Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Internet problems, previous rootkit and Trojan issues


  • This topic is locked This topic is locked
47 replies to this topic

#1 Mar C

Mar C

  • Members
  • 55 posts
  • OFFLINE
  •  
  • Local time:04:24 AM

Posted 19 July 2012 - 06:27 PM

Hello, as per instructions from my previous thread, I'm making this new one with my computer problems.

Before, I had rootkit problems that somewhat expanded and became rootkit plus Trojan problems. However, MalwareBytes and SuperAntiSpyware seemed to have removed most of the problems (icons not remaining in place on desktop, unable to open/run Opera, My Documents + Computer settings not saving, weird background noises when nothing is running/open, etc). While all of those problems were resolved, I recently had one issue that came up, and just last night caught on to another potential problem.

For at least a couple of weeks now, my computer has been unable to connect to the internet. I thought the problem was with Comcast or the modem itself (the light would only flash orange) and they took me through some steps, but that resolved nothing. After a while, I tried to connect with the PS3, which didn't work either initially, but it did a couple of days after.

Just last night, I tried to use a CD, but my computer did not at all acknowledge that I was putting in a CD at all. As I looked into it, I realize it said the driver was probably corrupted or damaged, and apparently my only option was to reinstall.


I followed the instructions from the guide linked from the old thread, and while both DDS and Gmer scanned my computer, there were a couple of small problems with Gmer. When I first open it, the following message appears :

LoadDriver( "C:DOCUME~1\Martina\LOCALS~1\Temp\axrdikog.sys" ) error 0xC000010E: Cannot create a stable subkey under a volatile parent key.



When I do get to Gmer's main screen, all options were greyed out as well, except for: ADS, Services, Registry, Files (and C:\ is already checked).

Here are the logs and attachment.


DDS Log :

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 7.0.5730.13
Run by Martina at 14:18:11 on 2012-07-19
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.894.267 [GMT -7:00]
.
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Linksys\Linksys Updater\bin\LinksysUpdater.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\Tablet.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\java.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\WINDOWS\system32\Tablet.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
svchost.exe
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\WINDOWS\system32\wuauclt.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = <local>
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File
TB: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
uExplorerRun: [Somoto Toolbar] c:\documents and settings\martina\application data\4C0F89.exe
IE: Open with WordPerfect
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
LSP: mswsock.dll
Trusted Zone: keepvid.com
DPF: {00000055-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/A/7/D/A7D1EBE3-8E78-4CBE-B22B-EEECF9E3A1BC/fhg.CAB
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {459E93B6-150E-45D5-8D4B-45C66FC035FE} - hxxp://apps.corel.com/nos_dl_manager_dev/plugin/IEGetPlugin.ocx
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 75.75.75.75 75.75.76.76
TCP: Interfaces\{8E18C219-4C22-40B0-A73D-94A8B2B1A74D} : DhcpNameServer = 75.75.75.75 75.75.76.76
Handler: pure-go - {4746C79A-2042-4332-8650-48966E44ABA8} - c:\program files\common files\pure networks shared\platform\puresp4.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\martina\application data\mozilla\firefox\profiles\yrgob70c.default\
FF - plugin: c:\program files\adobe\reader 9.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_2_202_235.dll
.
============= SERVICES / DRIVERS ===============
.
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2011-7-22 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2011-7-12 67664]
R2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCore.exe [2011-8-11 116608]
R2 LinksysUpdater;Linksys Updater;c:\program files\linksys\linksys updater\bin\LinksysUpdater.exe [2008-11-13 204800]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2010-2-17 654408]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-11-9 24652]
R3 appliandMP;appliandMP;c:\windows\system32\drivers\appliand.sys [2010-6-24 28256]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2010-2-17 22344]
S2 Ias;Windows NetBIOS Helper;c:\windows\system32\svchost.exe -k netsvcs [2006-2-28 14336]
S3 appliand;Applian Network Service;c:\windows\system32\drivers\appliand.sys [2010-6-24 28256]
S3 mbamchameleon;mbamchameleon;c:\windows\system32\drivers\mbamchameleon.sys [2012-6-4 32072]
S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\mozilla maintenance service\maintenanceservice.exe [2012-6-14 113120]
S3 NPF;WinPcap Packet Driver (NPF);c:\windows\system32\drivers\npf.sys [2012-6-18 50704]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\gamemon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 pnetmdm;PdaNet Modem;c:\windows\system32\drivers\pnetmdm.sys [2012-6-2 9472]
S3 USB200M;Linksys USB 2.0 Network Adapter ver.2;c:\windows\system32\drivers\USB200M2.sys [2008-11-1 18048]
S3 XDva225;XDva225;\??\c:\windows\system32\xdva225.sys --> c:\windows\system32\XDva225.sys [?]
.
=============== Created Last 30 ================
.
2012-07-11 16:53:46 -------- d-----w- C:\TDSSKiller_Quarantine
2012-07-09 17:00:45 -------- d-----w- c:\documents and settings\martina\application data\dBpoweramp
2012-06-26 17:32:22 -------- d-----w- c:\documents and settings\martina\application data\AccurateRip
2012-06-26 17:32:18 522928 ----a-w- c:\windows\system32\SpoonUninstall.exe
.
==================== Find3M ====================
.
2012-07-02 11:37:59 32072 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
2012-06-19 17:52:57 294924 ----a-w- c:\windows\system32\shimg.dll
2012-06-18 09:00:21 50704 ----a-w- c:\windows\system32\drivers\npf.sys
2012-06-18 09:00:21 281104 ----a-w- c:\windows\system32\wpcap.dll
2012-06-18 09:00:21 100880 ----a-w- c:\windows\system32\Packet.dll
2012-06-12 03:27:01 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-06-12 03:27:01 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-06-03 05:42:47 102400 ----a-w- c:\windows\RegBootClean.exe
2012-06-02 22:19:44 22040 ----a-w- c:\windows\system32\wucltui.dll.mui
2012-06-02 22:19:38 219160 ----a-w- c:\windows\system32\wuaucpl.cpl
2012-06-02 22:19:38 15384 ----a-w- c:\windows\system32\wuaucpl.cpl.mui
2012-06-02 22:19:34 15384 ----a-w- c:\windows\system32\wuapi.dll.mui
2012-06-02 22:19:30 17944 ----a-w- c:\windows\system32\wuaueng.dll.mui
2012-06-02 22:18:58 275696 ----a-w- c:\windows\system32\mucltui.dll
2012-06-02 22:18:58 214256 ----a-w- c:\windows\system32\muweb.dll
2012-06-02 22:18:58 17136 ----a-w- c:\windows\system32\mucltui.dll.mui
2012-05-31 13:22:09 599040 ----a-w- c:\windows\system32\crypt32.dll
2012-05-15 15:39:54 832512 ----a-w- c:\windows\system32\wininet.dll
2012-05-15 13:20:33 1863168 ----a-w- c:\windows\system32\win32k.sys
2012-05-02 13:46:36 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2012-04-23 14:46:47 78336 ----a-w- c:\windows\system32\ieencode.dll
2012-04-23 14:46:47 1830912 ----a-w- c:\windows\system32\inetcpl.cpl
2012-04-23 14:46:47 17408 ----a-w- c:\windows\system32\corpol.dll
.
============= FINISH: 14:24:29.64 ===============



