can't get rid of win32.fraudload.edt



mavson
2010-09-20, 07:17
Hello, I have picked up a trojan that Spybot can't seem to get rid of. Every time I run Spybot it finds it but then says it can't clear it because it is still being used in memory. It asks to run again on restart so that it can clear it, but it still cannot. I would really appreciate any help you can give, thank you.

Here is the DDS log:


DDS (Ver_10-03-17.01) - NTFSx86
Run by Me at 0:58:02.50 on Mon 09/20/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3581.2699 [GMT -4:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Panasonic\LUMIXSimpleViewer\PhLeAutoRun.exe
C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe
C:\Program Files\OpenOffice.org 2.2\program\soffice.exe
C:\Program Files\OpenOffice.org 2.2\program\soffice.BIN
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Me\Desktop\dds.com

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {996D4E16-517F-474a-870F-F882C6133C47} - No File
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [Smapp] c:\program files\analog devices\soundmax\SMTray.exe
mRun: [DrvLsnr] c:\program files\analog devices\soundmax\DrvLsnr.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [HP Component Manager] "c:\program files\hp\hpcoretech\hpcmpmgr.exe"
mRun: [HP Software Update] "c:\program files\hewlett-packard\hp software update\HPWuSchd.exe"
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe
mRun: [ArcSoft Connection Service] c:\program files\common files\arcsoft\connection service\bin\ACDaemon.exe
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
StartupFolder: c:\docume~1\me\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 2.2\program\quickstart.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\lumixs~1.lnk - c:\program files\panasonic\lumixsimpleviewer\PhLeAutoRun.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ymetray.lnk - c:\program files\yahoo!\yahoo! music jukebox\ymetray.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {38AB6A6C-CC4C-4F9E-A3DD-3C5681EF18A1} - hxxp://www-cdn.freerealms.com/gamedata/plugins/1.0.3.93/FreeRealmsInstaller.cab?v=1044
DPF: {41564D57-9980-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/0/A/9/0A9F8B32-9F8C-4D74-A130-E4CAB36EB01F/wmvadvd.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} - hxxp://a.download.toontown.com/sv1.0.38.59/ttinst.cab
DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
IFEO: dailybucks_install.exe - c:\windows\system32\ctfmon.exe
IFEO: install.48349.exe - c:\windows\system32\ctfmon.exe

============= SERVICES / DRIVERS ===============

S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2009-12-23 135664]

=============== Created Last 30 ================

2010-09-20 03:52:56 7168 --sha-w- c:\documents and settings\me\Thumbs.db
2010-09-20 03:15:11 0 d-----w- c:\windows\system32\wbem\Repository
2010-09-20 03:10:00 0 d-----w- c:\program files\AnVi
2010-09-17 18:49:28 120 ----a-w- c:\windows\Tvaxevalanahifu.dat
2010-09-17 18:49:28 0 ----a-w- c:\windows\Xqavi.bin
2010-09-17 18:47:52 0 d-----w- c:\windows\PRAGMApeqqftirxt
2010-09-15 15:24:18 0 d-----w- c:\program files\InterActual

==================== Find3M ====================

2010-06-30 12:31:35 149504 ----a-w- c:\windows\system32\schannel.dll
2010-06-24 12:22:03 916480 ----a-w- c:\windows\system32\wininet.dll
2010-06-23 13:44:04 1851904 ----a-w- c:\windows\system32\win32k.sys

============= FINISH: 0:59:05.43 ===============

ken545
2010-09-23, 02:08


Please read Before You Post (http://forums.spybot.info/showthread.php?t=288)
While best efforts are made to assist in removing infections safely, unexpected stuff can happen. It is advisable that you back up your important data before starting any clean up procedure. Neither Safer Networking Forums nor the Analyst providing the advice may be held responsible for any loss.

Until we deem your system clean I am going to ask you not to install or uninstall any software or hardware except for the programs we may run.

Looks like you may be infected with a rootkit type infection.



Download ComboFix from one of these locations:

Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)


* IMPORTANT !!! Save ComboFix.exe to your Desktop


Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
See this Link (http://www.bleepingcomputer.com/forums/topic114351.html) for programs that need to be disabled and instruction on how to disable them.
Remember to re-enable them when we're done.


Double click on ComboFix.exe & follow the prompts.


As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.


Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



http://img.photobucket.com/albums/v706/ried7/RC1.png


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

http://img.photobucket.com/albums/v706/ried7/RC2-1.png

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

*If there is no internet connection when ComboFix has completely finished, then restart your computer to restore the connections.

mavson
2010-09-23, 03:15
OK, I ran ComboFix and have the log below. I did start to get a redirect again as soon as I came onto the forums to post the reply. I thank you for your time and help. I await hearing what to do next.




ComboFix 10-09-22.05 - Me 09/22/2010 20:44:47.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3581.3266 [GMT -4:00]
Running from: c:\documents and settings\Me\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\.wtav
c:\documents and settings\Me\Application Data\~tmp.html
c:\documents and settings\Me\Application Data\Bitrix Security
c:\documents and settings\Me\Application Data\Bitrix Security\arm
c:\documents and settings\Me\Application Data\Bitrix Security\fadosvlk.dll
c:\documents and settings\Me\Application Data\Bitrix Security\fadosvlk_shrd
c:\documents and settings\Me\Application Data\Bitrix Security\fg.txt
c:\documents and settings\Me\Application Data\Bitrix Security\jje.txt
c:\documents and settings\Me\Application Data\Bitrix Security\ljgh.txt
c:\documents and settings\Me\Application Data\Bitrix Security\mxd1.txt
c:\documents and settings\Me\Application Data\Bitrix Security\plk.txt
c:\documents and settings\Me\Application Data\Bitrix Security\qnf.txt
c:\documents and settings\Me\Application Data\wiaserva.log
c:\documents and settings\Me\Desktop\Antivirus Support.lnk
c:\documents and settings\Me\Local Settings\Application Data\{FB6808E8-3804-4AA6-9D99-178779807FFF}
c:\documents and settings\Me\Local Settings\Application Data\{FB6808E8-3804-4AA6-9D99-178779807FFF}\chrome.manifest
c:\documents and settings\Me\Local Settings\Application Data\{FB6808E8-3804-4AA6-9D99-178779807FFF}\chrome\content\_cfg.js
c:\documents and settings\Me\Local Settings\Application Data\{FB6808E8-3804-4AA6-9D99-178779807FFF}\chrome\content\overlay.xul
c:\documents and settings\Me\Local Settings\Application Data\{FB6808E8-3804-4AA6-9D99-178779807FFF}\install.rdf
c:\documents and settings\Me\Start Menu\Programs\AnVi
c:\documents and settings\program files for Edrive\InstallShield Installation Information
c:\documents and settings\program files for Edrive\InstallShield Installation Information\{36E14470-2757-11D4-8D88-00902799E3BF}\data1.cab
c:\documents and settings\program files for Edrive\InstallShield Installation Information\{36E14470-2757-11D4-8D88-00902799E3BF}\data1.hdr
c:\documents and settings\program files for Edrive\InstallShield Installation Information\{36E14470-2757-11D4-8D88-00902799E3BF}\layout.bin
c:\documents and settings\program files for Edrive\InstallShield Installation Information\{36E14470-2757-11D4-8D88-00902799E3BF}\Setup.exe
c:\documents and settings\program files for Edrive\InstallShield Installation Information\{36E14470-2757-11D4-8D88-00902799E3BF}\Setup.ini
c:\documents and settings\program files for Edrive\InstallShield Installation Information\{36E14470-2757-11D4-8D88-00902799E3BF}\setup.inx
c:\documents and settings\program files for Edrive\InstallShield Installation Information\{36E144A1-2757-11D4-8D88-00902799E3BF}\data1.cab
c:\documents and settings\program files for Edrive\InstallShield Installation Information\{36E144A1-2757-11D4-8D88-00902799E3BF}\data1.hdr
c:\documents and settings\program files for Edrive\InstallShield Installation Information\{36E144A1-2757-11D4-8D88-00902799E3BF}\layout.bin
c:\documents and settings\program files for Edrive\InstallShield Installation Information\{36E144A1-2757-11D4-8D88-00902799E3BF}\Setup.exe
c:\documents and settings\program files for Edrive\InstallShield Installation Information\{36E144A1-2757-11D4-8D88-00902799E3BF}\Setup.ini
c:\documents and settings\program files for Edrive\InstallShield Installation Information\{36E144A1-2757-11D4-8D88-00902799E3BF}\setup.inx
c:\documents and settings\program files for Edrive\InstallShield Installation Information\{93539D60-1817-11D1-9504-00805F26A89C}\data1.cab
c:\documents and settings\program files for Edrive\InstallShield Installation Information\{93539D60-1817-11D1-9504-00805F26A89C}\data1.hdr
c:\documents and settings\program files for Edrive\InstallShield Installation Information\{93539D60-1817-11D1-9504-00805F26A89C}\layout.bin
c:\documents and settings\program files for Edrive\InstallShield Installation Information\{93539D60-1817-11D1-9504-00805F26A89C}\Setup.exe
c:\documents and settings\program files for Edrive\InstallShield Installation Information\{93539D60-1817-11D1-9504-00805F26A89C}\setup.ilg
c:\documents and settings\program files for Edrive\InstallShield Installation Information\{93539D60-1817-11D1-9504-00805F26A89C}\Setup.ini
c:\documents and settings\program files for Edrive\InstallShield Installation Information\{93539D60-1817-11D1-9504-00805F26A89C}\setup.inx
c:\documents and settings\program files for Edrive\InstallShield Installation Information\{C0A23442-6214-11D3-8CDF-0080C768385C}\data1.cab
c:\documents and settings\program files for Edrive\InstallShield Installation Information\{C0A23442-6214-11D3-8CDF-0080C768385C}\data1.hdr
c:\documents and settings\program files for Edrive\InstallShield Installation Information\{C0A23442-6214-11D3-8CDF-0080C768385C}\layout.bin
c:\documents and settings\program files for Edrive\InstallShield Installation Information\{C0A23442-6214-11D3-8CDF-0080C768385C}\Setup.exe
c:\documents and settings\program files for Edrive\InstallShield Installation Information\{C0A23442-6214-11D3-8CDF-0080C768385C}\setup.ilg
c:\documents and settings\program files for Edrive\InstallShield Installation Information\{C0A23442-6214-11D3-8CDF-0080C768385C}\Setup.ini
c:\documents and settings\program files for Edrive\InstallShield Installation Information\{C0A23442-6214-11D3-8CDF-0080C768385C}\setup.inx
c:\documents and settings\program files for Edrive\InstallShield Installation Information\{C1A9EFC0-1C2E-11D4-892F-0008C73FDA66}\data1.cab
c:\documents and settings\program files for Edrive\InstallShield Installation Information\{C1A9EFC0-1C2E-11D4-892F-0008C73FDA66}\data1.hdr
c:\documents and settings\program files for Edrive\InstallShield Installation Information\{C1A9EFC0-1C2E-11D4-892F-0008C73FDA66}\layout.bin
c:\documents and settings\program files for Edrive\InstallShield Installation Information\{C1A9EFC0-1C2E-11D4-892F-0008C73FDA66}\Setup.exe
c:\documents and settings\program files for Edrive\InstallShield Installation Information\{C1A9EFC0-1C2E-11D4-892F-0008C73FDA66}\Setup.ini
c:\documents and settings\program files for Edrive\InstallShield Installation Information\{C1A9EFC0-1C2E-11D4-892F-0008C73FDA66}\setup.inx
c:\documents and settings\program files for Edrive\InstallShield Installation Information\{DEBD6FD4-146B-11D4-8CE7-0008C71345FC}\data1.cab
c:\documents and settings\program files for Edrive\InstallShield Installation Information\{DEBD6FD4-146B-11D4-8CE7-0008C71345FC}\data1.hdr
c:\documents and settings\program files for Edrive\InstallShield Installation Information\{DEBD6FD4-146B-11D4-8CE7-0008C71345FC}\layout.bin
c:\documents and settings\program files for Edrive\InstallShield Installation Information\{DEBD6FD4-146B-11D4-8CE7-0008C71345FC}\Setup.exe
c:\documents and settings\program files for Edrive\InstallShield Installation Information\{DEBD6FD4-146B-11D4-8CE7-0008C71345FC}\Setup.ini
c:\documents and settings\program files for Edrive\InstallShield Installation Information\{DEBD6FD4-146B-11D4-8CE7-0008C71345FC}\setup.inx
c:\program files\AnVi
c:\program files\AnVi\about.ico
c:\program files\AnVi\activate.ico
c:\program files\AnVi\avt.exe
c:\program files\AnVi\avtext.dll
c:\program files\AnVi\avthook.dll
c:\program files\AnVi\buy.ico
c:\program files\AnVi\help.ico
c:\program files\AnVi\scan.ico
c:\program files\AnVi\settings.ico
c:\program files\AnVi\Uninstall.exe
c:\program files\AnVi\update.ico
c:\program files\sFX
c:\windows\934fdfg34fgjf23
c:\windows\PRAGMApeqqftirxt
c:\windows\PRAGMApeqqftirxt\PRAGMAc.dll
c:\windows\PRAGMApeqqftirxt\PRAGMAcfg.ini
c:\windows\system32\9502523.dat
c:\windows\system32\certstore.dat
c:\windows\system32\nk.dat
c:\windows\system32\wsnpoem
c:\windows\tmp5361666.log
c:\windows\tmp7291406.log
c:\windows\tmp8076598.log
c:\windows\tmp8838909.log

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_SFXDRV


((((((((((((((((((((((((( Files Created from 2010-08-23 to 2010-09-23 )))))))))))))))))))))))))))))))
.

2010-09-21 05:27 . 2010-09-21 05:27 -------- d-----w- c:\windows\system32\wbem\Repository
2010-09-21 05:24 . 2010-09-21 05:25 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-09-21 05:24 . 2010-09-21 05:24 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS(2)
2010-09-21 04:41 . 2010-09-21 04:41 -------- d-----w- c:\documents and settings\program files for Edrive\uTorrent
2010-09-20 07:32 . 2010-09-21 04:41 -------- d-----w- c:\documents and settings\LocalService\Application Data\Adobe(3)
2010-09-20 04:45 . 2010-09-21 04:41 -------- d-----w- c:\program files\ERUNT
2010-09-20 04:25 . 2010-09-21 04:41 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Adobe(5)
2010-09-19 05:55 . 2010-09-21 05:06 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Adobe(4)
2010-09-18 23:41 . 2010-09-18 23:42 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-09-18 12:47 . 2010-09-21 05:18 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Adobe(3)
2010-09-17 20:07 . 2010-09-21 05:21 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Adobe(2)
2010-09-17 19:55 . 2010-09-21 05:21 -------- d-----w- c:\documents and settings\LocalService\Application Data\Adobe(2)
2010-09-17 19:41 . 2010-09-17 19:41 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2010-09-17 18:49 . 2010-09-17 18:49 120 ----a-w- c:\windows\Tvaxevalanahifu.dat
2010-09-17 18:49 . 2010-09-17 18:49 0 ----a-w- c:\windows\Xqavi.bin
2010-09-15 15:24 . 2010-09-15 15:24 -------- d-----w- c:\program files\InterActual

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-23 00:58 . 2007-08-04 16:10 -------- d-----w- c:\documents and settings\Me\Application Data\OpenOffice.org2
2010-09-22 09:02 . 2008-10-12 13:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2010-09-21 05:41 . 2007-10-10 05:15 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2010-09-21 05:12 . 2007-08-04 08:36 -------- d-----w- c:\program files\Common Files\Adobe
2010-09-20 04:06 . 2010-07-03 14:42 -------- d-----w- c:\program files\Viva Media
2010-07-10 19:12 . 2010-01-09 13:59 251705 ----a-w- c:\documents and settings\Me\Application Data\Sony Online Entertainment\npsoeact.dll
2010-06-30 12:31 . 2004-08-04 05:56 149504 ----a-w- c:\windows\system32\schannel.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-12-05 8523776]
"nwiz"="nwiz.exe" [2007-12-05 1626112]
"Smapp"="c:\program files\Analog Devices\SoundMAX\SMTray.exe" [2003-05-05 143360]
"DrvLsnr"="c:\program files\Analog Devices\SoundMAX\DrvLsnr.exe" [2003-05-08 69632]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-02 149280]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2003-10-24 233472]
"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd.exe" [2003-06-25 49152]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe" [2005-07-23 176128]
"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2007-06-06 64256]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-12-05 81920]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]

c:\documents and settings\Me\Start Menu\Programs\Startup\
OpenOffice.org 2.2.lnk - c:\program files\OpenOffice.org 2.2\program\quickstart.exe [2007-2-2 393216]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
LUMIX Simple Viewer.lnk - c:\program files\Panasonic\LUMIXSimpleViewer\PhLeAutoRun.exe [2008-1-6 63696]
ymetray.lnk - c:\program files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe [2007-1-26 54776]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Sony\\Station\\LaunchPad\\LaunchPad.exe"=
"c:\\Program Files\\Yahoo!\\Yahoo! Music Jukebox\\YahooMusicEngine.exe"=
"c:\\Program Files\\Sony\\Station\\Launchpad\\_aunchPad.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [12/23/2009 9:55 AM 135664]
.
Contents of the 'Scheduled Tasks' folder

2010-09-20 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2010-09-23 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-10-12 19:17]

2010-09-23 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-23 13:55]

2010-09-23 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-23 13:55]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
.
- - - - ORPHANS REMOVED - - - -

BHO-{996D4E16-517F-474a-870F-F882C6133C47} - (no file)
ActiveSetup-{FDC32A47-A70D-4F9E-97DD-7E08EA9C6BF8} - wonder what is going through her headdont know if she is just trying to remain friends because I told her I wouldnt see her or talk to her until the court date
AddRemove-Free Realms Installer - c:\program files\Sony Online Entertainment\uninst.exe
AddRemove-Microsoft Visual C# 2005 Express Edition - ENU - c:\program files\Microsoft Visual Studio 8\Microsoft Visual C# 2005 Express Edition - ENU\setup.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-09-22 20:59
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8AD5FC76]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf763bf28
\Driver\ACPI -> ACPI.sys @ 0xf75aecb8
\Driver\atapi -> atapi.sys @ 0xf74a0852
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805e710a
ParseProcedure -> ntoskrnl.exe @ 0x80578f7a
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805e710a
ParseProcedure -> ntoskrnl.exe @ 0x80578f7a
NDIS: Broadcom NetXtreme Gigabit Ethernet for hp -> SendCompleteHandler -> NDIS.sys @ 0xf7426bb0
PacketIndicateHandler -> NDIS.sys @ 0xf7433a21
SendHandler -> NDIS.sys @ 0xf741187b
user & kernel MBR OK

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1202660629-220523388-1801674531-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(660)
c:\windows\system32\WININET.dll

- - - - - - - > 'lsass.exe'(720)
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(3740)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Analog Devices\SoundMAX\SMAgent.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\RUNDLL32.EXE
c:\program files\OpenOffice.org 2.2\program\soffice.exe
c:\program files\OpenOffice.org 2.2\program\soffice.BIN
c:\program files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac
c:\program files\Java\jre6\bin\jucheck.exe
.
**************************************************************************
.
Completion time: 2010-09-22 21:07:42 - machine was rebooted
ComboFix-quarantined-files.txt 2010-09-23 01:07

Pre-Run: 3,461,459,968 bytes free
Post-Run: 3,966,644,224 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 180A9DF50831B37D2A1AF74DDC41D74C

ken545
2010-09-23, 10:55
Hi,

Still some things we need to fix. Run both these programs and post the log from Malwarebytes.

Download TFC (http://oldtimer.geekstogo.com/TFC.exe) to your desktop

Close any open windows.
Double click the TFC icon to run the program
TFC will close all open programs itself in order to run,
Click the Start button to begin the process.
Allow TFC to run uninterrupted.
The program should not take long to finish its job.
Once it's finished it should automatically reboot your machine;
if it doesn't, manually reboot to ensure a complete clean.





Please download Malwarebytes from Here (http://www.malwarebytes.org/mbam-download.php) or Here (http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html)


Double-click mbam-setup.exe and follow the prompts to install the program.
At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select Perform quick scan, then click Scan.
http://i24.photobucket.com/albums/c30/ken545/MBAMCapture.jpg
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected.
When completed, a log will open in Notepad. Please save it to a convenient location and post the results.
Note: If you receive a notice that some of the items couldn't be removed, that they have been added to the delete on reboot list, please reboot.
Post the report please.

mavson
2010-09-23, 13:57
OK, I downloaded and ran both of those, TFC and Malwarebytes. Here is the resultant log from Malwarebytes. Again, I appreciate your quick response to this problem.


Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4675

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

9/23/2010 7:50:55 AM
mbam-log-2010-09-23 (07-50-55).txt

Scan type: Quick scan
Objects scanned: 132090
Time elapsed: 5 minute(s), 43 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\Typelib\{e24211b3-a78a-c6a9-d317-70979ace5058} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{996d4e16-517f-474a-870f-f882c6133c47} (Password.Stealer) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{996d4e16-517f-474a-870f-f882c6133c47} (Password.Stealer) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\SolutionAV (Rogue.AntivirSolutionPro) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\ucozejowedigo.dll (Trojan.Hiloti) -> Quarantined and deleted successfully.
C:\Documents and Settings\Me\Desktop\AntiVirus.lnk (Rogue.AntiVirus) -> Quarantined and deleted successfully.
C:\Documents and Settings\Me\Application Data\Microsoft\Internet Explorer\Quick Launch\Antivirus.lnk (Rogue.AntiVirus) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\gacaq32.dll (Password.Stealer) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\spnmld.dll (Password.Stealer) -> Quarantined and deleted successfully.

ken545
2010-09-23, 14:06
One of the files that Malwarebytes removed was a Password Stealer, you need to change all your passwords to be on the safe side.

See if you can find these and delete them; leave them in the Recycle Bin for a day or two:
c:\windows\Tvaxevalanahifu.dat
c:\windows\Xqavi.bin

Please run this free online virus scanner from ESET (http://www.eset.com/onlinescan/)

Note: You will need to use Internet Explorer for this scan.
Tick the box next to YES, I accept the Terms of Use.
Click Start
When asked, allow the ActiveX control to install
Click Start
Make sure that the option Remove found threats is ticked, and the option Scan unwanted applications is checked
Click Scan
Wait for the scan to finish
Use notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
Copy and paste that log as a reply to this topic.

How are things running now?

mavson
2010-09-23, 15:53
Things seem to be running better; I didn't get any redirects when I did a search. However, I did get another window opening up to a spyware ad site, so I'm not sure about that. Here is the log from ESET; again, thanks for the prompt help.

ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=6d5297124acd584bb9581b5e2615dbb2
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-09-23 01:43:05
# local_time=2010-09-23 09:43:05 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=143215
# found=78
# cleaned=78
# scan_time=4340
C:\Qoobox\Quarantine\C\Documents and Settings\Me\Application Data\Bitrix Security\fadosvlk.dll.vir a variant of Win32/AutoRun.Spy.Ambler.CA worm (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\Program Files\AnVi\avt.exe.vir Win32/TrojanDownloader.Prodatect.AQ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\Program Files\AnVi\avthook.dll.vir a variant of Win32/Kryptik.DRS trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\Program Files\AnVi\Uninstall.exe.vir a variant of Win32/Kryptik.AT trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\WINDOWS\tmp5361666.log.vir probably a variant of Win32/Kryptik.HD trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\WINDOWS\tmp7291406.log.vir a variant of Win32/Kryptik.HV trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\WINDOWS\tmp8076598.log.vir probably a variant of Win32/Kryptik.HD trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\WINDOWS\tmp8838909.log.vir a variant of Win32/Kryptik.HV trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\WINDOWS\PRAGMApeqqftirxt\PRAGMAc.dll.vir a variant of Win32/Kryptik.EXT trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{AB361FEF-B892-40BA-955E-F42CD2CF40B9}\RP911\A0057402.exe Win32/Adware.SpywareProtect2009 application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{AB361FEF-B892-40BA-955E-F42CD2CF40B9}\RP913\A0057435.exe Win32/Adware.SpywareProtect2009 application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{AB361FEF-B892-40BA-955E-F42CD2CF40B9}\RP959\A0058427.sys Win32/Olmarik.YA trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{AB361FEF-B892-40BA-955E-F42CD2CF40B9}\RP959\A0058428.dll a variant of Win32/Kryptik.GVH trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{AB361FEF-B892-40BA-955E-F42CD2CF40B9}\RP960\A0059520.exe Win32/TrojanDownloader.Prodatect.AQ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{AB361FEF-B892-40BA-955E-F42CD2CF40B9}\RP960\A0059522.dll a variant of Win32/Kryptik.DRS trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{AB361FEF-B892-40BA-955E-F42CD2CF40B9}\RP960\A0059527.exe a variant of Win32/Kryptik.AT trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{AB361FEF-B892-40BA-955E-F42CD2CF40B9}\RP961\A0060104.dll a variant of Win32/Wimpixo.AA trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{AB361FEF-B892-40BA-955E-F42CD2CF40B9}\RP961\A0060340.exe a variant of Win32/Kryptik.AT trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{AB361FEF-B892-40BA-955E-F42CD2CF40B9}\RP961\A0060352.exe Win32/TrojanDownloader.Prodatect.AQ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{AB361FEF-B892-40BA-955E-F42CD2CF40B9}\RP961\A0060353.dll a variant of Win32/Kryptik.EXT trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{AB361FEF-B892-40BA-955E-F42CD2CF40B9}\RP961\A0061115.dll Win32/Chksyn.AB trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{AB361FEF-B892-40BA-955E-F42CD2CF40B9}\RP963\A0062267.dll a variant of Win32/Wimpixo.AA trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{AB361FEF-B892-40BA-955E-F42CD2CF40B9}\RP963\A0062498.exe a variant of Win32/Kryptik.AT trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{AB361FEF-B892-40BA-955E-F42CD2CF40B9}\RP963\A0062510.exe Win32/TrojanDownloader.Prodatect.AQ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{AB361FEF-B892-40BA-955E-F42CD2CF40B9}\RP963\A0062511.dll a variant of Win32/Kryptik.EXT trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{AB361FEF-B892-40BA-955E-F42CD2CF40B9}\RP963\A0062796.exe Win32/TrojanDownloader.Prodatect.AQ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{AB361FEF-B892-40BA-955E-F42CD2CF40B9}\RP963\A0062798.dll a variant of Win32/Kryptik.DRS trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{AB361FEF-B892-40BA-955E-F42CD2CF40B9}\RP963\A0062803.exe a variant of Win32/Kryptik.AT trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{AB361FEF-B892-40BA-955E-F42CD2CF40B9}\RP963\A0062813.dll a variant of Win32/Wimpixo.AA trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{AB361FEF-B892-40BA-955E-F42CD2CF40B9}\RP963\A0066745.exe a variant of Win32/Kryptik.AT trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{AB361FEF-B892-40BA-955E-F42CD2CF40B9}\RP963\A0066757.dll a variant of Win32/Kryptik.EXT trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{AB361FEF-B892-40BA-955E-F42CD2CF40B9}\RP964\A0067777.exe Win32/Sirefef.BN trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{AB361FEF-B892-40BA-955E-F42CD2CF40B9}\RP965\A0069282.exe a variant of Win32/Kryptik.AT trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{AB361FEF-B892-40BA-955E-F42CD2CF40B9}\RP965\A0069294.dll a variant of Win32/Kryptik.EXT trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{AB361FEF-B892-40BA-955E-F42CD2CF40B9}\RP965\A0069816.exe Win32/TrojanDownloader.Prodatect.AQ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{AB361FEF-B892-40BA-955E-F42CD2CF40B9}\RP965\A0069818.dll a variant of Win32/Kryptik.DRS trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{AB361FEF-B892-40BA-955E-F42CD2CF40B9}\RP965\A0069823.exe a variant of Win32/Kryptik.AT trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{AB361FEF-B892-40BA-955E-F42CD2CF40B9}\RP965\A0070080.dll a variant of Win32/Wimpixo.AA trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{AB361FEF-B892-40BA-955E-F42CD2CF40B9}\RP965\A0070088.exe a variant of Win32/Kryptik.AT trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{AB361FEF-B892-40BA-955E-F42CD2CF40B9}\RP965\A0070091.exe Win32/TrojanDownloader.Prodatect.AQ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{AB361FEF-B892-40BA-955E-F42CD2CF40B9}\RP965\A0070603.exe Win32/TrojanDownloader.Prodatect.AQ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{AB361FEF-B892-40BA-955E-F42CD2CF40B9}\RP965\A0070605.dll a variant of Win32/Kryptik.DRS trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{AB361FEF-B892-40BA-955E-F42CD2CF40B9}\RP965\A0070610.exe a variant of Win32/Kryptik.AT trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{AB361FEF-B892-40BA-955E-F42CD2CF40B9}\RP965\A0070612.dll a variant of Win32/Wimpixo.AA trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{AB361FEF-B892-40BA-955E-F42CD2CF40B9}\RP967\A0073693.exe Win32/TrojanDownloader.Prodatect.AQ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{AB361FEF-B892-40BA-955E-F42CD2CF40B9}\RP967\A0073695.dll a variant of Win32/Kryptik.DRS trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{AB361FEF-B892-40BA-955E-F42CD2CF40B9}\RP967\A0073700.exe a variant of Win32/Kryptik.AT trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{AB361FEF-B892-40BA-955E-F42CD2CF40B9}\RP967\A0073939.dll a variant of Win32/Wimpixo.AA trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{AB361FEF-B892-40BA-955E-F42CD2CF40B9}\RP967\A0073947.exe a variant of Win32/Kryptik.AT trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{AB361FEF-B892-40BA-955E-F42CD2CF40B9}\RP967\A0073959.exe Win32/TrojanDownloader.Prodatect.AQ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{AB361FEF-B892-40BA-955E-F42CD2CF40B9}\RP967\A0073960.dll a variant of Win32/Kryptik.EXT trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{AB361FEF-B892-40BA-955E-F42CD2CF40B9}\RP967\A0074467.exe Win32/TrojanDownloader.Prodatect.AQ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{AB361FEF-B892-40BA-955E-F42CD2CF40B9}\RP967\A0074469.dll a variant of Win32/Kryptik.DRS trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{AB361FEF-B892-40BA-955E-F42CD2CF40B9}\RP967\A0074474.exe a variant of Win32/Kryptik.AT trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{AB361FEF-B892-40BA-955E-F42CD2CF40B9}\RP967\A0074477.dll a variant of Win32/Wimpixo.AA trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{AB361FEF-B892-40BA-955E-F42CD2CF40B9}\RP967\A0075171.exe a variant of Win32/Kryptik.AT trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{AB361FEF-B892-40BA-955E-F42CD2CF40B9}\RP967\A0075926.exe Win32/TrojanDownloader.Prodatect.AQ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{AB361FEF-B892-40BA-955E-F42CD2CF40B9}\RP967\A0075928.dll a variant of Win32/Kryptik.DRS trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{AB361FEF-B892-40BA-955E-F42CD2CF40B9}\RP967\A0075933.exe a variant of Win32/Kryptik.AT trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{AB361FEF-B892-40BA-955E-F42CD2CF40B9}\RP967\A0076171.dll a variant of Win32/Wimpixo.AA trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{AB361FEF-B892-40BA-955E-F42CD2CF40B9}\RP967\A0076179.exe a variant of Win32/Kryptik.AT trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{AB361FEF-B892-40BA-955E-F42CD2CF40B9}\RP967\A0076182.exe Win32/TrojanDownloader.Prodatect.AQ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{AB361FEF-B892-40BA-955E-F42CD2CF40B9}\RP967\A0076626.exe Win32/TrojanDownloader.Prodatect.AQ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{AB361FEF-B892-40BA-955E-F42CD2CF40B9}\RP967\A0076628.dll a variant of Win32/Kryptik.DRS trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{AB361FEF-B892-40BA-955E-F42CD2CF40B9}\RP967\A0076633.exe a variant of Win32/Kryptik.AT trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{AB361FEF-B892-40BA-955E-F42CD2CF40B9}\RP967\A0076635.dll a variant of Win32/Wimpixo.AA trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{AB361FEF-B892-40BA-955E-F42CD2CF40B9}\RP967\A0076876.dll a variant of Win32/PSW.Papras.BO trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{AB361FEF-B892-40BA-955E-F42CD2CF40B9}\RP968\A0084000.sys Win32/Olmarik.ZC trojan (cleaned - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{AB361FEF-B892-40BA-955E-F42CD2CF40B9}\RP968\A0084052.dll a variant of Win32/AutoRun.Spy.Ambler.CA worm (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{AB361FEF-B892-40BA-955E-F42CD2CF40B9}\RP968\A0084071.exe Win32/TrojanDownloader.Prodatect.AQ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{AB361FEF-B892-40BA-955E-F42CD2CF40B9}\RP968\A0084073.dll a variant of Win32/Kryptik.DRS trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{AB361FEF-B892-40BA-955E-F42CD2CF40B9}\RP968\A0084078.exe a variant of Win32/Kryptik.AT trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{AB361FEF-B892-40BA-955E-F42CD2CF40B9}\RP968\A0084080.dll a variant of Win32/Kryptik.EXT trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\gasac32.dll probably a variant of Win32/AutoRun.Spy.Ambler.NAC worm (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\drivers\afd.sys Win32/Olmarik.ZC trojan (cleaned - quarantined) 00000000000000000000000000000000 C
E:\WINDOWS\Shared\05 Track 5 (women).wma probably a variant of Win32/Agent.FCJWLFS trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
E:\WINDOWS\Shared\02 Track 2 (women).wma WMA/TrojanDownloader.Wimad.L trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
E:\WINDOWS\Shared\07 Track 7 (women).wma WMA/TrojanDownloader.Wimad.D trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
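
The log above reports 78 detections, but they are three very different kinds of file: System Restore snapshots under System Volume Information, files ComboFix had already moved into its Qoobox quarantine (the .vir suffix), and files that were live on the system, including the E: drive. Triage is easier when the log is parsed rather than read. The following is an added example written for this thread (my code, not ESET's and not this forum's): it turns each detection line into a record, buckets it by location, counts families, and separates entries ESET "cleaned" from those it "cleaned by deleting". The difference matters: a file that was disinfected in place is a legitimate file with malicious code grafted into it, and here that file is the Windows networking driver afd.sys. Win32/Olmarik is ESET's name for the TDSS/TDL rootkit family, which infects an existing system driver rather than dropping a new file. The sample input is a handful of lines copied from the log in the post above.

```python
import re
from collections import Counter
from typing import Dict, List, NamedTuple, Tuple


class Detection(NamedTuple):
    """One detection line from an ESET Online Scanner log.txt."""
    path: str        # file ESET flagged
    detection: str   # full detection text, e.g. "a variant of Win32/Kryptik.AT trojan"
    family: str      # the name proper, e.g. "Win32/Kryptik.AT"
    action: str      # text inside the parentheses, e.g. "cleaned by deleting - quarantined"
    location: str    # "system_restore", "quarantine" or "live" (see classify_location)


# "# key=value" header lines at the top of the log (keys such as iexplore.exe contain a dot).
HEADER_RE = re.compile(r"^#\s*(?P<key>[\w.]+)=(?P<value>.*)$")

# One detection line: <path> <detection> (<action>) <32 hex digits> <flag>
# The path may contain spaces and parentheses, so it is matched lazily up to the
# first token that looks like an ESET name (Platform/Family...), optionally
# prefixed by "a variant of" or "probably a variant of".
LINE_RE = re.compile(
    r"^(?P<path>.+?)\s+"
    r"(?P<detection>(?:probably a variant of |a variant of )?[A-Za-z0-9]+/\S+(?: \S+)*?)\s+"
    r"\((?P<action>[^)]*)\)\s+"
    r"(?P<hash>[0-9A-Fa-f]{32})\s+\S+$"
)
FAMILY_RE = re.compile(r"[A-Za-z0-9]+/\S+")


def classify_location(path: str) -> str:
    """Bucket a path: System Restore snapshot, a quarantine folder, or a live file."""
    p = path.lower()
    if "\\system volume information\\_restore" in p:
        return "system_restore"
    if "\\qoobox\\quarantine\\" in p:   # Qoobox is ComboFix's quarantine folder
        return "quarantine"
    return "live"


def parse_eset_log(text: str) -> Tuple[Dict[str, str], List[Detection]]:
    """Split the log into its header dictionary and its list of detections."""
    headers: Dict[str, str] = {}
    detections: List[Detection] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        h = HEADER_RE.match(line)
        if h:
            headers[h.group("key")] = h.group("value")
            continue
        m = LINE_RE.match(line)
        if not m:
            continue          # banner lines such as "OnlineScanner.ocx - registred OK"
        det = m.group("detection")
        family = FAMILY_RE.search(det).group(0)
        detections.append(Detection(m.group("path"), det, family, m.group("action"),
                                    classify_location(m.group("path"))))
    return headers, detections


def summarize(detections: List[Detection]) -> dict:
    """Counts per location and per family, plus the entries that deserve a second look."""
    return {
        "total": len(detections),
        "by_location": dict(Counter(d.location for d in detections)),
        "by_family": dict(Counter(d.family for d in detections)),
        # Files outside quarantine and restore points were active on the system.
        "live_paths": [d.path for d in detections if d.location == "live"],
        # "cleaned - quarantined" (no "by deleting") means ESET disinfected the file in
        # place: the file itself is legitimate and had malicious code written into it.
        "disinfected_in_place": [d.path for d in detections
                                 if not d.action.startswith("cleaned by deleting")],
    }


# Constructed sample: a few lines copied from the ESET log posted above.
SAMPLE_LOG = r"""ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
# found=78
# cleaned=78
C:\Qoobox\Quarantine\C\Program Files\AnVi\avt.exe.vir Win32/TrojanDownloader.Prodatect.AQ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{AB361FEF-B892-40BA-955E-F42CD2CF40B9}\RP911\A0057402.exe Win32/Adware.SpywareProtect2009 application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{AB361FEF-B892-40BA-955E-F42CD2CF40B9}\RP968\A0084000.sys Win32/Olmarik.ZC trojan (cleaned - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\gasac32.dll probably a variant of Win32/AutoRun.Spy.Ambler.NAC worm (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\WINDOWS\system32\drivers\afd.sys Win32/Olmarik.ZC trojan (cleaned - quarantined) 00000000000000000000000000000000 C
E:\WINDOWS\Shared\05 Track 5 (women).wma probably a variant of Win32/Agent.FCJWLFS trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
"""

if __name__ == "__main__":
    hdr, dets = parse_eset_log(SAMPLE_LOG)
    print("ESET reported found=%s cleaned=%s; parsed %d detection lines"
          % (hdr["found"], hdr["cleaned"], len(dets)))
    for key, value in summarize(dets).items():
        print(key, value)
```

Run against the full log, the "system_restore" bucket holds the bulk of the 78 entries, which is what the next reply acts on by flushing the restore points; the "live_paths" and "disinfected_in_place" lists are the short part worth reading line by line.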

ken545
2010-09-23, 18:48
You have a ton of stuff in System Restore; let's flush it all out and create a new Restore Point.

System Restore makes regular backups of all your settings; if you ever had to use this program to restore your system to a previous date, you would be infected all over again, so we need to clean out the previous Restore Points.

Turn off System Restore.


Right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore on all Drives.
Click Apply, and then click OK.


Reboot your computer

Turn ON System Restore.


Right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check Turn off System Restore on all Drives.
Click Apply, and then click OK.


Create a new Restore Point <-- Very Important


Go to Start > All Programs > Accessories > System Tools > System Restore and create a New Restore Point.

System Restore Tutorial (http://www.bleepingcomputer.com/tutorials/tutorial56.html) <-- If you need it

Let's run this rootkit detector to make sure you're not infected by one.
Download the GMER Rootkit Scanner (http://www.gmer.net/gmer.zip). Unzip it to your Desktop.

Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.

Double click GMER.exe.
http://img.photobucket.com/albums/v666/sUBs/gmer_zip.gif
If it gives you a warning about rootkit activity and asks if you want to run a full scan, click on NO; then use the following settings for a more complete scan.
In the right panel, you will see several boxes that have been checked. Ensure the following are UNCHECKED ...
IAT/EAT
Drives/Partition other than Systemdrive (typically C:\)
Show All (don't miss this one)
http://www.geekstogo.com/misc/guide_icons/GMER_thumb.jpg (http://www.geekstogo.com/misc/guide_icons/GMER_instructions.jpg)
Click the image to enlarge it

Then click the Scan button & wait for it to finish.
Once done click on the [Save..] button, and in the File name area, type in "ark.txt"
Save the log where you can easily find it, such as your desktop.
**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.
Please copy and paste the report into your Post.

mavson
2010-09-23, 21:50
OK, I ran GMER. The first time through, the computer locked up, but I was able to run through it the second time. After running it and saving the ark.txt log to the desktop, when I tried to log on to post it the PC locked up again, but it seems to be OK now. Here is the log.


GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-09-23 15:40:46
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\Me\LOCALS~1\Temp\pxtdipow.sys


---- Kernel code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB904C380, 0x346307, 0xE8000020]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\wuauclt.exe[508] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0092000A
.text C:\WINDOWS\system32\wuauclt.exe[508] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 0093000A
.text C:\WINDOWS\system32\wuauclt.exe[508] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0091000C
.text C:\WINDOWS\System32\svchost.exe[1060] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00CF000A
.text C:\WINDOWS\System32\svchost.exe[1060] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00D0000A
.text C:\WINDOWS\System32\svchost.exe[1060] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00CE000C
.text C:\WINDOWS\System32\svchost.exe[1060] ole32.dll!CoCreateInstance 7750057E 3 Bytes JMP 00DC000A
.text C:\WINDOWS\System32\svchost.exe[1060] ole32.dll!CoCreateInstance + 4 77500582 1 Byte [89]
.text C:\WINDOWS\Explorer.EXE[1660] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00BD000A
.text C:\WINDOWS\Explorer.EXE[1660] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00BE000A
.text C:\WINDOWS\Explorer.EXE[1660] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00B7000C

---- EOF - GMER 1.0.15 ----
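
Each ".text" line in GMER's "User code sections" list says, for one process, which exported function's first bytes no longer match the on-disk image and where the patched JMP lands. The following is an added example for this thread (my code, not GMER's, which publishes no format specification; the field meanings are read off the log above) that parses those lines into records, groups hooks by function, and decodes the bracketed characteristics word on the kernel "section is writeable" line. One assumption is labelled in the code: that the third bracketed value is the PE section Characteristics field, which is consistent with the value 0xE8000020 decoding to a code section marked readable, writeable and executable. The sample input is the log posted above.

```python
import re
from collections import OrderedDict
from typing import Dict, List, NamedTuple, Optional, Tuple


class UserHook(NamedTuple):
    """One ".text" entry from GMER's "User code sections" list."""
    process: str               # image path of the process GMER inspected
    pid: int
    module: str                # module exporting the patched function, e.g. "ntdll.dll"
    symbol: str                # exported name, e.g. "NtProtectVirtualMemory"
    offset: int                # bytes past the symbol ("+ 4"), 0 when not shown
    address: int               # virtual address of the patched bytes
    size: int                  # how many bytes differ from the on-disk image
    patch: str                 # GMER's description, e.g. "JMP 0092000A" or "[89]"
    jmp_target: Optional[int]  # decoded JMP destination, None for a raw byte patch


class WritableSection(NamedTuple):
    """A driver whose code section GMER reports as writeable."""
    driver: str
    start: int
    length: int
    characteristics: int


USER_HOOK_RE = re.compile(
    r"^\.text\s+(?P<process>.+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<module>[^!\s]+)!(?P<symbol>\S+)(?:\s*\+\s*(?P<offset>\d+))?\s+"
    r"(?P<address>[0-9A-Fa-f]{8})\s+(?P<size>\d+)\s+Bytes?\s+(?P<patch>.+)$"
)
KERNEL_SECTION_RE = re.compile(
    r"^\.text\s+(?P<driver>\S+)\s+section is writeable\s+"
    r"\[0x(?P<start>[0-9A-Fa-f]+),\s*0x(?P<length>[0-9A-Fa-f]+),\s*0x(?P<chars>[0-9A-Fa-f]+)\]$"
)
JMP_RE = re.compile(r"^JMP\s+(?P<target>[0-9A-Fa-f]{8})$")

# PE section characteristic bits from winnt.h. Assumption: the third bracketed
# value in GMER's "section is writeable" line is the section's Characteristics field.
SECTION_FLAGS = OrderedDict([
    (0x00000020, "IMAGE_SCN_CNT_CODE"),
    (0x08000000, "IMAGE_SCN_MEM_NOT_PAGED"),
    (0x20000000, "IMAGE_SCN_MEM_EXECUTE"),
    (0x40000000, "IMAGE_SCN_MEM_READ"),
    (0x80000000, "IMAGE_SCN_MEM_WRITE"),
])


def decode_section_flags(value: int) -> List[str]:
    """Names of the known characteristic bits set in value, lowest bit first."""
    return [name for bit, name in SECTION_FLAGS.items() if value & bit]


def parse_gmer_log(text: str) -> Tuple[List[UserHook], List[WritableSection]]:
    """Collect user-mode hook entries and writeable kernel sections from a GMER log."""
    hooks: List[UserHook] = []
    sections: List[WritableSection] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = USER_HOOK_RE.match(line)
        if m:
            j = JMP_RE.match(m.group("patch"))
            hooks.append(UserHook(
                process=m.group("process"), pid=int(m.group("pid")),
                module=m.group("module"), symbol=m.group("symbol"),
                offset=int(m.group("offset") or 0), address=int(m.group("address"), 16),
                size=int(m.group("size")), patch=m.group("patch"),
                jmp_target=int(j.group("target"), 16) if j else None))
            continue
        k = KERNEL_SECTION_RE.match(line)
        if k:
            sections.append(WritableSection(
                k.group("driver"), int(k.group("start"), 16),
                int(k.group("length"), 16), int(k.group("chars"), 16)))
    return hooks, sections


def hooks_by_symbol(hooks: List[UserHook]) -> Dict[str, List[str]]:
    """Map "module!symbol" to the processes (basename[pid]) in which it is patched."""
    out: Dict[str, List[str]] = {}
    for h in hooks:
        key = "%s!%s" % (h.module, h.symbol)
        proc = "%s[%d]" % (h.process.rsplit("\\", 1)[-1], h.pid)
        out.setdefault(key, []).append(proc)
    return out


# Constructed sample: the GMER log posted above.
SAMPLE_GMER_LOG = r"""---- Kernel code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB904C380, 0x346307, 0xE8000020]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\wuauclt.exe[508] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0092000A
.text C:\WINDOWS\system32\wuauclt.exe[508] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 0093000A
.text C:\WINDOWS\system32\wuauclt.exe[508] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0091000C
.text C:\WINDOWS\System32\svchost.exe[1060] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00CF000A
.text C:\WINDOWS\System32\svchost.exe[1060] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00D0000A
.text C:\WINDOWS\System32\svchost.exe[1060] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00CE000C
.text C:\WINDOWS\System32\svchost.exe[1060] ole32.dll!CoCreateInstance 7750057E 3 Bytes JMP 00DC000A
.text C:\WINDOWS\System32\svchost.exe[1060] ole32.dll!CoCreateInstance + 4 77500582 1 Byte [89]
.text C:\WINDOWS\Explorer.EXE[1660] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00BD000A
.text C:\WINDOWS\Explorer.EXE[1660] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00BE000A
.text C:\WINDOWS\Explorer.EXE[1660] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00B7000C

---- EOF - GMER 1.0.15 ----
"""

if __name__ == "__main__":
    hooks, sections = parse_gmer_log(SAMPLE_GMER_LOG)
    for s in sections:
        print(s.driver, decode_section_flags(s.characteristics))
    for sym, procs in hooks_by_symbol(hooks).items():
        print("%-40s patched in %d process(es): %s" % (sym, len(procs), ", ".join(procs)))
```

Grouping by symbol shows the pattern in this log: the same three ntdll functions are patched at the same addresses in three unrelated processes, and every JMP lands at a low user-space address far below the ntdll image at 0x7C90xxxx, i.e. in a separately allocated region. Whether that region belongs to an injected security-product component or to malware is not something GMER records, which is why the caveat about false positives in the instructions above applies: the owner of the target pages has to be established before any entry is acted on.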

ken545
2010-09-23, 22:52
Hi,

You shouldn't have another window opening up to a spyware site; what is the name of the site that's popping up?


Download OTL (http://oldtimer.geekstogo.com/OTL.exe) to your desktop.
Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
When the window appears, underneath Output at the top change it to Minimal Output.
Check the boxes beside LOP Check and Purity Check.
Under the Custom Scan box, paste this in:

netsvcs
%SYSTEMDRIVE%\*.exe
/md5start
eventlog.dll
scecli.dll
netlogon.dll
cngaudit.dll
sceclt.dll
ntelogon.dll
logevent.dll
iaStor.sys
nvstor.sys
atapi.sys
IdeChnDr.sys
viasraid.sys
AGP440.sys
vaxscsi.sys
nvatabus.sys
viamraid.sys
nvata.sys
nvgts.sys
iastorv.sys
ViPrt.sys
eNetHook.dll
ahcix86.sys
KR10N.sys
nvstor32.sys
ahcix86s.sys
nvrd32.sys
symmpi.sys
adp3132.sys
mv61xx.sys
/md5stop
%systemroot%\*. /mp /s
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
%systemroot%\system32\drivers\*.sys /lockedfiles
%systemroot%\System32\config\*.sav

Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.

When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt.
Note: These logs can be located in the OTL folder on your C:\ drive if they fail to open automatically.
Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them with your next reply. You may need two posts to fit them both in.

mavson
2010-09-23, 23:21
OK, I can't remember what the ad was that popped up, but I had another one earlier too, for something like an airline ad, that just opened up in another window. Sorry about not knowing; I should have written it down, I guess. Here are the logs you requested:

OTL logfile created on: 9/23/2010 5:07:46 PM - Run 1
OTL by OldTimer - Version 3.2.14.1 Folder = C:\Documents and Settings\Me\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

3.00 Gb Total Physical Memory | 3.00 Gb Available Physical Memory | 85.00% Memory free
4.00 Gb Paging File | 4.00 Gb Available in Paging File | 91.00% Paging File free
Paging file location(s): C:\pagefile.sys 756 1512 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 37.26 Gb Total Space | 10.78 Gb Free Space | 28.93% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
Drive E: | 25.21 Gb Total Space | 16.37 Gb Free Space | 64.93% Space Free | Partition Type: FAT32
Drive F: | 2.72 Gb Total Space | 0.91 Gb Free Space | 33.31% Space Free | Partition Type: FAT32
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: HP1
Current User Name: Me
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: Off
Skip Microsoft Files: Off
File Age = 30 Days
Output = Minimal

========== Processes (SafeList) ==========

PRC - C:\Documents and Settings\Me\Desktop\OTL.exe (OldTimer Tools)
PRC - C:\Program Files\Java\jre6\bin\jucheck.exe (Sun Microsystems, Inc.)
PRC - C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer-Networking Ltd.)
PRC - C:\WINDOWS\explorer.exe (Microsoft Corporation)
PRC - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac (ArcSoft)
PRC - C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe (ArcSoft)
PRC - C:\Program Files\OpenOffice.org 2.2\program\soffice.bin (OpenOffice.org)
PRC - C:\Program Files\OpenOffice.org 2.2\program\soffice.exe (OpenOffice.org)
PRC - C:\Program Files\Panasonic\LUMIXSimpleViewer\PhLeAutoRun.exe (Matsushita Electric Industrial Co., Ltd.)
PRC - C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe ()
PRC - C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe (HP)
PRC - C:\Program Files\Hewlett-Packard\HP Software Update\hpwuSchd.exe (Hewlett-Packard)
PRC - C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe (adi)
PRC - C:\Program Files\Analog Devices\SoundMAX\SMTray.exe (Analog Devices, Inc.)
PRC - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe (Analog Devices, Inc.)


========== Modules (SafeList) ==========

MOD - C:\Documents and Settings\Me\Desktop\OTL.exe (OldTimer Tools)
MOD - C:\WINDOWS\system32\msscript.ocx (Microsoft Corporation)


========== Win32 Services (SafeList) ==========

SRV - (SoundMAX Agent Service (default)) -- C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe (Analog Devices, Inc.)


========== Driver Services (SafeList) ==========

DRV - (catchme) -- C:\ComboFix\catchme.sys File not found
DRV - (usbaudio) USB Audio Driver (WDM) -- C:\WINDOWS\system32\drivers\usbaudio.sys (Microsoft Corporation)
DRV - (BVRPMPR5) -- C:\WINDOWS\system32\drivers\BVRPMPR5.SYS (Avanquest Software)
DRV - (nv) -- C:\WINDOWS\system32\drivers\nv4_mini.sys (NVIDIA Corporation)
DRV - (b57w2k) -- C:\WINDOWS\system32\drivers\b57xp32.sys (Broadcom Corporation)
DRV - (Blfp) -- C:\WINDOWS\system32\drivers\baspxp32.sys (Broadcom Corporation)
DRV - (Afc) -- C:\WINDOWS\system32\drivers\afc.sys (Arcsoft, Inc.)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========


IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0



O1 HOSTS File: ([2010/09/22 20:58:44 | 000,000,027 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll (Google Inc.)
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [ArcSoft Connection Service] C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe (ArcSoft)
O4 - HKLM..\Run: [DrvLsnr] C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe (adi)
O4 - HKLM..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe (Hewlett-Packard)
O4 - HKLM..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe (HP)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [NvMediaCenter] C:\WINDOWS\System32\NvMcTray.DLL (NVIDIA Corporation)
O4 - HKLM..\Run: [nwiz] C:\WINDOWS\System32\nwiz.exe ()
O4 - HKLM..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe (Analog Devices, Inc.)
O4 - HKCU..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer-Networking Ltd.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\LUMIX Simple Viewer.lnk = C:\Program Files\Panasonic\LUMIXSimpleViewer\PhLeAutoRun.exe (Matsushita Electric Industrial Co., Ltd.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ymetray.lnk = C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe ()
O4 - Startup: C:\Documents and Settings\Me\Start Menu\Programs\Startup\OpenOffice.org 2.2.lnk = C:\Program Files\OpenOffice.org 2.2\program\quickstart.exe ()
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O16 - DPF: {38AB6A6C-CC4C-4F9E-A3DD-3C5681EF18A1} http://www-cdn.freerealms.com/gamedata/plugins/1.0.3.93/FreeRealmsInstaller.cab?v=1044 (SonyOnlineInstallerX)
O16 - DPF: {41564D57-9980-0010-8000-00AA00389B71} http://download.microsoft.com/download/0/A/9/0A9F8B32-9F8C-4D74-A130-E4CAB36EB01F/wmvadvd.cab (Reg Error: Key error.)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab (OnlineScanner Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab (Java Plug-in 1.6.0_15)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} http://a.download.toontown.com/sv1.0.38.59/ttinst.cab (Toontown Installer ActiveX Control)
O16 - DPF: {CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0-windows-i586.cab (Java Plug-in 1.6.0)
O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab (Java Plug-in 1.6.0_05)
O16 - DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab (Java Plug-in 1.6.0_15)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab (Java Plug-in 1.6.0_15)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O18 - Protocol\Handler\cetihpz {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll (Hewlett-Packard Company)
O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll (Microsoft Corporation)
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O24 - Desktop WallPaper: C:\Documents and Settings\Me\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O24 - Desktop BackupWallPaper: C:\Documents and Settings\Me\Local Settings\Application Data\Microsoft\Wallpaper1.bmp
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2007/07/20 14:50:14 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2006/06/18 15:18:14 | 000,000,262 | ---- | M] () - E:\AUTOEXEC.BAK -- [ FAT32 ]
O32 - AutoRun File - [2000/06/20 16:58:32 | 000,000,027 | -H-- | M] () - E:\AUTOEXEC.DOS -- [ FAT32 ]
O32 - AutoRun File - [2006/06/18 15:18:14 | 000,000,194 | ---- | M] () - E:\autoexec.bat -- [ FAT32 ]
O32 - AutoRun File - [2006/06/18 13:16:32 | 000,000,194 | ---- | M] () - E:\AUTOEXEC.001 -- [ FAT32 ]
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: Ias - File not found
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: WmdmPmSp - File not found

========== Files/Folders - Created Within 30 Days ==========

[2010/09/23 17:06:31 | 000,575,488 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Me\Desktop\OTL.exe
[2010/09/23 13:21:03 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Me\Desktop\gmer
[2010/09/23 08:28:08 | 000,000,000 | ---D | C] -- C:\Program Files\ESET
[2010/09/23 07:43:58 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Me\Application Data\Malwarebytes
[2010/09/23 07:43:35 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2010/09/23 07:43:34 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2010/09/23 07:43:34 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2010/09/23 07:43:34 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Malwarebytes
[2010/09/23 07:40:23 | 000,000,000 | -HSD | C] -- C:\RECYCLER
[2010/09/23 07:37:20 | 006,153,352 | ---- | C] (Malwarebytes Corporation ) -- C:\Documents and Settings\Me\Desktop\mbam-setup.exe
[2010/09/23 07:33:20 | 000,446,464 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Me\Desktop\TFC.exe
[2010/09/22 20:35:59 | 000,000,000 | RHSD | C] -- C:\cmdcons
[2010/09/22 20:32:46 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2010/09/22 20:32:46 | 000,161,792 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2010/09/22 20:32:46 | 000,136,704 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2010/09/22 20:32:46 | 000,031,232 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2010/09/22 20:31:01 | 000,000,000 | ---D | C] -- C:\Qoobox
[2010/09/21 09:18:12 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Adobe
[2010/09/21 01:40:56 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe
[2010/09/21 01:24:53 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\NOS
[2010/09/21 01:24:51 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\NOS(2)
[2010/09/20 03:32:38 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Adobe(3)
[2010/09/20 00:47:00 | 000,000,000 | ---D | C] -- C:\WINDOWS\ERDNT
[2010/09/20 00:45:21 | 000,000,000 | ---D | C] -- C:\Program Files\ERUNT
[2010/09/20 00:25:29 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe(5)
[2010/09/19 01:55:22 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe(4)
[2010/09/18 19:41:59 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Adobe
[2010/09/18 19:41:52 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Sun
[2010/09/18 08:47:53 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe(3)
[2010/09/17 16:39:11 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Sun
[2010/09/17 16:07:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Adobe(2)
[2010/09/17 15:55:01 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Adobe(2)
[2010/09/17 15:42:42 | 000,000,000 | ---D | C] -- C:\Documents and Settings\LocalService\Application Data\Macromedia
[2010/09/17 15:26:05 | 000,000,000 | ---D | C] -- C:\Documents and Settings\NetworkService\Application Data\Macromedia
[2010/09/16 08:20:33 | 000,000,000 | ---D | C] -- C:\Config.Msi
[2010/09/15 11:24:18 | 000,000,000 | ---D | C] -- C:\Program Files\InterActual

========== Files - Modified Within 30 Days ==========

[2010/09/23 17:08:48 | 000,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2010/09/23 17:06:32 | 000,575,488 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Me\Desktop\OTL.exe
[2010/09/23 16:15:00 | 000,000,886 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineUA.job
[2010/09/23 15:48:22 | 000,000,868 | ---- | M] () -- C:\WINDOWS\tasks\Google Software Updater.job
[2010/09/23 15:48:18 | 000,002,206 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2010/09/23 15:48:06 | 000,000,882 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskMachineCore.job
[2010/09/23 15:48:00 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2010/09/23 15:45:42 | 000,000,178 | -HS- | M] () -- C:\Documents and Settings\Me\ntuser.ini
[2010/09/23 15:45:41 | 004,980,736 | ---- | M] () -- C:\Documents and Settings\Me\ntuser.dat
[2010/09/23 15:45:04 | 004,836,196 | -H-- | M] () -- C:\Documents and Settings\Me\Local Settings\Application Data\IconCache.db
[2010/09/23 13:20:42 | 000,284,915 | ---- | M] () -- C:\Documents and Settings\Me\Desktop\gmer.zip
[2010/09/23 10:01:47 | 000,001,324 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2010/09/23 07:43:38 | 000,000,696 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/09/23 07:37:24 | 006,153,352 | ---- | M] (Malwarebytes Corporation ) -- C:\Documents and Settings\Me\Desktop\mbam-setup.exe
[2010/09/23 07:33:21 | 000,446,464 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Me\Desktop\TFC.exe
[2010/09/22 21:00:06 | 000,000,227 | ---- | M] () -- C:\WINDOWS\system.ini
[2010/09/22 20:58:44 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts
[2010/09/22 20:36:07 | 000,000,327 | RHS- | M] () -- C:\boot.ini
[2010/09/22 20:31:52 | 003,850,032 | R--- | M] () -- C:\Documents and Settings\Me\Desktop\ComboFix.exe
[2010/09/20 17:06:01 | 000,000,284 | ---- | M] () -- C:\WINDOWS\tasks\AppleSoftwareUpdate.job
[2010/09/20 01:02:01 | 000,004,167 | ---- | M] () -- C:\Documents and Settings\Me\Desktop\Attach.zip
[2010/09/20 00:09:06 | 000,001,917 | ---- | M] () -- C:\WINDOWS\imsins.BAK
[2010/09/19 22:44:57 | 000,103,824 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2010/08/27 14:49:37 | 000,001,323 | ---- | M] () -- C:\Documents and Settings\Me\Desktop\Shortcut to DSCN1185[1].JPG.lnk
[2010/08/25 14:04:03 | 000,024,064 | ---- | M] () -- C:\Documents and Settings\Me\My Documents\CM_Pee_Wee_Football_Schedule_2010.doc

========== Files Created - No Company Name ==========

[2010/09/23 13:20:41 | 000,284,915 | ---- | C] () -- C:\Documents and Settings\Me\Desktop\gmer.zip
[2010/09/23 07:43:38 | 000,000,696 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes' Anti-Malware.lnk
[2010/09/22 20:36:07 | 000,000,211 | ---- | C] () -- C:\Boot.bak
[2010/09/22 20:36:03 | 000,260,272 | RHS- | C] () -- C:\cmldr
[2010/09/22 20:32:46 | 000,256,512 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2010/09/22 20:32:46 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2010/09/22 20:32:46 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2010/09/22 20:32:46 | 000,077,312 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2010/09/22 20:32:46 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2010/09/22 20:25:22 | 003,850,032 | R--- | C] () -- C:\Documents and Settings\Me\Desktop\ComboFix.exe
[2010/09/20 01:02:01 | 000,004,167 | ---- | C] () -- C:\Documents and Settings\Me\Desktop\Attach.zip
[2010/09/19 23:52:56 | 000,007,168 | -HS- | C] () -- C:\Documents and Settings\Me\Thumbs.db
[2010/09/09 21:10:37 | 004,980,736 | ---- | C] () -- C:\Documents and Settings\Me\ntuser.dat
[2010/08/27 14:49:37 | 000,001,323 | ---- | C] () -- C:\Documents and Settings\Me\Desktop\Shortcut to DSCN1185[1].JPG.lnk
[2010/08/25 14:04:03 | 000,024,064 | ---- | C] () -- C:\Documents and Settings\Me\My Documents\CM_Pee_Wee_Football_Schedule_2010.doc
[2010/05/02 09:57:06 | 000,354,816 | ---- | C] () -- C:\WINDOWS\System32\psisdecd.dll
[2009/08/01 18:03:50 | 000,000,151 | ---- | C] () -- C:\WINDOWS\wininit.ini
[2009/07/14 20:39:10 | 000,000,206 | ---- | C] () -- C:\WINDOWS\System32\MRT.INI
[2009/01/25 14:03:49 | 000,000,069 | ---- | C] () -- C:\WINDOWS\MediaManager.INI
[2008/05/22 13:49:45 | 000,000,324 | ---- | C] () -- C:\WINDOWS\game.ini
[2008/02/19 07:50:14 | 000,001,755 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache
[2008/01/06 13:40:25 | 000,000,000 | ---- | C] () -- C:\WINDOWS\PhEdit.INI
[2008/01/06 13:14:29 | 000,000,097 | ---- | C] () -- C:\WINDOWS\System32\PICSDK.ini
[2007/12/10 07:27:16 | 000,007,168 | ---- | C] () -- C:\Documents and Settings\Me\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2007/11/20 18:56:31 | 000,010,605 | ---- | C] () -- C:\WINDOWS\hpdj3600.ini
[2007/09/29 11:18:11 | 000,000,125 | ---- | C] () -- C:\Documents and Settings\Me\Local Settings\Application Data\fusioncache.dat
[2007/07/21 17:01:39 | 000,000,044 | ---- | C] () -- C:\WINDOWS\System32\msssc.dll
[2006/10/22 12:22:00 | 001,703,936 | ---- | C] () -- C:\WINDOWS\System32\nvwdmcpl.dll
[2006/10/22 12:22:00 | 001,474,560 | ---- | C] () -- C:\WINDOWS\System32\nview.dll
[2006/10/22 12:22:00 | 001,019,904 | ---- | C] () -- C:\WINDOWS\System32\nvwimg.dll
[2006/10/22 12:22:00 | 000,581,632 | ---- | C] () -- C:\WINDOWS\System32\nvhwvid.dll
[2006/10/22 12:22:00 | 000,466,944 | ---- | C] () -- C:\WINDOWS\System32\nvshell.dll
[2006/10/22 12:22:00 | 000,286,720 | ---- | C] () -- C:\WINDOWS\System32\nvnt4cpl.dll
[2006/03/06 11:41:02 | 000,073,728 | ---- | C] () -- C:\WINDOWS\System32\AMV_DecDLL.dll
[2004/09/16 14:26:40 | 000,012,634 | ---- | C] () -- C:\WINDOWS\System32\drivers\ADFUUD.SYS

========== LOP Check ==========

[2010/07/03 11:39:38 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Alawar Stargaze
[2010/07/03 10:49:16 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\AlawarWrapper
[2008/09/28 00:07:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\IM
[2008/09/28 00:06:50 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\IncrediMail
[2010/05/01 20:02:33 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\NeoEdge Networks
[2010/04/19 20:38:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2007/11/24 10:55:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Yahoo
[2010/03/26 07:42:44 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Me\Application Data\LPECommon
[2008/01/06 13:28:49 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Me\Application Data\Panasonic
[2010/07/03 10:49:52 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Me\Application Data\SecretIslandUSA
[2010/07/10 15:12:55 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Me\Application Data\Sony Online Entertainment

========== Purity Check ==========



========== Custom Scans ==========


< %SYSTEMDRIVE%\*.exe >


< MD5 for: AGP440.SYS >
[2004/08/04 02:05:44 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:AGP440.sys
[2009/10/02 13:46:41 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:AGP440.sys
[2009/10/02 13:46:41 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:AGP440.sys
[2008/04/13 14:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\ERDNT\cache\agp440.sys
[2008/04/13 14:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\ServicePackFiles\i386\agp440.sys
[2008/04/13 14:36:38 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\system32\drivers\agp440.sys
[2004/08/03 23:07:42 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=2C428FA0C3E3A01ED93C9B2A27D8D4BB -- C:\WINDOWS\$NtServicePackUninstall$\agp440.sys
[2004/08/03 23:07:42 | 000,042,368 | ---- | M] (Microsoft Corporation) MD5=2C428FA0C3E3A01ED93C9B2A27D8D4BB -- C:\WINDOWS\system32\ReinstallBackups\0009\DriverFiles\i386\AGP440.SYS

< MD5 for: ATAPI.SYS >
[2004/08/04 02:05:44 | 018,738,937 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp2.cab:atapi.sys
[2009/10/02 13:46:41 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\Driver Cache\i386\sp3.cab:atapi.sys
[2009/10/02 13:46:41 | 023,852,652 | ---- | M] () .cab file -- C:\WINDOWS\ServicePackFiles\i386\sp3.cab:atapi.sys
[2008/04/13 14:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ERDNT\cache\atapi.sys
[2008/04/13 14:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ServicePackFiles\i386\atapi.sys
[2008/04/13 14:40:30 | 000,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\system32\drivers\atapi.sys
[2004/08/03 22:59:44 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\$NtServicePackUninstall$\atapi.sys
[2004/08/03 18:59:44 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\system32\ReinstallBackups\0002\DriverFiles\i386\atapi.sys
[2004/08/03 22:59:44 | 000,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\system32\ReinstallBackups\0006\DriverFiles\i386\atapi.sys

< MD5 for: EVENTLOG.DLL >
[2008/04/13 20:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\ERDNT\cache\eventlog.dll
[2008/04/13 20:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\ServicePackFiles\i386\eventlog.dll
[2008/04/13 20:11:53 | 000,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\system32\eventlog.dll
[2004/08/04 01:56:44 | 000,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll

< MD5 for: NETLOGON.DLL >
[2008/04/13 20:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\ERDNT\cache\netlogon.dll
[2008/04/13 20:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\ServicePackFiles\i386\netlogon.dll
[2008/04/13 20:12:01 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\system32\netlogon.dll
[2004/08/04 01:56:46 | 000,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\WINDOWS\$NtServicePackUninstall$\netlogon.dll

< MD5 for: SCECLI.DLL >
[2004/08/04 01:56:46 | 000,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\WINDOWS\$NtServicePackUninstall$\scecli.dll
[2008/04/13 20:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\ERDNT\cache\scecli.dll
[2008/04/13 20:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\ServicePackFiles\i386\scecli.dll
[2008/04/13 20:12:05 | 000,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\system32\scecli.dll

< %systemroot%\*. /mp /s >

< %systemroot%\system32\*.dll /lockedfiles >

< %systemroot%\Tasks\*.job /lockedfiles >

< %systemroot%\system32\drivers\*.sys /lockedfiles >

< %systemroot%\System32\config\*.sav >
[2007/07/20 09:29:55 | 000,094,208 | ---- | M] () -- C:\WINDOWS\system32\config\default.sav
[2007/07/20 09:29:55 | 000,659,456 | ---- | M] () -- C:\WINDOWS\system32\config\software.sav
[2007/07/20 09:29:55 | 000,876,544 | ---- | M] () -- C:\WINDOWS\system32\config\system.sav

========== Alternate Data Streams ==========

@Alternate Data Stream - 125 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:5D17C178
< End of report >

mavson
2010-09-23, 23:24
For some reason it isn't letting me post the extras log; it keeps saying there is a problem and I get the diagnosis screen?

ken545
2010-09-24, 00:54
Not a problem on the extras. Looks like your hosts file was reset a few times.

Download the HostsXpert 4.3 - Hosts File Manager (http://www.funkytoad.com/download/HostsXpert.zip).

Unzip HostsXpert 4.2.0.0 - Hosts File Manager to a convenient folder such as C:\HostsXpert
Click HostsXpert.exe to Run HostsXpert - Hosts File Manager from its new home
Click "Make Hosts Writable?" in the upper left corner.
Click Restore Microsoft's Hosts file and then click OK.
Click the X to exit the program.
Note: If you were using a custom Hosts file you will need to replace any of those entries yourself.



Let me know if the pop-up windows have stopped?

mavson
2010-09-24, 01:10
OK, I reset the hosts file, then exited out. I brought up Explorer and ran a few searches and didn't get any redirects, but did get another Explorer window open up with a birthday card site (one of the searches I did was for cards), so not sure what could be wrong with that.

ken545
2010-09-24, 01:34
Let's see what this finds.

Download OTS.exe (http://oldtimer.geekstogo.com/OTS.exe) by OldTimer to your Desktop.
Close any open browsers.
Double-click on OTS.exe to start the program.
Leave all settings as they appear as default, except for the following:
Under Drivers, select "All".
Under Additional Scans, click on the "Extra" button.

Now click the Run Scan button on the toolbar.
The program will be scanning huge amounts of data so depending on your system it could take a long time to complete. Let it run unhindered until it finishes.
When the scan is complete Notepad will open with the report file loaded in it.
Save that notepad file
Use the Reply button and attach the Notepad file here (do not copy and paste it into a reply; rather, attach it).

mavson
2010-09-24, 01:51
OK, I ran the OTS program. It didn't take very long at all though, so I don't know if that is a bad thing. I am attaching the log file to this. Again, I appreciate all the help you are giving me. I had to zip the file to attach it, so I hope that is OK.

ken545
2010-09-24, 11:57
Good Morning,

OTS does not take long, not to worry.

Start OTS.

Copy/Paste the information in the quotebox below into the pane where it says "Paste fix here" and then click the Run Fix button.


[Unregister Dlls]
[Alternate Data Streams]
NY -> @Alternate Data Stream - 125 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:5D17C178
[Purity]
[Empty Temp Folders]
[Start Explorer]




The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here along with a new OTS log.





Copy and paste these lines into Notepad.

@Echo on
REM Rewrite the hosts file so it holds only the default localhost entry
pushd\windows\system32\drivers\etc
attrib -h -s -r hosts
echo 127.0.0.1 localhost>HOSTS
attrib +r +h +s hosts
popd
REM Drop and renew the DHCP lease, then clear the DNS resolver cache
ipconfig /release
ipconfig /renew
ipconfig /flushdns
REM Reset the Winsock catalog and the TCP/IP stack, then reboot
netsh winsock reset all
netsh int ip reset all
shutdown -r -t 1
REM The batch file deletes itself
del %0

Save as flush.bat to your desktop. Double click to run.
*** Note: on Win Vista and Win 7 you need to right-click and choose "Run as Administrator". The computer will reboot itself.



Let me know if you're still getting that extra window.
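
The HostsXpert restore earlier in this thread and the flush.bat above both put the hosts file back to a single localhost entry, because a tampered hosts file is one way a browser ends up on a site it never asked for. As an added example that is not part of this thread, of HostsXpert or of OTS, the following Python audits a hosts file the way a defender would before and after such a reset: it parses the active entries, treats localhost mapped to loopback as the default, flags any hostname pinned to a routable address (a silent redirect, since the resolver never consults DNS for it) and flags watchlisted names pinned to loopback or 0.0.0.0, which is how security-vendor update and download sites get blocked. The watchlist domains and the sample file contents are constructed for the example.

```python
import ipaddress
from typing import List, Tuple

# The minimal hosts file flush.bat writes back: only the localhost entry.
DEFAULT_HOSTS = "127.0.0.1 localhost\n"

# Constructed watchlist; a real deployment lists its own vendors' update/download hosts.
WATCHLIST = ("update.example-av.test", "download.example-av.test")

# Constructed sample, not the hosts file from the machine in this thread.
SAMPLE_HIJACKED = (
    "# constructed sample, not from the machine in this thread\n"
    "127.0.0.1\tlocalhost\n"
    "127.0.0.1\tupdate.example-av.test   # vendor updates silently blocked\n"
    "203.0.113.10\twww.example-search.test  # searches pinned to a rogue host\n"
)


def parse_hosts(text: str) -> List[Tuple[int, str, List[str]]]:
    """Return (line_no, address, [hostnames]) for every active hosts entry.

    '#' starts a comment, on its own line or after an entry; fields are split on
    any run of spaces or tabs, and hostnames are lower-cased for comparison.
    """
    entries = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue  # malformed line with no hostname maps nothing
        entries.append((line_no, fields[0], [h.lower() for h in fields[1:]]))
    return entries


def audit_hosts(text: str, watchlist=WATCHLIST) -> List[str]:
    """List the entries a defender should look at; an empty list means nothing odd."""
    findings = []
    for line_no, ip, hosts in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            findings.append(f"line {line_no}: unparseable address {ip!r}")
            continue
        for host in hosts:
            if host in ("localhost", "localhost.localdomain"):
                if not addr.is_loopback:
                    findings.append(f"line {line_no}: localhost mapped to non-loopback {ip}")
                continue
            if addr.is_loopback or addr.is_unspecified:
                # Pinning a name to loopback/0.0.0.0 blocks it: harmless for ad hosts,
                # suspicious when the name belongs to a security vendor.
                if any(host == w or host.endswith("." + w) for w in watchlist):
                    findings.append(f"line {line_no}: watchlisted host {host} blocked via {ip}")
            else:
                # A name pinned to a routable address bypasses DNS entirely: a redirect.
                findings.append(f"line {line_no}: {host} redirected to {ip}")
    return findings


def is_default(text: str) -> bool:
    """True when the only active entry maps localhost to a loopback address."""
    entries = parse_hosts(text)
    if len(entries) != 1:
        return False
    _, ip, hosts = entries[0]
    try:
        return hosts == ["localhost"] and ipaddress.ip_address(ip).is_loopback
    except ValueError:
        return False


if __name__ == "__main__":
    for label, content in (("default", DEFAULT_HOSTS), ("sample", SAMPLE_HIJACKED)):
        print(f"{label}: default={is_default(content)}")
        for finding in audit_hosts(content):
            print("  ", finding)
```

Pointing it at a real file is `audit_hosts(open(r"C:\WINDOWS\system32\drivers\etc\hosts").read())`; the attribute bits the batch file toggles do not affect reading. Because entries are compared after lower-casing and comments are stripped first, an entry hidden behind trailing whitespace or mixed case is still reported.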

mavson
2010-09-24, 13:18
Good morning. I ran OTS again, and after it ran it had to reboot my computer. When it came back on I had the Notepad log, but it did not create a new OTS log. Here is the other one, though:

All Processes Killed
[Alternate Data Streams]
ADS C:\Documents and Settings\All Users\Application Data\TEMP:5D17C178 deleted successfully.
[Purity]
Purity scan complete.
[Empty Temp Folders]


User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 8485936 bytes
->Java cache emptied: 0 bytes
->Flash cache emptied: 5954 bytes

User: Me
->Temp folder emptied: 139167 bytes
->Temporary Internet Files folder emptied: 5156826 bytes
->Java cache emptied: 9287 bytes
->Flash cache emptied: 1492 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 60114540 bytes
->Java cache emptied: 0 bytes
->Flash cache emptied: 8215 bytes

User: program files for Edrive

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 1113810 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 120 bytes

Total Files Cleaned = 72.00 mb

< End of fix log >
OTS by OldTimer - Version 3.1.38.1 fix logfile created on 09242010_070909

Files\Folders moved on Reboot...
File\Folder C:\Documents and Settings\Me\Local Settings\Temp\~DF1295.tmp not found!
File\Folder C:\Documents and Settings\Me\Local Settings\Temp\~DF12A4.tmp not found!
File\Folder C:\Documents and Settings\Me\Local Settings\Temp\~DF136C.tmp not found!
File\Folder C:\Documents and Settings\Me\Local Settings\Temp\~DF14B3.tmp not found!
File\Folder C:\Documents and Settings\Me\Local Settings\Temp\~DFF42.tmp not found!
File\Folder C:\Documents and Settings\Me\Local Settings\Temp\~DFF58.tmp not found!
C:\Documents and Settings\Me\Local Settings\Temporary Internet Files\Content.IE5\MGNUFXE3\showthread[1].htm moved successfully.
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\VZB7260K\PortalServe[1].htm moved successfully.
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\VZB7260K\search1[2].htm moved successfully.
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\JBXE0PRV\breakingnews[1].txt moved successfully.
File\Folder C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\JBXE0PRV\mevio_com[1].txt not found!
File\Folder C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\JBXE0PRV\sitetvratings[1].html not found!
File\Folder C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\HFW9MD9W\;subTagID=100;subTagName=;clickTrack=;impactTrack=;cb=318012186[1].htm not found!
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\HFW9MD9W\fw-nonplayer-banner[4].htm moved successfully.
File\Folder C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\HFW9MD9W\login_status[2].php not found!
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\HFW9MD9W\mucinex_monsterrevision_us_450x360_h264[1].mp4 moved successfully.
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\HFW9MD9W\na[1].htm moved successfully.
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\FVEZW0TQ\fw-nonplayer-banner[1].htm moved successfully.
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\FVEZW0TQ\news[1].aspx moved successfully.
File\Folder C:\WINDOWS\temp\fla7.tmp not found!

Registry entries deleted on Reboot...

mavson
2010-09-24, 13:24
I ran the flush.bat and it restarted my computer. When I got back on Explorer, the first thing I did was search for this site and it redirected me to another spyware blocker site. I clicked on the Spybot home page and it took me to a spyware hunter blocker site.

Thanks for your help I really appreciate it.

ken545
2010-09-24, 15:29
Open Internet Explorer and do this.

Go to Tools > Internet Options > Advanced Tab > Reset Internet Explorer Settings > Reset. It will take a few seconds; then OK your way out, close IE and reopen it, and see if this helped.

mavson
2010-09-24, 16:42
Did that, then restarted Explorer and ran a few searches. I still got another window pop up with an ad site, and even had another window pop up for the Spybot Search and Destroy download site. Sorry, I don't know what seems to be the problem. Thank you again for the help.

ken545
2010-09-24, 18:37
Let me ask you, are you using a router?

Step 1 | Download MBRCheck.exe (http://ad13.geekstogo.com/MBRCheck.exe) to your desktop.
Be sure to disable your security programs
Double click on the file to run it
A window will open on your desktop
If an unknown bootcode is found, you will have further options available to you; at this time press N, then press Enter twice.
If nothing unusual is found, just press Enter. A .txt file named MBRCheck_mm.dd.yy_hh.mm.ss should appear on your desktop.
Please post the contents of that file.

mavson
2010-09-24, 19:13
Yes, I do use a router. Here are the contents of the log file after running MBRCheck.exe. I also seem to have random windows pop up if I walk away from the computer and come back after a little bit; there will be a couple opened up.

MBRCheck, version 1.2.3
(c) 2010, AD

Command-line:
Windows Version: Windows XP Professional
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x0000003d

Kernel Drivers (total 114):
0x804D7000 \WINDOWS\system32\ntoskrnl.exe
0x806FF000 \WINDOWS\system32\hal.dll
0x8AE27000 \WINDOWS\system32\KDCOM.DLL
0xF789B000 \WINDOWS\system32\BOOTVID.dll
0xF75A8000 ACPI.sys
0xF7987000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
0xF7597000 pci.sys
0xF75F7000 isapnp.sys
0xF7A4F000 pciide.sys
0xF7707000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
0xF7989000 intelide.sys
0xF7607000 MountMgr.sys
0xF74D8000 ftdisk.sys
0xF798B000 dmload.sys
0xF74B2000 dmio.sys
0xF770F000 PartMgr.sys
0xF7617000 VolSnap.sys
0xF749A000 atapi.sys
0xF7627000 disk.sys
0xF7637000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
0xF747A000 fltmgr.sys
0xF7468000 sr.sys
0xF7647000 PxHelp20.sys
0xF7451000 KSecDD.sys
0xF743E000 WudfPf.sys
0xF7B52000 Ntfs.sys
0xF7411000 NDIS.sys
0xF787D000 Mup.sys
0xF7657000 agp440.sys
0xB8451000 \SystemRoot\system32\DRIVERS\nv4_mini.sys
0xB843D000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
0xF7747000 \SystemRoot\system32\DRIVERS\usbuhci.sys
0xB8419000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0xF774F000 \SystemRoot\system32\DRIVERS\usbehci.sys
0xB83EE000 \SystemRoot\system32\DRIVERS\b57xp32.sys
0xBA6FC000 \SystemRoot\system32\DRIVERS\i8042prt.sys
0xF7757000 \SystemRoot\system32\DRIVERS\mouclass.sys
0xF775F000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0xB83DA000 \SystemRoot\system32\DRIVERS\parport.sys
0xF7667000 \SystemRoot\system32\DRIVERS\serial.sys
0xBA7C8000 \SystemRoot\system32\DRIVERS\serenum.sys
0xF7767000 \SystemRoot\system32\DRIVERS\fdc.sys
0xF776F000 \SystemRoot\system32\drivers\Afc.sys
0xF7677000 \SystemRoot\system32\DRIVERS\cdrom.sys
0xF7687000 \SystemRoot\system32\DRIVERS\redbook.sys
0xB83B7000 \SystemRoot\system32\DRIVERS\ks.sys
0xB8329000 \SystemRoot\system32\drivers\smwdm.sys
0xB8305000 \SystemRoot\system32\drivers\portcls.sys
0xF7697000 \SystemRoot\system32\drivers\drmk.sys
0xB82ED000 \SystemRoot\system32\drivers\aeaudio.sys
0xF76A7000 \SystemRoot\system32\DRIVERS\intelppm.sys
0xF7AB3000 \SystemRoot\system32\DRIVERS\audstub.sys
0xF76B7000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0xBA7C0000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0xB82D6000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0xF76C7000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0xF76D7000 \SystemRoot\system32\DRIVERS\raspptp.sys
0xF7777000 \SystemRoot\system32\DRIVERS\TDI.SYS
0xB82C5000 \SystemRoot\system32\DRIVERS\psched.sys
0xF76E7000 \SystemRoot\system32\DRIVERS\msgpc.sys
0xB8BA1000 \SystemRoot\system32\DRIVERS\ptilink.sys
0xB8B99000 \SystemRoot\system32\DRIVERS\raspti.sys
0xB7D8B000 \SystemRoot\system32\DRIVERS\rdpdr.sys
0xB9F85000 \SystemRoot\system32\DRIVERS\termdd.sys
0xF79CB000 \SystemRoot\system32\DRIVERS\swenum.sys
0xB7D2D000 \SystemRoot\system32\DRIVERS\update.sys
0xF7923000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0xBA77C000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xBA76C000 \SystemRoot\system32\DRIVERS\usbhub.sys
0xF79FF000 \SystemRoot\system32\DRIVERS\USBD.SYS
0xF77EF000 \SystemRoot\system32\DRIVERS\flpydisk.sys
0xF7995000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xB43BB000 \SystemRoot\System32\Drivers\Null.SYS
0xF7997000 \SystemRoot\System32\Drivers\Beep.SYS
0xF7817000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
0xF781F000 \SystemRoot\System32\drivers\vga.sys
0xF7999000 \SystemRoot\System32\Drivers\mnmdd.SYS
0xF799B000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0xF773F000 \SystemRoot\System32\Drivers\Msfs.SYS
0xB55F0000 \SystemRoot\System32\Drivers\Npfs.SYS
0xBA7D4000 \SystemRoot\system32\DRIVERS\rasacd.sys
0xB2A38000 \SystemRoot\system32\DRIVERS\ipsec.sys
0xB29DF000 \SystemRoot\system32\DRIVERS\tcpip.sys
0xB29B7000 \SystemRoot\system32\DRIVERS\netbt.sys
0xB298B000 \SystemRoot\System32\drivers\afd.sys
0xB4379000 \SystemRoot\system32\DRIVERS\netbios.sys
0xB2960000 \SystemRoot\system32\DRIVERS\rdbss.sys
0xB28F0000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0xB4359000 \SystemRoot\System32\Drivers\Fips.SYS
0xB28CA000 \SystemRoot\system32\DRIVERS\ipnat.sys
0xB4349000 \SystemRoot\system32\DRIVERS\wanarp.sys
0xB4691000 \SystemRoot\system32\DRIVERS\usbccgp.sys
0xB403C000 \SystemRoot\system32\DRIVERS\hidusb.sys
0xB3815000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
0xB30C0000 \SystemRoot\system32\DRIVERS\kbdhid.sys
0xA8D32000 \SystemRoot\System32\Drivers\Fastfat.SYS
0xA8D1A000 \SystemRoot\System32\Drivers\dump_atapi.sys
0xB47E5000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
0xBF800000 \SystemRoot\System32\win32k.sys
0xA97C8000 \SystemRoot\System32\drivers\Dxapi.sys
0xAA1A9000 \SystemRoot\System32\watchdog.sys
0xBF000000 \SystemRoot\System32\drivers\dxg.sys
0xAF3F9000 \SystemRoot\System32\drivers\dxgthk.sys
0xBF012000 \SystemRoot\System32\nv4_disp.dll
0xBFFA0000 \SystemRoot\System32\ATMFD.DLL
0xAEC4E000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0xA8446000 \SystemRoot\system32\DRIVERS\mrxdav.sys
0xB020D000 \SystemRoot\System32\Drivers\ParVdm.SYS
0xA8377000 \SystemRoot\system32\DRIVERS\srv.sys
0xA9090000 \SystemRoot\System32\Drivers\Cdfs.SYS
0xA8132000 \SystemRoot\system32\drivers\wdmaud.sys
0xB9F65000 \SystemRoot\system32\drivers\sysaudio.sys
0xA7EE3000 \SystemRoot\System32\Drivers\HTTP.sys
0x7C900000 \WINDOWS\system32\ntdll.dll

Processes (total 40):
0 System Idle Process
4 System
392 C:\WINDOWS\system32\smss.exe
440 csrss.exe
464 C:\WINDOWS\system32\winlogon.exe
512 C:\WINDOWS\system32\services.exe
524 C:\WINDOWS\system32\lsass.exe
684 C:\WINDOWS\system32\svchost.exe
748 svchost.exe
896 C:\WINDOWS\system32\svchost.exe
1004 svchost.exe
1100 svchost.exe
1188 C:\WINDOWS\system32\spoolsv.exe
1280 svchost.exe
1444 C:\Program Files\Java\jre6\bin\jqs.exe
1496 C:\WINDOWS\system32\nvsvc32.exe
1692 C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
2016 alg.exe
1548 C:\WINDOWS\system32\wscntfy.exe
1544 C:\WINDOWS\explorer.exe
536 C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
1492 C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
2000 C:\Program Files\Java\jre6\bin\jusched.exe
2056 C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
2064 C:\Program Files\Hewlett-Packard\HP Software Update\hpwuSchd.exe
2072 C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
2080 C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
2088 C:\WINDOWS\system32\rundll32.exe
2120 C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
2128 C:\WINDOWS\system32\ctfmon.exe
2156 C:\Program Files\Panasonic\LUMIXSimpleViewer\PhLeAutoRun.exe
2164 C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe
2420 C:\Program Files\OpenOffice.org 2.2\program\soffice.exe
2508 C:\Program Files\OpenOffice.org 2.2\program\soffice.bin
2668 C:\WINDOWS\system32\svchost.exe
3596 C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac
3692 C:\Program Files\Java\jre6\bin\jucheck.exe
3868 C:\Program Files\Internet Explorer\iexplore.exe
2328 C:\WINDOWS\system32\svchost.exe
2728 C:\Documents and Settings\Me\Desktop\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)
\\.\E: --> \\.\PhysicalDrive1 at offset 0x00000000`00007e00 (FAT32)
\\.\F: --> \\.\PhysicalDrive1 at offset 0x00000006`4e87de00 (FAT32)

PhysicalDrive0 Model Number: WDCWD400BB-22HEA1, Rev: 14.03G14
PhysicalDrive1 Model Number: QUANTUMFIREBALLlct1530, Rev: A01.0F00

Size Device Name MBR Status
--------------------------------------------
37 GB \\.\PhysicalDrive0 Windows XP MBR code detected
SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A
27 GB \\.\PhysicalDrive1 Unknown MBR code
SHA1: 0DCD918E9B55B1CB6BBF593A8E9A819601ADD524


Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit:

Done!

ken545
2010-09-24, 20:06
It's possible that your Master Boot Record is infected. I need you to do two things.

1.
I need a copy of your MBR to send out for analysis


Re-run MBRCheck again.
When prompted, enter Y
Then enter 1 to dump the MBR to physical disk
Name the dumped file as Dump.dat

Enter -1 to exit

A log file named "dump.dat" will be located in the same folder as MBRCheck was saved, please zip it up and attach in your next reply.




2.
I need you to run ComboFix again, but drag the copy you have to the trash and download a fresh new copy.


Download ComboFix from one of these locations:

Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)


* IMPORTANT !!! Save ComboFix.exe to your Desktop


So I need to see the dump.dat log from MBRCheck and the new ComboFix log.
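
What an analyst does with a Dump.dat like the one requested above: verify the sector's structure, hash the boot code and compare it against a known-good table, which is essentially why MBRCheck reported one drive as "Windows XP MBR code detected" with a SHA1 and the other as "Unknown MBR code". This is an added example, not MBRCheck's or TDSSKiller's code; the boot code, partition layout and known-good table are constructed here for illustration (the partition starts at LBA 63 so the computed offset matches the 0x7e00 shown for drive C: above).

```python
"""Offline sanity check of a raw 512-byte MBR dump (e.g. the Dump.dat MBRCheck writes).

Added example for this thread; it is not MBRCheck's or TDSSKiller's code, and the
boot code and known-good hash table below are constructed for illustration only.
"""
import hashlib
import struct

SECTOR = 512
BOOT_CODE_LEN = 440      # bytes 0..439 hold the boot loader code
PTABLE_OFF = 446         # four 16-byte partition entries after the 6-byte disk-signature area
BOOT_SIG = b"\x55\xaa"   # bytes 510..511 must be 55 AA


def sha1_hex(data: bytes) -> str:
    """Upper-case SHA-1, the presentation MBRCheck uses in its report."""
    return hashlib.sha1(data).hexdigest().upper()


def parse_partitions(mbr: bytes) -> list:
    """Decode the four partition table entries into dicts (type 0x00 = empty slot)."""
    parts = []
    for i in range(4):
        e = mbr[PTABLE_OFF + 16 * i:PTABLE_OFF + 16 * (i + 1)]
        start_lba, sectors = struct.unpack("<II", e[8:16])
        parts.append({
            "index": i,
            "bootable": e[0],        # 0x80 active, 0x00 inactive, anything else is corrupt
            "type": e[4],            # e.g. 0x07 NTFS, 0x0B/0x0C FAT32
            "start_lba": start_lba,
            "sectors": sectors,
            "byte_offset": start_lba * SECTOR,   # what MBRCheck prints as "at offset"
        })
    return parts


def analyze_mbr(mbr: bytes, known_good: dict) -> dict:
    """Check structure, hash the boot code and look it up in a known-good table.

    'ok' is False when any finding was recorded. An unknown hash is a finding, not
    proof of infection: a vendor-specific loader also hashes as unknown, which is
    why a human still has to look at the dump.
    """
    findings = []
    if len(mbr) != SECTOR:
        return {"ok": False, "code_sha1": None, "code_label": None, "partitions": [],
                "findings": [f"dump is {len(mbr)} bytes, expected {SECTOR}"]}
    if mbr[510:512] != BOOT_SIG:
        findings.append("missing 0x55AA boot signature")

    code_sha1 = sha1_hex(mbr[:BOOT_CODE_LEN])
    label = known_good.get(code_sha1)
    if label is None:
        findings.append("unknown MBR boot code (hash not in known-good table)")

    parts = parse_partitions(mbr)
    for p in parts:
        if p["bootable"] not in (0x00, 0x80):
            findings.append(f"entry {p['index']}: bad boot indicator 0x{p['bootable']:02X}")
    if sum(1 for p in parts if p["bootable"] == 0x80) > 1:
        findings.append("more than one active partition")
    used = sorted((p for p in parts if p["type"] != 0), key=lambda p: p["start_lba"])
    for a, b in zip(used, used[1:]):
        if a["start_lba"] + a["sectors"] > b["start_lba"]:
            findings.append(f"entries {a['index']} and {b['index']} overlap")

    return {"ok": not findings, "code_sha1": code_sha1, "code_label": label,
            "partitions": parts, "findings": findings}


def check_dump_file(path: str, known_good: dict) -> dict:
    """Run analyze_mbr on a dumped sector file such as Dump.dat."""
    with open(path, "rb") as fh:
        return analyze_mbr(fh.read(SECTOR + 1), known_good)   # +1 exposes oversize files


# ---- constructed sample data (not a real boot sector) ----
SAMPLE_CODE = b"CONSTRUCTED SAMPLE BOOT CODE".ljust(BOOT_CODE_LEN, b"\x90")
KNOWN_GOOD = {sha1_hex(SAMPLE_CODE): "constructed sample loader"}


def build_sample_mbr(boot_code: bytes = SAMPLE_CODE, start_lba: int = 63,
                     sectors: int = 78156162, ptype: int = 0x07) -> bytes:
    """One active NTFS partition at LBA 63, i.e. byte offset 0x7E00 like drive 0 in the thread."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    entry = bytes([0x80, 1, 1, 0, ptype, 0xFE, 0xFF, 0xFF]) + struct.pack("<II", start_lba, sectors)
    return code + bytes(6) + entry + bytes(16) * 3 + BOOT_SIG


def tampered_sample_mbr() -> bytes:
    """Same sector with one boot-code byte flipped, so the hash no longer matches."""
    m = bytearray(build_sample_mbr())
    m[0] ^= 0xFF
    return bytes(m)


if __name__ == "__main__":
    for name, sector in (("clean", build_sample_mbr()), ("tampered", tampered_sample_mbr())):
        r = analyze_mbr(sector, KNOWN_GOOD)
        print(name, "ok" if r["ok"] else r["findings"], r["code_label"])
        print("  partition 0 at offset 0x%08x" % r["partitions"][0]["byte_offset"])
```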

mavson
2010-09-24, 21:08
OK, I ran MBRCheck again and got the dump.dat file, which is attached. I also downloaded a new copy of ComboFix and ran it and have attached the log below.
Thank you for your continued efforts.

ComboFix 10-09-23.01 - Me 09/24/2010 14:31:02.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3581.3274 [GMT -4:00]
Running from: c:\documents and settings\Me\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Me\Application Data\Liat
c:\documents and settings\Me\Application Data\Liat\kyxa.exe
c:\documents and settings\Me\Application Data\Yldeto
c:\documents and settings\Me\Application Data\Yldeto\feodt.exe

.
((((((((((((((((((((((((( Files Created from 2010-08-24 to 2010-09-24 )))))))))))))))))))))))))))))))
.

2010-09-24 11:35 . 2010-09-24 11:35 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple Computer
2010-09-24 11:09 . 2010-09-24 11:09 -------- d-----w- C:\_OTS
2010-09-23 12:28 . 2010-09-23 12:28 -------- d-----w- c:\program files\ESET
2010-09-23 11:43 . 2010-09-23 11:43 -------- d-----w- c:\documents and settings\Me\Application Data\Malwarebytes
2010-09-23 11:43 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-09-23 11:43 . 2010-09-23 11:43 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-09-23 11:43 . 2010-09-23 11:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-09-23 11:43 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-09-21 05:27 . 2010-09-21 05:27 -------- d-----w- c:\windows\system32\wbem\Repository
2010-09-21 05:24 . 2010-09-21 05:25 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-09-21 05:24 . 2010-09-21 05:24 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS(2)
2010-09-21 04:41 . 2010-09-21 04:41 -------- d-----w- c:\documents and settings\program files for Edrive\uTorrent
2010-09-20 07:32 . 2010-09-21 04:41 -------- d-----w- c:\documents and settings\LocalService\Application Data\Adobe(3)
2010-09-20 04:45 . 2010-09-21 04:41 -------- d-----w- c:\program files\ERUNT
2010-09-20 04:25 . 2010-09-21 04:41 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Adobe(5)
2010-09-19 05:55 . 2010-09-21 05:06 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Adobe(4)
2010-09-18 23:41 . 2010-09-18 23:42 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-09-18 12:47 . 2010-09-21 05:18 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Adobe(3)
2010-09-17 20:07 . 2010-09-21 05:21 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Adobe(2)
2010-09-17 19:55 . 2010-09-21 05:21 -------- d-----w- c:\documents and settings\LocalService\Application Data\Adobe(2)
2010-09-17 19:41 . 2010-09-17 19:41 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2010-09-15 15:24 . 2010-09-15 15:24 -------- d-----w- c:\program files\InterActual

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-24 15:12 . 2007-10-10 05:15 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2010-09-24 14:58 . 2010-05-22 06:55 -------- d-----w- c:\documents and settings\Me\Application Data\Veihxy
2010-09-24 12:27 . 2008-10-12 13:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2010-09-24 12:07 . 2007-08-04 16:10 -------- d-----w- c:\documents and settings\Me\Application Data\OpenOffice.org2
2010-09-24 00:35 . 2009-04-04 09:20 -------- d-----w- c:\documents and settings\Me\Application Data\Enme
2010-09-21 05:12 . 2007-08-04 08:36 -------- d-----w- c:\program files\Common Files\Adobe
2010-09-20 04:06 . 2010-07-03 14:42 -------- d-----w- c:\program files\Viva Media
2010-08-17 13:17 . 2004-08-04 05:56 58880 ----a-w- c:\windows\system32\spoolsv.exe
2010-07-22 15:49 . 2004-08-04 05:56 590848 ----a-w- c:\windows\system32\rpcrt4.dll
2010-07-22 05:57 . 2009-04-17 11:31 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2010-07-10 19:12 . 2010-01-09 13:59 251705 ----a-w- c:\documents and settings\Me\Application Data\Sony Online Entertainment\npsoeact.dll
2010-06-30 12:31 . 2004-08-04 05:56 149504 ----a-w- c:\windows\system32\schannel.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-12-05 8523776]
"nwiz"="nwiz.exe" [2007-12-05 1626112]
"Smapp"="c:\program files\Analog Devices\SoundMAX\SMTray.exe" [2003-05-05 143360]
"DrvLsnr"="c:\program files\Analog Devices\SoundMAX\DrvLsnr.exe" [2003-05-08 69632]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-02 149280]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2003-10-24 233472]
"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd.exe" [2003-06-25 49152]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe" [2005-07-23 176128]
"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2007-06-06 64256]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-12-05 81920]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]

c:\documents and settings\Default User\Start Menu\Programs\Startup\
ytvey.exe [2010-9-24 122880]

c:\documents and settings\Me\Start Menu\Programs\Startup\
OpenOffice.org 2.2.lnk - c:\program files\OpenOffice.org 2.2\program\quickstart.exe [2007-2-2 393216]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
LUMIX Simple Viewer.lnk - c:\program files\Panasonic\LUMIXSimpleViewer\PhLeAutoRun.exe [2008-1-6 63696]
ymetray.lnk - c:\program files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe [2007-1-26 54776]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Sony\\Station\\LaunchPad\\LaunchPad.exe"=
"c:\\Program Files\\Yahoo!\\Yahoo! Music Jukebox\\YahooMusicEngine.exe"=
"c:\\Program Files\\Sony\\Station\\Launchpad\\_aunchPad.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [12/23/2009 9:55 AM 135664]
.
Contents of the 'Scheduled Tasks' folder

2010-09-20 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2010-09-24 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-10-12 19:17]

2010-09-24 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-23 13:55]

2010-09-24 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-23 13:55]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
.
- - - - ORPHANS REMOVED - - - -

Toolbar-Locked - (no file)
HKCU-Run-{6C220F91-2C00-A847-7085-732D128E0947} - c:\documents and settings\Me\Application Data\Yldeto\feodt.exe
HKCU-Run-{B617D663-422E-B04E-9E1F-BBE0E33F4DE0} - c:\documents and settings\Me\Application Data\Liat\kyxa.exe
AddRemove-Octoshape add-in for Adobe Flash Player - c:\documents and settings\Me\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\octoshape\octoshape.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-09-24 14:40
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8AE6CC76]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf763bf28
\Driver\ACPI -> ACPI.sys @ 0xf75aecb8
\Driver\atapi -> atapi.sys @ 0xf74a0852
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805e710a
ParseProcedure -> ntoskrnl.exe @ 0x80578f7a
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805e710a
ParseProcedure -> ntoskrnl.exe @ 0x80578f7a
NDIS: Broadcom NetXtreme Gigabit Ethernet for hp -> SendCompleteHandler -> NDIS.sys @ 0xf7426bb0
PacketIndicateHandler -> NDIS.sys @ 0xf7433a21
SendHandler -> NDIS.sys @ 0xf741187b
user & kernel MBR OK

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1202660629-220523388-1801674531-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(460)
c:\windows\system32\WININET.dll

- - - - - - - > 'lsass.exe'(520)
c:\windows\system32\WININET.dll
.
Completion time: 2010-09-24 14:44:41
ComboFix-quarantined-files.txt 2010-09-24 18:44
ComboFix2.txt 2010-09-23 01:07

Pre-Run: 11,421,814,784 bytes free
Post-Run: 11,493,990,400 bytes free

- - End Of File - - 3E705678F4EF3C530DA6CAD7F5D57266

ken545
2010-09-24, 22:19
Thanks, it may take me a bit to get the results of that dump. They will need the make and model of your computer, because some vendors create their own MBR and MBRCheck may be thinking it's bad, so post it in your next reply.


Download TDSSKiller and save it to your Desktop.
http://support.kaspersky.com/downloads/utils/tdsskiller.zip

Extract the file and run it.
Once completed, it will create a log in your C:\ drive.
Please post the contents of that log.

mavson
2010-09-24, 22:36
OK, the make and model # of my computer is:

hp compaq d530 cmt
d530c/ p2 6c/ 40c/512f/4 us

I don't know if that is what you needed or not; I'm not sure if that is the make and model # that you were looking for. Posted below is the log:

2010/09/24 16:26:14.0734 TDSS rootkit removing tool 2.4.2.1 Sep 7 2010 14:43:44
2010/09/24 16:26:14.0734 ================================================================================
2010/09/24 16:26:14.0734 SystemInfo:
2010/09/24 16:26:14.0734
2010/09/24 16:26:14.0734 OS Version: 5.1.2600 ServicePack: 3.0
2010/09/24 16:26:14.0734 Product type: Workstation
2010/09/24 16:26:14.0734 ComputerName: HP1
2010/09/24 16:26:14.0734 UserName: Me
2010/09/24 16:26:14.0734 Windows directory: C:\WINDOWS
2010/09/24 16:26:14.0734 System windows directory: C:\WINDOWS
2010/09/24 16:26:14.0734 Processor architecture: Intel x86
2010/09/24 16:26:14.0734 Number of processors: 1
2010/09/24 16:26:14.0734 Page size: 0x1000
2010/09/24 16:26:14.0734 Boot type: Normal boot
2010/09/24 16:26:14.0734 ================================================================================
2010/09/24 16:26:14.0921 Initialize success
2010/09/24 16:26:19.0671 ================================================================================
2010/09/24 16:26:19.0671 Scan started
2010/09/24 16:26:19.0671 Mode: Manual;
2010/09/24 16:26:19.0671 ================================================================================
2010/09/24 16:26:37.0203 \HardDisk1\MBR - detected Rootkit.Win32.TDSS.tdl4 (0)
2010/09/24 16:26:37.0203 ================================================================================
2010/09/24 16:26:37.0203 Scan finished
2010/09/24 16:26:37.0203 ================================================================================
2010/09/24 16:26:37.0218 Detected object count: 1
2010/09/24 16:26:59.0203 \HardDisk1\MBR - will be cured after reboot
2010/09/24 16:26:59.0203 Rootkit.Win32.TDSS.tdl4(\HardDisk1\MBR) - User select action: Cure
2010/09/24 16:27:06.0531 Deinitialize success

ken545
2010-09-25, 13:07
Good Morning,

Sorry for the late reply, was away last night and didn't get back until late.

Looks like your MBR was infected and TDSSKiller fixed it. Make sure you have rebooted your computer since TDSSKiller was run, and let me know how things are now.

mavson
2010-09-25, 13:24
No problem, I thank you for your time. I have rebooted my computer and everything seems to run OK, but I still get some pop-up ads that open every now and then in another window. I don't know if I should download the anti-spy programs listed in the forums, if that would help. The computer has locked up during reboot a few times; I don't know if that means anything. Anyway, thanks again.

ken545
2010-09-25, 14:06
Let's try this program and see what it finds.

Please download SuperAntiSpyware Free (http://www.superantispyware.com/superantispyware.html)
Install the program

Run SuperAntiSpyware and click: Check for updates
Once the update is finished, on the main screen, click: Scan your computer
Check: Perform Complete Scan
Click Next to start the scan.

SuperAntiSpyware scans the computer and, when finished, lists all the infections found.
Make sure everything found has a check next to it, and press: Next <-- Important
Then, click Finish

It is possible that the program asks to reboot in order to delete some files.

Obtain the SuperAntiSpyware log as follows:
Click: Preferences
Click the Statistics/Logs tab
Under Scanner Logs, double-click SuperAntiSpyware Scan Log
It opens in your default text editor (such as Notepad)

Please provide the SuperAntiSpyware log in your next reply.

mavson
2010-09-25, 15:13
OK, I ran that one and it found 80 problems and needed to reboot to clear all of them. Posted below is the log:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 09/25/2010 at 09:06 AM

Application Version : 4.43.1000

Core Rules Database Version : 5578
Trace Rules Database Version: 3390

Scan type : Complete Scan
Total Scan Time : 00:44:34

Memory items scanned : 465
Memory threats detected : 0
Registry items scanned : 5856
Registry threats detected : 0
File items scanned : 46435
File threats detected : 80

Adware.Tracking Cookie
C:\Documents and Settings\NetworkService\Cookies\system@adecn[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@atdmt[3].txt
C:\Documents and Settings\NetworkService\Cookies\system@atdmt[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@atdmt[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@overture[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@bizzclick[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@2o7[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@specificmedia[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@adbrite[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@videoegg.adbureau[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@click.fastpartner[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@eyewonder[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@adserver.adtechus[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@insightexpressai[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@insightexpressai[3].txt
C:\Documents and Settings\NetworkService\Cookies\system@bs.serving-sys[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@realmedia[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@tacoda[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@tribalfusion[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@at.atwola[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@serving-sys[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@sportingnews.122.2o7[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@revsci[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@questionmarket[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@specificclick[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@viacom.adbureau[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@imrworldwide[3].txt
C:\Documents and Settings\NetworkService\Cookies\system@imrworldwide[4].txt
C:\Documents and Settings\NetworkService\Cookies\system@media.mtvnservices[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@ads.addynamix[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@imrworldwide[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@pointroll[3].txt
C:\Documents and Settings\NetworkService\Cookies\system@pointroll[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@collective-media[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@ads.pointroll[1].txt
media.ign.com [ E:\WINDOWS\Application Data\Macromedia\Flash Player\#SharedObjects\EU3D4KKF ]
stat.radioblogclub.com [ E:\WINDOWS\Application Data\Macromedia\Flash Player\#SharedObjects\EU3D4KKF ]
files.adbrite.com [ E:\WINDOWS\Application Data\Macromedia\Flash Player\#SharedObjects\EU3D4KKF ]
macromedia.com [ E:\WINDOWS\Application Data\Macromedia\Flash Player\#SharedObjects\EU3D4KKF ]

Trojan.Agent/Gen-Virut
C:\SYSTEM VOLUME INFORMATION\_RESTORE{AB361FEF-B892-40BA-955E-F42CD2CF40B9}\RP3\A0004171.EXE

ken545
2010-09-25, 15:43
Is your computer still locking up upon rebooting? Are those popup windows still opening?

mavson
2010-09-25, 15:51
My computer doesn't seem to be locking up after rebooting now, but when I go to shut down or restart it always delays and says that hpmcmgr.exe is still running, and I have to end it to finish the shutdown. The name on that may be off a little; I forgot to write it down. Anyway, I am also still getting redirects in the web browser.

ken545
2010-09-25, 17:20
Hi,

I had you run SuperAntiSpyware to clean out more junk so we can concentrate on your current problem.

A couple of things:

The error on shutdown is related to this; it looks like you just need to update:
http://h10025.www1.hp.com/ewfrf/wc/genericSoftwareDownloadIndex?lc=en&cc=us&softwareitem=oj-22424-5

From the SAS scan, this could be troubling, as Virut is an uncleanable virus, although I am not seeing any other markers for it, so this may just have been detected wrong; not sure.

Trojan.Agent/Gen-Virut
C:\SYSTEM VOLUME INFORMATION\_RESTORE{AB361FEF-B892-40BA-955E-F42CD2CF40B9}\RP3\A0004171.EXE

I am still not convinced that the MBR is OK. I didn't submit that dump file because it looked like TDSSKiller fixed the MBR, but let's check further.

1. Drag Combofix to the trash and grab a fresh copy, run it please and post the log.

2. Run MBRCheck again and post the log.

3. Run MBRCheck and attach a new dump log.

Then I will submit all this info and see where we stand.

mavson
2010-09-25, 18:36
OK, I redid the ComboFix and ran it, and here is the log below. I am now going to redo the MBRCheck and will post it in the next reply.

ComboFix 10-09-24.05 - Me 09/25/2010 12:18:43.3.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3581.3273 [GMT -4:00]
Running from: c:\documents and settings\Me\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2010-08-25 to 2010-09-25 )))))))))))))))))))))))))))))))
.

2010-09-25 16:03 . 2010-09-25 16:03 -------- d-----w- c:\program files\Overland
2010-09-25 12:20 . 2010-09-25 12:20 63488 ----a-w- c:\documents and settings\Me\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
2010-09-25 12:20 . 2010-09-25 12:20 52224 ----a-w- c:\documents and settings\Me\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-09-25 12:20 . 2010-09-25 12:20 117760 ----a-w- c:\documents and settings\Me\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-09-25 12:20 . 2010-09-25 12:20 -------- d-----w- c:\documents and settings\Me\Application Data\SUPERAntiSpyware.com
2010-09-25 12:20 . 2010-09-25 12:20 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-09-25 12:19 . 2010-09-25 12:20 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-09-24 11:35 . 2010-09-24 11:35 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Apple Computer
2010-09-24 11:09 . 2010-09-24 11:09 -------- d-----w- C:\_OTS
2010-09-23 12:28 . 2010-09-23 12:28 -------- d-----w- c:\program files\ESET
2010-09-23 11:43 . 2010-09-23 11:43 -------- d-----w- c:\documents and settings\Me\Application Data\Malwarebytes
2010-09-23 11:43 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-09-23 11:43 . 2010-09-23 11:43 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-09-23 11:43 . 2010-09-23 11:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-09-23 11:43 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-09-21 05:27 . 2010-09-21 05:27 -------- d-----w- c:\windows\system32\wbem\Repository
2010-09-21 05:24 . 2010-09-21 05:25 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-09-21 05:24 . 2010-09-21 05:24 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS(2)
2010-09-21 04:41 . 2010-09-21 04:41 -------- d-----w- c:\documents and settings\program files for Edrive\uTorrent
2010-09-20 07:32 . 2010-09-21 04:41 -------- d-----w- c:\documents and settings\LocalService\Application Data\Adobe(3)
2010-09-20 04:45 . 2010-09-21 04:41 -------- d-----w- c:\program files\ERUNT
2010-09-20 04:25 . 2010-09-21 04:41 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Adobe(5)
2010-09-19 05:55 . 2010-09-21 05:06 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Adobe(4)
2010-09-18 23:41 . 2010-09-18 23:42 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2010-09-18 12:47 . 2010-09-21 05:18 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Adobe(3)
2010-09-17 20:07 . 2010-09-21 05:21 -------- d-----w- c:\documents and settings\NetworkService\Application Data\Adobe(2)
2010-09-17 19:55 . 2010-09-21 05:21 -------- d-----w- c:\documents and settings\LocalService\Application Data\Adobe(2)
2010-09-17 19:41 . 2010-09-17 19:41 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2010-09-15 15:24 . 2010-09-15 15:24 -------- d-----w- c:\program files\InterActual

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-25 16:06 . 2007-08-04 16:10 -------- d-----w- c:\documents and settings\Me\Application Data\OpenOffice.org2
2010-09-24 19:16 . 2008-10-12 13:55 -------- d-----w- c:\program files\Google
2010-09-24 15:12 . 2007-10-10 05:15 1324 ----a-w- c:\windows\system32\d3d9caps.dat
2010-09-24 14:58 . 2010-05-22 06:55 -------- d-----w- c:\documents and settings\Me\Application Data\Veihxy
2010-09-24 12:27 . 2008-10-12 13:55 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2010-09-24 00:35 . 2009-04-04 09:20 -------- d-----w- c:\documents and settings\Me\Application Data\Enme
2010-09-21 05:12 . 2007-08-04 08:36 -------- d-----w- c:\program files\Common Files\Adobe
2010-09-20 04:06 . 2010-07-03 14:42 -------- d-----w- c:\program files\Viva Media
2010-08-17 13:17 . 2004-08-04 05:56 58880 ----a-w- c:\windows\system32\spoolsv.exe
2010-07-22 15:49 . 2004-08-04 05:56 590848 ----a-w- c:\windows\system32\rpcrt4.dll
2010-07-22 05:57 . 2009-04-17 11:31 5120 ----a-w- c:\windows\system32\xpsp4res.dll
2010-07-10 19:12 . 2010-01-09 13:59 251705 ----a-w- c:\documents and settings\Me\Application Data\Sony Online Entertainment\npsoeact.dll
2010-06-30 12:31 . 2004-08-04 05:56 149504 ----a-w- c:\windows\system32\schannel.dll
.

((((((((((((((((((((((((((((( SnapShot@2010-09-24_18.41.17 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-09-25 16:16 . 2010-09-25 16:16 16384 c:\windows\Temp\Perflib_Perfdata_bc.dat
+ 2010-09-24 19:17 . 2010-09-24 19:17 25214 c:\windows\Installer\{4286E640-B5FB-11DF-AC4B-005056C00008}\UNINST_Uninstall_G_F6A848FB884248E6A4CDCBDCF41F6A74_1.exe
+ 2010-09-24 19:17 . 2010-09-24 19:17 25214 c:\windows\Installer\{4286E640-B5FB-11DF-AC4B-005056C00008}\UNINST_Uninstall_G_F6A848FB884248E6A4CDCBDCF41F6A74.exe
+ 2010-09-24 19:17 . 2010-09-24 19:17 25214 c:\windows\Installer\{4286E640-B5FB-11DF-AC4B-005056C00008}\ShortcutOGL_EB071909B9884F8CBF3D6115D4ADEE5E.exe
+ 2010-09-24 19:17 . 2010-09-24 19:17 25214 c:\windows\Installer\{4286E640-B5FB-11DF-AC4B-005056C00008}\ShortcutDX_EB071909B9884F8CBF3D6115D4ADEE5E.exe
+ 2010-09-24 19:17 . 2010-09-24 19:17 25214 c:\windows\Installer\{4286E640-B5FB-11DF-AC4B-005056C00008}\googleearth.exe1_F6A848FB884248E6A4CDCBDCF41F6A74.exe
+ 2010-09-24 19:17 . 2010-09-24 19:17 25214 c:\windows\Installer\{4286E640-B5FB-11DF-AC4B-005056C00008}\googleearth.exe_F6A848FB884248E6A4CDCBDCF41F6A74.exe
+ 2010-09-24 19:17 . 2010-09-24 19:17 25214 c:\windows\Installer\{4286E640-B5FB-11DF-AC4B-005056C00008}\ARPPRODUCTICON.exe
+ 2010-09-25 16:03 . 2010-09-25 16:03 510976 c:\windows\Installer\7c744d.msi
+ 2010-09-24 19:17 . 2010-09-24 19:17 1223680 c:\windows\Installer\2af541.msi
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-09-10 2424560]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-12-05 8523776]
"nwiz"="nwiz.exe" [2007-12-05 1626112]
"Smapp"="c:\program files\Analog Devices\SoundMAX\SMTray.exe" [2003-05-05 143360]
"DrvLsnr"="c:\program files\Analog Devices\SoundMAX\DrvLsnr.exe" [2003-05-08 69632]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-02 149280]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 241664]
"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd.exe" [2003-06-25 49152]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb09.exe" [2005-07-23 176128]
"ArcSoft Connection Service"="c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe" [2007-06-06 64256]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-12-05 81920]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]

c:\documents and settings\Default User\Start Menu\Programs\Startup\
ytvey.exe [2010-9-24 122880]

c:\documents and settings\Me\Start Menu\Programs\Startup\
OpenOffice.org 2.2.lnk - c:\program files\OpenOffice.org 2.2\program\quickstart.exe [2007-2-2 393216]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
LUMIX Simple Viewer.lnk - c:\program files\Panasonic\LUMIXSimpleViewer\PhLeAutoRun.exe [2008-1-6 63696]
ymetray.lnk - c:\program files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe [2007-1-26 54776]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Sony\\Station\\LaunchPad\\LaunchPad.exe"=
"c:\\Program Files\\Yahoo!\\Yahoo! Music Jukebox\\YahooMusicEngine.exe"=
"c:\\Program Files\\Sony\\Station\\Launchpad\\_aunchPad.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 2:25 PM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 2:41 PM 67656]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [12/23/2009 9:55 AM 135664]
.
Contents of the 'Scheduled Tasks' folder

2010-09-20 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 16:34]

2010-09-25 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-10-12 19:17]

2010-09-25 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-23 13:55]

2010-09-25 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-12-23 13:55]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-09-25 12:28
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe catchme.sys CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8ADE9C76]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS @ 0xf763bf28
\Driver\ACPI -> ACPI.sys @ 0xf75aecb8
\Driver\atapi -> atapi.sys @ 0xf74a0852
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe @ 0x805e710a
ParseProcedure -> ntoskrnl.exe @ 0x80578f7a
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe @ 0x805e710a
ParseProcedure -> ntoskrnl.exe @ 0x80578f7a
NDIS: Broadcom NetXtreme Gigabit Ethernet for hp -> SendCompleteHandler -> NDIS.sys @ 0xf7426bb0
PacketIndicateHandler -> NDIS.sys @ 0xf7433a21
SendHandler -> NDIS.sys @ 0xf741187b
user & kernel MBR OK

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1202660629-220523388-1801674531-1003\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(456)
c:\windows\system32\WININET.dll
c:\program files\SUPERAntiSpyware\SASWINLO.DLL

- - - - - - - > 'lsass.exe'(516)
c:\windows\system32\WININET.dll
.
Completion time: 2010-09-25 12:33:31
ComboFix-quarantined-files.txt 2010-09-25 16:33
ComboFix2.txt 2010-09-24 18:44
ComboFix3.txt 2010-09-23 01:07

Pre-Run: 11,003,482,112 bytes free
Post-Run: 11,292,454,912 bytes free

- - End Of File - - 399F0A00CE4708B6CC0AFBAE9D6FE419

mavson
2010-09-25, 18:38
OK, I reran MBRCheck and here is the log posted below. I will now run it again, dump it, and post it in the next reply.

MBRCheck, version 1.2.3
(c) 2010, AD

Command-line:
Windows Version: Windows XP Professional
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x0000003d

Kernel Drivers (total 120):
0x804D7000 \WINDOWS\system32\ntoskrnl.exe
0x806FF000 \WINDOWS\system32\hal.dll
0x8AED9000 \WINDOWS\system32\KDCOM.DLL
0xF789B000 \WINDOWS\system32\BOOTVID.dll
0xF75A8000 ACPI.sys
0xF7987000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
0xF7597000 pci.sys
0xF75F7000 isapnp.sys
0xF7A4F000 pciide.sys
0xF7707000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
0xF7989000 intelide.sys
0xF7607000 MountMgr.sys
0xF74D8000 ftdisk.sys
0xF798B000 dmload.sys
0xF74B2000 dmio.sys
0xF770F000 PartMgr.sys
0xF7617000 VolSnap.sys
0xF749A000 atapi.sys
0xF7627000 disk.sys
0xF7637000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
0xF747A000 fltmgr.sys
0xF7468000 sr.sys
0xF7647000 PxHelp20.sys
0xF7451000 KSecDD.sys
0xF743E000 WudfPf.sys
0xF7B52000 Ntfs.sys
0xF7411000 NDIS.sys
0xF787D000 Mup.sys
0xF7657000 agp440.sys
0xB8AE4000 \SystemRoot\system32\DRIVERS\nv4_mini.sys
0xB8AD0000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
0xF77FF000 \SystemRoot\system32\DRIVERS\usbuhci.sys
0xB8AAC000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0xF7807000 \SystemRoot\system32\DRIVERS\usbehci.sys
0xB8A81000 \SystemRoot\system32\DRIVERS\b57xp32.sys
0xF76D7000 \SystemRoot\system32\DRIVERS\i8042prt.sys
0xF780F000 \SystemRoot\system32\DRIVERS\mouclass.sys
0xB93AF000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0xB8A6D000 \SystemRoot\system32\DRIVERS\parport.sys
0xF76E7000 \SystemRoot\system32\DRIVERS\serial.sys
0xF793F000 \SystemRoot\system32\DRIVERS\serenum.sys
0xB93A7000 \SystemRoot\system32\DRIVERS\fdc.sys
0xB939F000 \SystemRoot\system32\drivers\Afc.sys
0xF76F7000 \SystemRoot\system32\DRIVERS\cdrom.sys
0xF7587000 \SystemRoot\system32\DRIVERS\redbook.sys
0xB8A4A000 \SystemRoot\system32\DRIVERS\ks.sys
0xB89BC000 \SystemRoot\system32\drivers\smwdm.sys
0xB8998000 \SystemRoot\system32\drivers\portcls.sys
0xF7577000 \SystemRoot\system32\drivers\drmk.sys
0xB8980000 \SystemRoot\system32\drivers\aeaudio.sys
0xF7567000 \SystemRoot\system32\DRIVERS\intelppm.sys
0xF7A59000 \SystemRoot\system32\DRIVERS\audstub.sys
0xF7557000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0xF7947000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0xB8969000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0xF7547000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0xF7537000 \SystemRoot\system32\DRIVERS\raspptp.sys
0xB9397000 \SystemRoot\system32\DRIVERS\TDI.SYS
0xB8958000 \SystemRoot\system32\DRIVERS\psched.sys
0xF7527000 \SystemRoot\system32\DRIVERS\msgpc.sys
0xF7747000 \SystemRoot\system32\DRIVERS\ptilink.sys
0xF775F000 \SystemRoot\system32\DRIVERS\raspti.sys
0xB6F62000 \SystemRoot\system32\DRIVERS\rdpdr.sys
0xB9D5D000 \SystemRoot\system32\DRIVERS\termdd.sys
0xF79E7000 \SystemRoot\system32\DRIVERS\swenum.sys
0xB6F04000 \SystemRoot\system32\DRIVERS\update.sys
0xB9270000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0xB9DAD000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xB9D9D000 \SystemRoot\system32\DRIVERS\usbhub.sys
0xF79FF000 \SystemRoot\system32\DRIVERS\USBD.SYS
0xF773F000 \SystemRoot\system32\DRIVERS\flpydisk.sys
0xF799D000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xB352C000 \SystemRoot\System32\Drivers\Null.SYS
0xF799F000 \SystemRoot\System32\Drivers\Beep.SYS
0xF7777000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
0xF777F000 \SystemRoot\System32\drivers\vga.sys
0xF79A1000 \SystemRoot\System32\Drivers\mnmdd.SYS
0xF79A3000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0xF778F000 \SystemRoot\System32\Drivers\Msfs.SYS
0xF7797000 \SystemRoot\System32\Drivers\Npfs.SYS
0xB4782000 \SystemRoot\system32\DRIVERS\rasacd.sys
0xB2B6E000 \SystemRoot\system32\DRIVERS\ipsec.sys
0xB2B15000 \SystemRoot\system32\DRIVERS\tcpip.sys
0xB2AE3000 \SystemRoot\system32\DRIVERS\netbt.sys
0xB2AC1000 \SystemRoot\System32\drivers\afd.sys
0xB4964000 \SystemRoot\system32\DRIVERS\netbios.sys
0xB2A9F000 \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS
0xF77F7000 \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
0xB2A74000 \SystemRoot\system32\DRIVERS\rdbss.sys
0xB2A04000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0xB3DC4000 \SystemRoot\System32\Drivers\Fips.SYS
0xB29DE000 \SystemRoot\system32\DRIVERS\ipnat.sys
0xB3DB4000 \SystemRoot\system32\DRIVERS\wanarp.sys
0xB4C8A000 \SystemRoot\system32\DRIVERS\usbccgp.sys
0xB9CA8000 \SystemRoot\system32\DRIVERS\hidusb.sys
0xB284D000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
0xF7927000 \SystemRoot\system32\DRIVERS\kbdhid.sys
0xA6864000 \SystemRoot\System32\Drivers\Fastfat.SYS
0xA684C000 \SystemRoot\System32\Drivers\dump_atapi.sys
0xA8B61000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
0xBF800000 \SystemRoot\System32\win32k.sys
0xA7CEE000 \SystemRoot\System32\drivers\Dxapi.sys
0xA7966000 \SystemRoot\System32\watchdog.sys
0xBF000000 \SystemRoot\System32\drivers\dxg.sys
0xA71F6000 \SystemRoot\System32\drivers\dxgthk.sys
0xBF012000 \SystemRoot\System32\nv4_disp.dll
0xBFFA0000 \SystemRoot\System32\ATMFD.DLL
0xB9C98000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0xA5D1B000 \SystemRoot\system32\drivers\wdmaud.sys
0xA6B72000 \SystemRoot\system32\drivers\sysaudio.sys
0xA5B58000 \SystemRoot\system32\DRIVERS\mrxdav.sys
0xB6EFE000 \SystemRoot\System32\Drivers\ParVdm.SYS
0xA5A89000 \SystemRoot\system32\DRIVERS\srv.sys
0xB3D94000 \SystemRoot\System32\Drivers\Cdfs.SYS
0xACB4A000 \??\C:\DOCUME~1\Me\LOCALS~1\Temp\mbr.sys
0xACB62000 \??\C:\DOCUME~1\Me\LOCALS~1\Temp\catchme.sys
0xA7D86000 \??\C:\WINDOWS\system32\Drivers\PROCEXP113.SYS
0xA58B8000 \SystemRoot\System32\Drivers\HTTP.sys
0xA588D000 \SystemRoot\system32\drivers\kmixer.sys
0x7C900000 \WINDOWS\system32\ntdll.dll

Processes (total 25):
0 System Idle Process
4 System
384 C:\WINDOWS\system32\smss.exe
432 csrss.exe
456 C:\WINDOWS\system32\winlogon.exe
504 C:\WINDOWS\system32\services.exe
516 C:\WINDOWS\system32\lsass.exe
676 C:\WINDOWS\system32\svchost.exe
736 svchost.exe
808 C:\WINDOWS\system32\svchost.exe
856 C:\WINDOWS\system32\svchost.exe
996 svchost.exe
1092 svchost.exe
1180 C:\WINDOWS\system32\spoolsv.exe
1884 svchost.exe
188 C:\Program Files\Java\jre6\bin\jqs.exe
292 C:\WINDOWS\system32\nvsvc32.exe
784 C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
424 C:\WINDOWS\system32\wscntfy.exe
1668 alg.exe
400 C:\WINDOWS\system32\notepad.exe
224 C:\WINDOWS\explorer.exe
2036 C:\WINDOWS\system32\svchost.exe
1760 C:\WINDOWS\system32\ctfmon.exe
336 C:\Documents and Settings\Me\Desktop\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)
\\.\E: --> \\.\PhysicalDrive1 at offset 0x00000000`00007e00 (FAT32)
\\.\F: --> \\.\PhysicalDrive1 at offset 0x00000006`4e87de00 (FAT32)

PhysicalDrive0 Model Number: WDCWD400BB-22HEA1, Rev: 14.03G14
PhysicalDrive1 Model Number: QUANTUMFIREBALLlct1530, Rev: A01.0F00

Size Device Name MBR Status
--------------------------------------------
37 GB \\.\PhysicalDrive0 Windows XP MBR code detected
SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A
27 GB \\.\PhysicalDrive1 Unknown MBR code
SHA1: 0DCD918E9B55B1CB6BBF593A8E9A819601ADD524


Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit:

Done!
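The MBRCheck output above reports each volume's byte offset on the physical drive and a SHA1 per MBR, then labels the boot code as known Windows XP code or "Unknown MBR code". The following Python is an added illustration, not MBRCheck's own code: it builds a constructed 512-byte MBR, parses the partition table to recover the 0x7E00-style offsets, and classifies the boot code by hashing it against an allowlist. The sample boot code, the allowlist entry, and the choice to hash only the 440-byte code region (so the per-disk signature and partition table do not change the hash) are assumptions made here.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440           # bytes 0..439 hold the boot code
DISK_SIG_OFF = 440            # 4-byte NT disk signature, then 2 reserved bytes
PART_TABLE_OFF = 446          # four 16-byte partition entries
BOOT_SIGNATURE = b"\x55\xaa"  # bytes 510..511

# Constructed sample boot code (NOT real Windows boot code): a few plausible
# opcode bytes followed by NOP padding, just so there is something to hash.
SAMPLE_BOOT_CODE = bytes([0x33, 0xC0, 0x8E, 0xD0, 0xBC, 0x00, 0x7C]) + b"\x90" * (BOOT_CODE_LEN - 7)

# Allowlist of trusted boot-code hashes. A real checker ships fixed hashes of
# vendor boot code; here the single entry is derived from the constructed
# sample so the example runs stand-alone.
KNOWN_GOOD = {
    hashlib.sha1(SAMPLE_BOOT_CODE).hexdigest().upper(): "constructed sample boot code",
}


def partition_entry(bootable, ptype, lba_start, num_sectors):
    """Pack one 16-byte partition entry (CHS fields left zero; LBA is what matters)."""
    status = 0x80 if bootable else 0x00
    return struct.pack("<B3sB3sII", status, b"\0\0\0", ptype, b"\0\0\0", lba_start, num_sectors)


def build_mbr(boot_code, entries, disk_signature=0x12345678):
    """Assemble a 512-byte MBR from boot code, a disk signature and up to four entries."""
    if len(boot_code) != BOOT_CODE_LEN:
        raise ValueError("boot code must be exactly 440 bytes")
    if len(entries) > 4:
        raise ValueError("at most four primary partition entries")
    table = b"".join(entries) + b"\0" * 16 * (4 - len(entries))
    sector = boot_code + struct.pack("<IH", disk_signature, 0) + table + BOOT_SIGNATURE
    assert len(sector) == SECTOR_SIZE
    return sector


def parse_mbr(sector):
    """Validate the boot signature; return the boot-code hash and the used partition entries."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly one 512-byte sector")
    if sector[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature; not a valid MBR")
    partitions = []
    for i in range(4):
        raw = sector[PART_TABLE_OFF + 16 * i: PART_TABLE_OFF + 16 * (i + 1)]
        status, _chs_first, ptype, _chs_last, lba_start, num_sectors = struct.unpack("<B3sB3sII", raw)
        if ptype == 0:
            continue  # empty slot
        partitions.append({
            "slot": i,
            "bootable": status == 0x80,
            "type": ptype,
            "lba_start": lba_start,
            "sectors": num_sectors,
            # Byte offset of the volume on the physical drive, the value MBRCheck
            # prints as "at offset 0x...": LBA 63 * 512 = 0x7E00 for the XP layout.
            "byte_offset": lba_start * SECTOR_SIZE,
        })
    return {
        "disk_signature": struct.unpack_from("<I", sector, DISK_SIG_OFF)[0],
        "boot_code_sha1": hashlib.sha1(sector[:BOOT_CODE_LEN]).hexdigest().upper(),
        "partitions": partitions,
    }


def classify_mbr(sector, known_good=KNOWN_GOOD):
    """Return ('known', label) if the boot-code hash is allowlisted, else ('unknown', sha1)."""
    info = parse_mbr(sector)
    label = known_good.get(info["boot_code_sha1"])
    if label is not None:
        return ("known", label)
    return ("unknown", info["boot_code_sha1"])


# Constructed disk image: a bootable NTFS partition starting at LBA 63 (the
# classic XP layout seen in the log) followed by a FAT32 data partition.
SAMPLE_MBR = build_mbr(SAMPLE_BOOT_CODE, [
    partition_entry(True, 0x07, 63, 78_140_097),
    partition_entry(False, 0x0B, 78_140_160, 1_000_000),
])

# The same sector with two boot-code bytes overwritten (constructed change):
# the partition table is untouched, so the disk still maps the same volumes,
# but the boot-code hash no longer matches the allowlist.
TAMPERED_MBR = bytes(bytearray(b"\xEB\x3E") + SAMPLE_MBR[2:])

if __name__ == "__main__":
    for name, img in (("sample", SAMPLE_MBR), ("tampered", TAMPERED_MBR)):
        info = parse_mbr(img)
        print(name, classify_mbr(img))
        for p in info["partitions"]:
            print(f"  slot {p['slot']} type 0x{p['type']:02X} at offset 0x{p['byte_offset']:X}")
```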

mavson
2010-09-25, 18:43
Ok I finished it again and zipped up the dump.dat file and will attach it to this post. Thank you again for your help.

ken545
2010-09-25, 22:40
OK, thanks. I will submit this info and be back as soon as I hear back from them.

ken545
2010-09-25, 23:45
They would like to see a new TDSSKiller log to confirm that the MBR is clean.

Download TDSSKiller and save it to your Desktop.
http://support.kaspersky.com/downloads/utils/tdsskiller.zip

Extract the file and run it.
Once completed, it will create a log in your C:\ drive.
Please post the contents of that log.

mavson
2010-09-26, 02:50
Sorry, I have been gone all day; thanks for getting back with me so soon.
Here is the log from the scan:

2010/09/25 20:45:33.0312 TDSS rootkit removing tool 2.4.2.1 Sep 7 2010 14:43:44
2010/09/25 20:45:33.0312 ================================================================================
2010/09/25 20:45:33.0312 SystemInfo:
2010/09/25 20:45:33.0312
2010/09/25 20:45:33.0312 OS Version: 5.1.2600 ServicePack: 3.0
2010/09/25 20:45:33.0312 Product type: Workstation
2010/09/25 20:45:33.0312 ComputerName: HP1
2010/09/25 20:45:33.0312 UserName: Me
2010/09/25 20:45:33.0312 Windows directory: C:\WINDOWS
2010/09/25 20:45:33.0312 System windows directory: C:\WINDOWS
2010/09/25 20:45:33.0312 Processor architecture: Intel x86
2010/09/25 20:45:33.0312 Number of processors: 1
2010/09/25 20:45:33.0312 Page size: 0x1000
2010/09/25 20:45:33.0312 Boot type: Normal boot
2010/09/25 20:45:33.0312 ================================================================================
2010/09/25 20:45:33.0921 Initialize success
2010/09/25 20:45:37.0671 ================================================================================
2010/09/25 20:45:37.0671 Scan started
2010/09/25 20:45:37.0671 Mode: Manual;
2010/09/25 20:45:37.0671 ================================================================================
2010/09/25 20:45:40.0015 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2010/09/25 20:45:40.0140 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
2010/09/25 20:45:40.0328 aeaudio (e696e749bedcda8b23757b8b5ea93780) C:\WINDOWS\system32\drivers\aeaudio.sys
2010/09/25 20:45:40.0437 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
2010/09/25 20:45:40.0531 Afc (a7b8a3a79d35215d798a300df49ed23f) C:\WINDOWS\system32\drivers\Afc.sys
2010/09/25 20:45:40.0656 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys
2010/09/25 20:45:40.0765 agp440 (08fd04aa961bdc77fb983f328334e3d7) C:\WINDOWS\system32\DRIVERS\agp440.sys
2010/09/25 20:45:41.0359 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2010/09/25 20:45:41.0468 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
2010/09/25 20:45:41.0625 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2010/09/25 20:45:41.0750 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2010/09/25 20:45:41.0890 b57w2k (f96038aa1ec4013a93d2420fc689d1e9) C:\WINDOWS\system32\DRIVERS\b57xp32.sys
2010/09/25 20:45:42.0015 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2010/09/25 20:45:42.0140 Blfp (690308631d4f78679272dff58734f968) C:\WINDOWS\system32\DRIVERS\baspxp32.sys
2010/09/25 20:45:42.0234 BVRPMPR5 (248dfa5762dde38dfddbbd44149e9d7a) C:\WINDOWS\system32\drivers\BVRPMPR5.SYS
2010/09/25 20:45:42.0500 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2010/09/25 20:45:42.0640 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2010/09/25 20:45:42.0765 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
2010/09/25 20:45:42.0921 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2010/09/25 20:45:43.0375 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
2010/09/25 20:45:43.0500 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
2010/09/25 20:45:43.0687 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
2010/09/25 20:45:43.0859 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2010/09/25 20:45:43.0968 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
2010/09/25 20:45:44.0171 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
2010/09/25 20:45:44.0468 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
2010/09/25 20:45:44.0562 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
2010/09/25 20:45:44.0671 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
2010/09/25 20:45:44.0812 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
2010/09/25 20:45:44.0937 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
2010/09/25 20:45:45.0062 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2010/09/25 20:45:45.0171 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2010/09/25 20:45:45.0265 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2010/09/25 20:45:45.0375 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
2010/09/25 20:45:45.0531 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
2010/09/25 20:45:45.0828 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2010/09/25 20:45:45.0968 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
2010/09/25 20:45:46.0171 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys
2010/09/25 20:45:46.0296 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
2010/09/25 20:45:46.0375 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
2010/09/25 20:45:46.0500 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2010/09/25 20:45:46.0609 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2010/09/25 20:45:46.0703 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2010/09/25 20:45:46.0890 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2010/09/25 20:45:47.0015 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
2010/09/25 20:45:47.0109 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2010/09/25 20:45:47.0218 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2010/09/25 20:45:47.0343 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
2010/09/25 20:45:47.0406 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
2010/09/25 20:45:47.0546 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
2010/09/25 20:45:47.0734 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2010/09/25 20:45:47.0890 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
2010/09/25 20:45:48.0000 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2010/09/25 20:45:48.0109 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
2010/09/25 20:45:48.0265 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
2010/09/25 20:45:48.0453 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2010/09/25 20:45:48.0578 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2010/09/25 20:45:48.0718 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
2010/09/25 20:45:48.0875 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2010/09/25 20:45:48.0953 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2010/09/25 20:45:49.0062 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
2010/09/25 20:45:49.0187 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2010/09/25 20:45:49.0296 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
2010/09/25 20:45:49.0453 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
2010/09/25 20:45:49.0578 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2010/09/25 20:45:49.0625 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2010/09/25 20:45:49.0734 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2010/09/25 20:45:49.0875 NDProxy (6215023940cfd3702b46abc304e1d45a) C:\WINDOWS\system32\drivers\NDProxy.sys
2010/09/25 20:45:49.0984 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
2010/09/25 20:45:50.0109 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
2010/09/25 20:45:50.0281 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
2010/09/25 20:45:50.0375 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
2010/09/25 20:45:50.0500 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2010/09/25 20:45:50.0921 nv (8c0456001b6900114bbb1c548bd8aaf5) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
2010/09/25 20:45:51.0296 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2010/09/25 20:45:51.0359 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2010/09/25 20:45:51.0453 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
2010/09/25 20:45:51.0562 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
2010/09/25 20:45:51.0625 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2010/09/25 20:45:51.0734 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
2010/09/25 20:45:51.0859 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
2010/09/25 20:45:51.0968 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
2010/09/25 20:45:52.0453 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2010/09/25 20:45:52.0515 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
2010/09/25 20:45:52.0593 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2010/09/25 20:45:52.0687 PxHelp20 (81088114178112618b1c414a65e50f7c) C:\WINDOWS\system32\Drivers\PxHelp20.sys
2010/09/25 20:45:53.0000 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2010/09/25 20:45:53.0109 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2010/09/25 20:45:53.0156 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2010/09/25 20:45:53.0296 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2010/09/25 20:45:53.0437 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2010/09/25 20:45:53.0500 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2010/09/25 20:45:53.0593 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
2010/09/25 20:45:53.0703 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
2010/09/25 20:45:53.0812 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
2010/09/25 20:45:53.0984 SASDIFSV (a3281aec37e0720a2bc28034c2df2a56) C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
2010/09/25 20:45:54.0015 SASKUTIL (61db0d0756a99506207fd724e3692b25) C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS
2010/09/25 20:45:54.0140 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2010/09/25 20:45:54.0265 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
2010/09/25 20:45:54.0343 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
2010/09/25 20:45:54.0453 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
2010/09/25 20:45:54.0656 smwdm (fa3368a7039f5abaa4b933703ac34763) C:\WINDOWS\system32\drivers\smwdm.sys
2010/09/25 20:45:54.0875 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
2010/09/25 20:45:54.0968 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
2010/09/25 20:45:55.0078 Srv (da852e3e0bf1cea75d756f9866241e57) C:\WINDOWS\system32\DRIVERS\srv.sys
2010/09/25 20:45:55.0187 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
2010/09/25 20:45:55.0250 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
2010/09/25 20:45:55.0453 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
2010/09/25 20:45:55.0625 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2010/09/25 20:45:55.0750 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
2010/09/25 20:45:55.0875 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
2010/09/25 20:45:55.0968 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
2010/09/25 20:45:56.0109 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
2010/09/25 20:45:56.0234 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
2010/09/25 20:45:56.0359 usbaudio (e919708db44ed8543a7c017953148330) C:\WINDOWS\system32\drivers\usbaudio.sys
2010/09/25 20:45:56.0406 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
2010/09/25 20:45:56.0500 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2010/09/25 20:45:56.0578 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2010/09/25 20:45:56.0640 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
2010/09/25 20:45:56.0734 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2010/09/25 20:45:56.0875 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
2010/09/25 20:45:56.0968 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
2010/09/25 20:45:57.0125 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
2010/09/25 20:45:57.0218 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2010/09/25 20:45:57.0375 Wdf01000 (bbcfeab7e871cddac2d397ee7fa91fdc) C:\WINDOWS\system32\Drivers\wdf01000.sys
2010/09/25 20:45:57.0531 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
2010/09/25 20:45:57.0718 WpdUsb (cf4def1bf66f06964dc0d91844239104) C:\WINDOWS\system32\DRIVERS\wpdusb.sys
2010/09/25 20:45:57.0906 WudfPf (6ff66513d372d479ef1810223c8d20ce) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
2010/09/25 20:45:57.0984 WudfRd (ac13cb789d93412106b0fb6c7eb2bcb6) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
2010/09/25 20:45:58.0062 \HardDisk1\MBR - detected Rootkit.Win32.TDSS.tdl4 (0)
2010/09/25 20:45:58.0062 ================================================================================
2010/09/25 20:45:58.0062 Scan finished
2010/09/25 20:45:58.0062 ================================================================================
2010/09/25 20:45:58.0093 Detected object count: 1
2010/09/25 20:46:06.0609 \HardDisk1\MBR - will be cured after reboot
2010/09/25 20:46:06.0609 Rootkit.Win32.TDSS.tdl4(\HardDisk1\MBR) - User select action: Cure
2010/09/25 20:46:11.0046 Deinitialize success
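
The TDSSKiller log above has a fixed shape: one line per loaded driver with its MD5 and path, then any detection lines, a count, and the chosen action. As an added example (not from this thread and not part of Kaspersky's tool), the Python below parses a log in that format, pulls out the driver entries and detections, checks that the reported object count matches the detection lines actually found, and compares each driver's MD5 against a baseline. The sample log is constructed from a few lines of the one posted above; the baseline dictionary is a constructed demonstration value (the `baspxp32.sys` entry is a deliberately wrong placeholder so the mismatch path runs), not a vendor hash set.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class DriverEntry:
    name: str   # service/driver name as TDSSKiller prints it
    md5: str    # MD5 TDSSKiller computed for the image on disk
    path: str   # full path of the driver image


@dataclass(frozen=True)
class Detection:
    obj: str      # object that was flagged, e.g. \HardDisk1\MBR
    verdict: str  # detection name, e.g. Rootkit.Win32.TDSS.tdl4


# Timestamp prefix shared by every log line: YYYY/MM/DD HH:MM:SS.ffff
_TS = r"\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{4}"
DRIVER_RE = re.compile(rf"^{_TS}\s+(\S+) \(([0-9a-f]{{32}})\) (.+)$")
DETECT_RE = re.compile(rf"^{_TS}\s+(\S+) - detected (\S+)")
CURE_RE = re.compile(rf"^{_TS}\s+(\S+) - will be cured after reboot")
COUNT_RE = re.compile(rf"^{_TS}\s+Detected object count: (\d+)")

# Constructed sample: a handful of lines in the format of the log posted above.
SAMPLE_LOG = r"""
2010/09/25 20:45:42.0140 Blfp (690308631d4f78679272dff58734f968) C:\WINDOWS\system32\DRIVERS\baspxp32.sys
2010/09/25 20:45:55.0625 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2010/09/25 20:45:58.0062 \HardDisk1\MBR - detected Rootkit.Win32.TDSS.tdl4 (0)
2010/09/25 20:45:58.0062 ================================================================================
2010/09/25 20:45:58.0062 Scan finished
2010/09/25 20:45:58.0093 Detected object count: 1
2010/09/25 20:46:06.0609 \HardDisk1\MBR - will be cured after reboot
2010/09/25 20:46:06.0609 Rootkit.Win32.TDSS.tdl4(\HardDisk1\MBR) - User select action: Cure
"""

# Constructed baseline for demonstration only: tcpip.sys uses the value from the
# sample log; baspxp32.sys is a placeholder that deliberately does not match.
BASELINE = {
    "tcpip.sys": "9aefa14bd6b182d61e3119fa5f436d3d",
    "baspxp32.sys": "00000000000000000000000000000000",
}


def parse_tdsskiller_log(text: str) -> dict:
    """Split a TDSSKiller log into driver entries, detections, pending cures and the reported count."""
    entries, detections, pending, count = [], [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if m := DRIVER_RE.match(line):
            entries.append(DriverEntry(*m.groups()))
        elif m := DETECT_RE.match(line):
            detections.append(Detection(*m.groups()))
        elif m := CURE_RE.match(line):
            pending.append(m.group(1))
        elif m := COUNT_RE.match(line):
            count = int(m.group(1))
    return {"entries": entries, "detections": detections,
            "pending_cure": pending, "count": count}


def scan_is_consistent(report: dict) -> bool:
    """True when the 'Detected object count' line agrees with the detection lines found."""
    return report["count"] is not None and report["count"] == len(report["detections"])


def check_against_baseline(entries, baseline: dict) -> list:
    """Return (entry, expected_md5) for each driver whose logged MD5 differs from the baseline."""
    mismatches = []
    for e in entries:
        key = e.path.rsplit("\\", 1)[-1].lower()   # match on file name, case-insensitively
        expected = baseline.get(key)
        if expected is not None and expected != e.md5:
            mismatches.append((e, expected))
    return mismatches


if __name__ == "__main__":
    rep = parse_tdsskiller_log(SAMPLE_LOG)
    for d in rep["detections"]:
        print(f"detected {d.verdict} in {d.obj}")
    for e, expected in check_against_baseline(rep["entries"], BASELINE):
        print(f"hash mismatch: {e.name} {e.path} logged {e.md5}, baseline {expected}")
```

Run against a full log, the mismatch list is where a responder looks first: a legitimate driver whose on-disk hash no longer matches its baseline is the usual sign that a kernel-mode component was patched, which is the same class of finding as the MBR detection the tool reports on its own.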

ken545
2010-09-26, 04:20
Hi,

What's happening here is that you're infected with the TDSS rootkit, and this rootkit has infected your Master Boot Record. TDSSKiller is fixing it but the rootkit returns. We're going to have to rebuild your master boot record; this can be dangerous if not done correctly, so to be on the safe side I would like you to back up any of your important documents, photos, music files to a CD, external hard drive or a thumb drive. Let me know when you have done this and we can proceed.

mavson
2010-09-26, 05:33
OK, I don't have anything here to back up to, so it will take me until tomorrow or so to get a disk or something. I did just install a DVD drive that a friend gave me; is it possible that could have it embedded in it or something? I don't really know, just want to make sure it isn't that, because then it would keep coming back. Anyway, I appreciate your time and effort on this.

ken545
2010-09-26, 13:42
No, your DVD drive is fine; some viruses infect removable drives like a USB flash drive.

By chance, do you have your Windows CD?

mavson
2010-09-26, 14:09
No, I don't actually; I got this computer off of a friend when they were getting new ones. Sorry about that, will that be a problem?

ken545
2010-09-26, 14:16
Not sure, we will see how it goes. Let me know when you're ready.

mavson
2010-09-26, 14:39
OK, I have backed up my pictures to a disk; that is the only thing I really needed to worry about, the rest of it is no big deal. So I am ready whenever you get the chance, thanks again for the help.

ken545
2010-09-26, 16:25
I am working on a tutorial for you that may make it easier to understand, be back in a bit.

ken545
2010-09-26, 20:48
Here we go, been checking this over and over again, don't want any mistakes; any questions, please ask before you proceed.

ComboFix installed the Recovery Console. We're going to use that now.


Reboot your machine and when the Boot Menu flashes up - select "Microsoft Windows Recovery Console"
(you need to do this quickly, you only have a few seconds or your computer will boot to Windows)
http://img.photobucket.com/albums/v666/sUBs/RC_BootMenu.gif

http://img.photobucket.com/albums/v666/sUBs/RConsole_A.png

When you get to the above screen, take note of the number that references your operating system.
If it's '1' like the picture above, type 1 and press Enter.

If it asks for the administrator password, just press Enter.

http://img.photobucket.com/albums/v666/sUBs/RConsole_Fixmbr.png

Next, type FIXMBR

http://img.photobucket.com/albums/v666/sUBs/RConsole_FixmbrB.png

If it asks if you're sure you want to write a new MBR, answer 'Y'

Then type EXIT to reboot the machine.


Your damaged MBR will be replaced with a new one, and you should then be able to boot your system normally. In some cases, you may need to repair the boot sector in addition to the MBR. If your system still doesn't boot properly, repeat the steps above, but issue the fixboot command instead.


After you boot back into Windows, do this:

Press Start > Run or Windows Key + R then copy and paste the following command into the run box that opens and press "Enter"
cmd /c mbr -t>"%userprofile%\Desktop\mbr.txt"

That will place a file called MBR.txt on your desktop. Please copy and paste the contents of that file into your next post.
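
The point of the `mbr -t` report requested above is to confirm, after FIXMBR, that the first sector now holds clean boot code rather than the rootkit's. As an added example (not from this thread or from the tool the post refers to), the Python below parses a 512-byte MBR, validates the 0x55AA signature and the partition table, hashes the 440-byte boot-code area and compares it with a known-good baseline. The MBR bytes, the "clean" boot code and the baseline hash are all constructed inline for the demonstration (the boot code is a stand-in byte pattern, not real x86 code); `read_mbr` is a hypothetical helper for feeding the checker a disk image or, with administrator rights on Windows, the physical drive.

```python
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 440        # bytes 0-439: boot code; 440-445: disk signature + reserved
PART_TABLE_OFF = 446       # four 16-byte partition entries
SIGNATURE = b"\x55\xaa"    # bytes 510-511

# Constructed stand-in for "known-good" boot code: a fixed 440-byte pattern, not real code.
CLEAN_BOOT_CODE = bytes(range(256)) + bytes(range(184))
BASELINE_SHA256 = hashlib.sha256(CLEAN_BOOT_CODE).hexdigest()   # constructed baseline


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed 512-byte MBR: given boot code, one active NTFS partition, 0x55AA signature."""
    if len(boot_code) > BOOT_CODE_LEN:
        raise ValueError("boot code too long")
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")
    disk_sig = b"\x11\x22\x33\x44" + b"\x00\x00"   # constructed disk signature + 2 reserved bytes
    # status 0x80 (active), CHS start, type 0x07 (NTFS), CHS end, LBA start 63, 1,000,000 sectors
    entry = struct.pack("<B3sB3sII", 0x80, b"\x00\x00\x00", 0x07, b"\x00\x00\x00", 63, 1_000_000)
    table = entry + b"\x00" * 48                   # remaining three entries empty
    return code + disk_sig + table + SIGNATURE


def tampered_sample() -> bytes:
    """Copy of the clean sample whose boot code has been overwritten but whose partition table is intact."""
    mbr = bytearray(build_sample_mbr(CLEAN_BOOT_CODE))
    mbr[0:8] = b"\x90" * 8
    return bytes(mbr)


def read_mbr(path: str) -> bytes:
    """Hypothetical helper: first sector of a raw image file (or r'\\.\PhysicalDrive0' as Administrator)."""
    with open(path, "rb") as f:
        return f.read(MBR_SIZE)


def parse_mbr(mbr: bytes) -> dict:
    """Return signature status, boot-code hash and the non-empty partition entries."""
    if len(mbr) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        status, _chs_s, ptype, _chs_e, lba, count = struct.unpack("<B3sB3sII", mbr[off:off + 16])
        if ptype != 0:
            partitions.append({"index": i, "bootable": status == 0x80, "type": ptype,
                               "lba_start": lba, "sectors": count})
    return {
        "signature_ok": mbr[510:512] == SIGNATURE,
        "boot_code_sha256": hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": partitions,
    }


def check_mbr(mbr: bytes, known_good_boot_code_sha256: str) -> list:
    """List of findings; empty means signature, boot code and active-partition count all look sane."""
    info = parse_mbr(mbr)
    findings = []
    if not info["signature_ok"]:
        findings.append("missing 0x55AA boot signature")
    if info["boot_code_sha256"] != known_good_boot_code_sha256:
        findings.append("boot code differs from known-good baseline")
    if sum(p["bootable"] for p in info["partitions"]) != 1:
        findings.append("expected exactly one active partition")
    return findings


if __name__ == "__main__":
    for label, sample in (("clean", build_sample_mbr(CLEAN_BOOT_CODE)), ("modified", tampered_sample())):
        print(label, check_mbr(sample, BASELINE_SHA256) or "OK")
```

The design choice worth noting: the modified sample parses to exactly the same partition table as the clean one, so a check that only validates the partition layout (or only notes that the system still boots) would pass it. Comparing the boot-code hash against a baseline taken from a known-clean sector is what actually distinguishes the two, which is why the thread asks for the MBR dump after FIXMBR rather than taking a successful boot as proof.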

mavson
2010-09-26, 21:15
I have attempted to do this twice, and each time it would get to the part saying "starting the recovery console", would then load the time bar across, then basically do nothing but sit there like it was locked up. Don't know, I let it sit there for about 5 minutes and it did nothing.

ken545
2010-09-26, 21:48
OK, what you're going to need is a Windows CD for Microsoft Windows XP Professional; you're going to have to try to borrow one from a friend. There really is no way around this.

mavson
2010-09-26, 22:57
OK, I will see what I can do about that. Might be kind of hard, a lot of the people I know have the newer Vista and 7 now, but I will try to find one.
Thanks again, I will get back as soon as possible.

ken545
2010-09-26, 23:41
I was kind of afraid of that. It's the rootkit preventing the RC from running.

I will leave this thread open for you until you return.

ken545
2010-09-27, 10:35
Good Morning,

May have found a way around this. Does your DVD drive work? Can you burn files to it?

ken545
2010-09-29, 10:44
Still with us?

ken545
2010-10-07, 19:13
This thread is closed due to lack of response. If you still require assistance please start a new thread.