:00]
Running from: c:\documents and settings\Brittini\My Documents\Downloads\ComboFix.exe
Command switches used :: c:\documents and settings\Brittini\Desktop\CFScript.txt
AV: Spyware Doctor with AntiVirus *Enabled/Updated* {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}
.
FILE ::
"c:\windows\system32\drivers\ptbdapwb.sys"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\system32\drivers\ptbdapwb.sys
.
.
((((((((((((((((((((((((( Files Created from 2012-01-10 to 2012-02-10 )))))))))))))))))))))))))))))))
.
.
2012-02-10 18:41 . 2012-02-10 18:41 -------- d-----w- c:\windows\system32\CatRoot_bak
2012-02-10 06:58 . 2012-02-10 06:58 -------- d-----w- C:\TDSSKiller_Quarantine
2012-02-09 09:10 . 2012-02-09 09:10 -------- d-----w- c:\program files\MSXML 6.0
2012-02-08 19:11 . 2004-08-04 04:58 14848 -c--a-w- c:\windows\system32\dllcache\kbdhid.sys
2012-02-08 19:11 . 2004-08-04 04:58 14848 ----a-w- c:\windows\system32\drivers\kbdhid.sys
2012-02-08 19:08 . 2012-02-08 19:08 -------- d-----w- c:\documents and settings\Brittini\Application Data\PokerCreations
2012-02-08 19:08 . 2012-02-08 19:08 -------- d-----w- c:\documents and settings\Brittini\Application Data\NLOP
2012-02-08 19:06 . 2012-02-08 19:08 -------- d-----w- c:\documents and settings\Brittini\Local Settings\Application Data\NLOP
2012-02-08 18:58 . 2012-02-08 19:01 -------- d-----w- C:\$WINDOWS.~BT
2012-02-06 00:15 . 2012-02-08 19:02 -------- d-----w- c:\program files\PC Tools Security
2012-02-06 00:15 . 2012-02-08 19:02 -------- d-----w- c:\program files\Common Files\PC Tools
2012-02-06 00:08 . 2012-02-08 19:02 -------- d-----w- c:\documents and settings\All Users\Application Data\PC Tools
2012-02-05 17:53 . 2012-02-08 19:02 -------- d-----w- c:\program files\UnHackMe
2012-02-05 16:10 . 2012-02-05 16:10 -------- d-----w- c:\documents and settings\Brittini\Application Data\Malwarebytes
2012-02-05 16:10 . 2012-02-08 19:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2012-02-05 16:10 . 2012-02-05 16:14 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-02-05 16:10 . 2011-12-10 21:24 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-02-04 03:44 . 2012-02-04 03:44 -------- d-----w- c:\program files\Trend Micro
2012-01-31 03:54 . 2012-01-31 03:54 131 ----a-w- C:\DeletePrintJobs.cmd
2012-01-18 00:25 . 2012-02-09 07:26 -------- d-----w- c:\program files\AVG Secure Search
2012-01-12 00:36 . 2012-01-12 00:36 -------- d-----w- c:\program files\InterActual
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-12-17 06:52 . 2011-12-17 06:52 22 --sha-w- c:\documents and settings\Brittini\Application Data\Sys2662.Config.Repository.bin
2011-12-15 22:16 . 2010-12-25 11:44 90112 ----a-w- c:\windows\DUMP9f0e.tmp
2012-02-02 00:02 . 2011-08-13 18:15 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2011-10-24 421888]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-10-03 81920]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-10-03 221184]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-10-08 995328]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-10-08 1101824]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-11-02 59240]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe" [2011-11-02 59240]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-03-31 138008]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-03-31 162584]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-03-31 138008]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\stsystra.exe" [2007-05-10 405504]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-12-08 421736]
"ROC_roc_dec12"="c:\program files\AVG Secure Search\ROC_roc_dec12.exe" [2012-01-29 928096]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Advanced SystemCare 5]
2011-12-16 07:31 619352 ----a-w- c:\program files\IObit\Advanced SystemCare 5\ASCTray.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"AdvancedSystemCareService5"=2 (0x2)
"WebClient"=2 (0x2)
"W32Time"=2 (0x2)
"vToolbarUpdater"=2 (0x2)
"TermService"=3 (0x3)
"TapiSrv"=3 (0x3)
"SamSs"=2 (0x2)
"RemoteRegistry"=2 (0x2)
"RasMan"=3 (0x3)
"iPod Service"=3 (0x3)
"Bonjour Service"=2 (0x2)
"BITS"=2 (0x2)
"BackupService"=2 (0x2)
"Apple Mobile Device"=2 (0x2)
"wscsvc"=2 (0x2)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
S0 cerc6;cerc6; [x]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [8/7/2011 10:06 PM 136176]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [8/7/2011 10:06 PM 136176]
S3 HTCAND32;HTC Device Driver;c:\windows\system32\Drivers\ANDROIDUSB.sys --> c:\windows\system32\Drivers\ANDROIDUSB.sys [?]