Gmer Log :

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-07-19 15:23:43
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\Martina\LOCALS~1\Temp\axrdikog.sys


---- Files - GMER 1.0.15 ----

File C:\WINDOWS\$NtUninstallKB3559$\3043211396 0 bytes
File C:\WINDOWS\$NtUninstallKB3559$\3043211396\L 0 bytes
File C:\WINDOWS\$NtUninstallKB3559$\3043211396\U 0 bytes
File C:\WINDOWS\$NtUninstallKB3559$\4073780934 0 bytes

---- EOF - GMER 1.0.15 ----

BC AdBot (Login to Remove)

 


#2 HelpBot

HelpBot

    Bleepin' Binary Bot


  • Bots
  • 12,740 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:08:24 AM

Posted 24 July 2012 - 06:30 PM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:

***************************************************

Posted Image In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/461498 <<< CLICK THIS LINK



If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.

***************************************************

Posted Image If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new DDS and GMER log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.

***************************************************

We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


We also need a new log from the GMER anti-rootkit Scanner.

Please note that if you are running a 64-bit version of Windows, you should not bother creating a GMER log.

Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice


Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#3 HelpBot

HelpBot

    Bleepin' Binary Bot


  • Bots
  • 12,740 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:08:24 AM

Posted 29 July 2012 - 06:35 PM

Hello again!

I haven't heard from you in 5 days. Therefore, I am going to assume that you no longer need our help, and close this topic.

If you do still need help, please send a Private Message to any Moderator within the next five days. Be sure to include a link to your topic in your Private Message.

Thank you for using Bleeping Computer, and have a great day!

#4 Budapest

Budapest

    Bleepin' Cynic


  • Moderator
  • 23,579 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:10:24 PM

Posted 30 July 2012 - 03:20 AM

This topic has been re-opened at the request of the person who originally posted.
The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw

#5 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 37,721 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:California
  • Local time:05:24 AM

Posted 31 July 2012 - 01:01 PM

Greetings Mar C and :welcome: to BleepingComputer's Virus/Trojan/Spyware/Malware Removal forum.

My name is Oh My! and I am here to help you!

Thank you for your admirable patience! Things are quite busy these days but now we will be working on your computer together.


===================================================


Ground Rules:

  • First, I would like to inform you that most of us here at Bleeping Computer offer our expert assistance out of the goodness of our hearts. Please try to match our commitment to you with your patience toward us. If this was easy we would never have met. :)
  • Please do not run any tools or take any steps other than those I will provide for you while we work on your computer together. I need to be certain about the state of your computer in order to provide appropriate and effective steps for you to take. Most often "well intentioned" (and usually panic driven!) independent efforts can make things much worse for both of us. If at any point you would prefer to take your own steps please let me know, I will not be offended. I would be happy to focus on the many others who are waiting in line for assistance.
  • Please perform all steps in the order they are listed in each set of instructions. Some steps are a bit complicated. If things are not clear, be sure to stop and let me know. We need to work on this together with confidence.
  • Please copy and paste all logs into your post unless directed otherwise. Please do not re-run any programs I suggest. If you encounter problems simply stop and tell me about it.
  • When you post your reply, do not use the Posted Image button but use the Posted Image button instead.
  • In the upper right hand corner of the topic you will see the Posted Image button. Click on this then choose Immediate E-Mail notification and then Proceed and you will be sent an email once I have posted a response.
  • If you do not reply to your topic after 5 days we assume it has been abandoned and I will close it.
  • When your computer is clean I will alert you of such. I will also provide for you detailed information about how you can combat future infections.
  • I would like to remind you to make no further changes to your computer unless I direct you to do so.

===================================================


Helping me Help You

Now that I am assisting you, you can expect that I will be very responsive to your situation. If you are able, I would request you check this thread at least once per day so that we can try to resolve your issues effectively and efficiently. If you are going to be delayed please be considerate and post that information so that I know you are still with me. Unfortunately, there are many people waiting to be assisted and not enough of us at BleepingComputer to go around. I appreciate your understanding and diligence.


===================================================


Additional Information

  • If you have since resolved the original problem you were having, I would appreciate you letting me know.
  • If you are unable to create a log because your computer cannot start up successfully please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and I will guide you.
    • Explain as best you can what happens with your computer, i.e. it beeps three times, the the black screen starts then goes blank, etc
  • Please tell me if you have your original Windows CD/DVD available.
  • If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • Upon completing the steps below I will review your topic an do my best to resolve your issues.
  • If you have already posted a DDS log, please do so again, as your situation may have changed.

===================================================


Create DDS.txt and Attach.txt

I need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from one of the following links if you no longer have it available. Save it to your desktop.

    DDS.scr
    DDS.pif

  • Double click on the Posted Image icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Please copy and paste the contents of both results in your post.
  • Close the program window, and delete the program from your desktop.
You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control HERE


===================================================


Create GMER log

I also need a new log from the GMER anti-rootkit Scanner.

Please note that if you are running a 64-bit version of Windows you will not be able to run GMER and you may skip this step.

Please first disable any CD emulation programs using the steps found in this topic:

Why we request you disable CD Emulation when receiving Malware Removal Advice

Then create another GMER log and post it as an attachment to the reply where you post your new DDS log. Instructions on how to properly create a GMER log can be found here:

How to create a GMER log


===================================================


Things I would like to see in your next reply. Please be sure to copy and paste the information rather than send an attachment. :thumbsup2:

  • DDS.txt
  • Attach.txt
  • GMER log

Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#6 Mar C

Mar C
  • Topic Starter

  • Members
  • 55 posts
  • OFFLINE
  •  
  • Local time:04:24 AM

Posted 31 July 2012 - 06:24 PM

Hello. Thank you to Budapest for re-opening the topic, and thank you, Oh My, for helping me.

