PDA

View Full Version : Click.Giftload



bucknut
2011-03-26, 18:15
Here is the Spybot and DDS logs. I attached a zipped Attach.txt file for Giftload issue-- Thanks for any assistance


Click.GiftLoad: [SBI $89783858] User settings (Registry value, fixed)
HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main\featurecontrol\FEATURE_BROWSER_EMULATION\svchost.exe

Right Media: Tracking cookie (Internet Explorer: VHCClient001) (Cookie, fixed)



--- Spybot - Search & Destroy version: 1.6.2 (build: 20090126) ---

2009-01-26 blindman.exe (1.0.0.8)
2009-01-26 SDFiles.exe (1.6.1.7)
2009-01-26 SDMain.exe (1.0.0.6)
2009-01-26 SDShred.exe (1.0.2.5)
2009-01-26 SDUpdate.exe (1.6.0.12)
2009-01-26 SpybotSD.exe (1.6.2.46)
2009-03-05 TeaTimer.exe (1.6.6.32)
2010-12-11 unins000.exe (51.49.0.0)
2009-01-26 Update.exe (1.6.0.7)
2009-11-04 advcheck.dll (1.6.5.20)
2007-04-02 aports.dll (2.1.0.0)
2008-06-14 DelZip179.dll (1.79.11.1)
2009-01-26 SDHelper.dll (1.6.2.14)
2008-06-19 sqlite3.dll
2009-01-26 Tools.dll (2.1.6.10)
2009-01-16 UninsSrv.dll (1.0.0.0)
2011-02-24 Includes\Adware.sbi (*)
2011-03-15 Includes\AdwareC.sbi (*)
2010-08-13 Includes\Cookies.sbi (*)
2010-12-14 Includes\Dialer.sbi (*)
2011-03-08 Includes\DialerC.sbi (*)
2011-02-24 Includes\HeavyDuty.sbi (*)
2010-11-30 Includes\Hijackers.sbi (*)
2011-03-08 Includes\HijackersC.sbi (*)
2010-09-15 Includes\iPhone.sbi (*)
2010-12-14 Includes\Keyloggers.sbi (*)
2011-03-08 Includes\KeyloggersC.sbi (*)
2004-11-29 Includes\LSP.sbi (*)
2011-02-24 Includes\Malware.sbi (*)
2011-03-16 Includes\MalwareC.sbi (*)
2011-02-24 Includes\PUPS.sbi (*)
2011-03-15 Includes\PUPSC.sbi (*)
2010-01-25 Includes\Revision.sbi (*)
2009-01-13 Includes\Security.sbi (*)
2011-03-08 Includes\SecurityC.sbi (*)
2008-06-03 Includes\Spybots.sbi (*)
2008-06-03 Includes\SpybotsC.sbi (*)
2011-02-24 Includes\Spyware.sbi (*)
2011-03-15 Includes\SpywareC.sbi (*)
2010-03-08 Includes\Tracks.uti
2010-12-28 Includes\Trojans.sbi (*)
2011-03-15 Includes\TrojansC-02.sbi (*)
2011-03-03 Includes\TrojansC-03.sbi (*)
2011-03-08 Includes\TrojansC-04.sbi (*)
2011-03-08 Includes\TrojansC-05.sbi (*)
2011-03-08 Includes\TrojansC.sbi (*)
2008-03-04 Plugins\Chai.dll
2008-03-05 Plugins\Fennel.dll
2008-02-26 Plugins\Mate.dll
2007-12-24 Plugins\TCPIPAddress.dll
----------------------------------------------------------------

