
slow computer #2


This topic is locked. 16 replies to this topic.

#1 dittohead2
  • Members
  • 8 posts

Posted 17 March 2012 - 12:58 AM

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by Jayme Berry at 1:46:51 on 2012-03-17
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.69 [GMT -4:00]
.
AV: McAfee Anti-Virus and Anti-Spyware *Enabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Firewall *Enabled*
.
============== Running Processes ===============
.
C:\WINDOWS1\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS1\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS1\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
C:\WINDOWS1\system32\mfevtps.exe
C:\WINDOWS1\system32\nvsvc32.exe
C:\WINDOWS1\wanmpsvc.exe
C:\WINDOWS1\system32\SearchIndexer.exe
C:\WINDOWS1\Explorer.EXE
C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
C:\Program Files\Common Files\AOL\1324700994\ee\AOLSoftware.exe
C:\WINDOWS1\system32\ctfmon.exe
C:\WINDOWS1\System32\svchost.exe -k HTTPFilter
C:\WINDOWS1\system32\svchost.exe -k imgsvc
C:\WINDOWS1\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Jayme Berry\Local Settings\Temporary Internet Files\Content.IE5\R2PIF1R8\HijackThis[1].exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\WINDOWS1\system32\SearchProtocolHost.exe
c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
C:\WINDOWS1\system32\SearchProtocolHost.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.pbskids.org/
uInternet Connection Wizard,ShellNext = iexplore
BHO: RoboForm Toolbar Helper: {724d43a9-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\RoboForm.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\common files\mcafee\systemcore\ScriptSn.20120206220944.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
TB: &RoboForm Toolbar: {724d43a0-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\RoboForm.dll
uRun: [NvMediaCenter] RUNDLL32.EXE c:\windows1\system32\NVMCTRAY.DLL,NvTaskbarInit
uRun: [RoboForm] "c:\program files\siber systems\ai roboform\RoboTaskBarIcon.exe"
mRun: [mcui_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [MSConfig] c:\windows1\pchealth\helpctr\binaries\MSConfig.exe /auto
IE: Customize Menu - file://c:\program files\siber systems\ai roboform\RoboFormComCustomizeIEMenu.html
IE: Fill Forms - file://c:\program files\siber systems\ai roboform\RoboFormComFillForms.html
IE: Save Forms - file://c:\program files\siber systems\ai roboform\RoboFormComSavePass.html
IE: Show RoboForm Toolbar - file://c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html
IE: SmarThru4 Capture Selection - c:\program files\smarthru 4\WebCapture.dll2.htm
IE: SmarThru4 Save as HTML - c:\program files\smarthru 4\WebCapture.dll1.htm
IE: SmarThru4 Save Selected Text - c:\program files\smarthru 4\WebCapture.dll.htm
IE: SmarThru4 Web Capture - c:\program files\smarthru 4\WebCapture.dll
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F46} - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - c:\program files\siber systems\ai roboform\RoboForm.dll
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F49} - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - c:\program files\siber systems\ai roboform\RoboForm.dll
IE: {724d43aa-0d85-11d4-9908-00400523e39a} - {724d43aa-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\RoboForm.dll
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://windowsupdate.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1324690850308
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1324691429277
TCP: DhcpNameServer = 192.168.7.254
TCP: Interfaces\{C14A2F37-81C3-4AF5-B033-2420EC8FB0F7} : DhcpNameServer = 192.168.7.254
AppInit_DLLs: NVDESK32.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows1\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
.
============= SERVICES / DRIVERS ===============
.
R0 mfehidk;McAfee Inc. mfehidk;c:\windows1\system32\drivers\mfehidk.sys [2011-10-15 464176]
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows1\system32\drivers\mfetdi2k.sys [2012-2-6 84200]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows1\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
R2 McMPFSvc;McAfee Personal Firewall Service;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2012-2-6 271480]
R2 McNaiAnn;McAfee VirusScan Announcer;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2012-2-6 271480]
R2 McProxy;McAfee Proxy Service;c:\program files\common files\mcafee\mcsvchost\McSvHost.exe [2012-2-6 271480]
R2 McShield;McShield;c:\program files\common files\mcafee\systemcore\mcshield.exe [2012-2-6 171168]
R2 mfefire;McAfee Firewall Core Service;c:\program files\common files\mcafee\systemcore\mfefire.exe [2012-2-6 188136]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows1\system32\mfevtps.exe [2012-2-6 150856]
R3 cfwids;McAfee Inc. cfwids;c:\windows1\system32\drivers\cfwids.sys [2012-2-6 56064]
R3 Linksys_adapter_H;Linksys Adapter Network Driver;c:\windows1\system32\drivers\AE1200xp.sys [2011-12-24 1034240]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows1\system32\drivers\mfeavfk.sys [2012-2-6 153280]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows1\system32\drivers\mfebopk.sys [2012-2-6 52320]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows1\system32\drivers\mfefirek.sys [2012-2-6 314088]
R3 mfendiskmp;mfendiskmp;c:\windows1\system32\drivers\mfendisk.sys [2012-2-6 88736]
S0 cerc6;cerc6; [x]
S2 SSPORT;SSPORT;\??\c:\windows1\system32\drivers\ssport.sys --> c:\windows1\system32\drivers\SSPORT.sys [?]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows1\system32\drivers\mfendisk.sys [2012-2-6 88736]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows1\system32\drivers\mferkdet.sys [2012-2-6 84488]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows1\system32\svchost.exe -k WINRM [2008-4-14 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows1\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
.
=============== Created Last 30 ================
.
2012-03-17 05:16:05 -------- dc----w- c:\program files\Microsoft
2012-03-17 05:15:28 -------- dc----w- c:\program files\Windows Live SkyDrive
2012-03-17 05:14:15 3426072 -c--a-w- c:\windows1\system32\d3dx9_32.dll
2012-03-17 05:13:47 -------- dc----w- c:\program files\Microsoft SQL Server Compact Edition
2012-03-17 05:10:49 74520 -c--a-w- c:\program files\common files\windows live\.cache\5128aeb81cd03fc\DSETUP.dll
2012-03-17 05:10:49 484632 -c--a-w- c:\program files\common files\windows live\.cache\5128aeb81cd03fc\DXSETUP.exe
2012-03-17 05:10:49 1670936 -c--a-w- c:\program files\common files\windows live\.cache\5128aeb81cd03fc\dsetup32.dll
2012-03-17 05:10:12 1013800 -c--a-w- c:\program files\common files\windows live\.cache\3b1fb2ec1cd03fc\WindowsXP-KB954708-x86-ENU.exe
2012-03-17 05:05:12 -------- dc----w- c:\program files\common files\Windows Live
2012-03-17 04:47:34 -------- dc----w- c:\windows1\pss
2012-03-17 04:33:35 -------- dc----w- c:\program files\Microsoft ATS
.
==================== Find3M ====================
.
2012-02-16 02:03:34 65304 -c--a-w- c:\windows1\apppatch\MATSShim.DLL
2012-02-03 09:22:18 1860096 -c--a-w- c:\windows1\system32\win32k.sys
2012-01-11 19:06:47 3072 -c----w- c:\windows1\system32\iacenc.dll
2012-01-09 23:33:11 414368 -c--a-w- c:\windows1\system32\FlashPlayerCPLApp.cpl
2012-01-09 16:20:25 139784 -c--a-w- c:\windows1\system32\drivers\rdpwd.sys
2011-12-24 04:27:24 58696 -c--a-w- c:\windows1\system32\AOLParconLink.exe
2003-11-10 17:59:44 231936 -c--a-w- c:\program files\yum.exe
.
============= FINISH: 1:49:55.07 ===============

Edited by dittohead2, 17 March 2012 - 10:41 AM.



#2 gringo_pr
  • Malware Response Team
  • 136,772 posts

Posted 17 March 2012 - 01:07 AM

Hello and Welcome to Bleeping Computer!!

My name is Gringo and I'll be glad to help you with your computer problems.

I have put together some things for you to keep in mind while I am helping you, to make things go easier and faster for both of us:

1. Do not run any other tool until instructed to do so!
Doing so will at best cause you unneeded worry as it finds our backups and may even list our tools, and at worst can cause conflicts with our tools and lead to unforeseen things happening.
2. Please do not attach logs or put them in code boxes.
Besides the time it takes me to open the reports, it makes it harder to find something if I need to go back to do more research, and putting them in code boxes just makes them so hard to read.
3. After each step give me a little feedback.
It does not need to be long, but just something so I know how things are going. It can be something like:
I am still getting redirected
The computer is running as it should
Don't put things like "it is the same as before" or "still the same"; this just makes me go back and look for your last feedback as to how things are.
4. Read every post completely before doing anything.
Pay special attention to the Notes** I have put in. These are things I have found that happen a lot and can be taken care of easily just by reading the Notes**.

Click on the Watch Topic button, select Immediate Notification and click on Proceed; this will help you to get notified faster when I have replied and make the cleaning process faster.


Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Backup The Computer!!

If you have not done it yet, spend a few minutes to back up the computer. Removing malware can be unpredictable and this may save you and me a lot of grief later.

There is some good info in the Preparation Guide on how to make full backups and how to restore it back if something goes wrong. Read the tutorial and print it out so you will know what to do in case the unforeseen happens.

When you have the computer backed up you may do the following.


Run Combofix:

You may be asked to install or update the Recovery Console (Win XP only); if this happens, please allow it to do so (you will need to be connected to the internet for this).

Before you run Combofix I will need you to turn off any security software you have running. If you do not know how to do this you can find out >here< or >here<.

Combofix may need to reboot your computer more than once to do its job; this is normal.

You can download Combofix from one of these links.
Link 1
Link 2
Link 3
1. Close any open browsers or any other programs that are open.
2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

Double-click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.

Note 1: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion," please restart the computer.

"information and logs"

  • In your next post I need the following
  • Log from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now?

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against malware, then click here to donate. Don't worry, every little bit helps.

Proud Graduate Of Malware Removal University

#3 dittohead2
  • Topic Starter
  • Members
  • 8 posts

Posted 17 March 2012 - 11:06 AM

I have attached the GMER log since the original post.

Where is the combofix output?

#4 gringo_pr
  • Malware Response Team
  • 136,772 posts

Posted 17 March 2012 - 12:55 PM

You need to run the program


gringo

#5 dittohead2
  • Topic Starter
  • Members
  • 8 posts

Posted 17 March 2012 - 10:25 PM

I did run the program. Where is the output? What am I missing?

#6 gringo_pr
  • Malware Response Team
  • 136,772 posts

Posted 18 March 2012 - 06:50 AM

Hello

I can't see what happens on your computer, so you need to be my eyes. When you ran the program, what happened? What did you see? Could you tell if the program ran, or did nothing happen?


Tell me something, anything.


  • Push the "Windows key" + "R" (between the "Ctrl" button and "Alt" button)
  • Please copy and paste the following into the box:
C:\ComboFix.txt
  • Click OK

copy and paste the report into this topic for me to review

Gringo

#7 dittohead2
  • Topic Starter
  • Members
  • 8 posts

Posted 19 March 2012 - 11:05 PM

ComboFix 12-03-16.05 - Jayme Berry 03/19/2012 0:38.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.265 [GMT -4:00]
Running from: c:\documents and settings\Jayme Berry\Desktop\ComboFix.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Jayme Berry\WINDOWS
C:\Images
c:\images\DirCfg.ini
c:\windows1\system32\Packet.dll
c:\windows1\system32\pthreadVC.dll
c:\windows1\system32\WanPacket.dll
c:\windows1\system32\wpcap.dll
.
c:\windows1\system32\drivers\usbehci.sys . . . is missing!!
.
.
((((((((((((((((((((((((( Files Created from 2012-02-19 to 2012-03-19 )))))))))))))))))))))))))))))))
.
.
2012-03-19 02:51 . 2012-03-19 02:51 -------- dc----w- c:\windows1\LastGood
2012-03-17 05:16 . 2012-03-17 05:16 -------- dc----w- c:\program files\Microsoft
2012-03-17 05:15 . 2012-03-17 05:15 -------- dc----w- c:\program files\Windows Live SkyDrive
2012-03-17 05:14 . 2012-03-17 05:16 -------- dc----w- c:\program files\Windows Live
2012-03-17 05:14 . 2006-11-29 17:06 3426072 -c--a-w- c:\windows1\system32\d3dx9_32.dll
2012-03-17 05:13 . 2012-03-17 05:13 -------- dc----w- c:\program files\Microsoft SQL Server Compact Edition
2012-03-17 05:05 . 2012-03-17 05:05 -------- dc----w- c:\program files\Common Files\Windows Live
2012-03-17 04:33 . 2012-03-17 04:33 -------- dc----w- c:\program files\Microsoft ATS
2012-03-17 04:30 . 2012-03-17 04:30 -------- dc----w- c:\documents and settings\Administrator.JAYME
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-03-17 15:56 . 2012-03-17 15:56 5636901 -c--a-w- C:\ComboFix.zip
2012-03-17 15:52 . 2012-03-17 15:52 6360601 -c--a-w- C:\32788R22FWJFW.zip
2012-02-16 02:03 . 2012-03-17 04:33 65304 -c--a-w- c:\windows1\apppatch\MATSShim.DLL
2012-02-03 09:22 . 2008-04-14 07:00 1860096 -c--a-w- c:\windows1\system32\win32k.sys
2012-01-11 19:06 . 2012-02-14 22:13 3072 -c----w- c:\windows1\system32\iacenc.dll
2012-01-09 23:33 . 2012-01-09 23:33 414368 -c--a-w- c:\windows1\system32\FlashPlayerCPLApp.cpl
2012-01-09 16:20 . 2011-12-23 18:27 139784 -c--a-w- c:\windows1\system32\drivers\rdpwd.sys
2011-12-24 04:27 . 2011-12-24 04:32 58696 -c--a-w- c:\windows1\system32\AOLParconLink.exe
2003-11-10 17:59 . 2005-07-10 14:11 231936 -c--a-w- c:\program files\yum.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvMediaCenter"="c:\windows1\system32\NVMCTRAY.DLL" [2003-07-28 49152]
"RoboForm"="c:\program files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2012-01-26 107000]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LTWinModem1]
ltmsg.exe 9 [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\1135n Scan2PC]
2011-01-21 23:30 1990144 -c--a-w- c:\windows1\twain_32\Dell\DELL1135\Scan2Pc.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 07:00 15360 -c--a-w- c:\windows1\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell PanelMgr]
2010-03-23 06:45 632128 -c--a-w- c:\windows1\Dell\PanelMgr\SSMMgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
2010-03-08 07:27 41800 -c--a-w- c:\program files\Common Files\AOL\1324700994\ee\aolsoftware.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2003-07-28 20:19 4841472 -c--a-w- c:\windows1\system32\nvcpl.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
2003-07-28 20:19 323584 -c--a-w- c:\windows1\system32\nwiz.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
"c:\\Program Files\\Common Files\\AOL\\1324700994\\ee\\aolsoftware.exe"=
"c:\\Program Files\\AOL Desktop 9.7\\waol.exe"=
"c:\\Program Files\\Common Files\\AOL\\TopSpeed\\3.0\\aoltpsd3.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
"c:\\Program Files\\AOL Desktop 9.7\\AOLBrowser\\aolbrowser.exe"=
"c:\\WINDOWS1\\twain_32\\Dell\\DELL1135\\Scan2Pc.exe"=
"c:\\WINDOWS1\\twain_32\\Dell\\DELL1135\\Sscan2io.exe"=
"c:\\WINDOWS1\\twain_32\\Dell\\ScanMgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management
.
R0 cerc6;cerc6; [x]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows1\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 SSPORT;SSPORT;c:\windows1\system32\Drivers\SSPORT.sys [x]
R3 WinRM;Windows Remote Management (WS-Management);c:\windows1\system32\svchost.exe [2008-04-14 14336]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows1\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
S3 Linksys_adapter_H;Linksys Adapter Network Driver;c:\windows1\system32\DRIVERS\AE1200xp.sys [2011-03-29 1034240]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WINRM REG_MULTI_SZ WINRM
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.pbskids.org/
uInternet Connection Wizard,ShellNext = iexplore
IE: Customize Menu - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
IE: Fill Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
IE: Save Forms - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
IE: Show RoboForm Toolbar - file://c:\program files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
IE: SmarThru4 Capture Selection - c:\program files\SmarThru 4\WebCapture.dll2.htm
IE: SmarThru4 Save as HTML - c:\program files\SmarThru 4\WebCapture.dll1.htm
IE: SmarThru4 Save Selected Text - c:\program files\SmarThru 4\WebCapture.dll.htm
IE: SmarThru4 Web Capture - c:\program files\SmarThru 4\WebCapture.dll
TCP: DhcpNameServer = 192.168.7.254
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-03-19 00:56
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Completion time: 2012-03-19 01:01:34
ComboFix-quarantined-files.txt 2012-03-19 05:01
.
Pre-Run: 9,504,210,944 bytes free
Post-Run: 9,513,185,280 bytes free
.
- - End Of File - - 644C9BFA6910241E53D2B06E4850DEE0
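A responder reading a ComboFix report like the one above usually wants the same handful of things pulled out of the "Reg Loading Points" section: the Run-key autoruns, the Security Center override values (here AntiVirusOverride is set to 1), the firewall's authorized-application and globally-open-port exceptions, and any service whose binary is reported missing with "[x]". The script below is an added example and is not part of the post above or of ComboFix itself. The log it parses is a constructed excerpt in the same layout as the report above, and the section names and line patterns it matches are assumptions taken from that layout rather than a documented ComboFix format.

```python
import re
from typing import Dict, List

# Constructed excerpt in the layout of ComboFix's "Reg Loading Points" section.
# It mirrors the kinds of entries in the report above; it is sample input, not the full log.
SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvMediaCenter"="c:\windows1\system32\NVMCTRAY.DLL" [2003-07-28 49152]
"RoboForm"="c:\program files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2012-01-26 107000]
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AOL Desktop 9.7\\waol.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management
.
R0 cerc6;cerc6; [x]
R2 SSPORT;SSPORT;c:\windows1\system32\Drivers\SSPORT.sys [x]
R3 WinRM;Windows Remote Management (WS-Management);c:\windows1\system32\svchost.exe [2008-04-14 14336]
.
"""

# Line patterns are assumptions fitted to the layout above (ComboFix does not publish a grammar).
SECTION_RE = re.compile(r"^\[(?P<key>.+)\]$")
RUN_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)"(?:\s+\[(?P<date>\d{4}-\d{2}-\d{2}) (?P<size>\d+)\])?$')
DWORD_RE = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<value>[0-9a-fA-F]{8})$')
FW_APP_RE = re.compile(r'^"(?P<path>[^"]+)"=$')
FW_PORT_RE = re.compile(
    r'^"(?P<port>\d+):(?P<proto>TCP|UDP)"=\s*\d+:(?:TCP|UDP):(?P<scope>[^:]*):'
    r'(?P<state>Enabled|Disabled):(?P<name>.*)$')
# Service lines: "<start type> <name>;<display name>;<path> [<date size> | x]"; "[x]" marks a missing binary.
SERVICE_RE = re.compile(r'^(?P<start>[RS]\d) (?P<name>[^;]+);(?P<display>[^;]*);(?P<path>.*?)\s*\[(?P<tag>[^\]]*)\]$')


def parse_combofix(text: str) -> Dict[str, List[dict]]:
    """Walk the report line by line, tracking the current registry key, and collect triage data."""
    findings: Dict[str, List[dict]] = {
        "autoruns": [], "av_override": [], "firewall_allowed": [], "open_ports": [], "services_missing_file": [],
    }
    section = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        if m := SECTION_RE.match(line):
            section = m["key"].lower()
            continue
        if section.endswith("\\currentversion\\run"):
            if m := RUN_RE.match(line):
                hive = "HKCU" if section.startswith("hkey_current_user") else "HKLM"
                findings["autoruns"].append({"hive": hive, **m.groupdict()})
        elif section.endswith("\\security center"):
            # Any non-zero *Override value tells Security Center to stop monitoring that component.
            if (m := DWORD_RE.match(line)) and m["name"].lower().endswith("override") and int(m["value"], 16):
                findings["av_override"].append({"name": m["name"], "value": int(m["value"], 16)})
        elif section.endswith("\\authorizedapplications\\list"):
            if m := FW_APP_RE.match(line):
                # ComboFix escapes backslashes in this section; collapse them to real paths.
                findings["firewall_allowed"].append({"path": m["path"].replace("\\\\", "\\")})
        elif section.endswith("\\globallyopenports\\list"):
            if m := FW_PORT_RE.match(line):
                findings["open_ports"].append(m.groupdict())
        if (m := SERVICE_RE.match(line)) and m["tag"] == "x":
            findings["services_missing_file"].append({"start": m["start"], "name": m["name"], "path": m["path"]})
    return findings


def triage(findings: Dict[str, List[dict]]) -> List[str]:
    """Turn the parsed findings into the one-line observations a responder would act on."""
    notes = []
    for entry in findings["av_override"]:
        # AntiVirusOverride=1 silences the Security Center warning that no working antivirus is present.
        notes.append(f"Security Center {entry['name']} is set to {entry['value']}: AV status warnings are suppressed")
    for port in findings["open_ports"]:
        notes.append(f"firewall port exception {port['port']}/{port['proto']} ({port['name']}), "
                     f"scope {port['scope']}, {port['state']}")
    for svc in findings["services_missing_file"]:
        notes.append(f"service {svc['name']} ({svc['start']}) references a missing file: {svc['path'] or '<no path>'}")
    for run in findings["autoruns"]:
        notes.append(f"{run['hive']} Run entry {run['name']} -> {run['path']}")
    return notes


if __name__ == "__main__":
    for note in triage(parse_combofix(SAMPLE_LOG)):
        print(note)
```

Run it against a saved C:\ComboFix.txt by reading the file into `parse_combofix`; the section matching is case-insensitive because ComboFix mixes the hive spelling ("HKEY_LOCAL_MACHINE" in one header, "hkey_local_machine" in another), as the report above shows.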

#8 gringo_pr
  • Malware Response Team
  • 136,772 posts

Posted 19 March 2012 - 11:17 PM

Greetings

I want you to run these next,


I want you to reset the DMA. You can do this with this script here: Reset DMA

If you have problems when you click on the link, try to right-click on the link and select "Save Target As", and then save it to your desktop.
Once it is on your desktop, right-click on the file and select "Run".

If you still can't run it, then you can go here, "Reset DMA", to see what I want to do.



TDSSKiller:

Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • Double-click on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure; click on Continue.
  • If a suspicious file is detected, the default action will be Skip; click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory (usually the C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Please download aswMBR to your desktop.
  • Double-click the aswMBR.exe icon to run it.
  • It will ask to download extra definitions; ALLOW IT.
  • Click the Scan button to start the scan.
  • On completion of the scan, click the Save log button, save it to your desktop and post it in your next reply.

If you have any problems running either one, come back and let me know.

Please reply with the reports from TDSSKiller and aswMBR.

#9 dittohead2
  • Topic Starter
  • Members
  • 8 posts

Posted 20 March 2012 - 09:11 AM

aswMBR version 0.9.9.1665 Copyright© 2011 AVAST Software
Run date: 2012-03-20 08:50:56
-----------------------------
08:50:56.781 OS Version: Windows 5.1.2600 Service Pack 3
08:50:56.781 Number of processors: 1 586 0x102
08:50:56.781 ComputerName: JAYME UserName:
08:50:58.390 Initialize success
08:53:38.968 AVAST engine defs: 12031700
08:53:45.406 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
08:53:45.406 Disk 0 Vendor: ST340016A 3.10 Size: 38166MB BusType: 3
08:53:45.468 Disk 0 MBR read successfully
08:53:45.484 Disk 0 MBR scan
08:53:45.578 Disk 0 Windows XP default MBR code
08:53:45.593 Disk 0 Partition 1 00 DE Dell Utility Dell 4.1 31 MB offset 63
08:53:45.687 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 38130 MB offset 64260
08:53:45.734 Disk 0 scanning sectors +78156225
08:53:46.140 Disk 0 scanning C:\WINDOWS1\system32\drivers
08:54:17.078 Service scanning
08:54:54.562 Modules scanning
08:55:20.531 Disk 0 trace - called modules:
08:55:20.546 ntoskrnl.exe CLASSPNP.SYS disk.sys atapi.sys hal.dll intelide.sys
08:55:21.078 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x823d1ab8]
08:55:21.078 3 CLASSPNP.SYS[f8576fd7] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x823e6030]
08:55:22.750 AVAST engine scan C:\WINDOWS1
08:55:33.812 AVAST engine scan C:\WINDOWS1\system32
09:04:29.062 AVAST engine scan C:\WINDOWS1\system32\drivers
09:04:58.375 AVAST engine scan C:\Documents and Settings\Jayme Berry
09:07:41.968 AVAST engine scan C:\Documents and Settings\All Users.WINDOWS1
09:09:02.671 Scan finished successfully
10:09:49.390 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\Jayme Berry\Desktop\MBR.dat"
10:09:49.906 The log file has been saved successfully to "C:\Documents and Settings\Jayme Berry\Desktop\aswMBR.txt"
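The aswMBR log above carries more structure than it first appears to. It reports that the boot sector holds stock loader code ("Windows XP default MBR code"), lists the two partition entries with their sizes rounded down to whole MB, and then prints "scanning sectors +78156225". That offset is the first sector after the last partition: the TDSSKiller log posted later in this thread gives exact figures for the same partition (StartLBA 0xFB04 = 64260, BlocksNum 0x4A796BD = 78091965 sectors), and 64260 + 78091965 = 78156225. The trailing unpartitioned space is a favourite hiding place for MBR bootkits, which is why the tool scans it separately. The script below is an added example, not part of the post above, of aswMBR, or of TDSSKiller: it parses constructed lines in both tools' layouts (values modelled on the logs in this thread), checks that the partition table is internally consistent, and confirms the scan offset against the exact TDSSKiller sector counts. The regexes are assumptions fitted to the log lines as shown.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

SECTOR = 512
SECTORS_PER_MB = (1024 * 1024) // SECTOR  # 2048

# Constructed sample lines in the aswMBR layout; values are modelled on the log above.
ASWMBR_SAMPLE = """
08:53:45.406 Disk 0 Vendor: ST340016A 3.10 Size: 38166MB BusType: 3
08:53:45.578 Disk 0 Windows XP default MBR code
08:53:45.593 Disk 0 Partition 1 00 DE Dell Utility Dell 4.1 31 MB offset 63
08:53:45.687 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 38130 MB offset 64260
08:53:45.734 Disk 0 scanning sectors +78156225
"""

# Constructed sample line in the TDSSKiller layout, which reports exact sector counts in hex.
TDSS_SAMPLE = r"08:49:17.0859 0968 \Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0xFB04, BlocksNum 0x4A796BD"

# Patterns are assumptions fitted to the lines above, not a documented format of either tool.
SIZE_RE = re.compile(r"Disk \d+ Vendor: .*? Size: (?P<mb>\d+)MB")
MBR_RE = re.compile(r"Disk \d+ (?P<verdict>\S.*MBR code)$")
PART_RE = re.compile(
    r"Disk \d+ Partition (?P<idx>\d+) (?P<boot>[0-9A-F]{2})(?: \(A\))? (?P<type>[0-9A-F]{2}) "
    r"(?P<desc>.*?) (?P<mb>\d+) MB offset (?P<offset>\d+)$"
)
SCAN_RE = re.compile(r"Disk \d+ scanning sectors \+(?P<lba>\d+)")
TDSS_RE = re.compile(
    r"Partition(?P<idx>\d+): MBR, Type 0x(?P<type>[0-9A-Fa-f]+), "
    r"StartLBA 0x(?P<start>[0-9A-Fa-f]+), BlocksNum 0x(?P<blocks>[0-9A-Fa-f]+)"
)


@dataclass
class Partition:
    index: int
    bootable: bool      # MBR boot indicator 0x80
    type_id: int        # MBR partition type byte (0x07 = NTFS, 0xDE = Dell utility)
    size_mb: int        # aswMBR rounds down to whole MB
    start_lba: int

    @property
    def min_end_lba(self) -> int:
        """Lowest possible end sector given the rounded size; the true end is less than one MB above."""
        return self.start_lba + self.size_mb * SECTORS_PER_MB


@dataclass
class DiskLayout:
    size_mb: int = 0
    mbr_verdict: str = ""
    partitions: List[Partition] = field(default_factory=list)
    scan_lba: Optional[int] = None


def parse_aswmbr(text: str) -> DiskLayout:
    """Pull disk size, MBR verdict, partition table and trailing-scan offset out of aswMBR output."""
    layout = DiskLayout()
    for line in text.splitlines():
        if m := SIZE_RE.search(line):
            layout.size_mb = int(m["mb"])
        elif m := PART_RE.search(line):
            layout.partitions.append(Partition(
                index=int(m["idx"]),
                bootable=int(m["boot"], 16) == 0x80,
                type_id=int(m["type"], 16),
                size_mb=int(m["mb"]),
                start_lba=int(m["offset"]),
            ))
        elif m := SCAN_RE.search(line):
            layout.scan_lba = int(m["lba"])
        elif m := MBR_RE.search(line):
            layout.mbr_verdict = m["verdict"]
    layout.partitions.sort(key=lambda p: p.start_lba)
    return layout


def check_layout(layout: DiskLayout) -> List[str]:
    """Return human-readable problems; an empty list means the table is internally consistent."""
    problems = []
    if "default MBR code" not in layout.mbr_verdict:
        problems.append(f"MBR code is not a stock loader: {layout.mbr_verdict!r}")
    if sum(p.bootable for p in layout.partitions) != 1:
        problems.append("expected exactly one active (0x80) partition")
    for prev, nxt in zip(layout.partitions, layout.partitions[1:]):
        if nxt.start_lba < prev.min_end_lba:
            problems.append(f"partition {nxt.index} starts inside partition {prev.index}")
    if layout.partitions and layout.scan_lba is not None:
        last = layout.partitions[-1]
        # The "scanning sectors +N" offset should be the first sector after the last partition.
        if not (last.min_end_lba <= layout.scan_lba < last.min_end_lba + SECTORS_PER_MB):
            problems.append(f"trailing scan offset {layout.scan_lba} does not sit at the end of partition {last.index}")
        if layout.scan_lba > (layout.size_mb + 1) * SECTORS_PER_MB:
            problems.append("scan offset lies beyond the reported disk size")
    return problems


def exact_end_from_tdss(layout: DiskLayout, tdss_line: str) -> Optional[int]:
    """Cross-check an aswMBR partition against TDSSKiller's hex StartLBA/BlocksNum for the same partition.

    Returns the exact end sector, or None if the TDSSKiller line matches no aswMBR partition.
    """
    m = TDSS_RE.search(tdss_line)
    if not m:
        return None
    start, blocks = int(m["start"], 16), int(m["blocks"], 16)
    for p in layout.partitions:
        if p.start_lba == start and p.type_id == int(m["type"], 16):
            # Sizes must agree once TDSSKiller's exact count is rounded down to whole MB.
            if blocks // SECTORS_PER_MB != p.size_mb:
                return None
            return start + blocks
    return None


if __name__ == "__main__":
    layout = parse_aswmbr(ASWMBR_SAMPLE)
    print("problems:", check_layout(layout) or "none")
    end = exact_end_from_tdss(layout, TDSS_SAMPLE)
    print("exact end of last partition:", end, "matches scan offset:", end == layout.scan_lba)
```

The one-MB tolerance in `check_layout` exists because aswMBR prints sizes rounded down; an offset that lands well before the end of the last partition, or past the reported disk size, is worth a second look before trusting the "Scan finished successfully" line.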

#10 gringo_pr
  • Malware Response Team
  • 136,772 posts

Posted 20 March 2012 - 01:06 PM

did you run the other two tools?


gringo

#11 dittohead2
  • Topic Starter
  • Members
  • 8 posts

Posted 20 March 2012 - 03:48 PM

08:49:13.0234 0968 TDSS rootkit removing tool 2.7.20.0 Mar 9 2012 17:10:43
08:49:14.0000 0968 ============================================================
08:49:14.0000 0968 Current date / time: 2012/03/20 08:49:14.0000
08:49:14.0000 0968 SystemInfo:
08:49:14.0000 0968
08:49:14.0000 0968 OS Version: 5.1.2600 ServicePack: 3.0
08:49:14.0000 0968 Product type: Workstation
08:49:14.0000 0968 ComputerName: JAYME
08:49:14.0000 0968 UserName: Jayme Berry
08:49:14.0000 0968 Windows directory: C:\WINDOWS1
08:49:14.0000 0968 System windows directory: C:\WINDOWS1
08:49:14.0000 0968 Processor architecture: Intel x86
08:49:14.0000 0968 Number of processors: 1
08:49:14.0000 0968 Page size: 0x1000
08:49:14.0000 0968 Boot type: Normal boot
08:49:14.0000 0968 ============================================================
08:49:17.0843 0968 Drive \Device\Harddisk0\DR0 - Size: 0x9516AE000 (37.27 Gb), SectorSize: 0x200, Cylinders: 0x1301, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000054
08:49:17.0859 0968 \Device\Harddisk0\DR0:
08:49:17.0859 0968 MBR used
08:49:17.0859 0968 \Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0xFB04, BlocksNum 0x4A796BD
08:49:18.0093 0968 Initialize success
08:49:18.0093 0968 ============================================================
08:49:21.0015 3060 ============================================================
08:49:21.0015 3060 Scan started
08:49:21.0015 3060 Mode: Manual;
08:49:21.0015 3060 ============================================================
08:49:22.0031 3060 Abiosdsk - ok
08:49:22.0281 3060 abp480n5 - ok
08:50:18.0546 3060 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
08:50:18.0859 3060 \Device\Harddisk0\DR0 - ok
08:50:18.0890 3060 Boot (0x1200) (6911688b4901d40450ce6e2b63e18cf3) \Device\Harddisk0\DR0\Partition0
08:50:18.0890 3060 \Device\Harddisk0\DR0\Partition0 - ok
08:50:18.0906 3060 ============================================================
08:50:18.0906 3060 Scan finished
08:50:18.0906 3060 ============================================================
08:50:18.0937 2872 Detected object count: 0
08:50:18.0937 2872 Actual detected object count: 0
08:50:23.0718 2524 Deinitialize success

#12 gringo_pr

gringo_pr (Bleepin Gringo)

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 20 March 2012 - 10:33 PM

Hello

I want you to reset the DMA. You can do this with this script here - Reset DMA

If you have problems when you click on the link, try to right click on the link and select "Save Target As" and then save it to your desktop.
Once it is on your desktop, right click on the file and select "Run".

If you still can't run it, then you can go here "Reset DMA" to see what I want to do.


SystemLook:

Please download SystemLook from one of the links below and save it to your Desktop.

Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
:filefind
usbehci.sys
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

Gringo
I Close My Topics If You Have Not Replied In 5 Days If You Will Be Longer Please Let Me Know

If I Have Not Replied To One Of My Topics In 48 Hrs Please Bump The Topic



My help is free, however, if you wish to make a small donation to show your appreciation or to help me continue the fight against Malware, then click here -->btn_donate_SM.gif<-- Don't worry every little bit helps.

Proud Graduate Of Malware Removal University

#13 dittohead2

dittohead2 (Topic Starter)

  • Members
  • 8 posts

Posted 21 March 2012 - 09:54 PM

SystemLook 30.07.11 by jpshortstuff
Log created at 22:45 on 21/03/2012 by Jayme Berry
Administrator - Elevation successful

========== filefind ==========

Searching for "usbehci.sys"
No files found.

-= EOF =-

#14 gringo_pr

gringo_pr (Bleepin Gringo)

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 21 March 2012 - 10:02 PM

Greetings

At this time I would like you to run this script for me and it is a good time to check out the computer to see if there is anything else that needs to be addressed.

:Run CFScript:

Open Notepad and copy/paste the text in the box into the window:

ClearJavaCache::

Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion." please restart the computer.

"information and logs"

  • In your next post I need the following

  • report from Combofix
  • let me know of any problems you may have had
  • How is the computer doing now after running the script?

Gringo

#15 gringo_pr

gringo_pr (Bleepin Gringo)

  • Malware Response Team
  • 136,772 posts
  • Gender:Male
  • Location:Puerto rico

Posted 23 March 2012 - 11:40 PM

Hello


Just checking in on you as it has been a couple of days since I have heard from you.

Are you having any troubles or just need more time?

Gringo