I do have the Windows CD still, and just in case, I'll re-iterate/paraphrase my problem again. :')


Currently, I am unable to connect to the internet, and my CD Rom driver does not register when a CD is inserted at all (whether it's blank, written, any CD type).

I have both logs, however, I still get the same message as from above when I try to use Gmer. And while I definitely can check in on this topic every day, I probably will not be able to post often (especially logs). Since I use my PS3 right now to connect, access is very limited.

I'll go ahead and post the logs now~.



DDS Log :

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 7.0.5730.13
Run by Martina at 13:53:59 on 2012-07-31
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.894.313 [GMT -7:00]
.
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Linksys\Linksys Updater\bin\LinksysUpdater.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\Tablet.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\java.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\WINDOWS\system32\Tablet.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\wuauclt.exe
svchost.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = <local>
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File
TB: {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
uExplorerRun: [Somoto Toolbar] c:\documents and settings\martina\application data\4C0F89.exe
IE: Open with WordPerfect
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
LSP: mswsock.dll
Trusted Zone: keepvid.com
DPF: {00000055-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/A/7/D/A7D1EBE3-8E78-4CBE-B22B-EEECF9E3A1BC/fhg.CAB
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {459E93B6-150E-45D5-8D4B-45C66FC035FE} - hxxp://apps.corel.com/nos_dl_manager_dev/plugin/IEGetPlugin.ocx
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://download.divx.com/player/DivXBrowserPlugin.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_29-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 75.75.75.75 75.75.76.76
TCP: Interfaces\{8E18C219-4C22-40B0-A73D-94A8B2B1A74D} : DhcpNameServer = 75.75.75.75 75.75.76.76
Handler: pure-go - {4746C79A-2042-4332-8650-48966E44ABA8} - c:\program files\common files\pure networks shared\platform\puresp4.dll
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\martina\application data\mozilla\firefox\profiles\yrgob70c.default\
FF - plugin: c:\program files\adobe\reader 9.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_2_202_235.dll
.
============= SERVICES / DRIVERS ===============
.
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2011-7-22 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2011-7-12 67664]
R2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCore.exe [2011-8-11 116608]
R2 LinksysUpdater;Linksys Updater;c:\program files\linksys\linksys updater\bin\LinksysUpdater.exe [2008-11-13 204800]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2010-2-17 654408]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2008-11-9 24652]
R3 appliandMP;appliandMP;c:\windows\system32\drivers\appliand.sys [2010-6-24 28256]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2010-2-17 22344]
S2 Ias;Windows NetBIOS Helper;c:\windows\system32\svchost.exe -k netsvcs [2006-2-28 14336]
S3 appliand;Applian Network Service;c:\windows\system32\drivers\appliand.sys [2010-6-24 28256]
S3 mbamchameleon;mbamchameleon;c:\windows\system32\drivers\mbamchameleon.sys [2012-6-4 32072]
S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\mozilla maintenance service\maintenanceservice.exe [2012-6-14 113120]
S3 NPF;WinPcap Packet Driver (NPF);c:\windows\system32\drivers\npf.sys [2012-6-18 50704]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\gamemon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 pnetmdm;PdaNet Modem;c:\windows\system32\drivers\pnetmdm.sys [2012-6-2 9472]
S3 USB200M;Linksys USB 2.0 Network Adapter ver.2;c:\windows\system32\drivers\USB200M2.sys [2008-11-1 18048]
S3 XDva225;XDva225;\??\c:\windows\system32\xdva225.sys --> c:\windows\system32\XDva225.sys [?]
.
=============== Created Last 30 ================
.
2012-07-11 16:53:46 -------- d-----w- C:\TDSSKiller_Quarantine
2012-07-09 17:00:45 -------- d-----w- c:\documents and settings\martina\application data\dBpoweramp
.
==================== Find3M ====================
.
2012-07-02 11:37:59 32072 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
2012-06-26 17:31:33 522928 ----a-w- c:\windows\system32\SpoonUninstall.exe
2012-06-19 17:52:57 294924 ----a-w- c:\windows\system32\shimg.dll
2012-06-18 09:00:21 50704 ----a-w- c:\windows\system32\drivers\npf.sys
2012-06-18 09:00:21 281104 ----a-w- c:\windows\system32\wpcap.dll
2012-06-18 09:00:21 100880 ----a-w- c:\windows\system32\Packet.dll
2012-06-12 03:27:01 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-06-12 03:27:01 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-06-03 05:42:47 102400 ----a-w- c:\windows\RegBootClean.exe
2012-06-02 22:19:44 22040 ----a-w- c:\windows\system32\wucltui.dll.mui
2012-06-02 22:19:38 219160 ----a-w- c:\windows\system32\wuaucpl.cpl
2012-06-02 22:19:38 15384 ----a-w- c:\windows\system32\wuaucpl.cpl.mui
2012-06-02 22:19:34 15384 ----a-w- c:\windows\system32\wuapi.dll.mui
2012-06-02 22:19:30 17944 ----a-w- c:\windows\system32\wuaueng.dll.mui
2012-06-02 22:18:58 275696 ----a-w- c:\windows\system32\mucltui.dll
2012-06-02 22:18:58 214256 ----a-w- c:\windows\system32\muweb.dll
2012-06-02 22:18:58 17136 ----a-w- c:\windows\system32\mucltui.dll.mui
2012-05-31 13:22:09 599040 ----a-w- c:\windows\system32\crypt32.dll
2012-05-15 15:39:54 832512 ----a-w- c:\windows\system32\wininet.dll
2012-05-15 13:20:33 1863168 ----a-w- c:\windows\system32\win32k.sys
.
============= FINISH: 14:00:29.46 ===============





Attach Log/Text :