.
DDS (Ver_11-03-05.01) - NTFSx86 NETWORK
Run by VHCClient001 at 9:41:58.45 on Sat 03/26/2011
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_18
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1015.605 [GMT -5:00]
.
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\VHCClient001\Local Settings\Temporary Internet Files\Content.IE5\8VS82L31\dds[1].com
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://google.com/
uWindow Title = Windows Internet Explorer provided by MSN & Bing
uInternet Connection Wizard,ShellNext = hxxp://eeepc.asus.com/global
uInternet Settings,ProxyOverride = <local>
uURLSearchHooks: H - No File
mWinlogon: Userinit=userinit.exe
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - No File
BHO: Conduit Engine : {30f9b915-b755-4826-820b-08fba6bd249d} - c:\program files\conduitengine\prxConduitEngine.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SearchHelper.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~4\office14\GROOVEEX.DLL
BHO: {ac3c3ade-dcc3-419a-a185-8b5884049c8c} - No File
BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - c:\progra~1\micros~4\office14\URLREDIR.DLL
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: {ac3c3ade-dcc3-419a-a185-8b5884049c8c} - No File
TB: {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MsnMsgr] "c:\program files\windows live\messenger\MsnMsgr.Exe" /background
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [BCSSync] "c:\program files\microsoft office\office14\BCSSync.exe" /DelayServices
mRun: [AT&T Communication Manager] "c:\program files\at&t\communication manager\ATTCM.exe" -a
mRun: [AsusTray] c:\program files\eeepc\acpi\AsTray.exe
mRun: [AsusEPCMonitor] c:\program files\eeepc\acpi\AsEPCMon.exe
mRun: [AsusACPIServer] c:\program files\eeepc\acpi\AsAcpiSvr.exe
mRun: [Alcmtr] ALCMTR.EXE
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [PCFix] e:\removal tools\pcfix\PCFix.exe
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\vhccli~1\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
StartupFolder: c:\docume~1\vhccli~1\startm~1\programs\startup\autoru~1\office~1.lnk - c:\program files\microsoft office\office\OSA.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\superh~1.lnk - c:\program files\asus\eeepc\super hybrid engine\SuperHybridEngine.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\vpncli~1.lnk - c:\windows\installer\{871df2be-41d2-4334-ac33-839af16fc8fe}\Icon3E5562ED7.ico
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\micros~4\office14\ONBttnIE.dll/105
IE: Send to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07}
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
LSP: bmnet.dll
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1256624992480
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1256624984214
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: secuload.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - No File
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~4\office14\GROOVEEX.DLL
Hosts: 127.0.0.1 www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\docume~1\vhccli~1\applic~1\mozilla\firefox\profiles\wl6l5jrt.default\
FF - prefs.js: browser.search.selectedEngine - Search
FF - prefs.js: browser.startup.homepage - hxxp://dul.startya.com/?cfg=2-488-0-0&engine_id=3&provider_id=3&product_id=488&country=
FF - prefs.js: keyword.URL - hxxp://search.fast-find.net/?sid=10101067100&s=
FF - component: c:\documents and settings\vhcclient001\application data\mozilla\firefox\profiles\wl6l5jrt.default\extensions\{ac3c3ade-dcc3-419a-a185-8b5884049c8c}\components\RadioWMPCoreGecko19.dll
FF - component: c:\documents and settings\vhcclient001\application data\mozilla\firefox\profiles\wl6l5jrt.default\extensions\engine@conduit.com\components\RadioWMPCoreGecko19.dll
FF - plugin: c:\progra~1\micros~4\office14\NPAUTHZ.DLL
FF - plugin: c:\progra~1\micros~4\office14\NPSPWRAP.DLL
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
FF - Ext: XULRunner: {621ED853-F8AA-4C0A-B36F-39E2755B1985} - c:\documents and settings\vhcclient001\local settings\application data\{621ED853-F8AA-4C0A-B36F-39E2755B1985}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: PC Safety Suite Community Toolbar: {ac3c3ade-dcc3-419a-a185-8b5884049c8c} - %profile%\extensions\{ac3c3ade-dcc3-419a-a185-8b5884049c8c}
FF - Ext: Yahoo! Toolbar: {635abd67-4fe9-1b23-4f01-e679fa7484c1} - %profile%\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
FF - Ext: Conduit Engine : engine@conduit.com - %profile%\extensions\engine@conduit.com
.
---- FIREFOX POLICIES ----
FF - user.js: browser.search.selectedEngine - Search
FF - user.js: browser.search.order.1 - Search
FF - user.js: keyword.URL - hxxp://search.fast-find.net/?sid=10101067100&s=);user_pref(yahoo.homepage.dontask, true
============= SERVICES / DRIVERS ===============
.
S0 TfFsMon;TfFsMon;c:\windows\system32\drivers\tffsmon.sys --> c:\windows\system32\drivers\TfFsMon.sys [?]
S0 TfSysMon;TfSysMon;c:\windows\system32\drivers\tfsysmon.sys --> c:\windows\system32\drivers\TfSysMon.sys [?]
S1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-10-24 165264]
S1 vcdrom;Virtual CD-ROM Device Driver;d:\software\winxp_virtualcd\VCdRom.sys [2009-10-26 8576]
S2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [2010-6-23 54752]
S2 Protector;Protector;"c:\program files\tenebril\spycatcher\protectorsvc.exe" --> c:\program files\tenebril\spycatcher\ProtectorSvc.exe [?]
S2 vnccom;vnccom;c:\windows\system32\drivers\vnccom.SYS [2010-6-10 6016]
S3 ATTRcAppSvc;AT&T RcAppSvc;c:\program files\at&t\communication manager\RcAppSvc.exe [2009-10-9 121416]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2009-8-5 704864]
S3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\microsoft office\office14\GROOVE.EXE [2010-3-25 30969208]
S3 osppsvc;Office Software Protection Platform;c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\OSPPSVC.EXE [2010-1-9 4640000]
S3 PTDUBus;PANTECH UM175 Composite Device Driver ;c:\windows\system32\drivers\ptdubus.sys --> c:\windows\system32\drivers\PTDUBus.sys [?]
S3 PTDUMdm;PANTECH UM175 Drivers;c:\windows\system32\drivers\ptdumdm.sys --> c:\windows\system32\drivers\PTDUMdm.sys [?]
S3 PTDUVsp;PANTECH UM175 Diagnostic Port;c:\windows\system32\drivers\ptduvsp.sys --> c:\windows\system32\drivers\PTDUVsp.sys [?]
S3 PTDUWFLT;PTDUWWAN Filter Driver;c:\windows\system32\drivers\ptduwflt.sys --> c:\windows\system32\drivers\PTDUWFLT.sys [?]
S3 PTDUWWAN;PANTECH UM175 WWAN Driver;c:\windows\system32\drivers\ptduwwan.sys --> c:\windows\system32\drivers\PTDUWWAN.sys [?]
S3 SWNC8UA3;Sierra Wireless MUX NDIS Driver (UMTSA3);c:\windows\system32\drivers\swnc8ua3.sys [2009-3-31 190080]
S3 SWUMXA3;Sierra Wireless USB MUX Driver (UMTSA3);c:\windows\system32\drivers\swumxa3.sys [2009-5-4 148096]
S3 TfNetMon;TfNetMon;\??\c:\windows\system32\drivers\tfnetmon.sys --> c:\windows\system32\drivers\TfNetMon.sys [?]
S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2005-1-26 280344]
.
=============== Created Last 30 ================
.
2011-03-21 00:34:43 -------- d-----w- c:\docume~1\alluse~1\applic~1\Kaspersky Lab Setup Files
2011-03-20 22:49:39 5943120 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
2011-03-20 22:48:50 5943120 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\microsoft antimalware\definition updates\{f9703d05-5333-40de-88a8-684942769372}\mpengine.dll
2011-03-20 10:29:21 -------- d-----w- c:\docume~1\vhccli~1\applic~1\PCFix
2011-03-20 10:22:01 -------- d-----w- c:\docume~1\vhccli~1\locals~1\applic~1\PackageAware
2011-03-19 17:57:11 -------- d-----w- c:\windows\system32\SpycatcherAgentSetupTemp
2011-03-19 17:56:53 -------- d-----w- c:\docume~1\alluse~1\applic~1\Tenebril
2011-03-19 15:40:42 -------- d-----w- c:\docume~1\vhccli~1\locals~1\applic~1\ConduitEngine
2011-03-19 15:40:30 0 ----a-w- c:\windows\system32\ConduitEngine.tmp
2011-03-19 15:40:29 -------- d-----w- c:\program files\ConduitEngine
2011-03-19 15:20:05 -------- d-----w- c:\program files\Computing.Net
2011-03-19 15:18:39 -------- d-----w- c:\docume~1\vhccli~1\locals~1\applic~1\Conduit
2011-03-19 15:18:38 -------- d-----w- c:\program files\Conduit
2011-03-19 15:18:36 -------- d-----w- c:\docume~1\vhccli~1\locals~1\applic~1\PC_Safety_Suite
2011-03-08 18:49:27 25048 ----a-w- c:\program files\mozilla firefox\components\browserdirprovider.dll
2011-03-08 18:49:27 140248 ----a-w- c:\program files\mozilla firefox\components\brwsrcmp.dll
2011-03-08 18:49:23 16856 ----a-w- c:\program files\mozilla firefox\plugin-container.exe
2011-03-08 18:49:22 719832 ----a-w- c:\program files\mozilla firefox\mozcpp19.dll
2011-03-04 23:09:52 -------- d-----w- c:\program files\Microsoft Security Client
2011-03-04 18:03:25 -------- dc-h--w- c:\windows\ie8
2011-03-04 14:58:44 -------- d--h--w- c:\windows\msdownld.tmp
.
==================== Find3M ====================
.
2011-02-02 23:11:20 222080 ------w- c:\windows\system32\MpSigStub.exe
2008-05-07 08:34:00 15523560 ----a-w- c:\program files\U1 Setup.exe
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: Hitachi_HTS542512K9SA00 rev.BB2OC31P -> Harddisk0\DR0 -> \Device\Ide\IdePort0 P0T0L0-3
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x86F33555]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x86f397b0]; MOV EAX, [0x86f3982c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 nt!IofCallDriver[0x804E37D5] -> \Device\Harddisk0\DR0[0x86F58AB8]
3 CLASSPNP[0xF7817FD7] -> nt!IofCallDriver[0x804E37D5] -> \Device\00000077[0x86F6F9E8]
5 ACPI[0xF778E620] -> nt!IofCallDriver[0x804E37D5] -> [0x86F70940]
\Driver\atapi[0x86EF1F38] -> IRP_MJ_CREATE -> 0x86F33555
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
\Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskHitachi_HTS542512K9SA00_________________BB2OC31P#3830313131304242323630304257584b4d57464e#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
\Driver\atapi DriverStartIo -> 0x86F3339B
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
.
============= FINISH: 9:44:35.64 ===============