S4 AdvancedSystemCareService5;Advanced SystemCare Service 5;c:\program files\IObit\Advanced SystemCare 5\ASCService.exe [12/16/2011 1:24 AM 494424]
S4 BackupService;BackupService;c:\documents and settings\Brittini\Application Data\HP SimpleSave Application\uUACTokenSvc.exe [12/25/2010 6:29 PM 83512]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1FF-37FF-4bFF-8CFF-4F3A747040FF}]
2004-08-10 11:00 99840 ----a-w- c:\windows\system32\advpack.dll
.
Contents of the 'Scheduled Tasks' folder
.
2012-02-05 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 22:57]
.
2012-02-10 c:\windows\Tasks\ASC5_AutoClean.job
- c:\program files\IObit\Advanced SystemCare 5\AutoSweep.exe [2011-12-16 23:59]
.
2012-02-08 c:\windows\Tasks\ASC5_AutoUpdate.job
- c:\program files\IObit\Advanced SystemCare 5\AutoUpdate.exe [2011-12-16 21:41]
.
2012-02-10 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-08-08 04:06]
.
2012-02-10 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-08-08 04:06]
.
2012-02-10 c:\windows\Tasks\User_Feed_Synchronization-{9F841C11-870D-46B4-A444-731F6668781E}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 12:31]
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
mStart Page = about:blank
uInternet Settings,ProxyOverride = *.local
uSearchAssistant =
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
TCP: DhcpNameServer = 192.168.1.254
FF - ProfilePath - c:\documents and settings\Brittini\Application Data\Mozilla\Firefox\Profiles\7d3d1giv.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://search.mytool.co/?babsrc=home&s=web&as=0&isid=9848&q=
FF - prefs.js: network.proxy.type - 0
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-02-10 13:02
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(920)
c:\windows\system32\netprovcredman.dll
.
- - - - - - - > 'explorer.exe'(4064)
c:\windows\system32\ieframe.dll
c:\windows\system32\msi.dll
c:\windows\system32\shdoclc.dll
c:\windows\system32\netprovcredman.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\windows\system32\locator.exe
c:\program files\Intel\Wireless\Bin\WLKeeper.exe
c:\windows\system32\igfxsrvc.exe
c:\program files\Intel\Wireless\Bin\Dot1XCfg.exe
c:\program files\Common Files\Java\Java Update\jucheck.exe
.
**************************************************************************
.
Completion time: 2012-02-10 13:10:06 - machine was rebooted
ComboFix-quarantined-files.txt 2012-02-10 19:10
ComboFix2.txt 2012-02-10 10:14
.
Pre-Run: 21,337,677,824 bytes free
Post-Run: 21,328,199,680 bytes free
.
- - End Of File - - 0ADB10EE1C5D7EEBF0333206C1976785


Still got the same warning prior to running ComboFix about Spyware Doctor running. I still can NOT find this program to turn it off.

Computer seems to be running great.