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-08-26.01)
.
Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume1
Install Date: 11/1/2008 4:41:06 PM
System Uptime: 7/31/2012 1:50:43 PM (1 hours ago)
.
Motherboard: OEM_MB | | IVY8
Processor: AMD Athlon™ 64 X2 Dual Core Processor 4200+ | Socket AM2 | 2210/200mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 139 GiB total, 60.072 GiB free.
D: is FIXED (NTFS) - 10 GiB total, 1.404 GiB free.
G: is Removable
.
==== Disabled Device Manager Items =============
.
Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: NVIDIA nForce Networking Controller
Device ID: {1A3E09BE-1E45-494B-9174-D7385B45BBF5}\NVNET_DEV03EF\4&81F2E27&0&00
Manufacturer: NVIDIA
Name: NVIDIA nForce 10/100 Mbps Ethernet
PNP Device ID: {1A3E09BE-1E45-494B-9174-D7385B45BBF5}\NVNET_DEV03EF\4&81F2E27&0&00
Service: NVENETFD
.
Class GUID: {4D36E965-E325-11CE-BFC1-08002BE10318}
Description: CD-ROM Drive
Device ID: SCSI\CDROM&VEN_ATAPI&PROD_DVD_A__DH16A6L&REV_ZH1A\4&18252D01&0&110
Manufacturer: (Standard CD-ROM drives)
Name: ATAPI DVD A DH16A6L SCSI CdRom Device
PNP Device ID: SCSI\CDROM&VEN_ATAPI&PROD_DVD_A__DH16A6L&REV_ZH1A\4&18252D01&0&110
Service: cdrom
.
==== System Restore Points ===================
.
RP1: 7/2/2012 10:34:26 AM - System Checkpoint
RP2: 7/2/2012 2:23:13 PM - Software Distribution Service 3.0
RP3: 7/3/2012 12:45:16 PM - Software Distribution Service 3.0
RP4: 7/5/2012 8:03:11 PM - Software Distribution Service 3.0
RP5: 7/7/2012 3:53:20 PM - Software Distribution Service 3.0
RP6: 7/8/2012 9:18:11 AM - Software Distribution Service 3.0
RP7: 7/9/2012 9:55:02 AM - Software Distribution Service 3.0
RP8: 7/10/2012 11:39:24 AM - Software Distribution Service 3.0
RP9: 7/11/2012 9:41:27 AM - Software Distribution Service 3.0
RP10: 7/12/2012 10:35:36 AM - Software Distribution Service 3.0
RP11: 7/14/2012 12:09:41 PM - Software Distribution Service 3.0
RP12: 7/15/2012 10:36:54 AM - Software Distribution Service 3.0
RP13: 7/17/2012 1:36:33 PM - Software Distribution Service 3.0
RP14: 7/18/2012 1:40:48 PM - Software Distribution Service 3.0
RP15: 7/19/2012 2:17:11 PM - Software Distribution Service 3.0
RP16: 7/20/2012 11:42:12 PM - Software Distribution Service 3.0
RP17: 7/21/2012 11:38:51 AM - Software Distribution Service 3.0
RP18: 7/22/2012 3:00:17 AM - Software Distribution Service 3.0
RP19: 7/23/2012 1:03:25 PM - Software Distribution Service 3.0
RP20: 7/24/2012 6:23:26 PM - Software Distribution Service 3.0
RP21: 7/25/2012 9:06:37 PM - Software Distribution Service 3.0
RP22: 7/26/2012 11:05:03 AM - Software Distribution Service 3.0
RP23: 7/27/2012 2:12:13 PM - Software Distribution Service 3.0
RP24: 7/28/2012 1:52:00 PM - Software Distribution Service 3.0
RP25: 7/31/2012 10:48:18 AM - Software Distribution Service 3.0
.
==== Installed Programs ======================
.
µTorrent
3100_3200_3300_Help
3100_3200_3300trb
3200
Acrobat.com
Adobe AIR
Adobe Bridge 1.0
Adobe Common File Installer
Adobe Download Manager
Adobe Flash Player 11 ActiveX
Adobe Flash Player 11 Plugin
Adobe Help Center 1.0
Adobe Photoshop CS2
Adobe Reader 9.5.1
Adobe Shockwave Player 11.5
Adobe Stock Photos 1.0
AiO_Scan_CDA
AiOSoftwareNPI
Audacity 1.2.6
BufferChm
CCleaner
CP_Package_Variety1
CP_Package_Variety2
CP_Package_Variety3
dBpoweramp FLAC Codec
dBpoweramp Music Converter
Destinations
DeviceManagementQFolder
DocProc
DriverAgent by TouchStone Software
eSupportQFolder
Express Burn
Fax_CDA
GearDrvs
High Definition Audio Driver Package - KB888111
HiJackThis
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows XP (KB2158563)
Hotfix for Windows XP (KB2443685)
Hotfix for Windows XP (KB2570791)
Hotfix for Windows XP (KB2633952)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Hotfix for Windows XP (KB979306)
Hotfix for Windows XP (KB981793)
HP Image Zone Express
HP Imaging Device Functions 5.3
HP PSC & OfficeJet 5.3.A
HP Software Update
HP Solution Center & Imaging Support Tools 5.3
HPProductAssistant
Java Auto Updater
Java™ 6 Update 20
Java™ 6 Update 29
Java™ 6 Update 3
Linksys EasyLink Advisor
Malwarebytes Anti-Malware version 1.61.0.1400
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Application Error Reporting
Microsoft Choice Guard
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Kernel-Mode Driver Framework Feature Pack 1.7
Microsoft National Language Support Downlevel APIs
Microsoft Office 2000 Professional
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Microsoft WinUsb 1.0
Mozilla Firefox 13.0.1 (x86 en-US)
Mozilla Maintenance Service
MSVCRT
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 4.0 SP2 and SOAP Toolkit 3.0
MSXML 6.0 Parser (KB925673)
NewCopy_CDA
NVIDIA Drivers
Opera 12.00
ProductContextNPI
Pure Networks Platform
Readme
Realtek High Definition Audio Driver
Scan
ScannerCopy
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2604111)
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2657424)
Security Update for Microsoft Windows (KB2564958)
Security Update for Windows Internet Explorer 7 (KB2183461)
Security Update for Windows Internet Explorer 7 (KB2360131)
Security Update for Windows Internet Explorer 7 (KB2416400)
Security Update for Windows Internet Explorer 7 (KB2482017)
Security Update for Windows Internet Explorer 7 (KB2497640)
Security Update for Windows Internet Explorer 7 (KB2530548)
Security Update for Windows Internet Explorer 7 (KB2544521)
Security Update for Windows Internet Explorer 7 (KB2559049)
Security Update for Windows Internet Explorer 7 (KB2586448)
Security Update for Windows Internet Explorer 7 (KB2618444)
Security Update for Windows Internet Explorer 7 (KB2647516)
Security Update for Windows Internet Explorer 7 (KB2699988)
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 7 (KB972260)
Security Update for Windows Internet Explorer 7 (KB974455)
Security Update for Windows Internet Explorer 7 (KB976325)
Security Update for Windows Internet Explorer 7 (KB978207)
Security Update for Windows Internet Explorer 7 (KB982381)
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player (KB979402)
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2121546)
Security Update for Windows XP (KB2160329)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2259922)
Security Update for Windows XP (KB2279986)