shelf life
2011-03-28, 01:30
hi bucknut,

You shouldn't be using this computer until its clean. Make sure it has no connectivity, if your not sure how to do this then I would power if off.

You have a rootkit on your machine. Rootkits hide malicious files and components from traditional antivirus/antimalware software. They bury themselves deep in the operating system. Special software is needed to detect and remove them. Even if symptoms are gone and logs are clean its still not a 100% guarantee that your machine is clean once a rootkit has been detected and removed. You should consider a reformat/reinstall of Windows as an option.
The best source for information on how to do this would be the computer manufacturers website.


We will get two downloads, the first is tdsskiller, then combofix. Use in that order;

Please download TDSS Killer.exe (http://support.kaspersky.com/downloads/utils/tdsskiller.exe) and save it to your desktop

Double click to launch the utility. After it initializes click the start scan button.

Once the scan completes you can click the continue button.

"The utility will automatically select an action (Cure or Delete) for known malcious objects. A suspicious object will be skipped by default."

"After clicking Next, the utility applies selected actions and outputs the result."

"A reboot might require after disinfection."

A report will be found in your Root drive Local Disk (C) as TDSSKiller.2.4.12.0_02.01.2011_17.32.21_log.txt (name, version, date, time, log.txt)

Please post the log in your reply.

Combofix requires that you read a guide first before you use it. Read through the guide and apply the directions on your own machine. Post the log in your reply
Guide to using Combofix (http://www.bleepingcomputer.com/combofix/how-to-use-combofix)

