Infected again, Redirects and unwarranted installs



luckywayne
2010-08-02, 19:09
Hey, I got infected again. I thought I was being more careful, but it seems it was not so. The computer is currently being redirected on searches, adding items to my start-up and generally running slow.

DDS:

DDS (Ver_10-03-17.01) - NTFSx86
Run by Wayne at 13:02:22.59 on Mon 08/02/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_20
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1512 [GMT -4:00]

FW: Online Armor Firewall *disabled* {B797DAA0-7E2E-4711-8BB3-D12744F1922A}

============== Running Processes ===============

C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\CDBurnerXP\NMSAccessU.exe
C:\Program Files\Tall Emu\Online Armor\oacat.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SCServer\SCServer.exe
C:\Program Files\MSN Toolbar\Platform\4.0.0379.0\mswinext.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Documents and Settings\Wayne\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uInternet Connection Wizard,ShellNext = iexplore
uURLSearchHooks: AIM Toolbar Search Class: {03402f96-3dc7-4285-bc50-9e81fefafe43} - c:\program files\aim toolbar\aimtb.dll
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
mURLSearchHooks: AIM Toolbar Search Class: {03402f96-3dc7-4285-bc50-9e81fefafe43} - c:\program files\aim toolbar\aimtb.dll
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\program files\microsoft\desktoplayer.exe,
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.4.4525.1752\swg.dll
BHO: AIM Toolbar Loader: {b0cda128-b425-4eef-a174-61a11ac5dbf8} - c:\program files\aim toolbar\aimtb.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_B7C5AC242193BB3E.dll
BHO: MSN Toolbar BHO: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn toolbar\platform\4.0.0379.0\npwinext.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn0\YTSingleInstance.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: AIM Toolbar: {61539ecd-cc67-4437-a03c-9aaccbd14326} - c:\program files\aim toolbar\aimtb.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
TB: Veoh Video Compass: {52836eb0-631a-47b1-94a6-61f9d9112dae} - c:\program files\veoh networks\veoh video compass\SearchRecsPlugin.dll
TB: MSN Toolbar: {8dcb7100-df86-4384-8842-8fa844297b3f} - c:\program files\msn toolbar\platform\4.0.0379.0\npwinext.dll
uRun: [{A0B78EA2-4748-65FB-B786-CFD36DA7BE43}] "c:\documents and settings\wayne\application data\pewi\odyzl.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRunOnce: [Shockwave Updater] c:\windows\system32\adobe\shockw~1\SWHELP~1.EXE -Update -1103470 -"Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB6; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)" -"http://www.gamehouse.com/realarcade-webgames/ancientsudoku/index.jsp?pread=0&pread=0&ractype=fullclient"
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSCONFIG.EXE /auto
IE: &AIM Toolbar Search - c:\documents and settings\all users\application data\aim toolbar\ietoolbar\resources\en-us\local\search.html
IE: {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - c:\program files\pokerstars\PokerStarsUpdate.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {0b83c99c-1efa-4259-858f-bcb33e007a5b} - {61539ecd-cc67-4437-a03c-9aaccbd14326} - c:\program files\aim toolbar\aimtb.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} - hxxp://www.pcpitstop.com/betapit/PCPitStop.CAB
DPF: {1A1F56AA-3401-46F9-B277-D57F3421F821} - hxxp://www.worldwinner.com/games/v47/shared/FunGamesLoader.cab
DPF: {1D082E71-DF20-4AAF-863B-596428C49874} - hxxp://www.worldwinner.com/games/v50/tpir/tpir.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} - hxxp://www.worldwinner.com/games/shared/wwlaunch.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {A52FBD2B-7AB3-4F6B-90E3-91C772C5D00F} - hxxp://www.worldwinner.com/games/v57/wof/wof.cab
DPF: {BB637307-92FA-47EC-B3F7-6969078673CC} - hxxp://www.worldwinner.com/games/v45/royal/royal.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} - hxxp://service.futuremark.com/virtualmark/tc/FMSI.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E12EB891-D000-421B-A8ED-EDE1BDCA14A0} - hxxp://www.worldwinner.com/games/v44/golfsol/golfsol.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} - hxxp://utilities.pcpitstop.com/da2/PCPitStop2.cab
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\wayne\applic~1\mozilla\firefox\profiles\kt7j57ki.default\
# Mozilla User Preferences

/* Do not edit this file.
*
* If you make changes to this file while the application is running,
* the changes will be overwritten when the application exits.
*
* To make a manual change to preferences, you can visit the URL about:config
* For more information, see hxxp://www.mozilla.org/unix/customizing.html#prefs
*/

user_pref(app.update.lastUpdateTime.addon-background-update-timer, 1242299186);
user_pref(app.update.lastUpdateTime.background-update-timer, 1242299186);
user_pref(app.update.lastUpdateTime.blocklist-background-update-timer, 1242299186);
user_pref(app.update.lastUpdateTime.microsummary-generator-update-timer, 1242299186);
user_pref(app.update.lastUpdateTime.search-engine-update-timer, 1242321386);
user_pref(browser.migration.version, 1);
user_pref(browser.places.importDefaults, false);
user_pref(browser.places.migratePostDataAnnotations, false);
user_pref(browser.places.smartBookmarksVersion, 1);
user_pref(browser.places.updateRecentTagsUri, false);
user_pref(browser.rights.3.shown, true);
user_pref(browser.startup.homepage_override.mstone, rv:1.9.0.10);
user_pref(extensions.enabledItems, {CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}:6.0.10,{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}:6.0.13,jqs@sun.com:1.0,{635abd67-4fe9-1b23-4f01-e679fa7484c1}:1.5.2.20080717,moveplayer@movenetworks.com:7,{972ce4c6-7e08-4474-a285-3208198ce6fd}:3.0.10);
user_pref(extensions.lastAppVersion, 3.0.10);
user_pref(extensions.update.notifyUser, false);
user_pref(intl.charsetmenu.browser.cache, ISO-8859-1, UTF-8);
user_pref(network.cookie.prefsMigrated, true);
user_pref(spellchecker.dictionary, en-US);
user_pref(urlclassifier.keyupdatetime.https://sb-ssl.google.com/safebrowsing/newkey, 1255473016);
user_pref(yahoo.addtomy, true);
user_pref(yahoo.homepage.dontask, true);
user_pref(yahoo.installer.country, us);
user_pref(yahoo.installer.dc, v1_yff2);
user_pref(yahoo.installer.language, us);
user_pref(yahoo.installer.nd, 2);
user_pref(yahoo.installer.sc, sunm);
user_pref(yahoo.installer.version, 1.5.2.20080717);
user_pref(yahoo.installer.version.simple, 1.5.2);
user_pref(yahoo.supports.livesearch, true);
user_pref(yahoo.toolbar.searchbox.width, 55);
FF - prefs.js: browser.search.selectedEngine - Yahoo!);
user_pref(browser.startup.homepage, http://bing.zugo.com/?cfg=2-79-0-1kCe3);
user_pref(keyword.URL, http://bing.zugo.com/s/?src=FF-Address&site=Bing&cfg=2-79-0-1kCe3&q=
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
============= SERVICES / DRIVERS ===============

R1 OADevice;OADriver;c:\windows\system32\drivers\OADriver.sys [2008-11-17 178376]
R1 OAmon;OAmon;c:\windows\system32\drivers\OAmon.sys [2008-11-17 30920]
R1 OAnet;OAnet;c:\windows\system32\drivers\OAnet.sys [2008-11-17 28872]
R2 OAcat;Online Armor Helper Service;c:\program files\tall emu\online armor\oacat.exe [2008-11-17 1402568]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2009-9-11 24652]
R3 COMMONFX.SYS;COMMONFX.SYS;c:\windows\system32\drivers\COMMONFX.sys [2008-6-27 99352]
R3 CTAUDFX.SYS;CTAUDFX.SYS;c:\windows\system32\drivers\CTAUDFX.sys [2008-6-27 555032]
R3 CTSBLFX.SYS;CTSBLFX.SYS;c:\windows\system32\drivers\CTSBLFX.sys [2008-6-27 566296]
S3 COMMONFX;COMMONFX;c:\windows\system32\drivers\COMMONFX.sys [2008-6-27 99352]
S3 cpuz130;cpuz130;\??\c:\docume~1\wayne\locals~1\temp\cpuz130\cpuz_x32.sys --> c:\docume~1\wayne\locals~1\temp\cpuz130\cpuz_x32.sys [?]
S3 CTAUDFX;CTAUDFX;c:\windows\system32\drivers\CTAUDFX.sys [2008-6-27 555032]
S3 CTERFXFX.SYS;CTERFXFX.SYS;c:\windows\system32\drivers\CTERFXFX.sys [2008-6-27 100888]
S3 CTERFXFX;CTERFXFX;c:\windows\system32\drivers\CTERFXFX.sys [2008-6-27 100888]
S3 CTSBLFX;CTSBLFX;c:\windows\system32\drivers\CTSBLFX.sys [2008-6-27 566296]
S3 DAUpdaterSvc;Dragon Age: Origins - Content Updater;c:\program files\dragon age\bin_ship\daupdatersvc.service.exe [2009-12-25 25832]
S3 SetupNTGLM7X;SetupNTGLM7X;\??\e:\ntglm7x.sys --> e:\NTGLM7X.sys [?]
S3 SvcOnlineArmor;Online Armor;c:\program files\tall emu\online armor\oasrv.exe [2008-11-17 3538632]
S4 PCPitstop Scheduling;PCPitstop Scheduling;c:\program files\pcpitstop\PCPitstopScheduleService.exe [2009-9-14 144384]

=============== Created Last 30 ================

2010-08-01 22:15:37 174 ----a-w- c:\windows\system32\MRT.INI
2010-08-01 21:56:39 0 d-----w- c:\program files\MSXML 4.0
2010-08-01 16:24:35 0 d-----w- c:\program files\riva
2010-07-28 21:40:39 0 d-----w- c:\program files\GlobFX
2010-07-26 12:55:33 0 d-----w- c:\program files\common files\xing shared
2010-07-26 12:55:13 0 d-----w- c:\program files\common files\Real
2010-07-26 12:49:35 0 d-----w- c:\docume~1\wayne\applic~1\FinalMediaPlayer
2010-07-26 12:49:28 0 d-----w- c:\program files\Free Offers from Freeze.com
2010-07-13 23:05:14 744448 -c----w- c:\windows\system32\dllcache\helpsvc.exe
2010-07-08 20:35:33 0 d-s---w- C:\ComboFix
2010-07-08 00:47:34 0 d-----w- c:\docume~1\wayne\applic~1\uTorrent
2010-07-06 16:36:12 0 d-----w- c:\documents and settings\wayne\DoctorWeb

==================== Find3M ====================

2010-07-26 12:55:14 499712 ----a-w- c:\windows\system32\msvcp71.dll
2010-06-29 17:17:06 411368 ----a-w- c:\windows\system32\deployJava1.dll
2010-05-06 10:41:53 916480 ----a-w- c:\windows\system32\wininet.dll

============= FINISH: 13:04:02.84 ===============

http://forums.spybot.info/showthread.php?p=376867#post376867

shelf life
2010-08-06, 21:12
hi luckywayne,


Hey, I got infected again.
Didn't you learn anything?

The logs are a few days old; if you still need help, reply back.

luckywayne
2010-08-06, 22:18
I hear you; I can be very dopey at times.

I still require help; the same symptoms are occurring. I appreciate you helping me out. Here are the fresh logs:

DDS (Ver_10-03-17.01) - NTFSx86
Run by Wayne at 16:03:48.84 on Fri 08/06/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_20
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1176 [GMT -4:00]

FW: Online Armor Firewall *disabled* {B797DAA0-7E2E-4711-8BB3-D12744F1922A}

============== Running Processes ===============

C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\rundll32.exe
svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\CDBurnerXP\NMSAccessU.exe
C:\Program Files\Tall Emu\Online Armor\oacat.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Toolbar\Platform\4.0.0379.0\mswinext.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Windows Media Player\setup_wm.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SCServer\SCServer.exe
C:\Documents and Settings\Wayne\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uInternet Connection Wizard,ShellNext = iexplore
uURLSearchHooks: AIM Toolbar Search Class: {03402f96-3dc7-4285-bc50-9e81fefafe43} - c:\program files\aim toolbar\aimtb.dll
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
mURLSearchHooks: AIM Toolbar Search Class: {03402f96-3dc7-4285-bc50-9e81fefafe43} - c:\program files\aim toolbar\aimtb.dll
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\program files\microsoft\desktoplayer.exe,c:\program files\real\realupgrade\realupgradesrv.exe,c:\program files\real\realupgrade\realupgradesrvsrv.exe,
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
BHO: Windows Live ID Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.4.4525.1752\swg.dll
BHO: AIM Toolbar Loader: {b0cda128-b425-4eef-a174-61a11ac5dbf8} - c:\program files\aim toolbar\aimtb.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_B7C5AC242193BB3E.dll
BHO: MSN Toolbar BHO: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn toolbar\platform\4.0.0379.0\npwinext.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn0\YTSingleInstance.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: AIM Toolbar: {61539ecd-cc67-4437-a03c-9aaccbd14326} - c:\program files\aim toolbar\aimtb.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
TB: Veoh Video Compass: {52836eb0-631a-47b1-94a6-61f9d9112dae} - c:\program files\veoh networks\veoh video compass\SearchRecsPlugin.dll
TB: MSN Toolbar: {8dcb7100-df86-4384-8842-8fa844297b3f} - c:\program files\msn toolbar\platform\4.0.0379.0\npwinext.dll
uRun: [{A0B78EA2-4748-65FB-B786-CFD36DA7BE43}] "c:\documents and settings\wayne\application data\bilyyq\rafy.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [b346b377-c5b1-44e6-8746-fff95c083a8f_46] rundll32.exe "c:\documents and settings\wayne\application data\b346b377-c5b1-44e6-8746-fff95c083a8f_46.avi", start
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRunOnce: [Shockwave Updater] c:\windows\system32\adobe\shockw~1\SWHELP~1.EXE -Update -1103470 -"Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB6; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)" -"http://www.gamehouse.com/realarcade-webgames/ancientsudoku/index.jsp?pread=0&pread=0&ractype=fullclient"
mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSCONFIG.EXE /auto
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
IE: &AIM Toolbar Search - c:\documents and settings\all users\application data\aim toolbar\ietoolbar\resources\en-us\local\search.html
IE: {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - c:\program files\pokerstars\PokerStarsUpdate.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {0b83c99c-1efa-4259-858f-bcb33e007a5b} - {61539ecd-cc67-4437-a03c-9aaccbd14326} - c:\program files\aim toolbar\aimtb.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} - hxxp://www.pcpitstop.com/betapit/PCPitStop.CAB
DPF: {1A1F56AA-3401-46F9-B277-D57F3421F821} - hxxp://www.worldwinner.com/games/v47/shared/FunGamesLoader.cab
DPF: {1D082E71-DF20-4AAF-863B-596428C49874} - hxxp://www.worldwinner.com/games/v50/tpir/tpir.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} - hxxp://www.worldwinner.com/games/shared/wwlaunch.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {A52FBD2B-7AB3-4F6B-90E3-91C772C5D00F} - hxxp://www.worldwinner.com/games/v57/wof/wof.cab
DPF: {BB637307-92FA-47EC-B3F7-6969078673CC} - hxxp://www.worldwinner.com/games/v45/royal/royal.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} - hxxp://service.futuremark.com/virtualmark/tc/FMSI.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E12EB891-D000-421B-A8ED-EDE1BDCA14A0} - hxxp://www.worldwinner.com/games/v44/golfsol/golfsol.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} - hxxp://utilities.pcpitstop.com/da2/PCPitStop2.cab
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
Hosts: 89.149.193.137 www.google.com
Hosts: 89.149.193.137 us.search.yahoo.com
Hosts: 89.149.193.137 uk.search.yahoo.com
Hosts: 89.149.193.137 search.yahoo.com
Hosts: 89.149.193.137 www.google.com.br

Note: multiple HOSTS entries found. Please refer to Attach.txt

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\wayne\applic~1\mozilla\firefox\profiles\kt7j57ki.default\
# Mozilla User Preferences

/* Do not edit this file.
*
* If you make changes to this file while the application is running,
* the changes will be overwritten when the application exits.
*
* To make a manual change to preferences, you can visit the URL about:config
* For more information, see hxxp://www.mozilla.org/unix/customizing.html#prefs
*/

user_pref(app.update.lastUpdateTime.addon-background-update-timer, 1242299186);
user_pref(app.update.lastUpdateTime.background-update-timer, 1242299186);
user_pref(app.update.lastUpdateTime.blocklist-background-update-timer, 1242299186);
user_pref(app.update.lastUpdateTime.microsummary-generator-update-timer, 1242299186);
user_pref(app.update.lastUpdateTime.search-engine-update-timer, 1242321386);
user_pref(browser.migration.version, 1);
user_pref(browser.places.importDefaults, false);
user_pref(browser.places.migratePostDataAnnotations, false);
user_pref(browser.places.smartBookmarksVersion, 1);
user_pref(browser.places.updateRecentTagsUri, false);
user_pref(browser.rights.3.shown, true);
user_pref(browser.startup.homepage_override.mstone, rv:1.9.0.10);
user_pref(extensions.enabledItems, {CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}:6.0.10,{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}:6.0.13,jqs@sun.com:1.0,{635abd67-4fe9-1b23-4f01-e679fa7484c1}:1.5.2.20080717,moveplayer@movenetworks.com:7,{972ce4c6-7e08-4474-a285-3208198ce6fd}:3.0.10);
user_pref(extensions.lastAppVersion, 3.0.10);
user_pref(extensions.update.notifyUser, false);
user_pref(intl.charsetmenu.browser.cache, ISO-8859-1, UTF-8);
user_pref(network.cookie.prefsMigrated, true);
user_pref(spellchecker.dictionary, en-US);
user_pref(urlclassifier.keyupdatetime.https://sb-ssl.google.com/safebrowsing/newkey, 1255473016);
user_pref(yahoo.addtomy, true);
user_pref(yahoo.homepage.dontask, true);
user_pref(yahoo.installer.country, us);
user_pref(yahoo.installer.dc, v1_yff2);
user_pref(yahoo.installer.language, us);
user_pref(yahoo.installer.nd, 2);
user_pref(yahoo.installer.sc, sunm);
user_pref(yahoo.installer.version, 1.5.2.20080717);
user_pref(yahoo.installer.version.simple, 1.5.2);
user_pref(yahoo.supports.livesearch, true);
user_pref(yahoo.toolbar.searchbox.width, 55);
FF - prefs.js: browser.search.selectedEngine - Yahoo!);
user_pref(browser.startup.homepage, http://bing.zugo.com/?cfg=2-79-0-1kCe3);
user_pref(keyword.URL, http://bing.zugo.com/s/?src=FF-Address&site=Bing&cfg=2-79-0-1kCe3&q=
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
============= SERVICES / DRIVERS ===============

R1 OADevice;OADriver;c:\windows\system32\drivers\OADriver.sys [2008-11-17 178376]
R1 OAmon;OAmon;c:\windows\system32\drivers\OAmon.sys [2008-11-17 30920]
R1 OAnet;OAnet;c:\windows\system32\drivers\OAnet.sys [2008-11-17 28872]
R2 OAcat;Online Armor Helper Service;c:\program files\tall emu\online armor\oacat.exe [2008-11-17 1402568]
R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2009-9-11 24652]
R3 COMMONFX.SYS;COMMONFX.SYS;c:\windows\system32\drivers\COMMONFX.sys [2008-6-27 99352]
R3 CTAUDFX.SYS;CTAUDFX.SYS;c:\windows\system32\drivers\CTAUDFX.sys [2008-6-27 555032]
R3 CTSBLFX.SYS;CTSBLFX.SYS;c:\windows\system32\drivers\CTSBLFX.sys [2008-6-27 566296]
S3 COMMONFX;COMMONFX;c:\windows\system32\drivers\COMMONFX.sys [2008-6-27 99352]
S3 cpuz130;cpuz130;\??\c:\docume~1\wayne\locals~1\temp\cpuz130\cpuz_x32.sys --> c:\docume~1\wayne\locals~1\temp\cpuz130\cpuz_x32.sys [?]
S3 CTAUDFX;CTAUDFX;c:\windows\system32\drivers\CTAUDFX.sys [2008-6-27 555032]
S3 CTERFXFX.SYS;CTERFXFX.SYS;c:\windows\system32\drivers\CTERFXFX.sys [2008-6-27 100888]
S3 CTERFXFX;CTERFXFX;c:\windows\system32\drivers\CTERFXFX.sys [2008-6-27 100888]
S3 CTSBLFX;CTSBLFX;c:\windows\system32\drivers\CTSBLFX.sys [2008-6-27 566296]
S3 DAUpdaterSvc;Dragon Age: Origins - Content Updater;c:\program files\dragon age\bin_ship\daupdatersvc.service.exe [2009-12-25 25832]
S3 SetupNTGLM7X;SetupNTGLM7X;\??\e:\ntglm7x.sys --> e:\NTGLM7X.sys [?]
S3 SvcOnlineArmor;Online Armor;c:\program files\tall emu\online armor\oasrv.exe [2008-11-17 3538632]
S4 PCPitstop Scheduling;PCPitstop Scheduling;c:\program files\pcpitstop\PCPitstopScheduleService.exe [2009-9-14 144384]

=============== Created Last 30 ================

2010-08-06 04:44:57 25022 ----a-w- c:\windows\RGI9.tmp
2010-08-06 04:44:57 0 d-----w- c:\windows\system32\SeaPort
2010-08-06 04:39:38 25022 ----a-w- c:\windows\RGI6.tmp
2010-08-04 01:07:02 25022 ----a-w- c:\windows\RGI4.tmp
2010-08-01 22:15:37 174 ----a-w- c:\windows\system32\MRT.INI
2010-08-01 21:56:39 0 d-----w- c:\program files\MSXML 4.0
2010-08-01 16:24:35 0 d-----w- c:\program files\riva
2010-07-28 21:40:39 0 d-----w- c:\program files\GlobFX
2010-07-26 12:55:33 0 d-----w- c:\program files\common files\xing shared
2010-07-26 12:55:13 0 d-----w- c:\program files\common files\Real
2010-07-26 12:49:35 0 d-----w- c:\docume~1\wayne\applic~1\FinalMediaPlayer
2010-07-26 12:49:28 0 d-----w- c:\program files\Free Offers from Freeze.com
2010-07-13 23:05:14 744448 -c----w- c:\windows\system32\dllcache\helpsvc.exe
2010-07-08 20:35:33 0 d-s---w- C:\ComboFix
2010-07-08 00:47:34 0 d-----w- c:\docume~1\wayne\applic~1\uTorrent

==================== Find3M ====================

2010-07-26 12:55:14 499712 ----a-w- c:\windows\system32\msvcp71.dll
2010-06-29 17:17:06 411368 ----a-w- c:\windows\system32\deployJava1.dll

============= FINISH: 16:05:21.84 ===============
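
As an added example (not part of this thread, and not code from DDS, Spybot or any of the tools named here): a small Python triage script that applies to Pseudo HJT Report lines the checks a helper makes by eye on the log above. It flags Hosts entries that pin search-engine names to a non-loopback address, a Winlogon Userinit value with entries appended after userinit.exe, autoruns living under the user's Application Data folder, and rundll32 being handed a file that is not a DLL. The rule names, the search-domain list and the sample (lines copied from the second DDS log plus a few benign ones) are my own choices.

```python
import re
from dataclasses import dataclass

# Sample report lines copied from the second DDS log in this thread, plus the
# benign ctfmon / Google Toolbar autoruns and a normal localhost entry so the
# rules show their negatives as well. Constructed sample, not a full log.
SAMPLE_LINES = r"""
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\program files\microsoft\desktoplayer.exe,
uRun: [{A0B78EA2-4748-65FB-B786-CFD36DA7BE43}] "c:\documents and settings\wayne\application data\bilyyq\rafy.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [b346b377-c5b1-44e6-8746-fff95c083a8f_46] rundll32.exe "c:\documents and settings\wayne\application data\b346b377-c5b1-44e6-8746-fff95c083a8f_46.avi", start
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
Hosts: 89.149.193.137 www.google.com
Hosts: 89.149.193.137 search.yahoo.com
Hosts: 127.0.0.1 localhost
"""

# Search-engine name fragments a redirector typically hijacks (my own list, not
# from the DDS tool) and address prefixes that are harmless in a HOSTS file.
SEARCH_DOMAINS = ("google.", "search.yahoo.", "bing.")
LOOPBACK_PREFIXES = ("127.", "0.0.0.0", "::1")

HOSTS_RE = re.compile(r"^Hosts:\s+(\S+)\s+(\S+)")
USERINIT_RE = re.compile(r"^mWinlogon:\s+Userinit=(.*)$", re.IGNORECASE)
RUN_RE = re.compile(r"^[um]Run(?:Once)?:\s+\[[^\]]*\]\s+(.*)$")
RUNDLL_RE = re.compile(r'^rundll32\.exe\s+"?([^",]+)"?', re.IGNORECASE)


@dataclass
class Finding:
    rule: str   # short rule name, chosen here for this example
    line: str   # the report line that triggered it


def triage_line(line: str) -> list:
    """Apply the four checks to one Pseudo HJT Report line."""
    findings = []

    m = HOSTS_RE.match(line)
    if m:
        ip, host = m.group(1), m.group(2).lower()
        # A search-engine name pinned to a non-loopback address is the classic
        # HOSTS-based search redirect seen in the log above.
        if any(d in host for d in SEARCH_DOMAINS) and not ip.startswith(LOOPBACK_PREFIXES):
            findings.append(Finding("hosts-search-redirect", line))
        return findings

    m = USERINIT_RE.match(line)
    if m:
        # Userinit is a comma-separated list; anything after the real
        # system32\userinit.exe is executed at every logon.
        entries = [e.strip().lower() for e in m.group(1).split(",") if e.strip()]
        if any(not e.endswith(r"\system32\userinit.exe") for e in entries):
            findings.append(Finding("userinit-extra-entry", line))
        return findings

    m = RUN_RE.match(line)
    if m:
        cmd = m.group(1).strip()
        target = cmd.strip('"').lower()
        r = RUNDLL_RE.match(cmd)
        if r:
            target = r.group(1).strip().lower()
            # rundll32 given a file that is not a .dll (here an ".avi") is a
            # common way to disguise a loader.
            if not target.endswith(".dll"):
                findings.append(Finding("rundll32-non-dll-payload", line))
        # Legitimate software rarely autoruns from the user's Application Data.
        if "\\application data\\" in target:
            findings.append(Finding("autorun-from-user-profile", line))
    return findings


def triage(report: str) -> list:
    """Run triage_line over every line of a report and collect the findings."""
    findings = []
    for line in report.strip().splitlines():
        findings.extend(triage_line(line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LINES):
        print(f"[{f.rule}] {f.line}")
```

On the sample above the script reports six findings; the rundll32 line trips two rules (non-DLL payload and user-profile location), which is the kind of stacking that separates a disguised loader from an odd but legitimate autorun.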

shelf life
2010-08-07, 02:18
OK. We will start with two downloads to use. The first one is TDSSKiller; the second is ComboFix, which you have used before.

1) Please download TDSSKiller.exe (http://support.kaspersky.com/downloads/utils/tdsskiller.exe) and save it to your desktop.
Double-click to launch the utility, then click the Start scan button.

Once the scan completes you can click the continue button.

"The utility will automatically select an action (Cure or Delete) for known malicious objects. A suspicious object will be skipped by default."

"After clicking Next, the utility applies selected actions and outputs the result."

"A reboot might be required after disinfection."

A report will be found in your root drive, Local Disk (C:), as TDSSKiller.2.4.0.0_01.08.2010_17.32.21_log.txt (name, version, date, time).
Please post the log report.

2) Please read through this guide on using ComboFix and apply the directions on your own machine. Post the ComboFix log in your reply.

Guide to using Combofix (http://www.bleepingcomputer.com/combofix/how-to-use-combofix)

luckywayne
2010-08-07, 04:44
Hey Shelf Life.

TDS ran fine, it would seem. However, CFix, I think, had a bit of an issue. It set up a new version of the recovery console and then proceeded to scan. It went through 50 stages and reported deleting a good number of files, but then I got quite a few error messages saying that some of the files that were deleted needed to be restored and that I needed to run chkdsk. Soon after, CFix ended its scan as normal and restarted my machine. Upon restart, chkdsk ran automatically and deleted 4-5 .gif files on its index check. When it was complete and Windows rebooted, I saw the CFix box open and then immediately close without further instruction or a log. I decided to check my MSConfig and saw that some of the unidentifiable programs were back and checked, so I am not really sure if CFix was able to complete its job. I am going to attach the TDS log, but I do not have the CFix log:

2010/08/06 22:02:07.0359 TDSS rootkit removing tool 2.4.1.0 Aug 4 2010 15:06:41
2010/08/06 22:02:07.0359 ================================================================================
2010/08/06 22:02:07.0359 SystemInfo:
2010/08/06 22:02:07.0359
2010/08/06 22:02:07.0359 OS Version: 5.1.2600 ServicePack: 3.0
2010/08/06 22:02:07.0359 Product type: Workstation
2010/08/06 22:02:07.0359 ComputerName: TOY-REBUILT
2010/08/06 22:02:07.0359 UserName: Wayne
2010/08/06 22:02:07.0359 Windows directory: C:\WINDOWS
2010/08/06 22:02:07.0359 System windows directory: C:\WINDOWS
2010/08/06 22:02:07.0359 Processor architecture: Intel x86
2010/08/06 22:02:07.0359 Number of processors: 2
2010/08/06 22:02:07.0359 Page size: 0x1000
2010/08/06 22:02:07.0359 Boot type: Normal boot
2010/08/06 22:02:07.0359 ================================================================================
2010/08/06 22:02:07.0656 Initialize success
2010/08/06 22:02:10.0187 ================================================================================
2010/08/06 22:02:10.0187 Scan started
2010/08/06 22:02:10.0187 Mode: Manual;
2010/08/06 22:02:10.0187 ================================================================================
2010/08/06 22:02:12.0062 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2010/08/06 22:02:12.0109 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
2010/08/06 22:02:12.0171 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
2010/08/06 22:02:12.0265 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys
2010/08/06 22:02:12.0328 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys
2010/08/06 22:02:12.0406 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2010/08/06 22:02:12.0421 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
2010/08/06 22:02:12.0468 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2010/08/06 22:02:12.0609 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2010/08/06 22:02:12.0687 b57w2k (4826fcf97c47b361a2e2f68cd487a19e) C:\WINDOWS\system32\DRIVERS\b57xp32.sys
2010/08/06 22:02:12.0750 BCM43XX (ebf36d658d0da5b1ea667fa403919c26) C:\WINDOWS\system32\DRIVERS\bcmwl5.sys
2010/08/06 22:02:12.0812 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2010/08/06 22:02:13.0171 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2010/08/06 22:02:13.0218 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2010/08/06 22:02:13.0281 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
2010/08/06 22:02:13.0312 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2010/08/06 22:02:13.0343 cercsr6 (84853b3fd012251690570e9e7e43343f) C:\WINDOWS\system32\drivers\cercsr6.sys
2010/08/06 22:02:13.0437 COMMONFX (12a4291c1853ad2d857a49940e02c597) C:\WINDOWS\system32\drivers\COMMONFX.SYS
2010/08/06 22:02:13.0453 COMMONFX.SYS (12a4291c1853ad2d857a49940e02c597) C:\WINDOWS\System32\drivers\COMMONFX.SYS
2010/08/06 22:02:13.0812 ctac32k (6828e496c441298a599b778da37e02ee) C:\WINDOWS\system32\drivers\ctac32k.sys
2010/08/06 22:02:13.0859 ctaud2k (ddea4817005cdea3831dc6916ed7d377) C:\WINDOWS\system32\drivers\ctaud2k.sys
2010/08/06 22:02:13.0937 CTAUDFX (97f388eb52f19e149f9cdab405c53fa7) C:\WINDOWS\system32\drivers\CTAUDFX.SYS
2010/08/06 22:02:13.0968 CTAUDFX.SYS (97f388eb52f19e149f9cdab405c53fa7) C:\WINDOWS\System32\drivers\CTAUDFX.SYS
2010/08/06 22:02:14.0031 ctdvda2k (b48be5615619b360e71d6d06f7b0648d) C:\WINDOWS\system32\drivers\ctdvda2k.sys
2010/08/06 22:02:14.0062 CTERFXFX (547f1e690a5994091665a1fcd2bfc091) C:\WINDOWS\system32\drivers\CTERFXFX.SYS
2010/08/06 22:02:14.0078 CTERFXFX.SYS (547f1e690a5994091665a1fcd2bfc091) C:\WINDOWS\System32\drivers\CTERFXFX.SYS
2010/08/06 22:02:14.0109 ctprxy2k (e5bbad0a8f9b2965af4b3fbc24098fc9) C:\WINDOWS\system32\drivers\ctprxy2k.sys
2010/08/06 22:02:14.0140 CTSBLFX (b40b38463c9747f5614bd8982d212dae) C:\WINDOWS\system32\drivers\CTSBLFX.SYS
2010/08/06 22:02:14.0250 CTSBLFX.SYS (b40b38463c9747f5614bd8982d212dae) C:\WINDOWS\System32\drivers\CTSBLFX.SYS
2010/08/06 22:02:14.0265 ctsfm2k (4881087b083f7dbf7a1eca63ccae3696) C:\WINDOWS\system32\drivers\ctsfm2k.sys
2010/08/06 22:02:14.0359 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
2010/08/06 22:02:14.0421 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
2010/08/06 22:02:14.0437 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
2010/08/06 22:02:14.0484 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2010/08/06 22:02:14.0515 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
2010/08/06 22:02:14.0625 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
2010/08/06 22:02:14.0703 emupia (e74433ad1b95d96f4ef6516ff8963c0b) C:\WINDOWS\system32\drivers\emupia2k.sys
2010/08/06 22:02:14.0750 ENTECH (16ebd8bf1d5090923694cc972c7ce1b4) C:\WINDOWS\system32\DRIVERS\ENTECH.sys
2010/08/06 22:02:14.0812 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
2010/08/06 22:02:14.0843 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\drivers\Fdc.sys
2010/08/06 22:02:14.0859 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
2010/08/06 22:02:14.0937 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys
2010/08/06 22:02:15.0000 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
2010/08/06 22:02:15.0046 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2010/08/06 22:02:15.0062 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2010/08/06 22:02:15.0093 gameenum (065639773d8b03f33577f6cdaea21063) C:\WINDOWS\system32\DRIVERS\gameenum.sys
2010/08/06 22:02:15.0109 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2010/08/06 22:02:15.0203 ha10kx2k (703dd73e366d5b926c4f2011d01c69ce) C:\WINDOWS\system32\drivers\ha10kx2k.sys
2010/08/06 22:02:15.0312 hap16v2k (a94f6783447660573507728af42079ee) C:\WINDOWS\system32\drivers\hap16v2k.sys
2010/08/06 22:02:15.0343 hap17v2k (156d19c5cf8cc40378dbd7deb6c7ee5c) C:\WINDOWS\system32\drivers\hap17v2k.sys
2010/08/06 22:02:15.0406 hidusb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
2010/08/06 22:02:15.0500 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
2010/08/06 22:02:15.0546 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2010/08/06 22:02:15.0625 iastor (fd7f9d74c2b35dbda400804a3f5ed5d8) C:\WINDOWS\system32\DRIVERS\iaStor.sys
2010/08/06 22:02:15.0718 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
2010/08/06 22:02:15.0765 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys
2010/08/06 22:02:15.0796 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
2010/08/06 22:02:15.0828 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
2010/08/06 22:02:15.0890 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2010/08/06 22:02:15.0906 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2010/08/06 22:02:15.0921 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2010/08/06 22:02:15.0953 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2010/08/06 22:02:16.0046 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
2010/08/06 22:02:16.0109 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2010/08/06 22:02:16.0125 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2010/08/06 22:02:16.0203 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
2010/08/06 22:02:16.0218 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
2010/08/06 22:02:16.0250 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
2010/08/06 22:02:16.0296 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2010/08/06 22:02:16.0343 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
2010/08/06 22:02:16.0437 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2010/08/06 22:02:16.0484 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
2010/08/06 22:02:16.0500 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
2010/08/06 22:02:16.0609 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2010/08/06 22:02:16.0687 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2010/08/06 22:02:16.0718 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
2010/08/06 22:02:16.0750 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2010/08/06 22:02:16.0765 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2010/08/06 22:02:16.0765 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
2010/08/06 22:02:16.0796 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2010/08/06 22:02:16.0812 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
2010/08/06 22:02:16.0828 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
2010/08/06 22:02:16.0843 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2010/08/06 22:02:16.0984 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2010/08/06 22:02:17.0000 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2010/08/06 22:02:17.0015 NDProxy (6215023940cfd3702b46abc304e1d45a) C:\WINDOWS\system32\drivers\NDProxy.sys
2010/08/06 22:02:17.0015 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
2010/08/06 22:02:17.0031 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
2010/08/06 22:02:17.0078 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys
2010/08/06 22:02:17.0109 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
2010/08/06 22:02:17.0140 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
2010/08/06 22:02:17.0218 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2010/08/06 22:02:17.0703 nv (cd9ed87b4fc6ec41d3b5be0b923843fc) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
2010/08/06 22:02:18.0156 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2010/08/06 22:02:18.0203 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2010/08/06 22:02:18.0265 OADevice (4a850723c4d8d38c149fb1ac7b638247) C:\WINDOWS\system32\drivers\OADriver.sys
2010/08/06 22:02:18.0328 OAmon (fc8478f91da4c00bdb0fdbad71902b7d) C:\WINDOWS\system32\drivers\OAmon.sys
2010/08/06 22:02:18.0343 OAnet (6bec2a17db076a04041394409629d940) C:\WINDOWS\system32\drivers\OAnet.sys
2010/08/06 22:02:18.0406 ohci1394 (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys
2010/08/06 22:02:18.0484 ossrv (d6003739f989a63461dec3e9d670b691) C:\WINDOWS\system32\drivers\ctoss2k.sys
2010/08/06 22:02:18.0562 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
2010/08/06 22:02:18.0578 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
2010/08/06 22:02:18.0625 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2010/08/06 22:02:18.0640 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
2010/08/06 22:02:18.0656 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\drivers\PCIIde.sys
2010/08/06 22:02:18.0703 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
2010/08/06 22:02:18.0828 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2010/08/06 22:02:18.0843 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
2010/08/06 22:02:18.0843 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2010/08/06 22:02:18.0890 PxHelp20 (d86b4a68565e444d76457f14172c875a) C:\WINDOWS\system32\Drivers\PxHelp20.sys
2010/08/06 22:02:18.0968 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2010/08/06 22:02:19.0031 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2010/08/06 22:02:19.0046 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2010/08/06 22:02:19.0125 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2010/08/06 22:02:19.0140 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2010/08/06 22:02:19.0156 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2010/08/06 22:02:19.0281 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
2010/08/06 22:02:19.0328 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
2010/08/06 22:02:19.0359 sbp2port (b244960e5a1db8e9d5d17086de37c1e4) C:\WINDOWS\system32\DRIVERS\sbp2port.sys
2010/08/06 22:02:19.0406 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2010/08/06 22:02:19.0468 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
2010/08/06 22:02:19.0531 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
2010/08/06 22:02:19.0593 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
2010/08/06 22:02:19.0656 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
2010/08/06 22:02:19.0750 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
2010/08/06 22:02:19.0890 Srv (89220b427890aa1dffd1a02648ae51c3) C:\WINDOWS\system32\DRIVERS\srv.sys
2010/08/06 22:02:19.0968 StarOpen (f92254b0bcfcd10caac7bccc7cb7f467) C:\WINDOWS\system32\drivers\StarOpen.sys
2010/08/06 22:02:20.0015 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
2010/08/06 22:02:20.0031 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
2010/08/06 22:02:20.0125 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
2010/08/06 22:02:20.0203 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2010/08/06 22:02:20.0265 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
2010/08/06 22:02:20.0281 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
2010/08/06 22:02:20.0281 TermDD (d8255d23e53f6267991a9b10c2b73ffd) C:\WINDOWS\system32\DRIVERS\termdd.sys
2010/08/06 22:02:20.0281 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\termdd.sys. Real md5: d8255d23e53f6267991a9b10c2b73ffd, Fake md5: 88155247177638048422893737429d9e
2010/08/06 22:02:20.0281 TermDD - detected Rootkit.Win32.TDSS.tdl3 (0)
2010/08/06 22:02:20.0359 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
2010/08/06 22:02:20.0437 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
2010/08/06 22:02:20.0531 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2010/08/06 22:02:20.0562 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2010/08/06 22:02:20.0671 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2010/08/06 22:02:20.0718 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
2010/08/06 22:02:20.0781 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
2010/08/06 22:02:20.0843 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
2010/08/06 22:02:20.0921 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2010/08/06 22:02:20.0984 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
2010/08/06 22:02:21.0093 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
2010/08/06 22:02:21.0187 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
2010/08/06 22:02:21.0234 ================================================================================
2010/08/06 22:02:21.0234 Scan finished
2010/08/06 22:02:21.0234 ================================================================================
2010/08/06 22:02:21.0234 Detected object count: 1
2010/08/06 22:02:27.0328 TermDD (d8255d23e53f6267991a9b10c2b73ffd) C:\WINDOWS\system32\DRIVERS\termdd.sys
2010/08/06 22:02:27.0328 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\termdd.sys. Real md5: d8255d23e53f6267991a9b10c2b73ffd, Fake md5: 88155247177638048422893737429d9e
2010/08/06 22:02:28.0265 Backup copy found, using it..
2010/08/06 22:02:28.0296 C:\WINDOWS\system32\DRIVERS\termdd.sys - will be cured after reboot
2010/08/06 22:02:28.0296 Rootkit.Win32.TDSS.tdl3(TermDD) - User select action: Cure
2010/08/06 22:02:33.0578 Deinitialize success

shelf life
2010-08-07, 17:57
Take a look in your root drive Local Disk (C) and you might find the saved log in the combofix folder. Also you can download and run Malwarebytes:

Please download Malwarebytes (http://www.malwarebytes.org/mbam.php) to your desktop.

Double-click mbam-setup.exe and follow the prompts to install the program.

Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.

If an update is found, it will download and install the latest version.

Once the program has loaded, select Perform FULL SCAN, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.

Be sure that everything is checked, and click *Remove Selected.*

*A restart of your computer may be required to remove some items. If prompted please restart your computer to complete the fix.*

When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt
Post the log in your reply.

luckywayne
2010-08-07, 23:44
No sign of the CFix log. Malwarebytes ran fine, but on restart the same installs occurred and the computer crashed into a blue screen. I restarted again, and when I did the CFix window popped up and went away again with no other result, and my startup is still populated with garbage. When I opened the browser to post here, I still got redirects. Here is the Malwarebytes log:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4404

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

8/7/2010 5:35:45 PM
mbam-log-2010-08-07 (17-35-45).txt

Scan type: Full scan (C:\|)
Objects scanned: 222623
Time elapsed: 1 hour(s), 6 minute(s), 33 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 3
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 42

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\Software\WinServers (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\b346b377-c5b1-44e6-8746-fff95c083a8f_46 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\24d1ca9a-a864-4f7b-86fe-495eb56529d8 (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\7bde84a2-f58f-46ec-9eac-f1f90fead080 (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Malware.Packer.Gen) -> Data: c:\program files\real\realupgrade\realupgradesrv.exe -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\ComboFix\NircmdBSrv.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\ComboFix\SFSrv.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\ComboFix\SWREGSrv.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\ComboFix\pevSrv.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\Documents and Settings\Wayne\Application Data\Mozilla\Firefox\Profiles\kt7j57ki.default\extensions\{896642E4-C556-4ED3-85D1-9AC431603E7D}\chrome\content\id_searchtoolbar\SearchToolbar.dll (Adware.EcoBar) -> Quarantined and deleted successfully.
C:\Documents and Settings\Wayne\Application Data\Pewi\odyzl.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\Documents and Settings\Wayne\Local Settings\temp\16.tmp (Rootkit.TDSS) -> Delete on reboot.
C:\Documents and Settings\Wayne\Local Settings\temp\17.tmp (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\Poker\Winner Poker\_SetupPoker_22ce47.exe (Adware.Casino) -> Quarantined and deleted successfully.
C:\Program Files\Common Files\Real\Update_OB\realschedSrv.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\Program Files\Real\RealUpgrade\realupgradeSrv.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\Program Files\Real\RealUpgrade\realupgradesrvSrv.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\Program Files\Real\RealUpgrade\realupgradesrvsrvSrv.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\Program Files\Real\RealUpgrade\realupgradesrvsrvSrvSrv.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\Qoobox\DesktopLayer.exe.vir (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\Documents and Settings\Wayne\Application Data\b346b377-c5b1-44e6-8746-fff95c083a8f_46.avi.vir (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\Documents and Settings\Wayne\Application Data\Bilyyq\rafy.exe.vir (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\Documents and Settings\Wayne\Application Data\Qofo\inozg.exe.vir (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\DOCUME~1\Wayne\LOCALS~1\temp\4fab030a-7617-4248-8615-946d95ea5a17\wrk4.tmp_46.vir (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\DOCUME~1\Wayne\LOCALS~1\temp\4fab030a-7617-4248-8615-946d95ea5a17\wrk5.tmp_46.vir (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\Program Files\Microsoft\DesktopLayer.exe.vir (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\Program Files\Microsoft\DesktopLayerSrv.exe.vir (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\Program Files\riva\l_acc0037.1280835110.exe.vir (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{EEAD7172-7D8D-4A56-ACA0-6652FF74E8CC}\RP1\A0000252.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{EEAD7172-7D8D-4A56-ACA0-6652FF74E8CC}\RP1\A0000115.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{EEAD7172-7D8D-4A56-ACA0-6652FF74E8CC}\RP1\A0000200.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{EEAD7172-7D8D-4A56-ACA0-6652FF74E8CC}\RP1\A0000244.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{EEAD7172-7D8D-4A56-ACA0-6652FF74E8CC}\RP1\A0000246.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{EEAD7172-7D8D-4A56-ACA0-6652FF74E8CC}\RP1\A0000247.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{EEAD7172-7D8D-4A56-ACA0-6652FF74E8CC}\RP1\A0000257.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{EEAD7172-7D8D-4A56-ACA0-6652FF74E8CC}\RP1\A0000267.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{EEAD7172-7D8D-4A56-ACA0-6652FF74E8CC}\RP1\A0000278.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{EEAD7172-7D8D-4A56-ACA0-6652FF74E8CC}\RP1\A0000280.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{EEAD7172-7D8D-4A56-ACA0-6652FF74E8CC}\RP1\A0000282.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{EEAD7172-7D8D-4A56-ACA0-6652FF74E8CC}\RP1\A0000284.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{EEAD7172-7D8D-4A56-ACA0-6652FF74E8CC}\RP1\A0000386.dll (Adware.EcoBar) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{EEAD7172-7D8D-4A56-ACA0-6652FF74E8CC}\RP1\A0000394.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{EEAD7172-7D8D-4A56-ACA0-6652FF74E8CC}\RP1\A0000685.exe (Adware.Casino) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{EEAD7172-7D8D-4A56-ACA0-6652FF74E8CC}\RP1\A0001139.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{EEAD7172-7D8D-4A56-ACA0-6652FF74E8CC}\RP1\A0002864.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{EEAD7172-7D8D-4A56-ACA0-6652FF74E8CC}\RP1\A0002865.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{EEAD7172-7D8D-4A56-ACA0-6652FF74E8CC}\RP1\A0002866.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
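An added example, not code from this thread or from Malwarebytes, that parses result lines in the format of the log above and flags the three things a responder would act on: a Winlogon\Userinit value that points anywhere other than the default userinit.exe, executables whose names carry one or more chained "Srv" suffixes (the log above shows these under Real\RealUpgrade and under C:\ComboFix itself), and items left as "Delete on reboot". The expected Userinit value is the 32-bit Windows XP default and is an assumption if Windows lives somewhere other than C:\WINDOWS; the sample lines are copied from the log above.

```python
import re

# Each result line Malwarebytes' Anti-Malware 1.x writes has the shape
#   <item> (<family>) -> [Data: <value> -> ]<action>
MBAM_ENTRY = re.compile(
    r"^(?P<item>.+?) \((?P<family>[^()]+)\) -> "
    r"(?:Data: (?P<data>.+?) -> )?(?P<action>.+)$"
)

# Default Userinit value on a 32-bit Windows XP installed in C:\WINDOWS
# (assumed here); the trailing comma is part of the legitimate value.
# Whatever is in this value is started by winlogon at every logon.
DEFAULT_USERINIT = r"c:\windows\system32\userinit.exe,"


def parse_mbam_log(text):
    """Return one dict per result line; section headers and blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = MBAM_ENTRY.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries


def srv_depth(path):
    """Count how many times 'Srv' has been chained onto an .exe basename:
    realupgradesrvsrvSrvSrv.exe -> 4, NircmdBSrv.exe -> 1, odyzl.exe -> 0."""
    name = path.rsplit("\\", 1)[-1].lower()
    if not name.endswith(".exe"):
        return 0
    stem, depth = name[:-4], 0
    while stem.endswith("srv"):
        stem, depth = stem[:-3], depth + 1
    return depth


def analyze(text, expected_userinit=DEFAULT_USERINIT):
    """Flag the findings in a log that need follow-up beyond 'quarantined'."""
    report = {"entries": 0, "userinit": None, "companions": [], "pending_reboot": []}
    for e in parse_mbam_log(text):
        report["entries"] += 1
        item, data, action = e["item"], e["data"], e["action"]
        # Winlogon\Userinit pointing at anything but userinit.exe is a
        # logon-time persistence hijack, whatever the target file is called.
        if item.lower().endswith(r"\winlogon\userinit") and data is not None:
            if data.strip().lower() != expected_userinit:
                report["userinit"] = data.strip()
        # Chained Srv suffixes mark companion executables dropped beside
        # legitimate programs (and, in this log, beside ComboFix's helpers).
        depth = srv_depth(item)
        if depth:
            report["companions"].append((item, depth))
        # Items MBAM could not remove while running are scheduled for the
        # next boot; if that boot crashes, they are still there.
        if action.lower().startswith("delete on reboot"):
            report["pending_reboot"].append(item)
    return report


# Constructed excerpt: five result lines copied from the log posted above,
# in the format MBAM 1.46 writes.
SAMPLE_LOG = r"""
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Malware.Packer.Gen) -> Data: c:\program files\real\realupgrade\realupgradesrv.exe -> Quarantined and deleted successfully.

Files Infected:
C:\ComboFix\NircmdBSrv.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\Documents and Settings\Wayne\Local Settings\temp\16.tmp (Rootkit.TDSS) -> Delete on reboot.
C:\Program Files\Real\RealUpgrade\realupgradesrvsrvSrvSrv.exe (Malware.Packer.Gen) -> Quarantined and deleted successfully.
C:\Poker\Winner Poker\_SetupPoker_22ce47.exe (Adware.Casino) -> Quarantined and deleted successfully.
"""

if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG).items():
        print(key, value)
```

The Userinit comparison is deliberately exact, including the trailing comma: a value that merely contains userinit.exe can still chain a second executable after it. The Srv-depth count is a heuristic; a depth of 2 or more is unambiguous, while a single trailing "srv" on a legitimately named service binary deserves a look at the file rather than an automatic verdict.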

shelf life
2010-08-08, 00:30
We will get two more downloads to use. One is called TDSSKiller, the other MBRCheck:

Please download TDSS Killer.exe (http://support.kaspersky.com/downloads/utils/tdsskiller.exe) and save it to your desktop
Double-click to launch the utility, then click the Start scan button.

Once the scan completes you can click the continue button.

"The utility will automatically select an action (Cure or Delete) for known malicious objects. A suspicious object will be skipped by default."

"After clicking Next, the utility applies selected actions and outputs the result."

"A reboot might be required after disinfection."

A report will be found in your Root drive Local Disk (C) as TDSSKiller.2.4.0.0_01.08.2010_17.32.21_log.txt (name, version, date, time)
Please post the log report.

Please also download MBRCheck to your desktop

http://ad13.geekstogo.com/MBRCheck.exe

* Double-click MBRCheck.exe to run (on Vista and Win 7, right-click and select Run as Administrator).
* It will show a black screen with some information that will contain the line below if no problem is found:
    o Done! Press ENTER to exit...

* Or you will see more information like the below if a problem is found:
    o Found non-standard or infected MBR.
    o Enter 'Y' and hit ENTER for more options, or 'N' to exit:

* Either way, just choose to exit the program at this point, since we want to see only the scan results to begin with.
* MBRCheck will create a log on your desktop named similar to MBRCheck_07.16.10_00.32.33.txt, which varies based on date and time.
* Attach this log to your next message.
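As an added example, not code from MBRCheck or from this thread, this is the kind of structural check that a "non-standard or infected MBR" verdict rests on: validate the boot signature and partition table of a 512-byte sector and compare a hash of the bootstrap code against a known-good set. The baseline sector, its boot code bytes and the known-good hash set are all constructed here and are not real Windows values; a real check would take the hash from a sector imaged off a known-clean install of the same Windows version.

```python
import hashlib
import struct

SECTOR = 512
BOOT_CODE_LEN = 0x1B8     # bootstrap code runs up to the 4-byte disk signature
PART_TABLE_OFF = 0x1BE    # four 16-byte partition entries
BOOT_SIG_OFF = 0x1FE      # 0x55 0xAA
PART_FMT = "<B3xB3xII"    # status, CHS start, type, CHS end, LBA start, sector count


def build_mbr(boot_code, partitions, disk_signature=b"\x01\x02\x03\x04"):
    """Assemble a 512-byte MBR from boot code and up to four
    (bootable, type, lba_start, sector_count) tuples."""
    if len(boot_code) > BOOT_CODE_LEN or len(partitions) > 4:
        raise ValueError("boot code too long or too many partitions")
    mbr = bytearray(SECTOR)
    mbr[:len(boot_code)] = boot_code
    mbr[BOOT_CODE_LEN:BOOT_CODE_LEN + 4] = disk_signature
    for i, (bootable, ptype, lba, count) in enumerate(partitions):
        struct.pack_into(PART_FMT, mbr, PART_TABLE_OFF + 16 * i,
                         0x80 if bootable else 0x00, ptype, lba, count)
    mbr[BOOT_SIG_OFF:] = b"\x55\xAA"
    return bytes(mbr)


def parse_partitions(mbr):
    """Decode the four slots, skipping empty ones (type 0)."""
    parts = []
    for i in range(4):
        flag, ptype, lba, count = struct.unpack_from(PART_FMT, mbr, PART_TABLE_OFF + 16 * i)
        if ptype:
            parts.append({"slot": i, "bootable": flag == 0x80, "type": ptype,
                          "lba": lba, "sectors": count})
    return parts


def boot_code_hash(mbr):
    return hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest()


def check_mbr(mbr, known_good_hashes):
    """Return a list of findings; an empty list means the sector looks standard."""
    if len(mbr) != SECTOR:
        return ["sector is %d bytes, expected %d" % (len(mbr), SECTOR)]
    findings = []
    if mbr[BOOT_SIG_OFF:] != b"\x55\xAA":
        findings.append("missing 0x55AA boot signature")
    h = boot_code_hash(mbr)
    if h not in known_good_hashes:
        # Bootkits replace or patch this code; the partition table often stays intact.
        findings.append("bootstrap code hash not in known-good set: " + h)
    parts = parse_partitions(mbr)
    if any(p["type"] == 0xEE for p in parts):
        return findings  # protective MBR of a GPT disk: no active flag expected
    active = [p for p in parts if p["bootable"]]
    if len(active) != 1:
        findings.append("%d active partitions, expected exactly 1" % len(active))
    for p in parts:
        if p["lba"] == 0 or p["sectors"] == 0:
            findings.append("slot %d has a zero start or length" % p["slot"])
    ranges = sorted((p["lba"], p["lba"] + p["sectors"]) for p in parts)
    for (s1, e1), (s2, e2) in zip(ranges, ranges[1:]):
        if s2 < e1:
            findings.append("partition ranges overlap")
            break
    return findings


# Constructed baseline: a few plausible opcodes standing in for real boot code,
# and one active NTFS partition starting at sector 63.
BASELINE_CODE = b"\x33\xC0\x8E\xD0\xBC\x00\x7C" + b"\x90" * 16
BASELINE_MBR = build_mbr(BASELINE_CODE, [(True, 0x07, 63, 41_000_000)])
KNOWN_GOOD = {boot_code_hash(BASELINE_MBR)}

# Same partition table, but the first bytes of boot code overwritten, the way
# a bootkit redirects the boot path while leaving the disk layout untouched.
TAMPERED_MBR = build_mbr(b"\xEB\xFE" + BASELINE_CODE[2:], [(True, 0x07, 63, 41_000_000)])

if __name__ == "__main__":
    print("baseline:", check_mbr(BASELINE_MBR, KNOWN_GOOD))
    print("tampered:", check_mbr(TAMPERED_MBR, KNOWN_GOOD))
```

On a live Windows machine the sector would come from opening \\.\PhysicalDrive0 with administrator rights and reading its first 512 bytes. The caveat that applies to this thread: a kernel-mode rootkit that hooks the disk stack can hand a clean sector back to any tool that reads through the running OS, so an empty findings list from a normal-boot read is a first pass, not a clean bill; a read from offline media (recovery console, boot CD) is the one to trust.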

luckywayne
2010-08-08, 01:27
Heya Shelf Life

Ran both scans; had a hell of a time restarting, took 20+ tries. Nothing has changed performance-wise. Am I doing something wrong?

Here are the logs:

2010/08/07 18:53:40.0046 TDSS rootkit removing tool 2.4.1.0 Aug 4 2010 15:06:41
2010/08/07 18:53:40.0046 ================================================================================
2010/08/07 18:53:40.0046 SystemInfo:
2010/08/07 18:53:40.0046
2010/08/07 18:53:40.0046 OS Version: 5.1.2600 ServicePack: 3.0
2010/08/07 18:53:40.0046 Product type: Workstation
2010/08/07 18:53:40.0046 ComputerName: TOY-REBUILT
2010/08/07 18:53:40.0046 UserName: Wayne
2010/08/07 18:53:40.0046 Windows directory: C:\WINDOWS
2010/08/07 18:53:40.0046 System windows directory: C:\WINDOWS
2010/08/07 18:53:40.0046 Processor architecture: Intel x86
2010/08/07 18:53:40.0046 Number of processors: 2
2010/08/07 18:53:40.0046 Page size: 0x1000
2010/08/07 18:53:40.0046 Boot type: Normal boot
2010/08/07 18:53:40.0046 ================================================================================
2010/08/07 18:53:41.0359 Initialize success
2010/08/07 18:53:42.0968 ================================================================================
2010/08/07 18:53:42.0968 Scan started
2010/08/07 18:53:42.0968 Mode: Manual;
2010/08/07 18:53:42.0968 ================================================================================
2010/08/07 18:53:45.0187 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2010/08/07 18:53:45.0375 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
2010/08/07 18:53:45.0656 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
2010/08/07 18:53:45.0906 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys
2010/08/07 18:53:46.0437 Arp1394 (b5b8a80875c1dededa8b02765642c32f) C:\WINDOWS\system32\DRIVERS\arp1394.sys
2010/08/07 18:53:46.0843 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2010/08/07 18:53:47.0015 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
2010/08/07 18:53:47.0140 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2010/08/07 18:53:47.0375 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2010/08/07 18:53:47.0687 b57w2k (4826fcf97c47b361a2e2f68cd487a19e) C:\WINDOWS\system32\DRIVERS\b57xp32.sys
2010/08/07 18:53:48.0031 BCM43XX (ebf36d658d0da5b1ea667fa403919c26) C:\WINDOWS\system32\DRIVERS\bcmwl5.sys
2010/08/07 18:53:48.0234 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2010/08/07 18:53:48.0718 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2010/08/07 18:53:48.0859 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2010/08/07 18:53:49.0156 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
2010/08/07 18:53:49.0234 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2010/08/07 18:53:49.0468 cercsr6 (84853b3fd012251690570e9e7e43343f) C:\WINDOWS\system32\drivers\cercsr6.sys
2010/08/07 18:53:49.0812 COMMONFX (12a4291c1853ad2d857a49940e02c597) C:\WINDOWS\system32\drivers\COMMONFX.SYS
2010/08/07 18:53:49.0875 COMMONFX.SYS (12a4291c1853ad2d857a49940e02c597) C:\WINDOWS\System32\drivers\COMMONFX.SYS
2010/08/07 18:53:50.0734 ctac32k (6828e496c441298a599b778da37e02ee) C:\WINDOWS\system32\drivers\ctac32k.sys
2010/08/07 18:53:51.0187 ctaud2k (ddea4817005cdea3831dc6916ed7d377) C:\WINDOWS\system32\drivers\ctaud2k.sys
2010/08/07 18:53:51.0546 CTAUDFX (97f388eb52f19e149f9cdab405c53fa7) C:\WINDOWS\system32\drivers\CTAUDFX.SYS
2010/08/07 18:53:51.0703 CTAUDFX.SYS (97f388eb52f19e149f9cdab405c53fa7) C:\WINDOWS\System32\drivers\CTAUDFX.SYS
2010/08/07 18:53:52.0031 ctdvda2k (b48be5615619b360e71d6d06f7b0648d) C:\WINDOWS\system32\drivers\ctdvda2k.sys
2010/08/07 18:53:52.0328 CTERFXFX (547f1e690a5994091665a1fcd2bfc091) C:\WINDOWS\system32\drivers\CTERFXFX.SYS
2010/08/07 18:53:52.0390 CTERFXFX.SYS (547f1e690a5994091665a1fcd2bfc091) C:\WINDOWS\System32\drivers\CTERFXFX.SYS
2010/08/07 18:53:52.0531 ctprxy2k (e5bbad0a8f9b2965af4b3fbc24098fc9) C:\WINDOWS\system32\drivers\ctprxy2k.sys
2010/08/07 18:53:53.0093 CTSBLFX (b40b38463c9747f5614bd8982d212dae) C:\WINDOWS\system32\drivers\CTSBLFX.SYS
2010/08/07 18:53:53.0609 CTSBLFX.SYS (b40b38463c9747f5614bd8982d212dae) C:\WINDOWS\System32\drivers\CTSBLFX.SYS
2010/08/07 18:53:53.0968 ctsfm2k (4881087b083f7dbf7a1eca63ccae3696) C:\WINDOWS\system32\drivers\ctsfm2k.sys
2010/08/07 18:53:54.0250 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
2010/08/07 18:53:54.0546 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
2010/08/07 18:53:54.0859 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
2010/08/07 18:53:54.0953 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2010/08/07 18:53:55.0328 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
2010/08/07 18:53:55.0453 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
2010/08/07 18:53:55.0640 emupia (e74433ad1b95d96f4ef6516ff8963c0b) C:\WINDOWS\system32\drivers\emupia2k.sys
2010/08/07 18:53:55.0875 ENTECH (16ebd8bf1d5090923694cc972c7ce1b4) C:\WINDOWS\system32\DRIVERS\ENTECH.sys
2010/08/07 18:53:56.0031 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
2010/08/07 18:53:56.0296 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\drivers\Fdc.sys
2010/08/07 18:53:56.0359 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
2010/08/07 18:53:56.0500 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys
2010/08/07 18:53:56.0625 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
2010/08/07 18:53:56.0843 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2010/08/07 18:53:56.0984 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2010/08/07 18:53:57.0046 gameenum (065639773d8b03f33577f6cdaea21063) C:\WINDOWS\system32\DRIVERS\gameenum.sys
2010/08/07 18:53:57.0140 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2010/08/07 18:53:57.0484 ha10kx2k (703dd73e366d5b926c4f2011d01c69ce) C:\WINDOWS\system32\drivers\ha10kx2k.sys
2010/08/07 18:53:57.0546 hap16v2k (a94f6783447660573507728af42079ee) C:\WINDOWS\system32\drivers\hap16v2k.sys
2010/08/07 18:53:57.0843 hap17v2k (156d19c5cf8cc40378dbd7deb6c7ee5c) C:\WINDOWS\system32\drivers\hap17v2k.sys
2010/08/07 18:53:57.0984 hidusb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
2010/08/07 18:53:58.0375 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
2010/08/07 18:53:58.0765 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2010/08/07 18:53:59.0125 iastor (fd7f9d74c2b35dbda400804a3f5ed5d8) C:\WINDOWS\system32\DRIVERS\iaStor.sys
2010/08/07 18:53:59.0343 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
2010/08/07 18:53:59.0734 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys
2010/08/07 18:53:59.0906 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
2010/08/07 18:54:00.0015 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
2010/08/07 18:54:00.0109 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2010/08/07 18:54:00.0250 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2010/08/07 18:54:00.0625 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2010/08/07 18:54:00.0890 IPSec (08786703e19269cd77eb8496f7a8407a) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2010/08/07 18:54:00.0890 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\ipsec.sys. Real md5: 08786703e19269cd77eb8496f7a8407a, Fake md5: 5a97a1015fd2cb0244be8b992520f9f1
2010/08/07 18:54:00.0890 IPSec - detected Rootkit.Win32.TDSS.tdl3 (0)
2010/08/07 18:54:01.0046 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
2010/08/07 18:54:01.0093 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2010/08/07 18:54:01.0265 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2010/08/07 18:54:01.0562 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
2010/08/07 18:54:01.0687 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
2010/08/07 18:54:01.0828 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
2010/08/07 18:54:02.0312 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2010/08/07 18:54:02.0437 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
2010/08/07 18:54:02.0718 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2010/08/07 18:54:02.0812 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
2010/08/07 18:54:02.0921 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
2010/08/07 18:54:03.0500 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2010/08/07 18:54:03.0765 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2010/08/07 18:54:03.0953 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
2010/08/07 18:54:04.0265 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2010/08/07 18:54:04.0328 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2010/08/07 18:54:04.0453 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
2010/08/07 18:54:04.0531 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2010/08/07 18:54:04.0906 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
2010/08/07 18:54:05.0093 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
2010/08/07 18:54:05.0203 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2010/08/07 18:54:05.0531 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2010/08/07 18:54:05.0718 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2010/08/07 18:54:05.0875 NDProxy (6215023940cfd3702b46abc304e1d45a) C:\WINDOWS\system32\drivers\NDProxy.sys
2010/08/07 18:54:06.0015 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
2010/08/07 18:54:06.0140 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
2010/08/07 18:54:06.0281 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys
2010/08/07 18:54:06.0468 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
2010/08/07 18:54:06.0703 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
2010/08/07 18:54:07.0093 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2010/08/07 18:54:09.0312 nv (cd9ed87b4fc6ec41d3b5be0b923843fc) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
2010/08/07 18:54:12.0203 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2010/08/07 18:54:12.0234 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2010/08/07 18:54:12.0484 OADevice (4a850723c4d8d38c149fb1ac7b638247) C:\WINDOWS\system32\drivers\OADriver.sys
2010/08/07 18:54:12.0625 OAmon (fc8478f91da4c00bdb0fdbad71902b7d) C:\WINDOWS\system32\drivers\OAmon.sys
2010/08/07 18:54:12.0703 OAnet (6bec2a17db076a04041394409629d940) C:\WINDOWS\system32\drivers\OAnet.sys
2010/08/07 18:54:12.0859 ohci1394 (ca33832df41afb202ee7aeb05145922f) C:\WINDOWS\system32\DRIVERS\ohci1394.sys
2010/08/07 18:54:12.0968 ossrv (d6003739f989a63461dec3e9d670b691) C:\WINDOWS\system32\drivers\ctoss2k.sys
2010/08/07 18:54:13.0093 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
2010/08/07 18:54:13.0265 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
2010/08/07 18:54:13.0453 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2010/08/07 18:54:13.0609 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
2010/08/07 18:54:13.0953 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\drivers\PCIIde.sys
2010/08/07 18:54:14.0093 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
2010/08/07 18:54:14.0734 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2010/08/07 18:54:14.0859 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
2010/08/07 18:54:15.0015 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2010/08/07 18:54:15.0187 PxHelp20 (d86b4a68565e444d76457f14172c875a) C:\WINDOWS\system32\Drivers\PxHelp20.sys
2010/08/07 18:54:15.0656 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2010/08/07 18:54:15.0812 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2010/08/07 18:54:15.0937 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2010/08/07 18:54:16.0156 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2010/08/07 18:54:16.0390 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2010/08/07 18:54:16.0468 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2010/08/07 18:54:16.0609 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
2010/08/07 18:54:16.0718 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
2010/08/07 18:54:16.0843 sbp2port (b244960e5a1db8e9d5d17086de37c1e4) C:\WINDOWS\system32\DRIVERS\sbp2port.sys
2010/08/07 18:54:17.0046 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2010/08/07 18:54:17.0109 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
2010/08/07 18:54:17.0140 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
2010/08/07 18:54:17.0234 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
2010/08/07 18:54:17.0531 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
2010/08/07 18:54:17.0593 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
2010/08/07 18:54:17.0812 Srv (89220b427890aa1dffd1a02648ae51c3) C:\WINDOWS\system32\DRIVERS\srv.sys
2010/08/07 18:54:18.0187 StarOpen (f92254b0bcfcd10caac7bccc7cb7f467) C:\WINDOWS\system32\drivers\StarOpen.sys
2010/08/07 18:54:18.0312 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
2010/08/07 18:54:18.0406 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
2010/08/07 18:54:18.0875 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
2010/08/07 18:54:19.0250 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2010/08/07 18:54:19.0546 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
2010/08/07 18:54:19.0765 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
2010/08/07 18:54:20.0078 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
2010/08/07 18:54:20.0296 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
2010/08/07 18:54:20.0656 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
2010/08/07 18:54:21.0000 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2010/08/07 18:54:21.0140 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2010/08/07 18:54:21.0250 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2010/08/07 18:54:21.0437 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
2010/08/07 18:54:21.0546 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
2010/08/07 18:54:21.0781 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
2010/08/07 18:54:22.0000 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2010/08/07 18:54:22.0156 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
2010/08/07 18:54:22.0515 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
2010/08/07 18:54:22.0703 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
2010/08/07 18:54:22.0796 ================================================================================
2010/08/07 18:54:22.0796 Scan finished
2010/08/07 18:54:22.0796 ================================================================================
2010/08/07 18:54:22.0812 Detected object count: 1
2010/08/07 18:54:30.0593 IPSec (08786703e19269cd77eb8496f7a8407a) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2010/08/07 18:54:30.0593 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\ipsec.sys. Real md5: 08786703e19269cd77eb8496f7a8407a, Fake md5: 5a97a1015fd2cb0244be8b992520f9f1
2010/08/07 18:54:32.0718 Backup copy found, using it..
2010/08/07 18:54:32.0718 C:\WINDOWS\system32\DRIVERS\ipsec.sys - will be cured after reboot
2010/08/07 18:54:32.0718 Rootkit.Win32.TDSS.tdl3(IPSec) - User select action: Cure
2010/08/07 18:54:37.0062 Deinitialize success


MBAM:

MBRCheck, version 1.2.3
(c) 2010, AD

Command-line:
Windows Version: Windows XP Home Edition
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x00000034

Kernel Drivers (total 130):
0x804D7000 \WINDOWS\system32\ntoskrnl.exe
0x806FF000 \WINDOWS\system32\hal.dll
0xF7987000 \WINDOWS\system32\KDCOM.DLL
0xF7897000 \WINDOWS\system32\BOOTVID.dll
0xF75A8000 ACPI.sys
0xF7989000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
0xF7597000 pci.sys
0xF75F7000 isapnp.sys
0xF7607000 ohci1394.sys
0xF7617000 \WINDOWS\system32\DRIVERS\1394BUS.SYS
0xF7A4F000 PCIIde.sys
0xF7707000 \WINDOWS\System32\Drivers\PCIIDEX.SYS
0xF798B000 intelide.sys
0xF7627000 MountMgr.sys
0xF74D8000 ftdisk.sys
0xF770F000 PartMgr.sys
0xF7637000 sbp2port.sys
0xF7647000 VolSnap.sys
0xF741A000 iaStor.sys
0xF7402000 atapi.sys
0xF7717000 cercsr6.sys
0xF787F000 \WINDOWS\System32\Drivers\SCSIPORT.SYS
0xF7657000 disk.sys
0xF7667000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
0xB87E0000 fltmgr.sys
0xB87CE000 sr.sys
0xF7677000 PxHelp20.sys
0xB8717000 KSecDD.sys
0xB868A000 Ntfs.sys
0xB865D000 NDIS.sys
0xB8643000 Mup.sys
0xF7697000 \SystemRoot\system32\DRIVERS\nic1394.sys
0xB7E7E000 \SystemRoot\system32\DRIVERS\intelppm.sys
0xB628B000 \SystemRoot\system32\DRIVERS\nv4_mini.sys
0xB6277000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
0xB6249000 \SystemRoot\system32\DRIVERS\b57xp32.sys
0xF77A7000 \SystemRoot\system32\DRIVERS\usbuhci.sys
0xB6225000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0xF77AF000 \SystemRoot\system32\DRIVERS\usbehci.sys
0xB61A4000 \SystemRoot\system32\drivers\ctaud2k.sys
0xB6180000 \SystemRoot\system32\drivers\portcls.sys
0xB7E6E000 \SystemRoot\system32\drivers\drmk.sys
0xB615D000 \SystemRoot\system32\drivers\ks.sys
0xB6129000 \SystemRoot\system32\drivers\ctoss2k.sys
0xF77B7000 \SystemRoot\system32\drivers\ctprxy2k.sys
0xB7F96000 \SystemRoot\system32\DRIVERS\gameenum.sys
0xB6115000 \SystemRoot\system32\DRIVERS\parport.sys
0xB7E5E000 \SystemRoot\system32\DRIVERS\serial.sys
0xB7F92000 \SystemRoot\system32\DRIVERS\serenum.sys
0xB7E4E000 \SystemRoot\system32\DRIVERS\cdrom.sys
0xB7E3E000 \SystemRoot\system32\DRIVERS\redbook.sys
0xB7E2E000 \SystemRoot\system32\DRIVERS\imapi.sys
0xB7F07000 \SystemRoot\system32\DRIVERS\audstub.sys
0xB7E1E000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0xF793B000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0xB60FE000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0xB877E000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0xB876E000 \SystemRoot\system32\DRIVERS\raspptp.sys
0xF77BF000 \SystemRoot\system32\DRIVERS\TDI.SYS
0xB60ED000 \SystemRoot\system32\DRIVERS\psched.sys
0xB875E000 \SystemRoot\system32\DRIVERS\msgpc.sys
0xF77C7000 \SystemRoot\system32\DRIVERS\ptilink.sys
0xF77CF000 \SystemRoot\system32\DRIVERS\raspti.sys
0xB874E000 \SystemRoot\system32\DRIVERS\termdd.sys
0xF77D7000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0xF77DF000 \SystemRoot\system32\DRIVERS\mouclass.sys
0xF79DD000 \SystemRoot\system32\DRIVERS\swenum.sys
0xB608F000 \SystemRoot\system32\DRIVERS\update.sys
0xF7947000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0xB0868000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xB0848000 \SystemRoot\system32\DRIVERS\usbhub.sys
0xF79D1000 \SystemRoot\system32\DRIVERS\USBD.SYS
0xAEE7E000 \SystemRoot\system32\drivers\hap16v2k.sys
0xAED74000 \SystemRoot\system32\drivers\ha10kx2k.sys
0xAED45000 \SystemRoot\system32\drivers\emupia2k.sys
0xAED1C000 \SystemRoot\system32\drivers\ctsfm2k.sys
0xAEC80000 \SystemRoot\system32\drivers\ctac32k.sys
0xAEC65000 \SystemRoot\System32\drivers\COMMONFX.SYS
0xAEBDA000 \SystemRoot\System32\drivers\CTAUDFX.SYS
0xAEB4C000 \SystemRoot\System32\drivers\CTSBLFX.SYS
0xF79D3000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xAEFA8000 \SystemRoot\System32\Drivers\Null.SYS
0xF79D5000 \SystemRoot\System32\Drivers\Beep.SYS
0xB0448000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
0xB0440000 \SystemRoot\System32\drivers\vga.sys
0xF79D7000 \SystemRoot\System32\Drivers\mnmdd.SYS
0xF79D9000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0xB0438000 \SystemRoot\System32\Drivers\Msfs.SYS
0xB0430000 \SystemRoot\System32\Drivers\Npfs.SYS
0xB1112000 \SystemRoot\system32\DRIVERS\rasacd.sys
0xB01FE000 \??\C:\WINDOWS\system32\drivers\OAnet.sys
0xAEA01000 \SystemRoot\system32\DRIVERS\ipsec.sys
0xAE9A8000 \SystemRoot\system32\DRIVERS\tcpip.sys
0xAE982000 \SystemRoot\system32\DRIVERS\ipnat.sys
0xB01EE000 \??\C:\WINDOWS\system32\drivers\OAmon.sys
0xAE95A000 \SystemRoot\system32\DRIVERS\netbt.sys
0xB01DE000 \SystemRoot\system32\DRIVERS\wanarp.sys
0xAE938000 \SystemRoot\System32\drivers\afd.sys
0xB01CE000 \SystemRoot\system32\DRIVERS\arp1394.sys
0xB01BE000 \SystemRoot\system32\DRIVERS\netbios.sys
0xB10F6000 \SystemRoot\system32\DRIVERS\hidusb.sys
0xAF026000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
0xAE8FC000 \SystemRoot\system32\DRIVERS\rdbss.sys
0xAE8BF000 \??\C:\WINDOWS\system32\drivers\OADriver.sys
0xAE84F000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0xAF016000 \SystemRoot\System32\Drivers\Fips.SYS
0xB10F2000 \SystemRoot\system32\DRIVERS\mouhid.sys
0xAF176000 \SystemRoot\system32\DRIVERS\kbdhid.sys
0xB1C8B000 \SystemRoot\System32\Drivers\Cdfs.SYS
0xA685F000 \SystemRoot\System32\Drivers\dump_iastor.sys
0xBF800000 \SystemRoot\System32\win32k.sys
0xA8069000 \SystemRoot\System32\drivers\Dxapi.sys
0xB09E4000 \SystemRoot\System32\watchdog.sys
0xBD000000 \SystemRoot\System32\drivers\dxg.sys
0xA780E000 \SystemRoot\System32\drivers\dxgthk.sys
0xBD012000 \SystemRoot\System32\nv4_disp.dll
0xBFFA0000 \SystemRoot\System32\ATMFD.DLL
0xB8607000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0xA664A000 \SystemRoot\system32\drivers\wdmaud.sys
0xB1C7B000 \SystemRoot\system32\drivers\sysaudio.sys
0xB1D73000 \SystemRoot\system32\drivers\splitter.sys
0xA6627000 \SystemRoot\system32\drivers\aec.sys
0xB190B000 \SystemRoot\system32\drivers\swmidi.sys
0xA8241000 \SystemRoot\system32\drivers\DMusic.sys
0xA65FC000 \SystemRoot\system32\drivers\kmixer.sys
0xB425A000 \SystemRoot\system32\drivers\drmkaud.sys
0xA6437000 \SystemRoot\system32\DRIVERS\mrxdav.sys
0xF79BF000 \SystemRoot\System32\Drivers\ParVdm.SYS
0xA63B8000 \SystemRoot\system32\DRIVERS\srv.sys
0x7C900000 \WINDOWS\system32\ntdll.dll

Processes (total 32):
0 System Idle Process
4 System
608 C:\WINDOWS\system32\smss.exe
656 csrss.exe
680 C:\WINDOWS\system32\winlogon.exe
728 C:\WINDOWS\system32\services.exe
740 C:\WINDOWS\system32\lsass.exe
900 C:\WINDOWS\system32\nvsvc32.exe
948 C:\WINDOWS\system32\svchost.exe
1012 svchost.exe
1108 C:\WINDOWS\system32\svchost.exe
1200 svchost.exe
1304 svchost.exe
1472 C:\WINDOWS\system32\spoolsv.exe
1664 C:\WINDOWS\system32\userinit.exe
1708 C:\WINDOWS\explorer.exe
1720 C:\Program Files\Internet Explorer\iexplore.exe
1968 C:\Program Files\Common Files\Real\Update_OB\realsched.exe
2016 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
168 C:\WINDOWS\system32\ctfmon.exe
744 svchost.exe
1232 C:\Program Files\Java\jre6\bin\jqs.exe
1488 C:\Program Files\CDBurnerXP\NMSAccessU.exe
1504 C:\Program Files\Tall Emu\Online Armor\oacat.exe
1436 C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
1812 C:\Program Files\Viewpoint\Common\ViewpointService.exe
1372 C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
1952 C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
2008 C:\WINDOWS\system32\wuauclt.exe
432 C:\Documents and Settings\Wayne\Desktop\MBRCheck.exe
560 C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVCM.EXE
596 C:\WINDOWS\system32\drwtsn32.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`02f10c00 (NTFS)

PhysicalDrive0 Model Number: HDS724040KLSA80, Rev: KFAOA20N

Size Device Name MBR Status
--------------------------------------------
372 GB \\.\PhysicalDrive0 Windows XP MBR code detected
SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A


Done!
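The TDSSKiller section of this post shows what a TDL3-style infection looks like in a driver scan: the same path, C:\WINDOWS\system32\DRIVERS\ipsec.sys, is reported with two different MD5 values ("Real md5" and "Fake md5"), and that mismatch, not the verdict string, is the primary indicator. Below is an added example (not TDSSKiller's code, and not from the thread) that parses log lines in this shape, pairs each "Suspicious file (Forged)" line with the driver enumeration and detection lines for the same service, and reports which of the two hashes the enumeration line carried. The regexes, the SAMPLE_LOG (a handful of lines copied from the post) and the helper names are my assumptions; the duplicate-alias check reflects the COMMONFX / COMMONFX.SYS pairs visible above, which are only worth a second look when their hashes disagree.

```python
import re
from collections import defaultdict

# Constructed sample: a few lines in the shape of the TDSSKiller log pasted
# above (hashes and paths copied from the post; the rest is omitted).
SAMPLE_LOG = r"""
2010/08/07 18:53:49.0812 COMMONFX (12a4291c1853ad2d857a49940e02c597) C:\WINDOWS\system32\drivers\COMMONFX.SYS
2010/08/07 18:53:49.0875 COMMONFX.SYS (12a4291c1853ad2d857a49940e02c597) C:\WINDOWS\System32\drivers\COMMONFX.SYS
2010/08/07 18:54:00.0250 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2010/08/07 18:54:00.0890 IPSec (08786703e19269cd77eb8496f7a8407a) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2010/08/07 18:54:00.0890 Suspicious file (Forged): C:\WINDOWS\system32\DRIVERS\ipsec.sys. Real md5: 08786703e19269cd77eb8496f7a8407a, Fake md5: 5a97a1015fd2cb0244be8b992520f9f1
2010/08/07 18:54:00.0890 IPSec - detected Rootkit.Win32.TDSS.tdl3 (0)
2010/08/07 18:54:01.0046 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
"""

# Line shapes assumed from the posted log (assumption, not a published format spec).
TIMESTAMP = r"\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+"
DRIVER_RE = re.compile(rf"^({TIMESTAMP}) (\S+) \(([0-9a-f]{{32}})\) (.+)$")
FORGED_RE = re.compile(
    rf"^({TIMESTAMP}) Suspicious file \(Forged\): (.+?)\. "
    r"Real md5: ([0-9a-f]{32}), Fake md5: ([0-9a-f]{32})$"
)
DETECT_RE = re.compile(rf"^({TIMESTAMP}) (\S+) - detected (\S+)")


def parse_tdsskiller(text):
    """Split the log into driver entries, forged-file lines and verdict lines."""
    drivers = {}     # service name -> (md5 shown in the enumeration, path)
    forged = []      # (path, real_md5, fake_md5)
    detections = {}  # service name -> verdict string
    for line in text.splitlines():
        line = line.strip()
        m = DRIVER_RE.match(line)
        if m:
            _, name, md5, path = m.groups()
            drivers[name] = (md5, path)
            continue
        m = FORGED_RE.match(line)
        if m:
            _, path, real, fake = m.groups()
            forged.append((path, real, fake))
            continue
        m = DETECT_RE.match(line)
        if m:
            _, name, verdict = m.groups()
            detections[name] = verdict
    return drivers, forged, detections


def triage(text):
    """One finding per forged file: which service owns it, which of the two
    hashes the enumeration line carried, and the verdict TDSSKiller attached."""
    drivers, forged, detections = parse_tdsskiller(text)
    by_path = {path.lower(): name for name, (_, path) in drivers.items()}
    findings = []
    for path, real, fake in forged:
        name = by_path.get(path.lower())
        listed = drivers[name][0] if name else None
        if listed == real:
            which = "real"
        elif listed == fake:
            which = "fake"
        else:
            which = "neither"
        findings.append({
            "service": name,
            "path": path,
            "real_md5": real,
            "fake_md5": fake,
            "listed_md5_matches": which,
            "verdict": detections.get(name, "none"),
        })
    return findings


def alias_conflicts(text):
    """Services registered under different names for the same driver file
    (COMMONFX and COMMONFX.SYS above) are normal; only flag them when the
    hashes for the same path disagree."""
    drivers, _, _ = parse_tdsskiller(text)
    groups = defaultdict(set)
    for _, (md5, path) in drivers.items():
        groups[path.lower()].add(md5)
    return {p: sorted(h) for p, h in groups.items() if len(h) > 1}


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['service']}: {f['path']} listed hash = {f['listed_md5_matches']}, "
              f"real={f['real_md5']} fake={f['fake_md5']} verdict={f['verdict']}")
    print("alias conflicts:", alias_conflicts(SAMPLE_LOG))
```

Run against a full TDSSKiller log the same way; a forged entry whose enumeration hash matches neither reported value, or an alias group with disagreeing hashes, is the kind of line worth pasting into a thread like this one.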

shelf life
2010-08-08, 03:47
You're not doing anything wrong. TDSSKiller removed a goodie.


had a hell of a time restarting, took 20+ tries

If you mean it took 20 tries to get your computer to boot up, then you should seriously consider pulling off what you don't want to lose. I would take that as an indication of possible serious problem(s). The tools we use should not be causing any of the problems.

Try running combofix again in normal mode. MBRcheck log looks ok.

luckywayne
2010-08-08, 08:24
I ran CFix again; it went through its steps, and when it went for a restart I had the same errors that I have been having, which stopped CFix from completing and therefore did not produce a log.

The boot errors came when I got infected and the problem is that there are a handful of programs that are in my startup that I have no idea of what they are and they are impossible to shut off. I uncheck them and restart and they come right back.

The one program that is causing the main issue starts by installing what looks like an overlay, then it highlights all of my desktop icons and then gives me a fatal error (C000021a). So what I have to do is continually click these off and reboot until it allows me access to my machine again.

These program names are:

NvCpl (which seems to be the main one)
dumprep 0 -U
dumprep 0 -K
ifysy
misu
google task bar
b34b377..
Realsched

Like I said, I uncheck them and restart if I can, and they just check themselves right back. And no matter what we have done as far as scans, these have never gone away and seemingly undo what we have done.

I'll start backing my stuff up now. any insight you may have would be great.

shelf life
2010-08-08, 15:49
I don't see an antivirus in any of the logs. Unchecking malware in msconfig won't work until more malware is removed.

Download, install and update one of the AV solutions below, then pull the plug on your ethernet connection and do a full scan. I would use the computer as little as possible until it's clean, and when not in use make sure there's no network connectivity.


Antivirus;
Avast:
http://www.avast.com/free-antivirus-download

Avira:
http://www.free-av.com/en/download/index.html

AVG:
http://free.avg.com/us-en/homepage

Dr Web is also good as a one-time scanner; you can also use it after one of the above.

Download Dr.Web CureIt to the desktop:

ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe

* Double-click the drweb-cureit icon to start the program.
* press start
* Allow the program to run the initial express scan
* This will scan the files currently running in memory. If something is found, click the YES button when it asks you if you want to cure it. This is only a short scan.
Note: A pop up may appear during this phase suggesting you purchase their program - click the X at the top right corner of this pop-up to close it.
* Once the short scan has finished, check the Complete scan box on the left side, even if nothing was found on the initial scan.
* Then click the small green arrow button on the right under the Dr.Web Antivirus picture to start the complete scan. (This scan will take several hours)
* During this complete scan - if Dr.Web finds an infection a window will pop up requesting your attention. Select the Cure button.
Note:(If the file cannot be cured, Dr.Web will automatically delete the file)
* Once the scan is complete, on the menu bar, click file and choose report list.
* Save the report to your desktop. The report will be called DrWeb.csv
* Note: this report will need to be renamed to Dr.Web.txt in order to post it on the forum.
* Close Dr.Web Cureit.
* Please post the Dr.Web.txt report in your next reply

luckywayne
2010-08-09, 04:28
Downloaded and ran Avast, also ran Cure it quick and complete scans here are the logs:


Process in memory: C:\WINDOWS\System32\svchost.exe:1176;;BackDoor.Tdss.565;Eradicated.;
winlogon.exe;C:\WINDOWS\system32;Trojan.Starter.1510;Cured.;
kbdhid.sys;C:\WINDOWS\system32\drivers;BackDoor.Tdss.2459;Will be cured after restart.;
7.tmp;C:\DOCUME~1\Wayne\LOCALS~1\Temp;Trojan.Packed.20807;Deleted.;
msvcr71.dll;c:\program files\java\jre6\bin;Win32.Rmnet;Cured.;
coreclr.dll;c:\program files\microsoft silverlight\4.0.50524.0;Win32.Rmnet;Cured.;
npctrl.dll;c:\program files\microsoft silverlight\4.0.50524.0;Win32.Rmnet;Cured.;
desktoplayer.exe;c:\program files\microsoft;Trojan.Packed.20343;Deleted.;
pcpitstopscheduleservice.exe;c:\program files\pcpitstop;Win32.Rmnet;Cured.;
wmpnetwk.exe;c:\program files\windows media player;Win32.Rmnet;Cured.;
kbdhid.sys;c:\windows\system32\drivers;BackDoor.Tdss.2459;Cured.;

shelf life
2010-08-09, 22:34
You saw all those files that Dr. Web cured? Looks like a virus that infects Windows files with .exe, .dll and .htm extensions. If you pulled any files off, like to a USB drive, then I would consider them infected also. It's possible that these infected files can spread from a USB drive to a computer the drive is inserted into. Don't transfer any of those files you pulled off to another computer just yet.

You might consider a reformat/reinstall of Windows. Looks like many files are infected.
I would run both Avast again and Dr Web for a second pass after checking for updates to each of them.

luckywayne
2010-08-11, 19:27
Yeah, that last scan was a mess. I ran the scans again and they are a lot cleaner. Here's the log:

f_000a4a\gziped.gz;C:\Documents and Settings\Wayne\Local Settings\Application Data\Google\Chrome\User Data\Default\Cache\f_000a4a;Probably SCRIPT.Virus;;
f_000a4a;C:\Documents and Settings\Wayne\Local Settings\Application Data\Google\Chrome\User Data\Default\Cache;Archive contains infected objects;Moved.;
f_000b1b\gziped.gz;C:\Documents and Settings\Wayne\Local Settings\Application Data\Google\Chrome\User Data\Default\Cache\f_000b1b;Probably SCRIPT.Virus;;
f_000b1b;C:\Documents and Settings\Wayne\Local Settings\Application Data\Google\Chrome\User Data\Default\Cache;Archive contains infected objects;Moved.;
b346b377-c5b1-44e6-8746-fff95c083a8f_46.avi.vir;C:\Qoobox\Quarantine\C\Documents and Settings\Wayne\Application Data;Trojan.Hosts.1049;Incurable.Moved.;
ifysy.exe.vir;C:\Qoobox\Quarantine\C\Documents and Settings\Wayne\Application Data\Paevze;Trojan.Packed.20343;Deleted.;
wrk1.tmp_46.vir;C:\Qoobox\Quarantine\C\DOCUME~1\Wayne\LOCALS~1\temp\4fab030a-7617-4248-8615-946d95ea5a17;Trojan.Hosts.1049;Incurable.Moved.;
wrk2.tmp_46.vir;C:\Qoobox\Quarantine\C\DOCUME~1\Wayne\LOCALS~1\temp\4fab030a-7617-4248-8615-946d95ea5a17;Trojan.Hosts.1049;Incurable.Moved.;
A0034039.ocx;C:\System Volume Information\_restore{EEAD7172-7D8D-4A56-ACA0-6652FF74E8CC}\RP3;Trojan.PWS.Qqpass.origin;Incurable.Moved.;
A0034150.exe;C:\System Volume Information\_restore{EEAD7172-7D8D-4A56-ACA0-6652FF74E8CC}\RP4;Trojan.Hosts.1049;Incurable.Moved.;

shelf life
2010-08-11, 23:02
C:\Qoobox\Quarantine\C\Documents and Settings\Wayne\Application Data;Trojan.Hosts.1049;Incurable.Moved.;

This is ComboFix's Quarantine folder, so anything in there was already removed and is harmless.


C:\System Volume Information\_restore
We will clean out system restore later.

Why don't you do an online scan also, just for another opinion:

ESET online scanner:

http://www.eset.com/onlinescan/

Uses Internet Explorer only.
Check "YES" to accept the terms.
Click the Start button.
Allow the ActiveX component to install.
Click the Start button; the scanner will update.
Check both "Remove found threats" and "Scan unwanted applications".
Click Scan.
When done, you can find the scan log at: C:\Program Files\EsetOnlineScanner\log.txt
Please copy/paste that log in your next reply.
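Dr.Web CureIt's report, as pasted in the two posts above, is one hit per line with semicolon-separated fields: file name, directory, threat name, action. Reading it by hand, the useful distinction is the one just made about C:\Qoobox\Quarantine: a hit whose directory is another tool's quarantine (ComboFix's Qoobox, CureIt's own DoctorWeb\Quarantine) or an XP restore point under System Volume Information\_restore is a copy that is already out of circulation, while a hit in C:\WINDOWS\system32 or a program directory is a live file. The Python below is an added example, not part of the thread and not Dr.Web's tooling; the QUARANTINE_MARKERS list, the bucket names and the helper names are my assumptions, and SAMPLE_REPORT is a constructed subset of the lines from the posts above.

```python
from collections import Counter, defaultdict

# Constructed sample: a subset of the CureIt lines posted in this thread.
SAMPLE_REPORT = r"""
Process in memory: C:\WINDOWS\System32\svchost.exe:1176;;BackDoor.Tdss.565;Eradicated.;
winlogon.exe;C:\WINDOWS\system32;Trojan.Starter.1510;Cured.;
kbdhid.sys;C:\WINDOWS\system32\drivers;BackDoor.Tdss.2459;Will be cured after restart.;
msvcr71.dll;c:\program files\java\jre6\bin;Win32.Rmnet;Cured.;
f_000a4a\gziped.gz;C:\Documents and Settings\Wayne\Local Settings\Application Data\Google\Chrome\User Data\Default\Cache\f_000a4a;Probably SCRIPT.Virus;;
f_000a4a;C:\Documents and Settings\Wayne\Local Settings\Application Data\Google\Chrome\User Data\Default\Cache;Archive contains infected objects;Moved.;
ifysy.exe.vir;C:\Qoobox\Quarantine\C\Documents and Settings\Wayne\Application Data\Paevze;Trojan.Packed.20343;Deleted.;
A0034150.exe;C:\System Volume Information\_restore{EEAD7172-7D8D-4A56-ACA0-6652FF74E8CC}\RP4;Trojan.Hosts.1049;Incurable.Moved.;
"""

# Directories that hold copies another tool already took out of circulation.
# Hits here are leftovers, not live infections (assumed list; extend as needed).
QUARANTINE_MARKERS = (
    r"\qoobox\quarantine",                    # ComboFix quarantine
    r"\doctorweb\quarantine",                 # Dr.Web CureIt quarantine
    r"\system volume information\_restore",   # XP System Restore points
)


def parse_drweb(text):
    """Parse CureIt's report lines: name;directory;threat;action;"""
    entries = []
    for raw in text.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        # Pad so lines with an empty action (objects inside archives) still unpack.
        name, directory, threat, action = (raw.split(";") + [""] * 4)[:4]
        entries.append({"name": name, "dir": directory,
                        "threat": threat, "action": action})
    return entries


def classify(entry):
    """memory = running process; quarantined_copy = already-neutralized file;
    live = a file in its normal location."""
    if entry["name"].startswith("Process in memory:"):
        return "memory"
    directory = entry["dir"].lower()
    if any(marker in directory for marker in QUARANTINE_MARKERS):
        return "quarantined_copy"
    return "live"


def summarize(text):
    buckets = defaultdict(list)
    for entry in parse_drweb(text):
        buckets[classify(entry)].append(entry)
    return buckets


def unfinished(text):
    """Live hits CureIt could not finish in this session (a reboot is pending)."""
    return [e for e in parse_drweb(text)
            if classify(e) == "live" and e["action"].startswith("Will be")]


def threat_counts(text):
    """How many hits per threat name; a file infector such as Win32.Rmnet shows
    up as the same name across many unrelated program directories."""
    return Counter(e["threat"] for e in parse_drweb(text))


if __name__ == "__main__":
    buckets = summarize(SAMPLE_REPORT)
    for bucket in ("memory", "live", "quarantined_copy"):
        print(f"== {bucket} ({len(buckets[bucket])})")
        for e in buckets[bucket]:
            print(f"  {e['dir']}\\{e['name']}  {e['threat']}  [{e['action'] or 'no action'}]")
    print("pending after reboot:", [e["name"] for e in unfinished(SAMPLE_REPORT)])
    print("by threat:", dict(threat_counts(SAMPLE_REPORT)))
```

The same marker list applies to the ESET log later in the thread, whose hits all sit under DoctorWeb\Quarantine; anything still in the "live" bucket after a second pass, or anything in "unfinished" after the reboot, is what to look at next.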

luckywayne
2010-08-12, 15:36
ESET scan complete:

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=4f497784cecb004b9c9f9c48b1128493
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-08-12 01:33:31
# local_time=2010-08-12 09:33:31 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=768 16777215 100 0 0 0 0 0
# compatibility_mode=6401 16777214 100 100 0 57337455 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=113371
# found=4
# cleaned=4
# scan_time=6626
C:\Documents and Settings\Wayne\DoctorWeb\Quarantine\b346b377-c5b1-44e6-8746-fff95c083a8f_46.avi.vir a variant of Win32/Qhost.PBI trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\Wayne\DoctorWeb\Quarantine\wrk1.tmp_46.vir a variant of Win32/Qhost.PBI trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\Wayne\DoctorWeb\Quarantine\wrk2.tmp_46.vir a variant of Win32/Qhost.PBI trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\hlp.dat Win32/Bamital.DP trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

shelf life
2010-08-12, 22:49
Those files the online scan found are in Dr Web's quarantine folder. So how's it all looking on your end now?

luckywayne
2010-08-12, 23:32
It seems clean, nothing strange happening at all. I still have those programs listed in my start-up, but I can restart without an issue. Seems to have recovered OK, I think.

shelf life
2010-08-13, 01:32
I still have those programs listed in my start up

you mean they are listed in the msconfig utility under the startup tab?

luckywayne
2010-08-13, 03:08
Yeah, but they could be perfectly good programs:

NvCpl
misu
ctfmon
google toolbar notifier

I am not sure what they do, they don't seem familiar to me at all.

shelf life
2010-08-13, 03:44
NvCpl: Nvidia system tray control panel
ctfmon: XP language bar
google toolbar notifier: part of a google toolbar install

misu?

Items you check or uncheck under the startup tab in msconfig will remain in the list.
They are harmless; even ones that may have pointed to malware are harmless once the malware has been removed. There may be a registry hack that will remove them. Those first 3 look harmless; misu, not sure.
I am in Linux right now; when I boot into Windows I will poke around in msconfig.