Security Update for Windows XP (KB2286198)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2296199)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB2393802)
Security Update for Windows XP (KB2412687)
Security Update for Windows XP (KB2419632)
Security Update for Windows XP (KB2423089)
Security Update for Windows XP (KB2436673)
Security Update for Windows XP (KB2440591)
Security Update for Windows XP (KB2443105)
Security Update for Windows XP (KB2476490)
Security Update for Windows XP (KB2476687)
Security Update for Windows XP (KB2478960)
Security Update for Windows XP (KB2478971)
Security Update for Windows XP (KB2479628)
Security Update for Windows XP (KB2479943)
Security Update for Windows XP (KB2481109)
Security Update for Windows XP (KB2483185)
Security Update for Windows XP (KB2485376)
Security Update for Windows XP (KB2485663)
Security Update for Windows XP (KB2503658)
Security Update for Windows XP (KB2503665)
Security Update for Windows XP (KB2506212)
Security Update for Windows XP (KB2506223)
Security Update for Windows XP (KB2507618)
Security Update for Windows XP (KB2507938)
Security Update for Windows XP (KB2508272)
Security Update for Windows XP (KB2508429)
Security Update for Windows XP (KB2509553)
Security Update for Windows XP (KB2510581)
Security Update for Windows XP (KB2511455)
Security Update for Windows XP (KB2524375)
Security Update for Windows XP (KB2535512)
Security Update for Windows XP (KB2536276-v2)
Security Update for Windows XP (KB2536276)
Security Update for Windows XP (KB2544893-v2)
Security Update for Windows XP (KB2544893)
Security Update for Windows XP (KB2555917)
Security Update for Windows XP (KB2562937)
Security Update for Windows XP (KB2566454)
Security Update for Windows XP (KB2567053)
Security Update for Windows XP (KB2567680)
Security Update for Windows XP (KB2570222)
Security Update for Windows XP (KB2570947)
Security Update for Windows XP (KB2584146)
Security Update for Windows XP (KB2585542)
Security Update for Windows XP (KB2592799)
Security Update for Windows XP (KB2598479)
Security Update for Windows XP (KB2603381)
Security Update for Windows XP (KB2618451)
Security Update for Windows XP (KB2619339)
Security Update for Windows XP (KB2620712)
Security Update for Windows XP (KB2621440)
Security Update for Windows XP (KB2624667)
Security Update for Windows XP (KB2631813)
Security Update for Windows XP (KB2633171)
Security Update for Windows XP (KB2639417)
Security Update for Windows XP (KB2641653)
Security Update for Windows XP (KB2646524)
Security Update for Windows XP (KB2647518)
Security Update for Windows XP (KB2653956)
Security Update for Windows XP (KB2659262)
Security Update for Windows XP (KB2660465)
Security Update for Windows XP (KB2661637)
Security Update for Windows XP (KB2676562)
Security Update for Windows XP (KB2685939)
Security Update for Windows XP (KB2686509)
Security Update for Windows XP (KB2695962)
Security Update for Windows XP (KB2709162)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981349)
Security Update for Windows XP (KB981852)
Security Update for Windows XP (KB981957)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982214)
Security Update for Windows XP (KB982665)
Security Update for Windows XP (KB982802)
Segoe UI
SolutionCenter
Spelling Dictionaries Support For Adobe Reader 9
Status
SUPERAntiSpyware
Tablet
TrayApp
Unload
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 7 (KB976749)
Update for Windows Internet Explorer 7 (KB980182)
Update for Windows XP (KB2141007)
Update for Windows XP (KB2345886)
Update for Windows XP (KB2467659)
Update for Windows XP (KB2541763)
Update for Windows XP (KB2607712)
Update for Windows XP (KB2616676)
Update for Windows XP (KB2641690)
Update for Windows XP (KB2718704)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB961503)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971029)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Viewpoint Media Player
VLC media player 0.9.9
WavePad Sound Editor
WebFldrs XP
WebReg
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 7
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Messenger
Windows Media Format 11 runtime
Windows Presentation Foundation
Windows XP Service Pack 3
WinRAR archiver
XML Paper Specification Shared Components Pack 1.0
.
==== Event Viewer Messages From Past Week ========
.
7/31/2012 10:48:26 AM, error: NtServicePack [4373] - Windows XP KB2707511 installation failed.
An internal error occurred.
7/28/2012 1:52:09 PM, error: NtServicePack [4373] - Windows XP KB2707511 installation failed.
An internal error occurred.
7/27/2012 2:12:24 PM, error: NtServicePack [4373] - Windows XP KB2707511 installation failed.
An internal error occurred.
7/27/2012 2:10:59 PM, error: Print [23] - Printer LogoSmartz failed to initialize because a suitable Xerox DocuTech 135 PS2 driver could not be found.
7/26/2012 11:05:32 AM, error: Windows Update Agent [20] - Installation Failure: Windows failed to install the following update with error 0x8007054f: Security Update for Windows XP (KB2707511).
7/26/2012 11:05:29 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: Cdrom Imapi redbook
7/26/2012 11:05:29 AM, error: Service Control Manager [7023] - The Windows NetBIOS Helper service terminated with the following error: The specified module could not be found.
7/26/2012 11:05:29 AM, error: Service Control Manager [7023] - The MicroSoft Team Support service terminated with the following error: The specified module could not be found.
7/26/2012 11:05:29 AM, error: Service Control Manager [7023] - The Computer Browser service terminated with the following error: The specified service does not exist as an installed service.
7/26/2012 11:05:29 AM, error: Service Control Manager [7003] - The TCP/IP NetBIOS Helper service depends on the following nonexistent service: NetBT
7/26/2012 11:05:29 AM, error: Service Control Manager [7003] - The DHCP Client service depends on the following nonexistent service: NetBT
7/26/2012 11:05:09 AM, error: NtServicePack [4373] - Windows XP KB2707511 installation failed.
An internal error occurred.
7/25/2012 9:06:49 PM, error: NtServicePack [4373] - Windows XP KB2707511 installation failed.
An internal error occurred.
7/24/2012 6:23:50 PM, error: NtServicePack [4373] - Windows XP KB2707511 installation failed.
An internal error occurred.
.
==== End Of File ===========================