bucknut
2011-03-28, 04:39
thanks Shelf Life

here are the logs

2011/03/27 19:24:07.0406 0552 TDSS rootkit removing tool 2.4.21.0 Mar 10 2011 12:26:28
2011/03/27 19:24:07.0921 0552 ================================================================================
2011/03/27 19:24:07.0921 0552 SystemInfo:
2011/03/27 19:24:07.0921 0552
2011/03/27 19:24:07.0921 0552 OS Version: 5.1.2600 ServicePack: 3.0
2011/03/27 19:24:07.0921 0552 Product type: Workstation
2011/03/27 19:24:07.0921 0552 ComputerName: VHCC001
2011/03/27 19:24:07.0921 0552 UserName: VHCClient001
2011/03/27 19:24:07.0921 0552 Windows directory: C:\WINDOWS
2011/03/27 19:24:07.0921 0552 System windows directory: C:\WINDOWS
2011/03/27 19:24:07.0921 0552 Processor architecture: Intel x86
2011/03/27 19:24:07.0921 0552 Number of processors: 1
2011/03/27 19:24:07.0921 0552 Page size: 0x1000
2011/03/27 19:24:07.0937 0552 Boot type: Safe boot with network
2011/03/27 19:24:07.0937 0552 ================================================================================
2011/03/27 19:24:08.0234 0552 Initialize success
2011/03/27 19:24:25.0828 0396 ================================================================================
2011/03/27 19:24:25.0828 0396 Scan started
2011/03/27 19:24:25.0828 0396 Mode: Manual;
2011/03/27 19:24:25.0828 0396 ================================================================================
2011/03/27 19:24:27.0359 0396 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2011/03/27 19:24:27.0468 0396 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\DRIVERS\ACPIEC.sys
2011/03/27 19:24:27.0656 0396 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
2011/03/27 19:24:27.0796 0396 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys
2011/03/27 19:24:28.0218 0396 AR5211 (6d5f95602b8d0d994d31a864872b38ef) C:\WINDOWS\system32\DRIVERS\ar5211.sys
2011/03/27 19:24:28.0656 0396 AsusACPI (784fcb197f9a50a419d8ce4980655ae4) C:\WINDOWS\system32\DRIVERS\ASUSACPI.sys
2011/03/27 19:24:28.0750 0396 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2011/03/27 19:24:28.0859 0396 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
2011/03/27 19:24:28.0984 0396 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2011/03/27 19:24:29.0125 0396 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2011/03/27 19:24:29.0296 0396 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2011/03/27 19:24:29.0453 0396 btaudio (9e8cf88d340e32fcb3c53955b2df388f) C:\WINDOWS\system32\drivers\btaudio.sys
2011/03/27 19:24:29.0609 0396 BTDriver (2f9f111d31aa3fbbe5781d829a4524e6) C:\WINDOWS\system32\DRIVERS\btport.sys
2011/03/27 19:24:29.0750 0396 BthEnum (b279426e3c0c344893ed78a613a73bde) C:\WINDOWS\system32\DRIVERS\BthEnum.sys
2011/03/27 19:24:29.0812 0396 BTHMODEM (fca6f069597b62d42495191ace3fc6c1) C:\WINDOWS\system32\DRIVERS\bthmodem.sys
2011/03/27 19:24:29.0906 0396 BthPan (80602b8746d3738f5886ce3d67ef06b6) C:\WINDOWS\system32\DRIVERS\bthpan.sys
2011/03/27 19:24:29.0984 0396 BTHPORT (662bfd909447dd9cc15b1a1c366583b4) C:\WINDOWS\system32\Drivers\BTHport.sys
2011/03/27 19:24:30.0093 0396 BTHUSB (61364cd71ef63b0f038b7e9df00f1efa) C:\WINDOWS\system32\Drivers\BTHUSB.sys
2011/03/27 19:24:30.0234 0396 BTKRNL (378b6f92c8a5b24baaa8f2ea3483f963) C:\WINDOWS\system32\DRIVERS\btkrnl.sys
2011/03/27 19:24:30.0453 0396 BTWDNDIS (485020a1e1fc5c51a800ca69c618d881) C:\WINDOWS\system32\DRIVERS\btwdndis.sys
2011/03/27 19:24:30.0531 0396 btwhid (c51d50cf24da69a9c499e65b0edb3bb7) C:\WINDOWS\system32\DRIVERS\btwhid.sys
2011/03/27 19:24:30.0640 0396 btwmodem (5922bae0cd84924b9cd7e6bb515ee070) C:\WINDOWS\system32\DRIVERS\btwmodem.sys
2011/03/27 19:24:30.0781 0396 BTWUSB (ec034d30a2b48fab3ed09bc75d155c7c) C:\WINDOWS\system32\Drivers\btwusb.sys
2011/03/27 19:24:30.0859 0396 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2011/03/27 19:24:31.0000 0396 CCDECODE (0be5aef125be881c4f854c554f2b025c) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
2011/03/27 19:24:31.0140 0396 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2011/03/27 19:24:31.0218 0396 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
2011/03/27 19:24:31.0343 0396 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2011/03/27 19:24:31.0562 0396 CmBatt (0f6c187d38d98f8df904589a5f94d411) C:\WINDOWS\system32\DRIVERS\CmBatt.sys
2011/03/27 19:24:31.0718 0396 Compbatt (6e4c9f21f0fae8940661144f41b13203) C:\WINDOWS\system32\DRIVERS\compbatt.sys
2011/03/27 19:24:31.0937 0396 CVirtA (b5ecadf7708960f1818c7fa015f4c239) C:\WINDOWS\system32\DRIVERS\CVirtA.sys
2011/03/27 19:24:32.0109 0396 CVPNDRVA (8a15d7bd4cf1a8ccd7c65f7349f22e35) C:\WINDOWS\system32\Drivers\CVPNDRVA.sys
2011/03/27 19:24:32.0390 0396 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
2011/03/27 19:24:32.0515 0396 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
2011/03/27 19:24:32.0656 0396 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
2011/03/27 19:24:32.0750 0396 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2011/03/27 19:24:32.0875 0396 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
2011/03/27 19:24:33.0000 0396 DNE (7b4fdfbe97c047175e613aa96f3de987) C:\WINDOWS\system32\DRIVERS\dne2000.sys
2011/03/27 19:24:33.0140 0396 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
2011/03/27 19:24:33.0296 0396 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
2011/03/27 19:24:33.0390 0396 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\drivers\Fdc.sys
2011/03/27 19:24:33.0468 0396 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
2011/03/27 19:24:33.0531 0396 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys
2011/03/27 19:24:33.0640 0396 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\DRIVERS\fltMgr.sys
2011/03/27 19:24:33.0765 0396 fssfltr (c6ee3a87fe609d3e1db9dbd072a248de) C:\WINDOWS\system32\DRIVERS\fssfltr_tdi.sys
2011/03/27 19:24:33.0890 0396 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2011/03/27 19:24:33.0984 0396 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2011/03/27 19:24:34.0078 0396 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2011/03/27 19:24:34.0125 0396 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
2011/03/27 19:24:34.0296 0396 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
2011/03/27 19:24:34.0437 0396 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
2011/03/27 19:24:34.0687 0396 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2011/03/27 19:24:34.0828 0396 ialm (6fcb904910da07c9dc2593d66438fa29) C:\WINDOWS\system32\DRIVERS\igxpmp32.sys
2011/03/27 19:24:35.0062 0396 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
2011/03/27 19:24:35.0421 0396 IntcAzAudAddService (47c79f7e330cbb829934d00f64d55fc9) C:\WINDOWS\system32\drivers\RtkHDAud.sys
2011/03/27 19:24:35.0718 0396 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys
2011/03/27 19:24:35.0796 0396 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
2011/03/27 19:24:35.0859 0396 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\DRIVERS\Ip6Fw.sys
2011/03/27 19:24:35.0921 0396 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2011/03/27 19:24:36.0015 0396 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2011/03/27 19:24:36.0078 0396 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2011/03/27 19:24:36.0171 0396 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2011/03/27 19:24:36.0265 0396 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
2011/03/27 19:24:36.0375 0396 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2011/03/27 19:24:36.0515 0396 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2011/03/27 19:24:36.0609 0396 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
2011/03/27 19:24:36.0765 0396 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
2011/03/27 19:24:36.0843 0396 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
2011/03/27 19:24:36.0921 0396 Ktp (9ea9d6ba04629cb14260f46ff8bbd65a) C:\WINDOWS\system32\DRIVERS\ETD.sys
2011/03/27 19:24:37.0062 0396 L1e (303627228dd739d98289679901a38c8f) C:\WINDOWS\system32\DRIVERS\l1e51x86.sys
2011/03/27 19:24:37.0343 0396 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2011/03/27 19:24:37.0468 0396 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
2011/03/27 19:24:37.0562 0396 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2011/03/27 19:24:37.0656 0396 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
2011/03/27 19:24:37.0765 0396 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
