reDirect virus...please help to immunize



nguyenpj
2010-06-16, 18:21
Thank you in advance for everyone's help.

I have a redirect virus that affects both Firefox and IE, and I cannot access Microsoft Update. I have tried numerous "fixes"; I am currently running the following:

Symantec AV
Microsoft Essentials

Additionally, I have run the following programs:
SuperAntispyware
Malwarebytes

If anyone can help with this problem, please do. The following are the latest logs from Malwarebytes, RootRepeal, and DDS:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org (http://www.malwarebytes.org)

Database version: 4153

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.11

6/14/2010 6:13:30 AM
mbam-log-2010-06-14 (06-13-30).txt

Scan type: Full scan (C:\|D:\|E:\|F:\|)
Objects scanned: 198448
Time elapsed: 52 minute(s), 34 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time: 2010/06/14 07:49
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: rootrepeal.sys
Image Path: C:\Windows\system32\drivers\rootrepeal.sys
Address: 0xA0EA7000 Size: 49152 File Visible: No Signed: -
Status: -

SSDT
-------------------
#: 031 Function Name: NtConnectPort
Status: Hooked by "<unknown>" at address 0xe21f6ea0

==EOF==

DDS (Ver_10-03-17.01) - NTFSx86
Run by Patrick at 7:50:51.92 on Mon 06/14/2010
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_20
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.642 [GMT -7:00]

AV: Microsoft Security Essentials *On-access scanning disabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}

============== Running Processes ===============

C:\Windows\system32\Ati2evxx.exe
C:\Windows\system32\svchost -k DcomLaunch
C:\Windows\system32\svchost -k rpcss
C:\Program Files\Microsoft Security Essentials\MsMpEng.exe
C:\Windows\System32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalService
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Windows\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Windows\Explorer.EXE
C:\Program Files\IObit\IObit Security 360\IS360srv.exe
C:\Windows\system32\ltmsg.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Windows\vVX3000.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Microsoft Security Essentials\msseces.exe
C:\Windows\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\Wcescomm.exe
C:\Program Files\IObit\Advanced SystemCare 3\Sup_SmartRAM.exe
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\PROGRA~1\MICROS~3\rapimgr.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\System32\alg.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Windows\System32\svchost.exe -k HTTPFilter
C:\Windows\system32\wbem\wmiprvse.exe
C:\Documents and Settings\Patrick\Desktop\Downloads\Safer_NetworkingForums\3_DDS_bu_sUBs\dds.scr
C:\Windows\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/ig?hl=en
uInternet Connection Wizard,ShellNext = iexplore
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Google Gears Helper: {e0fefe40-fbf9-42ae-ba58-794ca7e3fb53} - c:\program files\google\google gears\internet explorer\0.5.36.0\gears.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\Wcescomm.exe"
uRun: [SmartRAM] "c:\program files\iobit\advanced systemcare 3\Sup_SmartRAM.exe" /m
uRun: [Google Update] "c:\documents and settings\patrick\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [LTWinModem1] ltmsg.exe 9
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [vptray] c:\progra~1\symant~1\VPTray.exe
mRun: [Acrobat Assistant 7.0] "c:\program files\adobe\acrobat 7.0\distillr\Acrotray.exe"
mRun: [VX3000] c:\windows\vVX3000.exe
mRun: [LifeCam] "c:\program files\microsoft lifecam\LifeExp.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [MSSE] "c:\program files\microsoft security essentials\msseces.exe" -hide -runkey
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobe acrobat speed launcher.lnk - c:\windows\installer\{ac76ba86-1033-0000-7760-100000000002}\SC_Acrobat.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
uPolicies-explorer: ForceActiveDesktopOn = 0 (0x0)
mPolicies-explorer: NoResolveTrack = 1 (0x1)
mPolicies-explorer: NoFileAssociate = 0 (0x0)
mPolicies-system: NoDispSettingsPage = 0 (0x0)
IE: {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - {0B4350D1-055F-47A3-B112-5F2F2B0D6F08} - c:\program files\google\google gears\internet explorer\0.5.36.0\gears.dll
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~3\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~3\INetRepl.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll
Notify: NavLogon - c:\windows\system32\NavLogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
LSA: Notification Packages = scecli scecli

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\patrick\applic~1\mozilla\firefox\profiles\ffl1jfeg.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig?hl=en
FF - component: c:\program files\google\google gears\firefox\lib\ff36\gears.dll
FF - plugin: c:\documents and settings\patrick\application data\mozilla\firefox\profiles\ffl1jfeg.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp07076007.dll
FF - plugin: c:\documents and settings\patrick\application data\mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\patrick\local settings\application data\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.2.183.17\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

---- FIREFOX POLICIES ----
FF - user.js: browser.blink_allowed - true
FF - user.js: browser.cache.memory.capacity - 16000
FF - user.js: browser.chrome.favicons - false
FF - user.js: browser.display.show_image_placeholders - true
FF - user.js: browser.search.openintab - false
FF - user.js: browser.tabs.closeButtons - 1
FF - user.js: browser.tabs.opentabfor.middleclick - true
FF - user.js: browser.tabs.tabMinWidth - 100
FF - user.js: browser.turbo.enabled - true
FF - user.js: browser.urlbar.autocomplete.enabled - true
FF - user.js: browser.urlbar.autofill - true
FF - user.js: browser.urlbar.autoFill - true
FF - user.js: browser.urlbar.hideGoButton - true
FF - user.js: content.max.tokenizing.time - 3000000
FF - user.js: content.maxtextrun - 4095
FF - user.js: content.notify.backoffcount - 5
FF - user.js: content.notify.interval - 1000000
FF - user.js: content.notify.ontimer - true
FF - user.js: content.switch.threshold - 1000000
FF - user.js: dom.disable_window_status_change - true
FF - user.js: layout.spellcheckDefault - 1
FF - user.js: network.http.max-connections - 48
FF - user.js: network.http.max-connections-per-server - 16
FF - user.js: network.http.max-persistent-connections-per-proxy - 16
FF - user.js: network.http.max-persistent-connections-per-server - 8
FF - user.js: network.http.pipelining - true
FF - user.js: network.http.pipelining.firstrequest - true
FF - user.js: network.http.pipelining.maxrequests - 8
FF - user.js: network.http.proxy.pipelining - true
FF - user.js: network.http.request.max-start-delay - 0
FF - user.js: network.prefetch-next - true
FF - user.js: nglayout.initialpaint.delay - 1000
FF - user.js: plugin.expose_full_path - true
FF - user.js: ui.submenuDelay - 0
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\mozilla firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency", 1600);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.debug", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.agedWeight", 2);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.bucketSize", 1);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight", 25);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.formfill.prefixWeight", 5);
c:\program files\mozilla firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);

============= SERVICES / DRIVERS ===============

R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2009-12-2 149040]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2009-11-11 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-11-11 67656]
R1 SAVRKBootTasks;Boot Tasks Driver;c:\windows\system32\SAVRKBootTasks.sys [2010-6-3 18816]
R1 SAVRT;SAVRT;c:\program files\symantec antivirus\savrt.sys [2004-2-9 301200]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2004-6-9 255096]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2004-6-9 242808]
R2 IS360service;IS360service;c:\program files\iobit\iobit security 360\is360srv.exe [2010-6-4 311568]
R2 SAVRTPEL;SAVRTPEL;c:\program files\symantec antivirus\Savrtpel.sys [2004-2-9 37008]
R2 SBKUPNT;SBKUPNT;c:\windows\system32\drivers\SBKUPNT.SYS [2009-12-10 14976]
R2 Symantec AntiVirus;Symantec AntiVirus;c:\program files\symantec antivirus\Rtvscan.exe [2004-10-6 1275216]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20100612.003\naveng.sys [2010-6-13 85552]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20100612.003\navex15.sys [2010-6-13 1347504]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2009-7-24 133104]
S2 pouxybxl;pouxybxl;\??\c:\windows\system32\drivers\fjghyeloy.sys --> c:\windows\system32\drivers\fjghyeloy.sys [?]
S3 AWINDIS5;AWINDIS5 Protocol Driver;c:\windows\system32\AWINDIS5.SYS [2010-4-19 16194]
S3 ccPwdSvc;Symantec Password Validation;c:\program files\common files\symantec shared\ccPwdSvc.exe [2004-6-9 87160]
S3 cpuz128;cpuz128;\??\c:\docume~1\patrick\locals~1\temp\cpuz_x32.sys --> c:\docume~1\patrick\locals~1\temp\cpuz_x32.sys [?]
S3 DfSdkS;Defragmentation-Service;c:\program files\ashampoo\ashampoo winoptimizer 2010 advanced\DfSdkS.exe [2009-12-17 406016]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\7f.tmp --> c:\windows\system32\7F.tmp [?]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [2008-8-22 18688]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [2008-8-22 8320]
S3 motport;Motorola USB Diagnostic Port;c:\windows\system32\drivers\motport.sys [2007-6-18 23680]
S3 NDISKIO;NDISKIO;\??\c:\docume~1\patrick\locals~1\temp\00000edd.nmc\nse\bin\ndiskio.sys --> c:\docume~1\patrick\locals~1\temp\00000edd.nmc\nse\bin\ndiskio.sys [?]
S3 NETGEAR_WG511_SERVICE;NETGEAR WG511T Wireless Adapter Service;c:\windows\system32\drivers\wg511nd5.sys --> c:\windows\system32\drivers\wg511nd5.sys [?]
S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-11-11 12872]
S3 SavRoam;SAVRoam;c:\program files\symantec antivirus\SavRoam.exe [2004-10-6 173392]
S3 ZD1211U(WLAN);IEEE 802.11g USB Wireless LAN Driver(WLAN);c:\windows\system32\drivers\ZD1211U.sys [2008-3-11 273408]
UnknownUnknown rootrepeal;rootrepeal; [x]

=============== Created Last 30 ================

2010-06-13 19:55:53 0 dc----w- c:\docume~1\alluse~1\applic~1\Kaspersky Lab Setup Files
2010-06-11 07:50:02 64512 ----a-w- c:\windows\system32\drivers\hatozsiw.sys
2010-06-11 03:28:55 64512 ----a-w- c:\windows\system32\drivers\kaybqagu.sys
2010-06-11 02:13:24 0 d-----w- c:\program files\Microsoft Security Essentials
2010-06-04 08:40:08 43088 ---ha-w- c:\windows\system32\mlfcache.dat
2010-06-03 07:47:35 18816 ------w- c:\windows\system32\SAVRKBootTasks.sys
2010-06-03 06:46:39 0 d-----w- c:\program files\Sophos
2010-05-31 02:16:16 15944 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-05-31 02:08:55 0 dc----w- c:\docume~1\alluse~1\applic~1\Hitman Pro
2010-05-31 02:08:54 0 d-----w- c:\program files\Hitman Pro 3.5
2010-05-29 05:28:52 0 d-----w- c:\program files\CCleaner

==================== Find3M ====================

2010-05-01 19:30:54 2932 ----a-w- c:\windows\system32\d3d9caps.dat
2010-04-29 22:39:38 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 22:39:26 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-13 00:29:19 411368 ----a-w- c:\windows\system32\deployJava1.dll
2009-05-20 23:03:56 245760 -csha-w- c:\windows\system32\config\systemprofile\ietldcache\index.dat
2009-02-07 22:04:41 32768 -csha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009020720090208\index.dat

Edit: FYI :) "BEFORE you POST" (READ this Procedure BEFORE Requesting Assistance) (http://forums.spybot.info/showthread.php?t=288)
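As an added example (not part of this thread, and not a tool from DDS, Safer Networking or the helpers here), the Python script below applies the checks a malware-removal helper runs by eye over the DDS "SERVICES / DRIVERS" and "Created Last 30" sections posted above: service entries whose file is missing on disk (`[?]` / `[x]`), drivers loading from a temp folder or a `.tmp` file, service names that do not match the driver file name, randomly named lowercase drivers, and AV products reported with on-access scanning disabled. The reason labels, the "looks random" heuristic and the sample input are assumptions made for this example; the sample lines are copied from the log above, with MpFilter.sys and mbam.sys kept as clean entries for contrast.

```python
"""Triage checks over DDS-style log lines: the indicators a malware-removal
helper scans for by eye in the SERVICES / DRIVERS and Created Last 30 sections.

Added example, not part of the forum thread and not a DDS or Safer Networking
tool. The reason labels, the 'looks random' heuristic and the sample lines
are assumptions made for this example.
"""
import re
from typing import Dict, List

# Constructed sample: lines copied from the DDS log posted in the thread,
# plus MpFilter.sys and mbam.sys as clean entries for contrast.
SAMPLE_LOG = r"""
AV: Microsoft Security Essentials *On-access scanning disabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2009-12-2 149040]
S2 pouxybxl;pouxybxl;\??\c:\windows\system32\drivers\fjghyeloy.sys --> c:\windows\system32\drivers\fjghyeloy.sys [?]
S3 cpuz128;cpuz128;\??\c:\docume~1\patrick\locals~1\temp\cpuz_x32.sys --> c:\docume~1\patrick\locals~1\temp\cpuz_x32.sys [?]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\7f.tmp --> c:\windows\system32\7F.tmp [?]
UnknownUnknown rootrepeal;rootrepeal; [x]
2010-06-11 07:50:02 64512 ----a-w- c:\windows\system32\drivers\hatozsiw.sys
2010-06-11 03:28:55 64512 ----a-w- c:\windows\system32\drivers\kaybqagu.sys
2010-04-29 22:39:26 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
""".strip()

# "R1 name;display;path [date size]"  or  "S2 name;display;\??\path --> path [?]"
SERVICE_RE = re.compile(r"^(?:R\d|S\d|Unknown\S*)\s+(?P<name>[^;]+);[^;]*;(?P<rest>.*)$")
# "2010-06-11 07:50:02 64512 ----a-w- c:\path"  (DDS Created Last 30 / Find3M format)
CREATED_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\s+\d+\s+\S+\s+(?P<path>.+)$")
AV_DISABLED_RE = re.compile(r"^AV: .*\*On-access scanning disabled\*")
VOWELS = set("aeiou")


def looks_random(name: str) -> bool:
    """Weak signal for a generated name: 8+ lowercase letters, no digits, and
    either vowel-poor or carrying a long consonant run. Vendor names such as
    mbamswissarmy also trip it, so it only adds weight to other findings."""
    if len(name) < 8 or not name.isalpha() or not name.islower():
        return False
    vowel_ratio = sum(ch in VOWELS for ch in name) / len(name)
    longest_consonant_run = max(len(run) for run in re.split(r"[aeiou]+", name))
    return vowel_ratio <= 0.4 or longest_consonant_run >= 4


def _service_path(rest: str) -> str:
    """Pull the on-disk path out of the tail of a service line: prefer the
    resolved path after '-->' and drop the trailing '[date size]' or '[?]'."""
    path = rest.split(" [", 1)[0]
    if "-->" in path:
        path = path.split("-->", 1)[1]
    return path.strip()


def triage_line(line: str) -> List[str]:
    """Return the reasons one DDS log line deserves a second look; [] if none."""
    reasons: List[str] = []
    if AV_DISABLED_RE.match(line):
        return ["realtime_av_disabled"]
    svc = SERVICE_RE.match(line)
    if svc:
        name, rest = svc.group("name"), svc.group("rest")
        path = _service_path(rest)
        low = path.lower()
        stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]   # file name without extension
        if rest.rstrip().endswith(("[?]", "[x]")):
            reasons.append("file_missing_on_disk")
        if "\\temp\\" in low or low.endswith(".tmp"):
            reasons.append("driver_in_temp_or_tmp")
        if "\\drivers\\" in low and stem and stem.lower() != name.lower():
            reasons.append("service_name_differs_from_driver_file")
        if looks_random(name) or looks_random(stem):
            reasons.append("random_looking_name")
        return reasons
    created = CREATED_RE.match(line)
    if created:
        path = created.group("path")
        low = path.lower()
        if "\\drivers\\" in low and low.endswith(".sys"):
            stem = path.rsplit("\\", 1)[-1][:-4]
            if looks_random(stem):
                reasons.append("new_driver_random_looking_name")
    return reasons


def triage(log_text: str) -> Dict[str, List[str]]:
    """Map every flagged line to its reasons; clean lines are left out."""
    findings: Dict[str, List[str]] = {}
    for line in log_text.splitlines():
        reasons = triage_line(line)
        if reasons:
            findings[line] = reasons
    return findings


if __name__ == "__main__":
    for flagged, why in triage(SAMPLE_LOG).items():
        print(f"{', '.join(why):<60} {flagged}")
```

Run it over a saved DDS log with `triage(open(path).read())`. The random-name heuristic is deliberately weak (vendor drivers such as mbamswissarmy.sys and motccgpfl.sys from the log above would also trip it), so it adds weight to a finding rather than deciding it, and the name-mismatch rule would likewise flag NETGEAR_WG511_SERVICE with wg511nd5.sys; the point is to put the handful of entries worth a closer look at the top of a long log, not to replace the helper's judgement.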

shelf life
2010-06-20, 17:37
Hi,

Your post is a few days old. If you still need help with the re-directs simply reply to my post.

nguyenpj
2010-06-22, 07:16
Hi Shelf Life,

I still need help. Please help. Current problems:

1. Firefox and IE browsers have a redirection problem, i.e., every time I click on a Google search I get redirected to some other website. Additionally, when the browser is sitting idle, a new tab will open with some advertisement website.

2. Also, I cannot do a Windows Update using either browser. I get a "failed connection/timeout - please check your internet connection" kind of error.

I have installed and run Symantec AV, Spybot, Trojan Remover, SuperAntiSpyware and Malwarebytes. Please help. Thanks.

shelf life
2010-06-23, 01:14
OK, we will get two downloads to use.

1) The first is ComboFix. There is a short guide to read first. Read the guide, download it to your desktop, then apply the directions on your own computer. After it's done it will produce a log. Save the log, then run #2 below:

Guide to using Combofix (http://www.bleepingcomputer.com/combofix/how-to-use-combofix)

2) Right after using ComboFix, download and run TDSSKiller. Link and directions:

Please download TDSS Killer.zip (http://support.kaspersky.com/downloads/utils/tdsskiller.zip) and save it to your desktop.
Extract the zip file to your desktop, then double-click it to start the utility.

When it's finished, press any key to continue.
If prompted, please reboot your computer.
The report will be generated in your root drive C:

Post the ComboFix log and the TDSSKiller log in your reply.

After using both of the above, please check Malwarebytes for updates and run it.

nguyenpj
2010-06-23, 10:01
Hi Shelf Life,

Thanks in advance for your help. Here are the logs you requested:

ComboFix 10-06-22.02 - Patrick 06/22/2010 22:21:28.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.634 [GMT -7:00]
Running from: h:\browserredirects\Safer_NetworkingForums\ShelfLife\ComboFix\ComboFix.exe
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
c:\documents and settings\All Users\Application Data\92264596.ini

.
((((((((((((((((((((((((( Files Created from 2010-05-23 to 2010-06-23 )))))))))))))))))))))))))))))))
.

2010-06-20 05:28 . 2010-02-28 03:46 3691384 -c--a-w- c:\documents and settings\Patrick\Application Data\Simply Super Software\Trojan Remover\scr8A.exe
2010-06-20 05:13 . 2006-06-19 19:01 69632 ----a-w- c:\windows\system32\ztvcabinet.dll
2010-06-20 05:13 . 2006-05-25 21:52 162304 ----a-w- c:\windows\system32\ztvunrar36.dll
2010-06-20 05:13 . 2005-08-26 07:50 77312 ----a-w- c:\windows\system32\ztvunace26.dll
2010-06-20 05:13 . 2002-03-06 07:00 75264 ----a-w- c:\windows\system32\unacev2.dll
2010-06-20 05:13 . 2003-02-03 02:06 153088 ----a-w- c:\windows\system32\UNRAR3.dll
2010-06-20 05:12 . 2010-06-20 05:13 -------- d-----w- c:\program files\Trojan Remover
2010-06-20 05:12 . 2010-06-20 05:12 -------- dc----w- c:\documents and settings\Patrick\Application Data\Simply Super Software
2010-06-20 05:12 . 2010-06-20 05:12 -------- dc----w- c:\documents and settings\All Users\Application Data\Simply Super Software
2010-06-17 15:39 . 2010-06-17 15:39 -------- d-----w- c:\program files\ERUNT
2010-06-17 15:16 . 2010-06-17 15:35 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-06-17 15:16 . 2010-06-17 15:31 -------- dc----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-06-16 03:52 . 2010-06-16 03:52 -------- dc----w- c:\documents and settings\NetworkService\Local Settings\Application Data\PCHealth
2010-06-13 19:55 . 2010-06-13 19:55 -------- dc----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
2010-06-11 07:50 . 2010-06-11 07:50 64512 ----a-w- c:\windows\system32\drivers\hatozsiw.sys
2010-06-11 04:03 . 2010-06-11 04:03 -------- dc----w- c:\documents and settings\Patrick\Local Settings\Application Data\PCHealth
2010-06-11 03:28 . 2010-06-11 03:28 64512 ----a-w- c:\windows\system32\drivers\kaybqagu.sys
2010-06-04 08:40 . 2010-06-04 08:40 43088 ---ha-w- c:\windows\system32\mlfcache.dat
2010-06-03 07:47 . 2009-06-18 19:55 18816 ------w- c:\windows\system32\SAVRKBootTasks.sys
2010-06-03 06:46 . 2010-06-03 06:46 -------- d-----w- c:\program files\Sophos
2010-05-31 02:16 . 2010-06-03 07:51 15944 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-05-31 02:08 . 2010-05-31 02:16 -------- dc----w- c:\documents and settings\All Users\Application Data\Hitman Pro
2010-05-31 02:08 . 2010-05-31 02:08 -------- d-----w- c:\program files\Hitman Pro 3.5
2010-05-29 06:29 . 2010-05-29 06:29 -------- dc----w- c:\documents and settings\NetworkService\Application Data\AdobeUM
2010-05-29 06:29 . 2010-05-29 21:23 -------- dc----w- c:\documents and settings\Patrick\Local Settings\Application Data\gcnaxehmr
2010-05-29 06:28 . 2010-05-29 06:29 -------- dc----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-05-28 19:56 . 2010-05-28 19:56 63488 -c--a-w- c:\documents and settings\Patrick\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
2010-05-28 15:10 . 2010-05-28 15:23 -------- d-----w- c:\program files\Acronis
2010-05-27 00:01 . 2010-05-27 02:43 -------- dc----w- c:\documents and settings\Patrick\Local Settings\Application Data\mnqdidvox
2010-05-26 18:18 . 2010-05-26 18:18 503808 -c--a-w- c:\documents and settings\Patrick\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-304837ba-n\msvcp71.dll
2010-05-26 18:18 . 2010-05-26 18:18 499712 -c--a-w- c:\documents and settings\Patrick\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-304837ba-n\jmc.dll
2010-05-26 18:18 . 2010-05-26 18:18 348160 -c--a-w- c:\documents and settings\Patrick\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-304837ba-n\msvcr71.dll
2010-05-26 18:18 . 2010-05-26 18:18 61440 -c--a-w- c:\documents and settings\Patrick\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-174707bb-n\decora-sse.dll
2010-05-26 18:18 . 2010-05-26 18:18 12800 -c--a-w- c:\documents and settings\Patrick\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-174707bb-n\decora-d3d.dll
2010-05-25 05:55 . 2010-05-25 06:47 -------- dc----w- c:\documents and settings\Patrick\Local Settings\Application Data\bxgfpmomu

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-23 05:19 . 2009-05-21 01:08 -------- d-----w- c:\program files\Symantec AntiVirus
2010-06-20 05:29 . 2009-05-21 01:56 -------- dc--a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-06-17 23:50 . 2009-07-23 02:20 -------- d-----w- c:\program files\LimeWire
2010-06-14 16:04 . 2009-05-21 04:07 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-06-13 20:54 . 2009-05-20 01:40 -------- d-----w- c:\program files\Java
2010-06-05 04:24 . 2008-06-06 00:41 -------- d-----w- c:\program files\Lexi-Comp, Inc
2010-06-04 16:47 . 2008-03-13 15:35 -------- d-----w- c:\program files\AIM
2010-05-29 20:08 . 2007-03-16 04:45 50936 -c--a-w- c:\documents and settings\Patrick\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-05-28 19:56 . 2009-11-22 21:04 117760 -c--a-w- c:\documents and settings\Patrick\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-05-28 15:52 . 2007-07-24 03:49 -------- d-----w- c:\program files\Common Files\InstallShield
2010-05-28 15:52 . 2009-11-12 16:28 -------- d-----w- c:\program files\Common Files\Roxio Shared
2010-05-28 15:36 . 2009-11-12 16:25 -------- d-----w- c:\program files\Common Files\Research In Motion
2010-05-28 15:36 . 2009-11-12 16:25 -------- d-----w- c:\program files\Research In Motion
2010-05-28 15:12 . 2010-01-01 03:35 -------- d-----w- c:\program files\Common Files\Acronis
2010-05-25 17:36 . 2010-04-22 09:04 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-24 15:39 . 2009-11-05 00:55 -------- dc----w- c:\documents and settings\Patrick\Application Data\IObit
2010-05-22 02:45 . 2008-02-27 23:15 -------- dc----w- c:\documents and settings\Patrick\Application Data\BitTorrent
2010-05-07 19:55 . 2010-05-07 19:55 255472 -c--a-w- c:\documents and settings\Patrick\Application Data\Mozilla\plugins\npgoogletalk.dll
2010-05-01 19:30 . 2009-12-08 06:03 2932 ----a-w- c:\windows\system32\d3d9caps.dat
2010-04-29 22:39 . 2010-04-22 09:04 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 22:39 . 2010-04-22 09:04 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-04-29 15:36 . 2007-07-24 03:49 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-04-22 05:02 . 2010-04-22 05:02 52224 -c--a-w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-04-22 05:02 . 2010-04-22 05:02 117760 -c--a-w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-04-22 04:31 . 2010-04-22 04:31 52224 -c--a-w- c:\documents and settings\Patrick\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-04-13 00:29 . 2010-05-03 14:48 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-04-03 21:52 . 2009-11-09 02:37 2592 -c--a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SmartRAM"="c:\program files\IObit\Advanced SystemCare 3\Sup_SmartRAM.exe" [2010-05-10 198864]
"Google Update"="c:\documents and settings\Patrick\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-11-03 135664]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LTWinModem1"="ltmsg.exe 9" [X]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-11-05 98394]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-11-05 688218]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2004-06-10 66680]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2004-10-06 161096]
"Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2008-04-23 483328]
"VX3000"="c:\windows\vVX3000.exe" [2009-06-26 757248]
"LifeCam"="c:\program files\Microsoft LifeCam\LifeExp.exe" [2009-07-24 118640]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-11-12 141600]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"TrojanScanner"="c:\program files\Trojan Remover\Trjscan.exe" [2010-02-28 1165192]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-7760-100000000002}\SC_Acrobat.exe [2009-9-21 25214]
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2009-8-30 113664]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 1 (0x1)
"NoFileAssociate"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\pchealth\\helpctr\\binaries\\helpctr.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeEnC2.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeTray.exe"=
"c:\\Documents and Settings\\Patrick\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
"c:\\Documents and Settings\\Patrick\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [11/11/2009 11:44 AM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [11/11/2009 11:44 AM 67656]
R1 SAVRKBootTasks;Boot Tasks Driver;c:\windows\system32\SAVRKBootTasks.sys [6/3/2010 12:47 AM 18816]
R2 IS360service;IS360service;c:\program files\IObit\IObit Security 360\is360srv.exe [6/4/2010 8:39 AM 311568]
R2 SBKUPNT;SBKUPNT;c:\windows\system32\drivers\SBKUPNT.SYS [12/10/2009 5:35 PM 14976]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [7/24/2009 8:59 AM 133104]
S2 pouxybxl;pouxybxl;\??\c:\windows\system32\drivers\fjghyeloy.sys --> c:\windows\system32\drivers\fjghyeloy.sys [?]
S3 AWINDIS5;AWINDIS5 Protocol Driver;c:\windows\system32\AWINDIS5.SYS [4/19/2010 8:47 AM 16194]
S3 cpuz128;cpuz128;\??\c:\docume~1\Patrick\LOCALS~1\Temp\cpuz_x32.sys --> c:\docume~1\Patrick\LOCALS~1\Temp\cpuz_x32.sys [?]
S3 DfSdkS;Defragmentation-Service;c:\program files\Ashampoo\Ashampoo WinOptimizer 2010 Advanced\DfSdkS.exe [12/17/2009 10:40 PM 406016]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\7F.tmp --> c:\windows\system32\7F.tmp [?]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [8/22/2008 12:49 AM 18688]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [8/22/2008 12:49 AM 8320]
S3 motport;Motorola USB Diagnostic Port;c:\windows\system32\drivers\motport.sys [6/18/2007 9:18 PM 23680]
S3 NDISKIO;NDISKIO;\??\c:\docume~1\Patrick\LOCALS~1\Temp\00000edd.nmc\nse\bin\ndiskio.sys --> c:\docume~1\Patrick\LOCALS~1\Temp\00000edd.nmc\nse\bin\ndiskio.sys [?]
S3 NETGEAR_WG511_SERVICE;NETGEAR WG511T Wireless Adapter Service;c:\windows\system32\DRIVERS\wg511nd5.sys --> c:\windows\system32\DRIVERS\wg511nd5.sys [?]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [11/11/2009 11:44 AM 12872]
S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [10/6/2004 3:56 PM 173392]
S3 ZD1211U(WLAN);IEEE 802.11g USB Wireless LAN Driver(WLAN);c:\windows\system32\drivers\ZD1211U.sys [3/11/2008 10:39 AM 273408]
.
Contents of the 'Scheduled Tasks' folder

2010-06-23 c:\windows\Tasks\AWC AutoSweep.job
- c:\program files\IObit\Advanced SystemCare 3\AutoSweep.exe [2009-11-05 21:11]

2010-06-17 c:\windows\Tasks\AWC Update.job
- c:\program files\IObit\Advanced SystemCare 3\IObitUpdate.exe [2009-11-05 00:20]

2010-06-23 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-07-24 15:59]

2010-06-22 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-07-24 15:59]

2010-06-22 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-861567501-484763869-1708537768-1003Core.job
- c:\documents and settings\Patrick\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-11-09 02:04]

2010-06-23 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-861567501-484763869-1708537768-1003UA.job
- c:\documents and settings\Patrick\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-11-09 02:04]

2009-10-27 c:\windows\Tasks\Microsoft_Hardware_Launch_LifeExp_exe.job
- c:\program files\Microsoft LifeCam\LifeExp.exe [2009-07-24 20:05]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/ig?hl=en
uInternet Connection Wizard,ShellNext = iexplore
FF - ProfilePath - c:\documents and settings\Patrick\Application Data\Mozilla\Firefox\Profiles\ffl1jfeg.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig?hl=en
FF - component: c:\program files\Google\Google Gears\Firefox\lib\ff36\gears.dll
FF - plugin: c:\documents and settings\Patrick\Application Data\Mozilla\Firefox\Profiles\ffl1jfeg.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp07076007.dll
FF - plugin: c:\documents and settings\Patrick\Application Data\Mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\Patrick\Local Settings\Application Data\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: browser.blink_allowed - true
FF - user.js: browser.cache.memory.capacity - 16000
FF - user.js: browser.chrome.favicons - false
FF - user.js: browser.display.show_image_placeholders - true
FF - user.js: browser.search.openintab - false
FF - user.js: browser.tabs.closeButtons - 1
FF - user.js: browser.tabs.opentabfor.middleclick - true
FF - user.js: browser.tabs.tabMinWidth - 100
FF - user.js: browser.turbo.enabled - true
FF - user.js: browser.urlbar.autocomplete.enabled - true
FF - user.js: browser.urlbar.autofill - true
FF - user.js: browser.urlbar.autoFill - true
FF - user.js: browser.urlbar.hideGoButton - true
FF - user.js: content.max.tokenizing.time - 3000000
FF - user.js: content.maxtextrun - 4095
FF - user.js: content.notify.backoffcount - 5
FF - user.js: content.notify.interval - 1000000
FF - user.js: content.notify.ontimer - true
FF - user.js: content.switch.threshold - 1000000
FF - user.js: dom.disable_window_status_change - true
FF - user.js: layout.spellcheckDefault - 1
FF - user.js: network.http.max-connections - 48
FF - user.js: network.http.max-connections-per-server - 16
FF - user.js: network.http.max-persistent-connections-per-proxy - 16
FF - user.js: network.http.max-persistent-connections-per-server - 8
FF - user.js: network.http.pipelining - true
FF - user.js: network.http.pipelining.firstrequest - true
FF - user.js: network.http.pipelining.maxrequests - 8
FF - user.js: network.http.proxy.pipelining - true
FF - user.js: network.http.request.max-start-delay - 0
FF - user.js: network.prefetch-next - true
FF - user.js: nglayout.initialpaint.delay - 1000
FF - user.js: plugin.expose_full_path - true
FF - user.js: ui.submenuDelay - 0
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-22 22:30
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\7F.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Environment*]
"Licence0"="REMOVED"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(880)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(2336)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-06-22 22:36:10
ComboFix-quarantined-files.txt 2010-06-23 05:36

Pre-Run: 26,625,916,928 bytes free
Post-Run: 26,620,162,048 bytes free

- - End Of File - - DFB001B53E04688389C867AFD4931EEB


22:40:56:773 0652 TDSS rootkit removing tool 2.3.2.0 May 31 2010 10:39:48
22:40:56:773 0652 ================================================================================
22:40:56:773 0652 SystemInfo:

22:40:56:773 0652 OS Version: 5.1.2600 ServicePack: 3.0
22:40:56:773 0652 Product type: Workstation
22:40:56:773 0652 ComputerName: ROTTENTOOTH
22:40:56:773 0652 UserName: Patrick
22:40:56:773 0652 Windows directory: C:\Windows
22:40:56:773 0652 Processor architecture: Intel x86
22:40:56:773 0652 Number of processors: 1
22:40:56:783 0652 Page size: 0x1000
22:40:56:803 0652 Boot type: Normal boot
22:40:56:803 0652 ================================================================================
22:40:57:264 0652 Initialize success
22:40:57:264 0652
22:40:57:264 0652 Scanning Services ...
22:40:57:744 0652 Raw services enum returned 382 services
22:40:57:754 0652
22:40:57:754 0652 Scanning Drivers ...
22:40:58:345 0652 ac97intc (0f2d66d5f08ebe2f77bb904288dcf6f0) C:\Windows\system32\drivers\ac97intc.sys
22:40:58:435 0652 ACPI (8fd99680a539792a30e97944fdaecf17) C:\Windows\system32\DRIVERS\ACPI.sys
22:40:58:485 0652 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\Windows\system32\drivers\ACPIEC.sys
22:40:58:565 0652 aec (8bed39e3c35d6a489438b8141717a557) C:\Windows\system32\drivers\aec.sys
22:40:58:646 0652 AFD (7e775010ef291da96ad17ca4b17137d7) C:\Windows\System32\drivers\afd.sys
22:40:58:696 0652 agp440 (08fd04aa961bdc77fb983f328334e3d7) C:\Windows\system32\DRIVERS\agp440.sys
22:40:58:846 0652 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\Windows\system32\DRIVERS\asyncmac.sys
22:40:58:896 0652 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\Windows\system32\DRIVERS\atapi.sys
22:40:58:996 0652 ati2mtag (83f24e252908e59c4a7ef203bf7f4c02) C:\Windows\system32\DRIVERS\ati2mtag.sys
22:40:59:046 0652 Atmarpc (9916c1225104ba14794209cfa8012159) C:\Windows\system32\DRIVERS\atmarpc.sys
22:40:59:086 0652 audstub (d9f724aa26c010a217c97606b160ed68) C:\Windows\system32\DRIVERS\audstub.sys
22:40:59:136 0652 AWINDIS5 (f62b70d3209e38a6c19a03109a25b903) C:\Windows\system32\AWINDIS5.SYS
22:40:59:186 0652 BCM43XX (e7debb46b9ef1f28932e533be4a3d1a9) C:\Windows\system32\DRIVERS\bcmwl5.sys
22:40:59:236 0652 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\Windows\system32\drivers\Beep.sys
22:40:59:357 0652 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\Windows\system32\drivers\cbidf2k.sys
22:40:59:397 0652 CCDECODE (0be5aef125be881c4f854c554f2b025c) C:\Windows\system32\DRIVERS\CCDECODE.sys
22:40:59:427 0652 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\Windows\system32\drivers\Cdaudio.sys
22:40:59:497 0652 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\Windows\system32\drivers\Cdfs.sys
22:40:59:587 0652 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\Windows\system32\DRIVERS\cdrom.sys
22:40:59:627 0652 CmBatt (0f6c187d38d98f8df904589a5f94d411) C:\Windows\system32\DRIVERS\CmBatt.sys
22:40:59:677 0652 Compbatt (6e4c9f21f0fae8940661144f41b13203) C:\Windows\system32\DRIVERS\compbatt.sys
22:40:59:837 0652 Disk (044452051f3e02e7963599fc8f4f3e25) C:\Windows\system32\DRIVERS\disk.sys
22:40:59:877 0652 dmboot (d992fe1274bde0f84ad826acae022a41) C:\Windows\system32\drivers\dmboot.sys
22:40:59:957 0652 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\Windows\system32\drivers\dmio.sys
22:40:59:987 0652 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\Windows\system32\drivers\dmload.sys
22:41:00:007 0652 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\Windows\system32\drivers\DMusic.sys
22:41:00:038 0652 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\Windows\system32\drivers\drmkaud.sys
22:41:00:098 0652 E100B (3fca03cbca11269f973b70fa483c88ef) C:\Windows\system32\DRIVERS\e100b325.sys
22:41:00:138 0652 Fastfat (38d332a6d56af32635675f132548343e) C:\Windows\system32\drivers\Fastfat.sys
22:41:00:168 0652 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\Windows\system32\DRIVERS\fdc.sys
22:41:00:188 0652 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\Windows\system32\drivers\Fips.sys
22:41:00:218 0652 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\Windows\system32\drivers\Flpydisk.sys
22:41:00:288 0652 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\Windows\system32\drivers\fltmgr.sys
22:41:00:328 0652 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\Windows\system32\drivers\Fs_Rec.sys
22:41:00:378 0652 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\Windows\system32\DRIVERS\ftdisk.sys
22:41:00:488 0652 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\Windows\system32\DRIVERS\GEARAspiWDM.sys
22:41:00:568 0652 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\Windows\system32\DRIVERS\msgpc.sys
22:41:00:598 0652 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\Windows\system32\DRIVERS\hidusb.sys
22:41:00:648 0652 HPZid412 (30ca91e657cede2f95359d6ef186f650) C:\Windows\system32\DRIVERS\HPZid412.sys
22:41:00:698 0652 HPZipr12 (efd31afa752aa7c7bbb57bcbe2b01c78) C:\Windows\system32\DRIVERS\HPZipr12.sys
22:41:00:718 0652 HPZius12 (7ac43c38ca8fd7ed0b0a4466f753e06e) C:\Windows\system32\DRIVERS\HPZius12.sys
22:41:00:769 0652 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\Windows\system32\Drivers\HTTP.sys
22:41:00:899 0652 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\Windows\system32\DRIVERS\i8042prt.sys
22:41:00:939 0652 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\Windows\system32\DRIVERS\imapi.sys
22:41:00:999 0652 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\Windows\system32\DRIVERS\intelide.sys
22:41:01:049 0652 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\Windows\system32\DRIVERS\intelppm.sys
22:41:01:099 0652 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\Windows\system32\drivers\ip6fw.sys
22:41:01:139 0652 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\Windows\system32\DRIVERS\ipfltdrv.sys
22:41:01:169 0652 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\Windows\system32\DRIVERS\ipinip.sys
22:41:01:189 0652 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\Windows\system32\DRIVERS\ipnat.sys
22:41:01:249 0652 IPSec (23c74d75e36e7158768dd63d92789a91) C:\Windows\system32\DRIVERS\ipsec.sys
22:41:01:279 0652 irda (aca5e7b54409f9cb5eed97ed0c81120e) C:\Windows\system32\DRIVERS\irda.sys
22:41:01:309 0652 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\Windows\system32\DRIVERS\irenum.sys
22:41:01:339 0652 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\Windows\system32\DRIVERS\isapnp.sys
22:41:01:369 0652 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\Windows\system32\DRIVERS\kbdclass.sys
22:41:01:419 0652 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\Windows\system32\DRIVERS\kbdhid.sys
22:41:01:460 0652 klmd23 (67e1faa88fb397b3d56909d7e04f4dd3) C:\Windows\system32\drivers\klmd.sys
22:41:01:530 0652 kmixer (692bcf44383d056aed41b045a323d378) C:\Windows\system32\drivers\kmixer.sys
22:41:01:590 0652 KSecDD (b467646c54cc746128904e1654c750c1) C:\Windows\system32\drivers\KSecDD.sys
22:41:01:680 0652 ltmodem5 (829ef680a308c12e2a80e5e0da0d958d) C:\Windows\system32\DRIVERS\ltmdmxp.sys
22:41:01:740 0652 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\Windows\system32\drivers\mnmdd.sys
22:41:01:750 0652 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\Windows\system32\drivers\Modem.sys
22:41:01:780 0652 motccgp (201bfc4ef8b33d02d133fbf6535e515b) C:\Windows\system32\DRIVERS\motccgp.sys
22:41:01:800 0652 motccgpfl (d0242a3832eb7c97801bb25889561e23) C:\Windows\system32\DRIVERS\motccgpfl.sys
22:41:01:820 0652 motmodem (fe80c18ba448ddd76b7bead9eb203d37) C:\Windows\system32\DRIVERS\motmodem.sys
22:41:02:060 0652 motport (fe80c18ba448ddd76b7bead9eb203d37) C:\Windows\system32\DRIVERS\motport.sys
22:41:02:221 0652 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\Windows\system32\DRIVERS\mouclass.sys
22:41:02:261 0652 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\Windows\system32\DRIVERS\mouhid.sys
22:41:02:301 0652 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\Windows\system32\drivers\MountMgr.sys
22:41:02:351 0652 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\Windows\system32\DRIVERS\mrxdav.sys
22:41:02:451 0652 MRxSmb (f3aefb11abc521122b67095044169e98) C:\Windows\system32\DRIVERS\mrxsmb.sys
22:41:02:501 0652 Msfs (c941ea2454ba8350021d774daf0f1027) C:\Windows\system32\drivers\Msfs.sys
22:41:02:541 0652 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\Windows\system32\drivers\MSKSSRV.sys
22:41:02:571 0652 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\Windows\system32\drivers\MSPCLOCK.sys
22:41:02:581 0652 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\Windows\system32\drivers\MSPQM.sys
22:41:02:611 0652 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\Windows\system32\DRIVERS\mssmbios.sys
22:41:02:661 0652 MSTEE (e53736a9e30c45fa9e7b5eac55056d1d) C:\Windows\system32\drivers\MSTEE.sys
22:41:02:691 0652 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\Windows\system32\drivers\Mup.sys
22:41:02:741 0652 NABTSFEC (5b50f1b2a2ed47d560577b221da734db) C:\Windows\system32\DRIVERS\NABTSFEC.sys
22:41:02:852 0652 NAVENG (83518e6cc82bdc3c3db0c12d1c9a2275) C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20100619.005\naveng.sys
22:41:02:922 0652 NAVEX15 (85cf37740fe06c7a2eaa7f6c81f0819c) C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20100619.005\navex15.sys
22:41:03:042 0652 NDIS (1df7f42665c94b825322fae71721130d) C:\Windows\system32\drivers\NDIS.sys
22:41:03:082 0652 NdisIP (7ff1f1fd8609c149aa432f95a8163d97) C:\Windows\system32\DRIVERS\NdisIP.sys
22:41:03:232 0652 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\Windows\system32\DRIVERS\ndistapi.sys
22:41:03:262 0652 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\Windows\system32\DRIVERS\ndisuio.sys
22:41:03:282 0652 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\Windows\system32\DRIVERS\ndiswan.sys
22:41:03:312 0652 NDProxy (6215023940cfd3702b46abc304e1d45a) C:\Windows\system32\drivers\NDProxy.sys
22:41:03:372 0652 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\Windows\system32\DRIVERS\netbios.sys
22:41:03:432 0652 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\Windows\system32\DRIVERS\netbt.sys
22:41:03:482 0652 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\Windows\system32\drivers\Npfs.sys
22:41:03:563 0652 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\Windows\system32\drivers\Ntfs.sys
22:41:03:623 0652 NuidFltr (cf7e041663119e09d2e118521ada9300) C:\Windows\system32\DRIVERS\NuidFltr.sys
22:41:03:643 0652 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\Windows\system32\drivers\Null.sys
22:41:03:693 0652 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\Windows\system32\DRIVERS\nwlnkflt.sys
22:41:03:703 0652 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\Windows\system32\DRIVERS\nwlnkfwd.sys
22:41:03:733 0652 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\Windows\system32\DRIVERS\parport.sys
22:41:03:753 0652 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\Windows\system32\drivers\PartMgr.sys
22:41:03:783 0652 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\Windows\system32\drivers\ParVdm.sys
22:41:03:843 0652 PCI (a219903ccf74233761d92bef471a07b1) C:\Windows\system32\DRIVERS\pci.sys
22:41:03:973 0652 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\Windows\system32\DRIVERS\pcmcia.sys
22:41:04:093 0652 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\Windows\system32\DRIVERS\raspptp.sys
22:41:04:113 0652 PSched (09298ec810b07e5d582cb3a3f9255424) C:\Windows\system32\DRIVERS\psched.sys
22:41:04:133 0652 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\Windows\system32\DRIVERS\ptilink.sys
22:41:04:173 0652 PxHelp20 (153d02480a0a2f45785522e814c634b6) C:\Windows\system32\Drivers\PxHelp20.sys
22:41:04:284 0652 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\Windows\system32\DRIVERS\rasacd.sys
22:41:04:334 0652 Rasirda (0207d26ddf796a193ccd9f83047bb5fc) C:\Windows\system32\DRIVERS\rasirda.sys
22:41:04:344 0652 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\Windows\system32\DRIVERS\rasl2tp.sys
22:41:04:364 0652 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\Windows\system32\DRIVERS\raspppoe.sys
22:41:04:384 0652 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\Windows\system32\DRIVERS\raspti.sys
22:41:04:454 0652 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\Windows\system32\DRIVERS\rdbss.sys
22:41:04:484 0652 RDPCDD (4912d5b403614ce99c28420f75353332) C:\Windows\system32\DRIVERS\RDPCDD.sys
22:41:04:544 0652 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\Windows\system32\DRIVERS\rdpdr.sys
22:41:04:594 0652 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\Windows\system32\drivers\RDPWD.sys
22:41:04:654 0652 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\Windows\system32\DRIVERS\redbook.sys
22:41:04:704 0652 RimVSerPort (2c4fb2e9f039287767c384e46ee91030) C:\Windows\system32\DRIVERS\RimSerial.sys
22:41:04:744 0652 ROOTMODEM (d8b0b4ade32574b2d9c5cc34dc0dbbe7) C:\Windows\system32\Drivers\RootMdm.sys
22:41:04:804 0652 SASDIFSV (a3281aec37e0720a2bc28034c2df2a56) C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
22:41:04:824 0652 SASENUM (7ce61c25c159f50f9eaf6d77fc83fa35) C:\Program Files\SUPERAntiSpyware\SASENUM.SYS
22:41:04:854 0652 SASKUTIL (61db0d0756a99506207fd724e3692b25) C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys
22:41:04:905 0652 SAVRKBootTasks (68de5b1e82d3dd10f5f6169522c7c88a) C:\Windows\system32\SAVRKBootTasks.sys
22:41:05:005 0652 SAVRT (c8023be4dda22a52cd2f60d9cb9b3985) C:\Program Files\Symantec AntiVirus\savrt.sys
22:41:05:015 0652 SAVRTPEL (30547fd7692dc799a0b397b2b918a158) C:\Program Files\Symantec AntiVirus\Savrtpel.sys
22:41:05:055 0652 SBKUPNT (729248b54aff21e740054acebfdbcb1c) C:\Windows\system32\Drivers\SBKUPNT.SYS
22:41:05:115 0652 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\Windows\system32\DRIVERS\secdrv.sys
22:41:05:165 0652 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\Windows\system32\DRIVERS\serenum.sys
22:41:05:245 0652 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\Windows\system32\DRIVERS\serial.sys
22:41:05:275 0652 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\Windows\system32\DRIVERS\sfloppy.sys
22:41:05:325 0652 SLIP (866d538ebe33709a5c9f5c62b73b7d14) C:\Windows\system32\DRIVERS\SLIP.sys
22:41:05:355 0652 SMCIRDA (707647a1aa0edb6cbef61b0c75c28ed3) C:\Windows\system32\DRIVERS\smcirda.sys
22:41:05:405 0652 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\Windows\system32\drivers\splitter.sys
22:41:05:465 0652 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\Windows\system32\DRIVERS\sr.sys
22:41:05:545 0652 Srv (89220b427890aa1dffd1a02648ae51c3) C:\Windows\system32\DRIVERS\srv.sys
22:41:05:596 0652 streamip (77813007ba6265c4b6098187e6ed79d2) C:\Windows\system32\DRIVERS\StreamIP.sys
22:41:05:616 0652 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\Windows\system32\DRIVERS\swenum.sys
22:41:05:636 0652 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\Windows\system32\drivers\swmidi.sys
22:41:05:716 0652 SymEvent (42123611a49c33536ab29bdd852a9f5e) C:\Program Files\Symantec\SYMEVENT.SYS
22:41:05:756 0652 SYMREDRV (8ddb430ea48468c156db872a214178fc) C:\Windows\System32\Drivers\SYMREDRV.SYS
22:41:05:846 0652 SYMTDI (ec1a39493fb104d317e8271162a74b94) C:\Windows\System32\Drivers\SYMTDI.SYS
22:41:05:946 0652 SynTP (23fe1f173996b8bad4b9ed74003676d8) C:\Windows\system32\DRIVERS\SynTP.sys
22:41:05:996 0652 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\Windows\system32\drivers\sysaudio.sys
22:41:06:106 0652 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\Windows\system32\DRIVERS\tcpip.sys
22:41:06:136 0652 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\Windows\system32\drivers\TDPIPE.sys
22:41:06:176 0652 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\Windows\system32\drivers\TDTCP.sys
22:41:06:226 0652 TermDD (88155247177638048422893737429d9e) C:\Windows\system32\DRIVERS\termdd.sys
22:41:06:266 0652 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\Windows\system32\drivers\Udfs.sys
22:41:06:327 0652 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\Windows\system32\DRIVERS\update.sys
22:41:06:387 0652 USBAAPL (1df89c499bf45d878b87ebd4421d462d) C:\Windows\system32\Drivers\usbaapl.sys
22:41:06:447 0652 usbaudio (e919708db44ed8543a7c017953148330) C:\Windows\system32\drivers\usbaudio.sys
22:41:06:477 0652 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\Windows\system32\DRIVERS\usbccgp.sys
22:41:06:547 0652 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\Windows\system32\DRIVERS\usbehci.sys
22:41:06:557 0652 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\Windows\system32\DRIVERS\usbhub.sys
22:41:06:587 0652 usbohci (0daecce65366ea32b162f85f07c6753b) C:\Windows\system32\DRIVERS\usbohci.sys
22:41:06:617 0652 usbprint (a717c8721046828520c9edf31288fc00) C:\Windows\system32\DRIVERS\usbprint.sys
22:41:06:637 0652 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\Windows\system32\DRIVERS\usbscan.sys
22:41:06:667 0652 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\Windows\system32\DRIVERS\USBSTOR.SYS
22:41:06:717 0652 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\Windows\System32\drivers\vga.sys
22:41:06:767 0652 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\Windows\system32\drivers\VolSnap.sys
22:41:06:877 0652 VX3000 (42870675b4d84acd81a9da69b83f14c5) C:\Windows\system32\DRIVERS\VX3000.sys
22:41:06:988 0652 W8335XP (738244934c71118a21f8d678067d057d) C:\Windows\system32\DRIVERS\WG511v2XP.sys
22:41:07:018 0652 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\Windows\system32\DRIVERS\wanarp.sys
22:41:07:068 0652 wceusbsh (46a247f6617526afe38b6f12f5512120) C:\Windows\system32\DRIVERS\wceusbsh.sys
22:41:07:128 0652 Wdf01000 (fd47474bd21794508af449d9d91af6e6) C:\Windows\system32\DRIVERS\Wdf01000.sys
22:41:07:178 0652 wdmaud (6768acf64b18196494413695f0c3a00f) C:\Windows\system32\drivers\wdmaud.sys
22:41:07:228 0652 WmiAcpi (c42584fd66ce9e17403aebca199f7bdb) C:\Windows\system32\DRIVERS\wmiacpi.sys
22:41:07:288 0652 WSTCODEC (c98b39829c2bbd34e454150633c62c78) C:\Windows\system32\DRIVERS\WSTCODEC.SYS
22:41:07:338 0652 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\Windows\system32\DRIVERS\WudfPf.sys
22:41:07:358 0652 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\Windows\system32\DRIVERS\wudfrd.sys
22:41:07:398 0652 ZD1211U(WLAN) (4fee08bf688aaf439709ac767947119e) C:\Windows\system32\DRIVERS\zd1211u.sys
22:41:07:458 0652 ZDPNDIS5 (29c917279d79848b3dd94909fc00e2a8) C:\WINDOWS\system32\ZDPNDIS5.SYS
22:41:07:468 0652
22:41:07:468 0652 Completed
22:41:07:468 0652
22:41:07:468 0652 Results:
22:41:07:468 0652 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
22:41:07:468 0652 File objects infected / cured / cured on reboot: 0 / 0 / 0
22:41:07:468 0652
22:41:07:468 0652 KLMD(ARK) unloaded successfully


Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4227

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.11

6/22/2010 11:30:57 PM
mbam-log-2010-06-22 (23-30-57).txt

Scan type: Full scan (C:\|D:\|E:\|F:\|)
Objects scanned: 200268
Time elapsed: 47 minute(s), 25 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

shelf life
2010-06-24, 00:11
OK, thanks for the info. First we will use ComboFix again:

Click Start, then Run, type Notepad and click OK. Notepad will open.
Copy/paste the text in the code box below into Notepad:

Driver::
fjghyeloy.sys

Name the Notepad file CFScript.txt and save it to your desktop.
Now locate the file you just saved and the ComboFix icon, both on your desktop.
Using your mouse, drag the CFScript right on top of the ComboFix icon and release; ComboFix will run and produce a new log. Please post the new log in your reply.
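
The helper above picked one driver out of the long R*/S* service block in the ComboFix log. The script below is an added example for this thread, not code from the thread, from ComboFix or from the helper: it parses that service block and reports the entries a person would look at first, namely drivers for which ComboFix printed "[?]" (no file information), drivers loading from a Temp folder or from a .tmp image, and random-looking lower-case names. The sample lines are copied from the log posted earlier in the thread; the line format is read off those lines, and the checks are heuristics chosen for this illustration, not ComboFix's own rules.

```python
"""Triage of the R*/S* service lines in a ComboFix log.

Added example for this thread, not code from the thread or from ComboFix.
It parses the service block (the lines that begin R0-R3 / S0-S4) and reports
the entries a helper would look at first. The sample lines are copied from
the log posted above; the checks are heuristics, not verdicts.
"""
import re
from dataclasses import dataclass, field

# Format of one line (read off the posted log):
#   <R|S><start> <name>;<display>;<image spec> [<stamp>]
#   R = running, S = stopped; start = Windows start type (0 boot ... 4 disabled).
#   <image spec> is "path [date time size]" when the file was found, or
#   "\??\path --> path [?]" when ComboFix could not get file information.
SERVICE_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>[0-4])\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.+)$"
)

# Copied from the ComboFix log posted above (services section).
SAMPLE_LINES = [
    r"R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [11/11/2009 11:44 AM 12872]",
    r"S2 pouxybxl;pouxybxl;\??\c:\windows\system32\drivers\fjghyeloy.sys --> c:\windows\system32\drivers\fjghyeloy.sys [?]",
    r"S3 cpuz128;cpuz128;\??\c:\docume~1\Patrick\LOCALS~1\Temp\cpuz_x32.sys --> c:\docume~1\Patrick\LOCALS~1\Temp\cpuz_x32.sys [?]",
    r"S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\7F.tmp --> c:\windows\system32\7F.tmp [?]",
    r"S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [8/22/2008 12:49 AM 18688]",
    r"S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [10/6/2004 3:56 PM 173392]",
]


@dataclass
class Service:
    state: str        # "R" running or "S" stopped
    start: int        # Windows start type
    name: str         # service key name under HKLM\...\Services
    display: str
    path: str         # on-disk path (the part after "-->" when present)
    file_seen: bool   # False when the stamp is "[?]"
    reasons: list = field(default_factory=list)


def parse_service(line):
    """Return a Service for one ComboFix service line, or None if it is not one."""
    m = SERVICE_RE.match(line.strip())
    if not m:
        return None
    spec, _, stamp = m.group("rest").rpartition(" [")
    if "-->" in spec:                      # "\??\x --> x" form: keep the resolved path
        spec = spec.split("-->", 1)[1].strip()
    return Service(m.group("state"), int(m.group("start")), m.group("name"),
                   m.group("display"), spec, stamp.rstrip("]") != "?")


def looks_random(name):
    """Weak heuristic (an assumption of this example): lower-case letters only,
    8+ characters, containing a run of 3+ non-vowels."""
    if len(name) < 8 or not name.isalpha() or not name.islower():
        return False
    return re.search(r"[^aeiou]{3,}", name) is not None


def triage(svc):
    """Attach human-readable reasons to a Service; an empty list means nothing stood out."""
    low = svc.path.lower()
    if not svc.file_seen:
        svc.reasons.append("ComboFix found no file information ([?]): missing or hidden image")
    if "\\temp\\" in low:
        svc.reasons.append("image loads from a Temp directory")
    if low.endswith(".tmp"):
        svc.reasons.append("image has a .tmp extension")
    if looks_random(svc.name):
        svc.reasons.append("random-looking service name")
    return svc


def triage_log(lines):
    """Parse every service line in `lines`; return {name: [reasons]} for the flagged ones."""
    flagged = {}
    for line in lines:
        svc = parse_service(line)
        if svc is not None and triage(svc).reasons:
            flagged[svc.name] = svc.reasons
    return flagged


if __name__ == "__main__":
    for name, reasons in triage_log(SAMPLE_LINES).items():
        print(name)
        for reason in reasons:
            print("   -", reason)
```

On the sample above this flags pouxybxl (the fjghyeloy.sys entry the helper targeted), cpuz128 and MEMSWEEP2, and leaves the SUPERAntiSpyware, Motorola and Symantec entries alone. A flagged entry is a lead, not a verdict: the helper's script removes only the fjghyeloy.sys driver, and the other two hits are exactly the kind of entry a person has to weigh against what the user says is installed before putting anything in a CFScript.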

nguyenpj
2010-06-24, 05:54
Hi Shelflife,

I re-ran ComboFix per your instructions. The following is the log:
ComboFix 10-06-23.02 - Patrick 06/23/2010 19:33:51.3.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.569 [GMT -7:00]
Running from: c:\documents and settings\Patrick\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Patrick\Desktop\CFScript.txt
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2010-05-24 to 2010-06-24 )))))))))))))))))))))))))))))))
.

2010-06-24 02:30 . 2010-06-24 02:30 -------- d-----w- c:\windows\LastGood
2010-06-20 05:28 . 2010-02-28 03:46 3691384 -c--a-w- c:\documents and settings\Patrick\Application Data\Simply Super Software\Trojan Remover\scr8A.exe
2010-06-20 05:13 . 2006-06-19 19:01 69632 ----a-w- c:\windows\system32\ztvcabinet.dll
2010-06-20 05:13 . 2006-05-25 21:52 162304 ----a-w- c:\windows\system32\ztvunrar36.dll
2010-06-20 05:13 . 2005-08-26 07:50 77312 ----a-w- c:\windows\system32\ztvunace26.dll
2010-06-20 05:13 . 2002-03-06 07:00 75264 ----a-w- c:\windows\system32\unacev2.dll
2010-06-20 05:13 . 2003-02-03 02:06 153088 ----a-w- c:\windows\system32\UNRAR3.dll
2010-06-20 05:12 . 2010-06-20 05:13 -------- d-----w- c:\program files\Trojan Remover
2010-06-20 05:12 . 2010-06-20 05:12 -------- dc----w- c:\documents and settings\Patrick\Application Data\Simply Super Software
2010-06-20 05:12 . 2010-06-20 05:12 -------- dc----w- c:\documents and settings\All Users\Application Data\Simply Super Software
2010-06-17 15:39 . 2010-06-17 15:39 -------- d-----w- c:\program files\ERUNT
2010-06-17 15:16 . 2010-06-17 15:35 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-06-17 15:16 . 2010-06-17 15:31 -------- dc----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-06-16 03:52 . 2010-06-16 03:52 -------- dc----w- c:\documents and settings\NetworkService\Local Settings\Application Data\PCHealth
2010-06-13 19:55 . 2010-06-13 19:55 -------- dc----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
2010-06-11 07:50 . 2010-06-11 07:50 64512 ----a-w- c:\windows\system32\drivers\hatozsiw.sys
2010-06-11 04:03 . 2010-06-11 04:03 -------- dc----w- c:\documents and settings\Patrick\Local Settings\Application Data\PCHealth
2010-06-11 03:28 . 2010-06-11 03:28 64512 ----a-w- c:\windows\system32\drivers\kaybqagu.sys
2010-06-04 08:40 . 2010-06-04 08:40 43088 ---ha-w- c:\windows\system32\mlfcache.dat
2010-06-03 07:47 . 2009-06-18 19:55 18816 ------w- c:\windows\system32\SAVRKBootTasks.sys
2010-06-03 06:46 . 2010-06-03 06:46 -------- d-----w- c:\program files\Sophos
2010-05-31 02:16 . 2010-06-03 07:51 15944 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-05-31 02:08 . 2010-05-31 02:16 -------- dc----w- c:\documents and settings\All Users\Application Data\Hitman Pro
2010-05-31 02:08 . 2010-05-31 02:08 -------- d-----w- c:\program files\Hitman Pro 3.5
2010-05-29 06:29 . 2010-05-29 06:29 -------- dc----w- c:\documents and settings\NetworkService\Application Data\AdobeUM
2010-05-29 06:29 . 2010-05-29 21:23 -------- dc----w- c:\documents and settings\Patrick\Local Settings\Application Data\gcnaxehmr
2010-05-29 06:28 . 2010-05-29 06:29 -------- dc----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-05-28 19:56 . 2010-05-28 19:56 63488 -c--a-w- c:\documents and settings\Patrick\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
2010-05-28 15:10 . 2010-05-28 15:23 -------- d-----w- c:\program files\Acronis
2010-05-27 00:01 . 2010-05-27 02:43 -------- dc----w- c:\documents and settings\Patrick\Local Settings\Application Data\mnqdidvox
2010-05-26 18:18 . 2010-05-26 18:18 503808 -c--a-w- c:\documents and settings\Patrick\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-304837ba-n\msvcp71.dll
2010-05-26 18:18 . 2010-05-26 18:18 499712 -c--a-w- c:\documents and settings\Patrick\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-304837ba-n\jmc.dll
2010-05-26 18:18 . 2010-05-26 18:18 348160 -c--a-w- c:\documents and settings\Patrick\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-304837ba-n\msvcr71.dll
2010-05-26 18:18 . 2010-05-26 18:18 61440 -c--a-w- c:\documents and settings\Patrick\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-174707bb-n\decora-sse.dll
2010-05-26 18:18 . 2010-05-26 18:18 12800 -c--a-w- c:\documents and settings\Patrick\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-174707bb-n\decora-d3d.dll
2010-05-25 05:55 . 2010-05-25 06:47 -------- dc----w- c:\documents and settings\Patrick\Local Settings\Application Data\bxgfpmomu

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-24 02:29 . 2009-05-21 01:08 -------- d-----w- c:\program files\Symantec AntiVirus
2010-06-20 05:29 . 2009-05-21 01:56 -------- dc--a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-06-17 23:50 . 2009-07-23 02:20 -------- d-----w- c:\program files\LimeWire
2010-06-14 16:04 . 2009-05-21 04:07 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-06-13 20:54 . 2009-05-20 01:40 -------- d-----w- c:\program files\Java
2010-06-05 04:24 . 2008-06-06 00:41 -------- d-----w- c:\program files\Lexi-Comp, Inc
2010-06-04 16:47 . 2008-03-13 15:35 -------- d-----w- c:\program files\AIM
2010-05-29 20:08 . 2007-03-16 04:45 50936 -c--a-w- c:\documents and settings\Patrick\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-05-28 19:56 . 2009-11-22 21:04 117760 -c--a-w- c:\documents and settings\Patrick\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-05-28 15:52 . 2007-07-24 03:49 -------- d-----w- c:\program files\Common Files\InstallShield
2010-05-28 15:52 . 2009-11-12 16:28 -------- d-----w- c:\program files\Common Files\Roxio Shared
2010-05-28 15:36 . 2009-11-12 16:25 -------- d-----w- c:\program files\Common Files\Research In Motion
2010-05-28 15:36 . 2009-11-12 16:25 -------- d-----w- c:\program files\Research In Motion
2010-05-28 15:12 . 2010-01-01 03:35 -------- d-----w- c:\program files\Common Files\Acronis
2010-05-25 17:36 . 2010-04-22 09:04 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-24 15:39 . 2009-11-05 00:55 -------- dc----w- c:\documents and settings\Patrick\Application Data\IObit
2010-05-22 02:45 . 2008-02-27 23:15 -------- dc----w- c:\documents and settings\Patrick\Application Data\BitTorrent
2010-05-07 19:55 . 2010-05-07 19:55 255472 -c--a-w- c:\documents and settings\Patrick\Application Data\Mozilla\plugins\npgoogletalk.dll
2010-05-01 19:30 . 2009-12-08 06:03 2932 -c--a-w- c:\windows\system32\d3d9caps.dat
2010-04-29 22:39 . 2010-04-22 09:04 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 22:39 . 2010-04-22 09:04 20952 -c--a-w- c:\windows\system32\drivers\mbam.sys
2010-04-29 15:36 . 2007-07-24 03:49 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-04-22 05:02 . 2010-04-22 05:02 52224 -c--a-w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-04-22 05:02 . 2010-04-22 05:02 117760 -c--a-w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-04-22 04:31 . 2010-04-22 04:31 52224 -c--a-w- c:\documents and settings\Patrick\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-04-13 00:29 . 2010-05-03 14:48 411368 -c--a-w- c:\windows\system32\deployJava1.dll
2010-04-03 21:52 . 2009-11-09 02:37 2592 -c--a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
.

((((((((((((((((((((((((((((( SnapShot@2010-06-23_05.31.00 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-08-27 08:13 . 2008-04-14 00:12 14336 c:\windows\system32\dllcache\wship6.dll
+ 2008-08-27 08:14 . 2008-04-14 00:12 15360 c:\windows\system32\dllcache\ctfmon.exe
+ 2008-08-27 08:14 . 2008-04-14 00:12 7168 c:\windows\system32\dllcache\sensapi.dll
+ 2008-08-27 08:14 . 2008-04-14 00:12 178176 c:\windows\system32\dllcache\wbemdisp.dll
+ 2008-08-27 08:14 . 2008-04-14 00:12 195072 c:\windows\system32\dllcache\msutb.dll
+ 2008-08-27 08:14 . 2008-04-14 00:12 274944 c:\windows\system32\dllcache\mstask.dll
- 2008-11-25 16:17 . 2010-02-24 13:11 455680 c:\windows\system32\dllcache\mrxsmb.sys
+ 2008-08-27 08:13 . 2010-02-24 13:11 455680 c:\windows\system32\dllcache\mrxsmb.sys
- 2008-11-07 22:53 . 2010-02-16 13:25 2066816 c:\windows\system32\dllcache\ntkrnlpa.exe
+ 2008-08-27 08:13 . 2010-02-16 13:25 2066816 c:\windows\system32\dllcache\ntkrnlpa.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SmartRAM"="c:\program files\IObit\Advanced SystemCare 3\Sup_SmartRAM.exe" [2010-05-10 198864]
"Google Update"="c:\documents and settings\Patrick\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-11-03 135664]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LTWinModem1"="ltmsg.exe 9" [X]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-11-05 98394]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-11-05 688218]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2004-06-10 66680]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2004-10-06 161096]
"Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2008-04-23 483328]
"VX3000"="c:\windows\vVX3000.exe" [2009-06-26 757248]
"LifeCam"="c:\program files\Microsoft LifeCam\LifeExp.exe" [2009-07-24 118640]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-11-12 141600]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"TrojanScanner"="c:\program files\Trojan Remover\Trjscan.exe" [2010-02-28 1165192]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-7760-100000000002}\SC_Acrobat.exe [2009-9-21 25214]
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2009-8-30 113664]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 1 (0x1)
"NoFileAssociate"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\pchealth\\helpctr\\binaries\\helpctr.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeEnC2.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeTray.exe"=
"c:\\Documents and Settings\\Patrick\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
"c:\\Documents and Settings\\Patrick\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [11/11/2009 11:44 AM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [11/11/2009 11:44 AM 67656]
R1 SAVRKBootTasks;Boot Tasks Driver;c:\windows\system32\SAVRKBootTasks.sys [6/3/2010 12:47 AM 18816]
R2 IS360service;IS360service;c:\program files\IObit\IObit Security 360\is360srv.exe [6/4/2010 8:39 AM 311568]
R2 SBKUPNT;SBKUPNT;c:\windows\system32\drivers\SBKUPNT.SYS [12/10/2009 5:35 PM 14976]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [7/24/2009 8:59 AM 133104]
S2 pouxybxl;pouxybxl;\??\c:\windows\system32\drivers\fjghyeloy.sys --> c:\windows\system32\drivers\fjghyeloy.sys [?]
S3 AWINDIS5;AWINDIS5 Protocol Driver;c:\windows\system32\AWINDIS5.SYS [4/19/2010 8:47 AM 16194]
S3 cpuz128;cpuz128;\??\c:\docume~1\Patrick\LOCALS~1\Temp\cpuz_x32.sys --> c:\docume~1\Patrick\LOCALS~1\Temp\cpuz_x32.sys [?]
S3 DfSdkS;Defragmentation-Service;c:\program files\Ashampoo\Ashampoo WinOptimizer 2010 Advanced\DfSdkS.exe [12/17/2009 10:40 PM 406016]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\7F.tmp --> c:\windows\system32\7F.tmp [?]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [8/22/2008 12:49 AM 18688]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [8/22/2008 12:49 AM 8320]
S3 motport;Motorola USB Diagnostic Port;c:\windows\system32\drivers\motport.sys [6/18/2007 9:18 PM 23680]
S3 NDISKIO;NDISKIO;\??\c:\docume~1\Patrick\LOCALS~1\Temp\00000edd.nmc\nse\bin\ndiskio.sys --> c:\docume~1\Patrick\LOCALS~1\Temp\00000edd.nmc\nse\bin\ndiskio.sys [?]
S3 NETGEAR_WG511_SERVICE;NETGEAR WG511T Wireless Adapter Service;c:\windows\system32\DRIVERS\wg511nd5.sys --> c:\windows\system32\DRIVERS\wg511nd5.sys [?]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [11/11/2009 11:44 AM 12872]
S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [10/6/2004 3:56 PM 173392]
S3 ZD1211U(WLAN);IEEE 802.11g USB Wireless LAN Driver(WLAN);c:\windows\system32\drivers\ZD1211U.sys [3/11/2008 10:39 AM 273408]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - KLMD23
*Deregistered* - klmd23
.
Contents of the 'Scheduled Tasks' folder

2010-06-23 c:\windows\Tasks\AWC AutoSweep.job
- c:\program files\IObit\Advanced SystemCare 3\AutoSweep.exe [2009-11-05 21:11]

2010-06-23 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-07-24 15:59]

2010-06-24 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-07-24 15:59]

2010-06-22 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-861567501-484763869-1708537768-1003Core.job
- c:\documents and settings\Patrick\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-11-09 02:04]

2010-06-23 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-861567501-484763869-1708537768-1003UA.job
- c:\documents and settings\Patrick\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-11-09 02:04]

2009-10-27 c:\windows\Tasks\Microsoft_Hardware_Launch_LifeExp_exe.job
- c:\program files\Microsoft LifeCam\LifeExp.exe [2009-07-24 20:05]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/ig?hl=en
uInternet Connection Wizard,ShellNext = iexplore
FF - ProfilePath - c:\documents and settings\Patrick\Application Data\Mozilla\Firefox\Profiles\ffl1jfeg.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig?hl=en
FF - component: c:\program files\Google\Google Gears\Firefox\lib\ff36\gears.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: browser.blink_allowed - true
FF - user.js: browser.cache.memory.capacity - 16000
FF - user.js: browser.chrome.favicons - false
FF - user.js: browser.display.show_image_placeholders - true
FF - user.js: browser.search.openintab - false
FF - user.js: browser.tabs.closeButtons - 1
FF - user.js: browser.tabs.opentabfor.middleclick - true
FF - user.js: browser.tabs.tabMinWidth - 100
FF - user.js: browser.turbo.enabled - true
FF - user.js: browser.urlbar.autocomplete.enabled - true
FF - user.js: browser.urlbar.autofill - true
FF - user.js: browser.urlbar.autoFill - true
FF - user.js: browser.urlbar.hideGoButton - true
FF - user.js: content.max.tokenizing.time - 3000000
FF - user.js: content.maxtextrun - 4095
FF - user.js: content.notify.backoffcount - 5
FF - user.js: content.notify.interval - 1000000
FF - user.js: content.notify.ontimer - true
FF - user.js: content.switch.threshold - 1000000
FF - user.js: dom.disable_window_status_change - true
FF - user.js: layout.spellcheckDefault - 1
FF - user.js: network.http.max-connections - 48
FF - user.js: network.http.max-connections-per-server - 16
FF - user.js: network.http.max-persistent-connections-per-proxy - 16
FF - user.js: network.http.max-persistent-connections-per-server - 8
FF - user.js: network.http.pipelining - true
FF - user.js: network.http.pipelining.firstrequest - true
FF - user.js: network.http.pipelining.maxrequests - 8
FF - user.js: network.http.proxy.pipelining - true
FF - user.js: network.http.request.max-start-delay - 0
FF - user.js: network.prefetch-next - true
FF - user.js: nglayout.initialpaint.delay - 1000
FF - user.js: plugin.expose_full_path - true
FF - user.js: ui.submenuDelay - 0
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-23 19:44
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\7F.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Environment*]
"Licence0"="REMOVED"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(880)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(1380)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-06-23 19:51:08
ComboFix-quarantined-files.txt 2010-06-24 02:50
ComboFix2.txt 2010-06-23 05:36

Pre-Run: 26,597,081,088 bytes free
Post-Run: 26,593,726,464 bytes free

- - End Of File - - E3F6F8407BCEA52B233ED19483D2E884

shelf life
2010-06-25, 02:44
Hi,

Let's do this: delete your copy of ComboFix using this utility:

Please download OTCleanIt and save it to desktop.

http://oldtimer.geekstogo.com/OTC.exe

Double-click OTC.exe.
Click the CleanUp! button.
Select Yes when the "Begin cleanup Process?" prompt appears.
If you are prompted to Reboot during the cleanup, select Yes.
The tool will delete itself once it finishes; if not, delete it yourself.

After the reboot, download a new copy of ComboFix to your desktop, disable any AV or anti-malware that might be running, then double-click the ComboFix icon and post its log in your reply. The download links are here. (http://www.bleepingcomputer.com/combofix/how-to-use-combofix)

nguyenpj
2010-06-25, 07:58
Hi Shelflife,

Here is the new log per your instructions:

ComboFix 10-06-24.01 - Patrick 06/24/2010 21:10:01.4.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1023.562 [GMT -7:00]
Running from: c:\documents and settings\Patrick\Desktop\ComboFix.exe
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
.

((((((((((((((((((((((((( Files Created from 2010-05-25 to 2010-06-25 )))))))))))))))))))))))))))))))
.

2010-06-25 03:53 . 2010-06-25 03:53 -------- d-----w- c:\windows\LastGood
2010-06-20 05:28 . 2010-02-28 03:46 3691384 -c--a-w- c:\documents and settings\Patrick\Application Data\Simply Super Software\Trojan Remover\scr8A.exe
2010-06-20 05:13 . 2006-06-19 19:01 69632 ----a-w- c:\windows\system32\ztvcabinet.dll
2010-06-20 05:13 . 2006-05-25 21:52 162304 ----a-w- c:\windows\system32\ztvunrar36.dll
2010-06-20 05:13 . 2005-08-26 07:50 77312 ----a-w- c:\windows\system32\ztvunace26.dll
2010-06-20 05:13 . 2002-03-06 07:00 75264 ----a-w- c:\windows\system32\unacev2.dll
2010-06-20 05:13 . 2003-02-03 02:06 153088 ----a-w- c:\windows\system32\UNRAR3.dll
2010-06-20 05:12 . 2010-06-20 05:13 -------- d-----w- c:\program files\Trojan Remover
2010-06-20 05:12 . 2010-06-20 05:12 -------- dc----w- c:\documents and settings\Patrick\Application Data\Simply Super Software
2010-06-20 05:12 . 2010-06-20 05:12 -------- dc----w- c:\documents and settings\All Users\Application Data\Simply Super Software
2010-06-17 15:39 . 2010-06-17 15:39 -------- d-----w- c:\program files\ERUNT
2010-06-17 15:16 . 2010-06-17 15:35 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-06-17 15:16 . 2010-06-17 15:31 -------- dc----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-06-16 03:52 . 2010-06-16 03:52 -------- dc----w- c:\documents and settings\NetworkService\Local Settings\Application Data\PCHealth
2010-06-13 19:55 . 2010-06-13 19:55 -------- dc----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
2010-06-11 07:50 . 2010-06-11 07:50 64512 ----a-w- c:\windows\system32\drivers\hatozsiw.sys
2010-06-11 04:03 . 2010-06-11 04:03 -------- dc----w- c:\documents and settings\Patrick\Local Settings\Application Data\PCHealth
2010-06-11 03:28 . 2010-06-11 03:28 64512 ----a-w- c:\windows\system32\drivers\kaybqagu.sys
2010-06-04 08:40 . 2010-06-04 08:40 43088 ---ha-w- c:\windows\system32\mlfcache.dat
2010-06-03 07:47 . 2009-06-18 19:55 18816 ------w- c:\windows\system32\SAVRKBootTasks.sys
2010-06-03 06:46 . 2010-06-03 06:46 -------- d-----w- c:\program files\Sophos
2010-05-31 02:16 . 2010-06-03 07:51 15944 ----a-w- c:\windows\system32\drivers\hitmanpro35.sys
2010-05-31 02:08 . 2010-05-31 02:16 -------- dc----w- c:\documents and settings\All Users\Application Data\Hitman Pro
2010-05-31 02:08 . 2010-05-31 02:08 -------- d-----w- c:\program files\Hitman Pro 3.5
2010-05-29 06:29 . 2010-05-29 06:29 -------- dc----w- c:\documents and settings\NetworkService\Application Data\AdobeUM
2010-05-29 06:29 . 2010-05-29 21:23 -------- dc----w- c:\documents and settings\Patrick\Local Settings\Application Data\gcnaxehmr
2010-05-29 06:28 . 2010-05-29 06:29 -------- dc----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-05-28 19:56 . 2010-05-28 19:56 63488 -c--a-w- c:\documents and settings\Patrick\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
2010-05-28 15:10 . 2010-05-28 15:23 -------- d-----w- c:\program files\Acronis
2010-05-27 00:01 . 2010-05-27 02:43 -------- dc----w- c:\documents and settings\Patrick\Local Settings\Application Data\mnqdidvox
2010-05-26 18:18 . 2010-05-26 18:18 503808 -c--a-w- c:\documents and settings\Patrick\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-304837ba-n\msvcp71.dll
2010-05-26 18:18 . 2010-05-26 18:18 499712 -c--a-w- c:\documents and settings\Patrick\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-304837ba-n\jmc.dll
2010-05-26 18:18 . 2010-05-26 18:18 348160 -c--a-w- c:\documents and settings\Patrick\Application Data\Sun\Java\Deployment\SystemCache\6.0\46\f84c6ae-304837ba-n\msvcr71.dll
2010-05-26 18:18 . 2010-05-26 18:18 61440 -c--a-w- c:\documents and settings\Patrick\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-174707bb-n\decora-sse.dll
2010-05-26 18:18 . 2010-05-26 18:18 12800 -c--a-w- c:\documents and settings\Patrick\Application Data\Sun\Java\Deployment\SystemCache\6.0\50\5535ab32-174707bb-n\decora-d3d.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-06-25 04:06 . 2009-05-21 01:08 -------- d-----w- c:\program files\Symantec AntiVirus
2010-06-20 05:29 . 2009-05-21 01:56 -------- dc--a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-06-17 23:50 . 2009-07-23 02:20 -------- d-----w- c:\program files\LimeWire
2010-06-14 16:04 . 2009-05-21 04:07 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-06-13 20:54 . 2009-05-20 01:40 -------- d-----w- c:\program files\Java
2010-06-05 04:24 . 2008-06-06 00:41 -------- d-----w- c:\program files\Lexi-Comp, Inc
2010-06-04 16:47 . 2008-03-13 15:35 -------- d-----w- c:\program files\AIM
2010-05-29 20:08 . 2007-03-16 04:45 50936 -c--a-w- c:\documents and settings\Patrick\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-05-28 19:56 . 2009-11-22 21:04 117760 -c--a-w- c:\documents and settings\Patrick\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-05-28 15:52 . 2007-07-24 03:49 -------- d-----w- c:\program files\Common Files\InstallShield
2010-05-28 15:52 . 2009-11-12 16:28 -------- d-----w- c:\program files\Common Files\Roxio Shared
2010-05-28 15:36 . 2009-11-12 16:25 -------- d-----w- c:\program files\Common Files\Research In Motion
2010-05-28 15:36 . 2009-11-12 16:25 -------- d-----w- c:\program files\Research In Motion
2010-05-28 15:12 . 2010-01-01 03:35 -------- d-----w- c:\program files\Common Files\Acronis
2010-05-25 17:36 . 2010-04-22 09:04 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-05-24 15:39 . 2009-11-05 00:55 -------- dc----w- c:\documents and settings\Patrick\Application Data\IObit
2010-05-22 02:45 . 2008-02-27 23:15 -------- dc----w- c:\documents and settings\Patrick\Application Data\BitTorrent
2010-05-07 19:55 . 2010-05-07 19:55 255472 -c--a-w- c:\documents and settings\Patrick\Application Data\Mozilla\plugins\npgoogletalk.dll
2010-05-01 19:30 . 2009-12-08 06:03 2932 -c--a-w- c:\windows\system32\d3d9caps.dat
2010-04-29 22:39 . 2010-04-22 09:04 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-04-29 22:39 . 2010-04-22 09:04 20952 -c--a-w- c:\windows\system32\drivers\mbam.sys
2010-04-29 15:36 . 2007-07-24 03:49 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-04-22 05:02 . 2010-04-22 05:02 52224 -c--a-w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-04-22 05:02 . 2010-04-22 05:02 117760 -c--a-w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-04-22 04:31 . 2010-04-22 04:31 52224 -c--a-w- c:\documents and settings\Patrick\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-04-13 00:29 . 2010-05-03 14:48 411368 -c--a-w- c:\windows\system32\deployJava1.dll
2010-04-03 21:52 . 2009-11-09 02:37 2592 -c--a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SmartRAM"="c:\program files\IObit\Advanced SystemCare 3\Sup_SmartRAM.exe" [2010-05-10 198864]
"Google Update"="c:\documents and settings\Patrick\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2009-11-03 135664]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LTWinModem1"="ltmsg.exe 9" [X]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-11-05 98394]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-11-05 688218]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2004-06-10 66680]
"vptray"="c:\progra~1\SYMANT~1\VPTray.exe" [2004-10-06 161096]
"Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2008-04-23 483328]
"VX3000"="c:\windows\vVX3000.exe" [2009-06-26 757248]
"LifeCam"="c:\program files\Microsoft LifeCam\LifeExp.exe" [2009-07-24 118640]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-11-11 417792]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-11-12 141600]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]
"TrojanScanner"="c:\program files\Trojan Remover\Trjscan.exe" [2010-02-28 1165192]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-26 437160]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - c:\windows\Installer\{AC76BA86-1033-0000-7760-100000000002}\SC_Acrobat.exe [2009-9-21 25214]
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2009-8-30 113664]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 1 (0x1)
"NoFileAssociate"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\pchealth\\helpctr\\binaries\\helpctr.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeEnC2.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeTray.exe"=
"c:\\Documents and Settings\\Patrick\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.dll"=
"c:\\Documents and Settings\\Patrick\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [11/11/2009 11:44 AM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [11/11/2009 11:44 AM 67656]
R1 SAVRKBootTasks;Boot Tasks Driver;c:\windows\system32\SAVRKBootTasks.sys [6/3/2010 12:47 AM 18816]
R2 IS360service;IS360service;c:\program files\IObit\IObit Security 360\is360srv.exe [6/4/2010 8:39 AM 311568]
R2 SBKUPNT;SBKUPNT;c:\windows\system32\drivers\SBKUPNT.SYS [12/10/2009 5:35 PM 14976]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [7/24/2009 8:59 AM 133104]
S2 pouxybxl;pouxybxl;\??\c:\windows\system32\drivers\fjghyeloy.sys --> c:\windows\system32\drivers\fjghyeloy.sys [?]
S3 AWINDIS5;AWINDIS5 Protocol Driver;c:\windows\system32\AWINDIS5.SYS [4/19/2010 8:47 AM 16194]
S3 cpuz128;cpuz128;\??\c:\docume~1\Patrick\LOCALS~1\Temp\cpuz_x32.sys --> c:\docume~1\Patrick\LOCALS~1\Temp\cpuz_x32.sys [?]
S3 DfSdkS;Defragmentation-Service;c:\program files\Ashampoo\Ashampoo WinOptimizer 2010 Advanced\DfSdkS.exe [12/17/2009 10:40 PM 406016]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\7F.tmp --> c:\windows\system32\7F.tmp [?]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [8/22/2008 12:49 AM 18688]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [8/22/2008 12:49 AM 8320]
S3 motport;Motorola USB Diagnostic Port;c:\windows\system32\drivers\motport.sys [6/18/2007 9:18 PM 23680]
S3 NDISKIO;NDISKIO;\??\c:\docume~1\Patrick\LOCALS~1\Temp\00000edd.nmc\nse\bin\ndiskio.sys --> c:\docume~1\Patrick\LOCALS~1\Temp\00000edd.nmc\nse\bin\ndiskio.sys [?]
S3 NETGEAR_WG511_SERVICE;NETGEAR WG511T Wireless Adapter Service;c:\windows\system32\DRIVERS\wg511nd5.sys --> c:\windows\system32\DRIVERS\wg511nd5.sys [?]
S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [11/11/2009 11:44 AM 12872]
S3 SavRoam;SAVRoam;c:\program files\Symantec AntiVirus\SavRoam.exe [10/6/2004 3:56 PM 173392]
S3 ZD1211U(WLAN);IEEE 802.11g USB Wireless LAN Driver(WLAN);c:\windows\system32\drivers\ZD1211U.sys [3/11/2008 10:39 AM 273408]
.
Contents of the 'Scheduled Tasks' folder

2010-06-25 c:\windows\Tasks\AWC AutoSweep.job
- c:\program files\IObit\Advanced SystemCare 3\AutoSweep.exe [2009-11-05 21:11]

2010-06-25 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-07-24 15:59]

2010-06-24 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-07-24 15:59]

2010-06-22 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-861567501-484763869-1708537768-1003Core.job
- c:\documents and settings\Patrick\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-11-09 02:04]

2010-06-24 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-861567501-484763869-1708537768-1003UA.job
- c:\documents and settings\Patrick\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2009-11-09 02:04]

2009-10-27 c:\windows\Tasks\Microsoft_Hardware_Launch_LifeExp_exe.job
- c:\program files\Microsoft LifeCam\LifeExp.exe [2009-07-24 20:05]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/ig?hl=en
uInternet Connection Wizard,ShellNext = iexplore
FF - ProfilePath - c:\documents and settings\Patrick\Application Data\Mozilla\Firefox\Profiles\ffl1jfeg.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig?hl=en
FF - prefs.js: network.proxy.type - 4
FF - component: c:\program files\Google\Google Gears\Firefox\lib\ff36\gears.dll
FF - plugin: c:\documents and settings\Patrick\Application Data\Mozilla\Firefox\Profiles\ffl1jfeg.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp07076007.dll
FF - plugin: c:\documents and settings\Patrick\Application Data\Mozilla\plugins\npgoogletalk.dll
FF - plugin: c:\documents and settings\Patrick\Local Settings\Application Data\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\Google\Update\1.2.183.23\npGoogleOneClick8.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: browser.blink_allowed - true
FF - user.js: browser.cache.memory.capacity - 16000
FF - user.js: browser.chrome.favicons - false
FF - user.js: browser.display.show_image_placeholders - true
FF - user.js: browser.search.openintab - false
FF - user.js: browser.tabs.closeButtons - 1
FF - user.js: browser.tabs.opentabfor.middleclick - true
FF - user.js: browser.tabs.tabMinWidth - 100
FF - user.js: browser.turbo.enabled - true
FF - user.js: browser.urlbar.autocomplete.enabled - true
FF - user.js: browser.urlbar.autofill - true
FF - user.js: browser.urlbar.autoFill - true
FF - user.js: browser.urlbar.hideGoButton - true
FF - user.js: content.max.tokenizing.time - 3000000
FF - user.js: content.maxtextrun - 4095
FF - user.js: content.notify.backoffcount - 5
FF - user.js: content.notify.interval - 1000000
FF - user.js: content.notify.ontimer - true
FF - user.js: content.switch.threshold - 1000000
FF - user.js: dom.disable_window_status_change - true
FF - user.js: layout.spellcheckDefault - 1
FF - user.js: network.http.max-connections - 48
FF - user.js: network.http.max-connections-per-server - 16
FF - user.js: network.http.max-persistent-connections-per-proxy - 16
FF - user.js: network.http.max-persistent-connections-per-server - 8
FF - user.js: network.http.pipelining - true
FF - user.js: network.http.pipelining.firstrequest - true
FF - user.js: network.http.pipelining.maxrequests - 8
FF - user.js: network.http.proxy.pipelining - true
FF - user.js: network.http.request.max-start-delay - 0
FF - user.js: network.prefetch-next - true
FF - user.js: nglayout.initialpaint.delay - 1000
FF - user.js: plugin.expose_full_path - true
FF - user.js: ui.submenuDelay - 0
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-06-24 21:20
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\7F.tmp"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Microsoft\Environment*]
"Licence0"="REMOVED"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(700)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(232)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-06-24 21:26:50
ComboFix-quarantined-files.txt 2010-06-25 04:26

Pre-Run: 26,534,649,856 bytes free
Post-Run: 26,529,259,520 bytes free

- - End Of File - - F978C68AD50380CE43898ECF25DF1BEB

shelf life
2010-06-26, 04:16
OK, thanks for the info. Another download to use:

Please download TDSS Killer.zip (http://support.kaspersky.com/downloads/utils/tdsskiller.zip) and save it to your desktop.
Extract the zip file to your desktop. Double-click to launch the utility. Follow the prompts.
Please post the report.txt that will be generated in your root drive, Local Disk C:

labeled: TDSSKiller version_date_time_log.txt

nguyenpj
2010-06-26, 19:42
09:40:36:649 2692 TDSS rootkit removing tool 2.3.2.0 May 31 2010 10:39:48
09:40:36:649 2692 ================================================================================
09:40:36:649 2692 SystemInfo:

09:40:36:649 2692 OS Version: 5.1.2600 ServicePack: 3.0
09:40:36:649 2692 Product type: Workstation
09:40:36:659 2692 ComputerName: ROTTENTOOTH
09:40:36:659 2692 UserName: Patrick
09:40:36:659 2692 Windows directory: C:\Windows
09:40:36:659 2692 Processor architecture: Intel x86
09:40:36:659 2692 Number of processors: 1
09:40:36:659 2692 Page size: 0x1000
09:40:36:679 2692 Boot type: Normal boot
09:40:36:679 2692 ================================================================================
09:40:37:550 2692 Initialize success
09:40:37:550 2692
09:40:37:550 2692 Scanning Services ...
09:40:38:121 2692 Raw services enum returned 382 services
09:40:38:131 2692
09:40:38:131 2692 Scanning Drivers ...
09:40:49:838 2692
09:40:49:838 2692 Completed
09:40:49:838 2692
09:40:49:838 2692 Results:
09:40:49:838 2692 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
09:40:49:838 2692 File objects infected / cured / cured on reboot: 0 / 0 / 0
09:40:49:838 2692
09:40:49:838 2692 KLMD(ARK) unloaded successfully

shelf life
2010-06-27, 03:05
OK, good. What's the status of the redirects you were having? Gone now?

nguyenpj
2010-06-27, 17:56
Hi ShelfLife,

I am not sure what you did, but the redirect problem and the Windows Update problem seem to have been taken care of... thank you, thank you, thank you. But today, when I turned on my laptop, my Symantec AV notification came up with the following:

Scan type: Auto-Protect Scan
Event: Threat Found!
Threat: Backdoor.Tidserv!inf
File: C:\System Volume Information\_restore{DDA893E8-5DC8-4CCE-950E-B2A1DCC61DCF}\RP453\A0210245.sys
Location: C:\System Volume Information\_restore{DDA893E8-5DC8-4CCE-950E-B2A1DCC61DCF}\RP453
Computer: ROTTENTOOTH
User: SYSTEM
Action taken: Clean failed : Quarantine failed : Access denied
Date found: Saturday, June 26, 2010 4:44:26 PM

Any thoughts? Also, I am running Symantec AV and Spybot - Search & Destroy... any thoughts on which AV/malware/spyware programs I should always have installed and running to protect my laptop? Thanks again in advance for all your help.

shelf life
2010-06-27, 22:05
OK, good. You're welcome. Looks like you ran ComboFix twice, the first time from a removable drive. In any case, Norton AV is flagging a file in your System Restore archive, which we will remove.
You can remove ComboFix like this:
go to start>run and type in
combofix /uninstall
click ok or enter
Note: there is a space between the x and the /

Note that malwarebytes must be updated manually and a scan started manually.
You can delete the TDSSKiller file from your desktop.

Making a new restore point: The how and the why:

One of the features of Windows XP, Vista and Windows 7 is the System Restore option; however, if malware infects a computer, it is possible that the malware could be backed up in the System Restore archive. Therefore, clearing the restore points is a good idea after malware is removed and your computer appears to be functioning OK.

To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.

(winXP)

1. Turn off System Restore. (deletes old, possibly infected restore points)
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore. (creates a new restore point on a clean system)
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK, then reboot.

And last, if all is good, some tips to help you remain malware free:

10 Tips for Reducing/Preventing Your Risk To Malware:

In no special order

1) It is essential to keep your OS (http://update.microsoft.com/microsoftupdate/v6/default.aspx?ln=en-us) (Windows), browser (IE, Firefox) and other software up to date to "patch" vulnerabilities that could be exploited. Visit Windows Update frequently or use the Windows auto-update feature. Staying updated is also necessary for web-based applications like Java, Adobe Flash/Reader, QuickTime etc. Check their current version status here (http://secunia.com/vulnerability_scanning/online/).

2) Know what you are installing on your computer. A lot of software can come bundled with unwanted add-ons, like adware, toolbars and malware. More and more legitimate software installs useless toolbars if not unchecked first. Do not install any files from ads, popups or random links. Do not fall for fake warnings about viruses and trojans being found on your computer, where you are then prompted to install software to remedy this. See also the signs (http://www.virusvault.us/signs1.html) that you may have malware on your computer.

3) Install and keep updated: one antivirus and two or three anti-malware applications. If not updated they will soon be worthless. If either of these frequently finds malware, then it's time to *review your computer habits*. *There is no reason why your computer can not stay malware free.*

4) Refrain from clicking on links or attachments via E-Mail, IM, IRC, Chat Rooms, Blogs or Social Networking Sites, no matter how tempting or legitimate the message may seem. See also E-mail phishing Tricks (http://www.fraud.org/tips/internet/phishing.htm).

5) Do not click on ads/pop-ups or offers from websites requesting that you install software on your computer--*for any reason*. Use the Alt+F4 keys to close the window.

6) Don't click on offers to "scan" your computer. Install ActiveX Objects with care. Do you trust the website to install components?

7) Consider the use of limited (non-privileged) accounts for everyday use, rather than administrator accounts. Limited accounts (http://www.microsoft.com/protect/computer/advanced/useraccount.mspx) can help prevent *malware from installing and lessen its potential impact.* This is exactly what user account control (UAC) in Windows Vista and Windows 7 attempts to address.

8) Install and understand the *limitations* of a software firewall.

9) A tool (http://nsslabs.com/general/ie8-hardening-tool.html) for automatically hardening and securing Internet Explorer 8.0. Requires site registration for downloading. Changes some of the default settings of IE 8.0; read the FAQs. Or see a slide show here (http://threatpost.com/en_us/slideshow/How%20to%20configure%20Internet%20Explorer%20for%20secure%20surfing) and do it yourself.

10) Warez, cracks etc. are very popular for carrying all kinds of malware payloads. If you look for these you will encounter malware. If you download/install files via p2p networks, then you are also much more likely to encounter malicious code in a downloaded file. Can you really trust the source of the file? Do you really need another malware source?

Longer version in links below.

Happy Safe Surfing.
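Two of the checks a helper does by eye on this thread's logs, written out in Python as an added example (not code from the thread, ComboFix, TDSSKiller or Symantec): it parses the ComboFix service lines quoted earlier for missing-file, \??\-prefix, Temp-folder and *.tmp hints, and recognises a detection path inside a System Restore archive, as in the Symantec alert and the restore-point advice above. The line formats are inferred from the quoted output and the flag names are my own.

```python
"""Two checks a forum helper does by eye on the logs quoted in this thread.

Added example for this thread; it is not code from ComboFix, TDSSKiller,
Symantec or the forum, and the line formats it parses are inferred from the
output quoted above.

1. ComboFix service lines look like
       S2 name;display name;path [date time size]
   and, when the driver file is missing on disk, like
       S2 name;display name;\\??\\path --> path [?]
   A missing file, a \\??\\ device prefix, a path under a Temp folder or a
   *.tmp file registered as a driver are reasons to check the entry against
   known software. They are triage hints, not verdicts.
2. A detection path under System Volume Information\\_restore{GUID}\\RPnnn is
   an archived restore-point copy, which is why the advice above is to reset
   System Restore rather than to hunt for a running file.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

SERVICE_RE = re.compile(
    r"^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<path>.+?)\s*\[(?P<details>[^\]]*)\]\s*$"
)
RESTORE_RE = re.compile(
    r"System Volume Information\\_restore\{[0-9A-Fa-f-]{36}\}\\RP(?P<rp>\d+)\\",
    re.IGNORECASE,
)


@dataclass
class ServiceEntry:
    start: str          # ComboFix start-type code, e.g. R1 (running) or S3 (stopped)
    name: str
    display: str
    path: str           # on-disk path (right-hand side of "-->" when present)
    file_found: bool    # False when ComboFix printed "[?]" instead of date/size
    flags: List[str] = field(default_factory=list)


def parse_service_line(line: str) -> Optional[ServiceEntry]:
    """Parse one ComboFix service line; return None for any other line."""
    m = SERVICE_RE.match(line.strip())
    if m is None:
        return None
    raw_path = m.group("path").strip()
    file_found = m.group("details").strip() != "?"
    path = raw_path.split("-->", 1)[-1].strip()
    entry = ServiceEntry(m.group("start"), m.group("name"), m.group("display"), path, file_found)
    low = path.lower()
    if not file_found:
        entry.flags.append("file-not-found")
    if raw_path.startswith("\\??\\"):
        entry.flags.append("device-prefix")
    if "\\temp\\" in low:
        entry.flags.append("temp-directory")
    if re.search(r"\\[0-9a-f]{1,8}\.tmp$", low):
        entry.flags.append("tmp-file-as-driver")
    return entry


def triage_services(text: str) -> List[ServiceEntry]:
    """Return the service entries in a ComboFix log that carry at least one flag."""
    entries = (parse_service_line(ln) for ln in text.splitlines())
    return [e for e in entries if e is not None and e.flags]


def restore_point_of(path: str) -> Optional[int]:
    """Restore-point number if path lies inside a System Restore archive, else None."""
    m = RESTORE_RE.search(path)
    return int(m.group("rp")) if m else None


# Sample input copied from the ComboFix and Symantec output quoted in this thread.
SAMPLE_SERVICES = r"""
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [11/11/2009 11:44 AM 12872]
S2 pouxybxl;pouxybxl;\??\c:\windows\system32\drivers\fjghyeloy.sys --> c:\windows\system32\drivers\fjghyeloy.sys [?]
S3 cpuz128;cpuz128;\??\c:\docume~1\Patrick\LOCALS~1\Temp\cpuz_x32.sys --> c:\docume~1\Patrick\LOCALS~1\Temp\cpuz_x32.sys [?]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\7F.tmp --> c:\windows\system32\7F.tmp [?]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [8/22/2008 12:49 AM 18688]
"""
SAMPLE_DETECTION = (
    r"C:\System Volume Information\_restore{DDA893E8-5DC8-4CCE-950E-B2A1DCC61DCF}"
    r"\RP453\A0210245.sys"
)

if __name__ == "__main__":
    for e in triage_services(SAMPLE_SERVICES):
        print(f"{e.start} {e.name:<12} {', '.join(e.flags):<45} {e.path}")
    rp = restore_point_of(SAMPLE_DETECTION)
    print(f"Symantec hit is in restore point RP{rp}: an archived copy; reset System Restore to purge it")
```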