Gmer Log :

GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-07-31 14:27:57
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\Martina\LOCALS~1\Temp\axrdikog.sys


---- Files - GMER 1.0.15 ----

File C:\WINDOWS\$NtUninstallKB3559$\3043211396 0 bytes
File C:\WINDOWS\$NtUninstallKB3559$\3043211396\L 0 bytes
File C:\WINDOWS\$NtUninstallKB3559$\3043211396\U 0 bytes
File C:\WINDOWS\$NtUninstallKB3559$\4073780934 0 bytes

---- EOF - GMER 1.0.15 ----

#7 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 37,721 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:California
  • Local time:05:24 AM

Posted 31 July 2012 - 06:32 PM

Greetings Mar C,

Welcome aboard. Thank you for letting my know of your sporadic availability.

Please allow me some time to review the fresh information you provided. Just so you are aware, all of my proposed postings must be reviewed and approved by my mentor before I can offer them to you. There shouldn't be much of a delay but rest assured I am not ignoring you even if it seems like I am!

I hope to have some instructions for you tomorrow morning (Pacific time)
Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#8 Mar C

Mar C
  • Topic Starter

  • Members
  • 55 posts
  • OFFLINE
  •  
  • Local time:04:24 AM

Posted 31 July 2012 - 07:08 PM

Hello, and thank you!

Alrighty. I'll check the thread throughout the night, tomorrow morning and afternoon as well. I probably won't be able to post any logs or certain things for a day or two though (I can post and tell you whether or not I am able to do a particular instruction at any given moment though).

Thank you very much for your time and help.

#9 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 37,721 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:California
  • Local time:05:24 AM

Posted 01 August 2012 - 09:48 AM

Greetings Mar C,

Thank you for your patience and effort, given your internet connection issues. Your logs indicate you are still infected. We will start to address that once you consider the following:


===================================================


BACKDOOR WARNING!

--------------------

One or more of the identified infections is a Backdoor Trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation. Please let me know if you have already noticed evedences of financial institution irregularities.

Though the trojan has been identified and can be killed, because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you decide to go through with the cleanup, please proceed with the following steps.


===================================================


P2P Warning

--------------------

Going over your logs I noticed that you have µTorrent installed. It is pretty much certain that if you continue to use P2P programs, you will get infected again.

  • Avoid gaming sites, pirated software, cracking tools, keygens, and peer-to-peer (P2P) file sharing programs.
  • They are a security risk which can make your computer susceptible to a smörgåsbord of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites.
  • Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and malicious Flash ads that install viruses, Trojans and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users.
  • The best way to reduce the risk of infection is to avoid these types of web sites and not use any P2P applications.
I would recommend that you uninstall µTorrent, however that choice is up to you. If you choose to remove the program, you can do so via Start > Control Panel > Add/Remove Programs.

If you wish to keep it, please do not use it until we are completely done and your machine is determined to be clean and updated.


===================================================


ComboFix

When reviewing these instructions and installing Combofix keep in mind that since you do not have internet access you will not be able to install the Recovery Console which may be offered to you.

--------------------

For a more detailed explanation on running Combofix and the prompts you will be following please see here.

  • From a computer with internet access please download ComboFix from one of these locations and save it to a USB device:

    Bleepingcomputer
    ForoSpyware

  • Insert the USB device into the infected computer
  • Copy and paste Combofix.exe from your USB device to the desktop (very important) of your infected computer
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. (Click on this link to see a list of programs that should be disabled. The list is not all inclusive.)
  • Double click on Combofix.exe and follow the prompts.

    Please Note: Often times it may appear as if ComboFix has stopped working. To verify it is still running please do one of the following below. If ComboFix has stopped running please stop and advise me.
  • Check your computer clock. If it is still running then so is ComboFix
  • Open Task Manager and select the Applications Tab. If the status of AutoScan is Running, then ComboFix is running
  • Open Task Manager and select the Processes Tab. Under Image Name look for files ending in .3xe. If there are fluctuating numbers under CPU and Mem Usage then ComboFix is running
  • When finished, it will produce a log. Save the log to your USB device then include the C:\Combofix.txt log in your next reply

===================================================


Things I would like to see in your next reply. Please be sure to copy and paste the information rather than send an attachment. :thumbsup2:

  • Combofix.txt
  • How is your computer running now?

Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#10 Mar C

Mar C
  • Topic Starter

  • Members
  • 55 posts
  • OFFLINE
  •  
  • Local time:04:24 AM

Posted 01 August 2012 - 01:21 PM

While I won't be able to follow the instructions until tonight, I will uninstall utorrent and use combofix. When I reinstall the OS, will I need to save my files on a usb or harddrive? (Like pictures, new fonts, etc)

And again, thank you very much.

#11 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 37,721 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:California
  • Local time:05:24 AM

Posted 01 August 2012 - 01:53 PM

Greetings Mar C,

If you are saying eventually you will be reformatting (I think that is what you mean) then yes, you will need to save all your data to a storage device. It is best to continue the cleaning process to the end before transferring the data you would like to keep. We don't want to reinfect a "clean" machine by reintroducing a "dirty" file.

Thank you for keeping me updated. That is more important to me than you pressuring yourself to complete a step. As long as I know you are still with me life is good. :thumbsup:
Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#12 Mar C

Mar C
  • Topic Starter

  • Members
  • 55 posts
  • OFFLINE
  •  
  • Local time:04:24 AM

Posted 02 August 2012 - 02:26 AM

Yes, I'm definitely leaning toward reformatting. I shall definitely see the cleaning through to the end, first and foremost as well. :'D

I downloaded ComboFix, and I'll be running it and following the steps tonight, and posting the log when I can tomorrow. It will probably be in the later afternoon or early evening though.

And thank you very much!

#13 Mar C

Mar C
  • Topic Starter

  • Members
  • 55 posts
  • OFFLINE
  •  
  • Local time:04:24 AM

Posted 02 August 2012 - 10:19 PM

Hello, again!

I ran ComboFix, and it deleted a couple of files and I saved the log. I'm still planning on reformatting my computer, though I need to buy another usb or two before I can actually be sure that I'll be able to. I have not yet tried to connect the modem or the router to the computer or reach other again, and I'll wait for your direction to do anything more. Thank you, and here's the log.