2011/03/27 19:24:37.0890 0396 MpFilter (7e34bfa1a7b60bba1da03d677f16cd63) C:\WINDOWS\system32\DRIVERS\MpFilter.sys
2011/03/27 19:24:38.0062 0396 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2011/03/27 19:24:38.0171 0396 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2011/03/27 19:24:38.0359 0396 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
2011/03/27 19:24:38.0500 0396 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2011/03/27 19:24:38.0593 0396 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2011/03/27 19:24:38.0687 0396 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
2011/03/27 19:24:38.0765 0396 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2011/03/27 19:24:38.0906 0396 MSTEE (e53736a9e30c45fa9e7b5eac55056d1d) C:\WINDOWS\system32\drivers\MSTEE.sys
2011/03/27 19:24:39.0046 0396 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
2011/03/27 19:24:39.0125 0396 NABTSFEC (5b50f1b2a2ed47d560577b221da734db) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
2011/03/27 19:24:39.0234 0396 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
2011/03/27 19:24:39.0343 0396 NdisIP (7ff1f1fd8609c149aa432f95a8163d97) C:\WINDOWS\system32\DRIVERS\NdisIP.sys
2011/03/27 19:24:39.0484 0396 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2011/03/27 19:24:39.0578 0396 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2011/03/27 19:24:39.0656 0396 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2011/03/27 19:24:39.0734 0396 NDProxy (6215023940cfd3702b46abc304e1d45a) C:\WINDOWS\system32\drivers\NDProxy.sys
2011/03/27 19:24:39.0859 0396 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
2011/03/27 19:24:39.0937 0396 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
2011/03/27 19:24:40.0171 0396 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
2011/03/27 19:24:40.0265 0396 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
2011/03/27 19:24:40.0468 0396 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2011/03/27 19:24:40.0562 0396 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2011/03/27 19:24:40.0625 0396 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2011/03/27 19:24:40.0843 0396 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\drivers\Parport.sys
2011/03/27 19:24:40.0921 0396 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
2011/03/27 19:24:41.0000 0396 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2011/03/27 19:24:41.0093 0396 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
2011/03/27 19:24:41.0203 0396 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\drivers\PCIIde.sys
2011/03/27 19:24:41.0281 0396 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
2011/03/27 19:24:41.0359 0396 PCTINDIS5 (1e715247efffdda938c085913045d599) C:\WINDOWS\system32\PCTINDIS5.SYS
2011/03/27 19:24:41.0875 0396 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2011/03/27 19:24:42.0000 0396 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
2011/03/27 19:24:42.0312 0396 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2011/03/27 19:24:42.0640 0396 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2011/03/27 19:24:42.0718 0396 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2011/03/27 19:24:42.0828 0396 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2011/03/27 19:24:42.0968 0396 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2011/03/27 19:24:43.0093 0396 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2011/03/27 19:24:43.0234 0396 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2011/03/27 19:24:43.0390 0396 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
2011/03/27 19:24:43.0531 0396 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
2011/03/27 19:24:43.0703 0396 RFCOMM (851c30df2807fcfa21e4c681a7d6440e) C:\WINDOWS\system32\DRIVERS\rfcomm.sys
2011/03/27 19:24:43.0828 0396 RimVSerPort (2c4fb2e9f039287767c384e46ee91030) C:\WINDOWS\system32\DRIVERS\RimSerial.sys
2011/03/27 19:24:43.0968 0396 ROOTMODEM (d8b0b4ade32574b2d9c5cc34dc0dbbe7) C:\WINDOWS\system32\Drivers\RootMdm.sys
2011/03/27 19:24:44.0187 0396 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2011/03/27 19:24:44.0296 0396 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\drivers\Serial.sys
2011/03/27 19:24:44.0484 0396 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
2011/03/27 19:24:44.0625 0396 SLIP (866d538ebe33709a5c9f5c62b73b7d14) C:\WINDOWS\system32\DRIVERS\SLIP.sys
2011/03/27 19:24:44.0796 0396 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
2011/03/27 19:24:44.0968 0396 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
2011/03/27 19:24:45.0078 0396 Srv (0f6aefad3641a657e18081f52d0c15af) C:\WINDOWS\system32\DRIVERS\srv.sys
2011/03/27 19:24:45.0187 0396 streamip (77813007ba6265c4b6098187e6ed79d2) C:\WINDOWS\system32\DRIVERS\StreamIP.sys
2011/03/27 19:24:45.0281 0396 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
2011/03/27 19:24:45.0453 0396 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
2011/03/27 19:24:45.0578 0396 swmsflt (150ab4fa272130ec55b2a4faebdf47f9) C:\WINDOWS\System32\drivers\swmsflt.sys
2011/03/27 19:24:45.0671 0396 SWNC8UA3 (384b7805c856b92bb6662fca26acdb4d) C:\WINDOWS\system32\DRIVERS\swnc8ua3.sys
2011/03/27 19:24:46.0031 0396 SWUMXA3 (086f352446a171acd850ccdef6632310) C:\WINDOWS\system32\DRIVERS\swumxa3.sys
2011/03/27 19:24:46.0328 0396 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
2011/03/27 19:24:46.0468 0396 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2011/03/27 19:24:46.0593 0396 tcpipBM (c779befc948e365cdb271b98cade6b29) C:\WINDOWS\system32\drivers\tcpipBM.sys
2011/03/27 19:24:46.0703 0396 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
2011/03/27 19:24:46.0765 0396 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
2011/03/27 19:24:46.0843 0396 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
2011/03/27 19:24:47.0296 0396 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
2011/03/27 19:24:47.0578 0396 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
2011/03/27 19:24:47.0671 0396 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
2011/03/27 19:24:47.0718 0396 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2011/03/27 19:24:47.0750 0396 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2011/03/27 19:24:47.0781 0396 usbstor (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2011/03/27 19:24:47.0828 0396 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
2011/03/27 19:24:47.0875 0396 usbvideo (63bbfca7f390f4c49ed4b96bfb1633e0) C:\WINDOWS\system32\Drivers\usbvideo.sys
2011/03/27 19:24:47.0937 0396 vcdrom (bfa4ae30b3ac10e9223830bf103f5a3f) D:\Software\WinXP_VirtualCD\VCdRom.sys
2011/03/27 19:24:48.0015 0396 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
2011/03/27 19:24:48.0140 0396 vnccom (b67632451f760797bb183e1fb99f4b39) C:\WINDOWS\system32\Drivers\vnccom.SYS
2011/03/27 19:24:48.0187 0396 vncdrv (4ec979b157d1aa075330362acb5424e5) C:\WINDOWS\system32\DRIVERS\vncdrv.sys
2011/03/27 19:24:48.0265 0396 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
2011/03/27 19:24:48.0375 0396 vsdatant (27b3dd12a19eec50220df15b64913dda) C:\WINDOWS\system32\vsdatant.sys
2011/03/27 19:24:48.0500 0396 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2011/03/27 19:24:48.0593 0396 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
2011/03/27 19:24:48.0812 0396 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys
2011/03/27 19:24:48.0843 0396 WSTCODEC (c98b39829c2bbd34e454150633c62c78) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
2011/03/27 19:24:48.0921 0396 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
2011/03/27 19:24:49.0015 0396 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
2011/03/27 19:24:49.0156 0396 \HardDisk0 - detected Rootkit.Win32.TDSS.tdl4 (0)
2011/03/27 19:24:49.0156 0396 ================================================================================
2011/03/27 19:24:49.0156 0396 Scan finished
2011/03/27 19:24:49.0156 0396 ================================================================================
2011/03/27 19:24:49.0171 1692 Detected object count: 1
2011/03/27 19:25:59.0015 1692 \HardDisk0 (Rootkit.Win32.TDSS.tdl4) - will be cured after reboot
2011/03/27 19:25:59.0015 1692 \HardDisk0 - ok
2011/03/27 19:25:59.0015 1692 Rootkit.Win32.TDSS.tdl4(\HardDisk0) - User select action: Cure
2011/03/27 19:26:07.0250 0544 Deinitialize success