ComboFix Log :

ComboFix 12-07-31.03 - Martina 08/02/2012 15:12:51.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.894.572 [GMT -7:00]
Running from: c:\documents and settings\Martina\Desktop\ComboFix.exe
.
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\BA8D791DD6.sys
c:\documents and settings\All Users\Application Data\D81EDBF9-D167-4011-B77D-211DF920EB80
c:\documents and settings\Martina\Application Data\291BCF.dat
c:\windows\assembly\GAC\Desktop.ini
c:\windows\Installer\{0b02cc5a-e857-da07-f499-e3c17d0585a5}\@
c:\windows\Installer\{0b02cc5a-e857-da07-f499-e3c17d0585a5}\L\00000004.@
c:\windows\Installer\{0b02cc5a-e857-da07-f499-e3c17d0585a5}\L\1afb2d56
c:\windows\Installer\{0b02cc5a-e857-da07-f499-e3c17d0585a5}\L\201d3dde
c:\windows\Installer\{0b02cc5a-e857-da07-f499-e3c17d0585a5}\U\00000004.@
c:\windows\Installer\{0b02cc5a-e857-da07-f499-e3c17d0585a5}\U\000000cb.@
c:\windows\Installer\{0b02cc5a-e857-da07-f499-e3c17d0585a5}\U\80000032.@
c:\windows\system32\dllcache\dlimport.exe
c:\windows\system32\drivers\etc\hosts.ics
c:\windows\system32\drivers\npf.sys
c:\windows\system32\Packet.dll
c:\windows\system32\shimg.dll
c:\windows\system32\wpcap.dll
c:\windows\$NtUninstallKB3559$\4073780934 . . . . Failed to delete
.
c:\windows\system32\drivers\netbt.sys was missing
Restored copy from - c:\windows\ServicePackFiles\i386\netbt.sys
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_6TO4
-------\Legacy_IAS
-------\Legacy_NETWORKLOG
-------\Legacy_NPF
-------\Service_.netbt
-------\Service_6to4
-------\Service_Ias
-------\Service_NPF
.
.
((((((((((((((((((((((((( Files Created from 2012-07-02 to 2012-08-02 )))))))))))))))))))))))))))))))
.
.
2012-08-02 22:47 . 2008-04-13 19:21 162816 -c--a-w- c:\windows\system32\dllcache\netbt.sys
2012-08-02 22:47 . 2008-04-13 19:21 162816 ----a-w- c:\windows\system32\drivers\netbt.sys
2012-07-11 16:53 . 2012-07-11 16:53 -------- d-----w- C:\TDSSKiller_Quarantine
2012-07-09 17:00 . 2012-07-09 17:00 -------- d-----w- c:\documents and settings\Martina\Application Data\dBpoweramp
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-07-02 11:37 . 2012-06-05 00:30 32072 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
2012-06-26 17:31 . 2012-06-26 17:32 522928 ----a-w- c:\windows\system32\SpoonUninstall.exe
2012-06-14 20:09 . 2012-06-14 20:09 388096 ----a-r- c:\documents and settings\Martina\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2012-06-12 03:27 . 2012-04-03 00:29 426184 ----a-w- c:\windows\system32\FlashPlayerApp.exe
2012-06-12 03:27 . 2011-05-13 16:13 70344 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-06-03 05:42 . 2012-06-03 05:42 102400 ----a-w- c:\windows\RegBootClean.exe
2012-06-02 22:19 . 2007-07-31 03:18 22040 ----a-w- c:\windows\system32\wucltui.dll.mui
2012-06-02 22:19 . 2008-11-01 23:37 329240 ----a-w- c:\windows\system32\wucltui.dll
2012-06-02 22:19 . 2008-11-01 23:37 219160 ----a-w- c:\windows\system32\wuaucpl.cpl
2012-06-02 22:19 . 2008-11-01 23:37 210968 ----a-w- c:\windows\system32\wuweb.dll
2012-06-02 22:19 . 2007-07-31 03:19 15384 ----a-w- c:\windows\system32\wuaucpl.cpl.mui
2012-06-02 22:19 . 2008-11-01 23:37 35864 ----a-w- c:\windows\system32\wups.dll
2012-06-02 22:19 . 2008-11-01 23:37 53784 ----a-w- c:\windows\system32\wuauclt.exe
2012-06-02 22:19 . 2007-07-31 03:19 45080 ----a-w- c:\windows\system32\wups2.dll
2012-06-02 22:19 . 2007-07-31 03:19 15384 ----a-w- c:\windows\system32\wuapi.dll.mui
2012-06-02 22:19 . 2006-02-28 12:00 97304 ----a-w- c:\windows\system32\cdm.dll
2012-06-02 22:19 . 2007-07-31 03:18 17944 ----a-w- c:\windows\system32\wuaueng.dll.mui
2012-06-02 22:19 . 2008-11-01 23:37 577048 ----a-w- c:\windows\system32\wuapi.dll
2012-06-02 22:19 . 2008-11-01 23:37 1933848 ----a-w- c:\windows\system32\wuaueng.dll
2012-06-02 22:18 . 2009-02-26 15:14 214256 ----a-w- c:\windows\system32\muweb.dll
2012-06-02 22:18 . 2009-02-26 15:14 17136 ----a-w- c:\windows\system32\mucltui.dll.mui
2012-06-02 22:18 . 2009-02-26 15:14 275696 ----a-w- c:\windows\system32\mucltui.dll
2012-05-31 13:22 . 2006-02-28 12:00 599040 ----a-w- c:\windows\system32\crypt32.dll
2012-05-15 15:39 . 2006-02-28 12:00 832512 ----a-w- c:\windows\system32\wininet.dll
2012-05-15 13:20 . 2006-02-28 12:00 1863168 ----a-w- c:\windows\system32\win32k.sys
2012-06-17 20:16 . 2012-06-15 03:38 85472 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2012-06-23 3905408]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-09-17 13574144]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2005-5-11 282624]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2011-05-04 17:54 551296 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Martina^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=c:\documents and settings\Martina\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=c:\windows\pss\Adobe Gamma.lnkStartup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Martina^Start Menu^Programs^Startup^PdaNet Desktop.lnk]
path=c:\documents and settings\Martina\Start Menu\Programs\Startup\PdaNet Desktop.lnk
backup=c:\windows\pss\PdaNet Desktop.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2012-01-02 18:07 843712 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2012-03-27 12:41 37296 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
2005-05-03 18:43 69632 ----a-w- c:\windows\ALCMTR.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\High Definition Audio Property Page Shortcut]
2005-01-08 01:07 61952 ------w- c:\windows\system32\HdAShCut.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2005-05-12 06:12 49152 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
2006-02-28 12:00 208952 ----a-w- c:\windows\ime\imjp8_1\imjpmig.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes' Anti-Malware]
2012-04-04 22:56 462408 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ------w- c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
2010-04-17 06:12 3872080 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSPY2002]
2006-02-28 12:00 59392 ----a-w- c:\windows\system32\IME\PINTLGNT\IMSCINST.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nmctxth]
2008-12-13 01:06 642856 ----a-w- c:\program files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2008-09-17 17:55 13574144 ----a-w- c:\windows\system32\nvcpl.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2008-09-17 17:55 86016 ----a-w- c:\windows\system32\nvmctray.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
2008-09-17 17:55 1657376 ----a-w- c:\windows\system32\nwiz.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
2006-02-28 12:00 455168 ----a-w- c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]
2006-02-28 12:00 455168 ----a-w- c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
2007-10-25 11:57 16855552 ----a-w- c:\windows\RTHDCPL.EXE
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2011-06-09 20:06 254696 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
.
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [7/22/2011 9:27 AM 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [7/12/2011 2:55 PM 67664]
R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCore.exe [8/11/2011 4:38 PM 116608]
R2 LinksysUpdater;Linksys Updater;c:\program files\Linksys\Linksys Updater\bin\LinksysUpdater.exe [11/13/2008 12:43 PM 204800]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [2/17/2010 12:12 PM 654408]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [11/9/2008 12:24 AM 24652]
R3 appliandMP;appliandMP;c:\windows\system32\drivers\appliand.sys [6/24/2010 1:46 PM 28256]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2/17/2010 12:11 PM 22344]
S3 appliand;Applian Network Service;c:\windows\system32\drivers\appliand.sys [6/24/2010 1:46 PM 28256]
S3 mbamchameleon;mbamchameleon;c:\windows\system32\drivers\mbamchameleon.sys [6/4/2012 5:30 PM 32072]
S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\Mozilla Maintenance Service\maintenanceservice.exe [6/14/2012 8:38 PM 113120]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 pnetmdm;PdaNet Modem;c:\windows\system32\drivers\pnetmdm.sys [6/2/2012 5:55 PM 9472]
S3 USB200M;Linksys USB 2.0 Network Adapter ver.2;c:\windows\system32\drivers\USB200M2.sys [11/1/2008 4:51 PM 18048]
S3 XDva225;XDva225;\??\c:\windows\system32\XDva225.sys --> c:\windows\system32\XDva225.sys [?]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
getPlusHelper REG_MULTI_SZ getPlusHelper
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyOverride = <local>
IE: Open with WordPerfect
Trusted Zone: keepvid.com
TCP: DhcpNameServer = 75.75.75.75 75.75.76.76
FF - ProfilePath - c:\documents and settings\Martina\Application Data\Mozilla\Firefox\Profiles\yrgob70c.default\
.
- - - - ORPHANS REMOVED - - - -
.
MSConfigStartUp-MSC - c:\program files\Microsoft Security Client\msseces.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-08-02 15:58
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1214440339-861567501-839522115-1004\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*n0y_^’]
@Class="Shell"
.
[HKEY_USERS\S-1-5-21-1214440339-861567501-839522115-1004\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*n0y_^’\OpenWithList]
@Class="Shell"
"a"="wmplayer.exe"
"MRUList"="a"
.
[HKEY_USERS\S-1-5-21-1214440339-861567501-839522115-1004\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*¹0×0é0Ć0·0å0’]
@Class="Shell"
.
[HKEY_USERS\S-1-5-21-1214440339-861567501-839522115-1004\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*¹0×0é0Ć0·0å0’\OpenWithList]
@Class="Shell"
"a"="wmplayer.exe"
"MRUList"="a"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(424)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
.
- - - - - - - > 'explorer.exe'(184)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\Tablet.exe
c:\windows\system32\java.exe
c:\program files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
c:\windows\system32\WTablet\TabUserW.exe
c:\windows\system32\Tablet.exe
c:\program files\HP\Digital Imaging\bin\hpqSTE08.exe
c:\program files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
.
**************************************************************************
.
Completion time: 2012-08-02 16:14:32 - machine was rebooted
ComboFix-quarantined-files.txt 2012-08-02 23:14
.
Pre-Run: 64,359,759,872 bytes free
Post-Run: 66,611,666,944 bytes free
.
- - End Of File - - 3647A30E62DABCE09FF88B720A93605A