------------------------------------------------------------------------

ComboFix 11-03-27.01 - VHCClient001 03/27/2011 19:56:54.1.1 - x86 NETWORK
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1015.594 [GMT -5:00]
Running from: c:\documents and settings\VHCClient001\My Documents\Downloads\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Outdated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\VHCClient001\Application Data\Adobe\AdobeUpdate .exe
c:\documents and settings\VHCClient001\Application Data\Adobe\plugs
c:\documents and settings\VHCClient001\Application Data\completescan
c:\documents and settings\VHCClient001\Application Data\install
c:\documents and settings\VHCClient001\g2ax_customer_downloadhelper_win32_x86.exe
c:\documents and settings\VHCClient001\Local Settings\Application Data\{621ED853-F8AA-4C0A-B36F-39E2755B1985}
c:\documents and settings\VHCClient001\Local Settings\Application Data\{621ED853-F8AA-4C0A-B36F-39E2755B1985}\chrome.manifest
c:\documents and settings\VHCClient001\Local Settings\Application Data\{621ED853-F8AA-4C0A-B36F-39E2755B1985}\chrome\content\_cfg.js
c:\documents and settings\VHCClient001\Local Settings\Application Data\{621ED853-F8AA-4C0A-B36F-39E2755B1985}\chrome\content\overlay.xul
c:\documents and settings\VHCClient001\Local Settings\Application Data\{621ED853-F8AA-4C0A-B36F-39E2755B1985}\install.rdf
c:\windows\system32\html
c:\windows\system32\html\calendar.html
c:\windows\system32\html\calendarbottom.html
c:\windows\system32\html\calendartop.html
c:\windows\system32\html\crystalexportdialog.htm
c:\windows\system32\html\crystalprinthost.html
c:\windows\system32\images
c:\windows\system32\images\toolbar\calendar.gif
c:\windows\system32\images\toolbar\crlogo.gif
c:\windows\system32\images\toolbar\export.gif
c:\windows\system32\images\toolbar\export_over.gif
c:\windows\system32\images\toolbar\exportd.gif
c:\windows\system32\images\toolbar\First.gif
c:\windows\system32\images\toolbar\first_over.gif
c:\windows\system32\images\toolbar\Firstd.gif
c:\windows\system32\images\toolbar\gotopage.gif
c:\windows\system32\images\toolbar\gotopage_over.gif
c:\windows\system32\images\toolbar\gotopaged.gif
c:\windows\system32\images\toolbar\grouptree.gif
c:\windows\system32\images\toolbar\grouptree_over.gif
c:\windows\system32\images\toolbar\grouptreed.gif
c:\windows\system32\images\toolbar\grouptreepressed.gif
c:\windows\system32\images\toolbar\Last.gif
c:\windows\system32\images\toolbar\last_over.gif
c:\windows\system32\images\toolbar\Lastd.gif
c:\windows\system32\images\toolbar\Next.gif
c:\windows\system32\images\toolbar\next_over.gif
c:\windows\system32\images\toolbar\Nextd.gif
c:\windows\system32\images\toolbar\Prev.gif
c:\windows\system32\images\toolbar\prev_over.gif
c:\windows\system32\images\toolbar\Prevd.gif
c:\windows\system32\images\toolbar\print.gif
c:\windows\system32\images\toolbar\print_over.gif
c:\windows\system32\images\toolbar\printd.gif
c:\windows\system32\images\toolbar\Refresh.gif
c:\windows\system32\images\toolbar\refresh_over.gif
c:\windows\system32\images\toolbar\refreshd.gif
c:\windows\system32\images\toolbar\Search.gif
c:\windows\system32\images\toolbar\search_over.gif
c:\windows\system32\images\toolbar\searchd.gif
c:\windows\system32\images\toolbar\up.gif
c:\windows\system32\images\toolbar\up_over.gif
c:\windows\system32\images\toolbar\upd.gif
c:\windows\system32\images\tree\begindots.gif
c:\windows\system32\images\tree\beginminus.gif
c:\windows\system32\images\tree\beginplus.gif
c:\windows\system32\images\tree\blank.gif
c:\windows\system32\images\tree\blankdots.gif
c:\windows\system32\images\tree\dots.gif
c:\windows\system32\images\tree\lastdots.gif
c:\windows\system32\images\tree\lastminus.gif
c:\windows\system32\images\tree\lastplus.gif
c:\windows\system32\images\tree\Magnify.gif
c:\windows\system32\images\tree\minus.gif
c:\windows\system32\images\tree\minusbox.gif
c:\windows\system32\images\tree\plus.gif
c:\windows\system32\images\tree\plusbox.gif
c:\windows\system32\images\tree\singleminus.gif
c:\windows\system32\images\tree\singleplus.gif
c:\windows\system32\Thumbs.db
c:\windows\Tasks\At1.job
c:\windows\Tasks\At10.job
c:\windows\Tasks\At100.job
c:\windows\Tasks\At101.job
c:\windows\Tasks\At102.job
c:\windows\Tasks\At103.job
c:\windows\Tasks\At104.job
c:\windows\Tasks\At105.job
c:\windows\Tasks\At106.job
c:\windows\Tasks\At107.job
c:\windows\Tasks\At108.job
c:\windows\Tasks\At109.job
c:\windows\Tasks\At11.job
c:\windows\Tasks\At110.job
c:\windows\Tasks\At111.job
c:\windows\Tasks\At112.job
c:\windows\Tasks\At113.job
c:\windows\Tasks\At114.job
c:\windows\Tasks\At115.job
c:\windows\Tasks\At116.job
c:\windows\Tasks\At117.job
c:\windows\Tasks\At118.job
c:\windows\Tasks\At119.job
c:\windows\Tasks\At12.job
c:\windows\Tasks\At120.job
c:\windows\Tasks\At13.job
c:\windows\Tasks\At14.job
c:\windows\Tasks\At15.job
c:\windows\Tasks\At16.job
c:\windows\Tasks\At17.job
c:\windows\Tasks\At18.job
c:\windows\Tasks\At19.job
c:\windows\Tasks\At2.job
c:\windows\Tasks\At20.job
c:\windows\Tasks\At21.job
c:\windows\Tasks\At22.job
c:\windows\Tasks\At23.job
c:\windows\Tasks\At24.job
c:\windows\Tasks\At25.job
c:\windows\Tasks\At26.job
c:\windows\Tasks\At27.job
c:\windows\Tasks\At28.job
c:\windows\Tasks\At29.job
c:\windows\Tasks\At3.job
c:\windows\Tasks\At30.job
c:\windows\Tasks\At31.job
c:\windows\Tasks\At32.job
c:\windows\Tasks\At33.job
c:\windows\Tasks\At34.job
c:\windows\Tasks\At35.job
c:\windows\Tasks\At36.job
c:\windows\Tasks\At37.job
c:\windows\Tasks\At38.job
c:\windows\Tasks\At39.job
c:\windows\Tasks\At4.job
c:\windows\Tasks\At40.job
c:\windows\Tasks\At41.job
c:\windows\Tasks\At42.job
c:\windows\Tasks\At43.job
c:\windows\Tasks\At44.job
c:\windows\Tasks\At45.job
c:\windows\Tasks\At46.job
c:\windows\Tasks\At47.job
c:\windows\Tasks\At48.job
c:\windows\Tasks\At49.job
c:\windows\Tasks\At5.job
c:\windows\Tasks\At50.job
c:\windows\Tasks\At51.job
c:\windows\Tasks\At52.job
c:\windows\Tasks\At53.job
c:\windows\Tasks\At54.job
c:\windows\Tasks\At55.job
c:\windows\Tasks\At56.job
c:\windows\Tasks\At57.job
c:\windows\Tasks\At58.job
c:\windows\Tasks\At59.job
c:\windows\Tasks\At6.job
c:\windows\Tasks\At60.job
c:\windows\Tasks\At61.job
c:\windows\Tasks\At62.job
c:\windows\Tasks\At63.job
c:\windows\Tasks\At64.job
c:\windows\Tasks\At65.job
c:\windows\Tasks\At66.job
c:\windows\Tasks\At67.job
c:\windows\Tasks\At68.job
c:\windows\Tasks\At69.job
c:\windows\Tasks\At7.job
c:\windows\Tasks\At70.job
c:\windows\Tasks\At71.job
c:\windows\Tasks\At72.job
c:\windows\Tasks\At73.job
c:\windows\Tasks\At74.job
c:\windows\Tasks\At75.job
c:\windows\Tasks\At76.job
c:\windows\Tasks\At77.job
c:\windows\Tasks\At78.job
c:\windows\Tasks\At79.job
c:\windows\Tasks\At8.job
c:\windows\Tasks\At80.job
c:\windows\Tasks\At81.job
c:\windows\Tasks\At82.job
c:\windows\Tasks\At83.job
c:\windows\Tasks\At84.job
c:\windows\Tasks\At85.job
c:\windows\Tasks\At86.job
c:\windows\Tasks\At87.job
c:\windows\Tasks\At88.job
c:\windows\Tasks\At89.job
c:\windows\Tasks\At9.job
c:\windows\Tasks\At90.job
c:\windows\Tasks\At91.job
c:\windows\Tasks\At92.job
c:\windows\Tasks\At93.job
c:\windows\Tasks\At94.job
c:\windows\Tasks\At95.job
c:\windows\Tasks\At96.job
c:\windows\Tasks\At97.job
c:\windows\Tasks\At98.job
c:\windows\Tasks\At99.job
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_PROTECTOR
-------\Legacy_SSHNAS
-------\Service_Protector
.
.
((((((((((((((((((((((((( Files Created from 2011-02-28 to 2011-03-28 )))))))))))))))))))))))))))))))
.
.
2011-03-28 01:04 . 2011-03-28 01:04 28752 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{F9703D05-5333-40DE-88A8-684942769372}\MpKsl28373c21.sys
2011-03-28 00:29 . 2011-03-28 00:29 -------- d-----w- c:\documents and settings\VHCClient001\Application Data\AT&T
2011-03-28 00:28 . 2011-03-28 00:28 28752 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{F9703D05-5333-40DE-88A8-684942769372}\MpKsl7aa69405.sys
2011-03-26 14:40 . 2011-03-26 14:40 -------- d-----w- c:\program files\ERUNT
2011-03-21 00:34 . 2011-03-21 00:34 -------- d-----w- c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
2011-03-20 22:49 . 2011-02-23 15:35 5943120 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2011-03-20 22:48 . 2011-02-23 15:35 5943120 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{F9703D05-5333-40DE-88A8-684942769372}\mpengine.dll
2011-03-20 10:29 . 2011-03-20 10:30 -------- d-----w- c:\documents and settings\VHCClient001\Application Data\PCFix
2011-03-20 10:22 . 2011-03-20 10:22 -------- d-----w- c:\documents and settings\VHCClient001\Local Settings\Application Data\PackageAware
2011-03-20 09:45 . 2011-03-20 09:45 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2011-03-20 03:20 . 2011-03-20 03:20 -------- d-----w- c:\program files\microsoft frontpage
2011-03-19 17:57 . 2011-03-19 17:57 -------- d-----w- c:\windows\system32\SpycatcherAgentSetupTemp
2011-03-19 17:56 . 2011-03-19 17:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Tenebril
2011-03-19 15:40 . 2011-03-19 15:40 0 ----a-w- c:\windows\system32\ConduitEngine.tmp
2011-03-19 15:20 . 2011-03-19 15:20 -------- d-----w- c:\program files\Computing.Net
2011-03-19 15:18 . 2011-03-19 15:40 -------- d-----w- c:\documents and settings\VHCClient001\Local Settings\Application Data\Conduit
2011-03-19 15:18 . 2011-03-19 15:18 -------- d-----w- c:\program files\Conduit
2011-03-19 15:18 . 2011-03-19 17:42 -------- d-----w- c:\documents and settings\VHCClient001\Local Settings\Application Data\PC_Safety_Suite
2011-03-08 18:49 . 2011-03-27 09:34 25048 ----a-w- c:\program files\Mozilla Firefox\components\browserdirprovider.dll
2011-03-08 18:49 . 2011-03-27 09:34 140248 ----a-w- c:\program files\Mozilla Firefox\components\brwsrcmp.dll
2011-03-08 18:49 . 2011-03-27 09:35 16856 ----a-w- c:\program files\Mozilla Firefox\plugin-container.exe
2011-03-08 18:49 . 2011-03-27 09:35 719832 ----a-w- c:\program files\Mozilla Firefox\mozcpp19.dll
2011-03-05 08:06 . 2011-03-05 08:06 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\PCHealth
2011-03-04 23:09 . 2011-03-04 23:10 -------- d-----w- c:\program files\Microsoft Security Client
2011-03-04 18:03 . 2011-03-04 18:04 -------- dc-h--w- c:\windows\ie8
2011-03-04 14:58 . 2011-03-04 14:58 -------- d--h--w- c:\windows\msdownld.tmp