#14 Oh My!

Oh My!

    Adware and Spyware and Malware.....


  • Malware Response Instructor
  • 37,721 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:California
  • Local time:05:24 AM

Posted 03 August 2012 - 10:31 AM

Greetings Mar C,

Thank you for the results.

I am unclear whether or not you replaced the apparently corrupted CD driver (it seems not). I am assuming your CD is still not working properly, correct?

Before starting I would like you to try to connect to the internet. If you are unable to then obviously you will need to utilize another computer for some of the steps.

Please perform the following for me.


===================================================


Running Combofix Script

-------------------

  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Open notepad and copy/paste the text below into the Notepad document

    Regnull::
    [HKEY_USERS\S-1-5-21-1214440339-861567501-839522115-1004\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*n0y_^’]
    [HKEY_USERS\S-1-5-21-1214440339-861567501-839522115-1004\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*¹0×0é0Ć0·0å0’
    File::
    c:\windows\$NtUninstallKB3559$\4073780934
    

  • Save this on your desktop as CFScript.txt.


    Posted Image

  • Refering to the picture above, drag CFScript.txt into ComboFix.exe
  • When finished, it will create a log for you at C:\ComboFix.txt. Please copy/paste the information in your next reply.

===================================================


Farbar's Service Scanner

--------------------

Please download Farbar Service Scanner, save it to your desktop, and run it.

  • Make sure the following options are checked:

    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center/Action Center
    • Windows Update
    • Windows Defender
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.

===================================================


Things I would like to see in your next reply. Please be sure to copy and paste the information rather than send an attachment. :thumbsup2:

  • Combofix.txt
  • FSS.txt
  • Status of CD

Gary
 
If I do not reply within 24 hours please send me a Personal Message.

"Lord, to whom would we go? You have the words that give eternal life. We believe, and we know you are the Holy One of God."

#15 Mar C

Mar C
  • Topic Starter

  • Members
  • 55 posts
  • OFFLINE
  •  
  • Local time:04:24 AM

Posted 04 August 2012 - 04:28 PM

Alrighty, I'm going to save the steps from another computer and try it later tonight. I'll be able to reply later as well.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users