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-02-02 23:11 . 2010-06-11 14:34 222080 ------w- c:\windows\system32\MpSigStub.exe
2008-05-07 08:34 . 2008-08-08 18:09 15523560 ----a-w- c:\program files\U1 Setup.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{30F9B915-B755-4826-820B-08FBA6BD249D}]
2011-01-17 14:54 175912 ----a-w- c:\program files\ConduitEngine\prxConduitEngine.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2009-07-26 3883856]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2010-11-30 997408]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-01-11 246504]
"RTHDCPL"="RTHDCPL.EXE" [2008-07-16 16806400]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-09-24 100888]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-09-24 104984]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-09-24 121368]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]
"BCSSync"="c:\program files\Microsoft Office\Office14\BCSSync.exe" [2010-03-13 91520]
"AT&T Communication Manager"="c:\program files\AT&T\Communication Manager\ATTCM.exe" [2009-10-09 883272]
"AsusTray"="c:\program files\EeePC\ACPI\AsTray.exe" [2008-07-23 98304]
"AsusEPCMonitor"="c:\program files\EeePC\ACPI\AsEPCMon.exe" [2008-05-21 94208]
"AsusACPIServer"="c:\program files\EeePC\ACPI\AsAcpiSvr.exe" [2008-07-23 479232]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2010-02-28 519584]
.
c:\documents and settings\VHCClient001\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
.
c:\documents and settings\VHCClient001\Start Menu\Programs\Startup\AutorunsDisabled
Office Startup.lnk - c:\program files\Microsoft Office\Office\OSA.EXE [1996-11-17 51984]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2010-8-6 607584]
SuperHybridEngine.lnk - c:\program files\Asus\EeePC\Super Hybrid Engine\SuperHybridEngine.exe [2008-8-8 303104]
VPN Client.lnk - c:\windows\Installer\{871DF2BE-41D2-4334-AC33-839AF16FC8FE}\Icon3E5562ED7.ico [2010-2-22 6144]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\SecuLoad.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PC Safety Suite]
2009-10-18 20:12 626176 ----a-w- c:\program files\Computing.Net\PC Safety Suite\PC Safety Suite.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
2009-03-05 22:07 2260480 --sha-r- c:\program files\Spybot - Search & Destroy\TeaTimer.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\AT&T\\Communication Manager\\SwiApiMux.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Microsoft Office\\Office14\\ONENOTE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office14\\OUTLOOK.EXE"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\Microsoft Office\\Office14\\GROOVE.EXE"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
.
R1 MpKsl28373c21;MpKsl28373c21;c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{F9703D05-5333-40DE-88A8-684942769372}\MpKsl28373c21.sys [3/27/2011 8:04 PM 28752]
R1 MpKsl7aa69405;MpKsl7aa69405;c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{F9703D05-5333-40DE-88A8-684942769372}\MpKsl7aa69405.sys [3/27/2011 7:28 PM 28752]
R1 vcdrom;Virtual CD-ROM Device Driver;d:\software\WinXP_VirtualCD\VCdRom.sys [10/26/2009 10:17 PM 8576]
R2 vnccom;vnccom;c:\windows\system32\drivers\vnccom.SYS [6/10/2010 9:31 AM 6016]
S0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys --> c:\windows\system32\drivers\TfFsMon.sys [?]
S0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys --> c:\windows\system32\drivers\TfSysMon.sys [?]
S3 ATTRcAppSvc;AT&T RcAppSvc;c:\program files\AT&T\Communication Manager\RcAppSvc.exe [10/9/2009 6:59 PM 121416]
S3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\Microsoft Office\Office14\GROOVE.EXE [3/25/2010 11:25 AM 30969208]
S3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [1/9/2010 10:37 PM 4640000]
S3 PTDUBus;PANTECH UM175 Composite Device Driver ;c:\windows\system32\DRIVERS\PTDUBus.sys --> c:\windows\system32\DRIVERS\PTDUBus.sys [?]
S3 PTDUMdm;PANTECH UM175 Drivers;c:\windows\system32\DRIVERS\PTDUMdm.sys --> c:\windows\system32\DRIVERS\PTDUMdm.sys [?]
S3 PTDUVsp;PANTECH UM175 Diagnostic Port;c:\windows\system32\DRIVERS\PTDUVsp.sys --> c:\windows\system32\DRIVERS\PTDUVsp.sys [?]
S3 PTDUWFLT;PTDUWWAN Filter Driver;c:\windows\system32\DRIVERS\PTDUWFLT.sys --> c:\windows\system32\DRIVERS\PTDUWFLT.sys [?]
S3 PTDUWWAN;PANTECH UM175 WWAN Driver;c:\windows\system32\DRIVERS\PTDUWWAN.sys --> c:\windows\system32\DRIVERS\PTDUWWAN.sys [?]
S3 SWNC8UA3;Sierra Wireless MUX NDIS Driver (UMTSA3);c:\windows\system32\drivers\swnc8ua3.sys [3/31/2009 3:45 PM 190080]
S3 SWUMXA3;Sierra Wireless USB MUX Driver (UMTSA3);c:\windows\system32\drivers\swumxa3.sys [5/4/2009 4:57 PM 148096]
S3 TfNetMon;TfNetMon;\??\c:\windows\system32\drivers\TfNetMon.sys --> c:\windows\system32\drivers\TfNetMon.sys [?]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - MPKSL28373C21
.
Contents of the 'Scheduled Tasks' folder
.
2011-03-28 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2010-11-11 18:26]
.
2011-03-28 c:\windows\Tasks\MpIdleTask.job
- c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2010-11-11 18:26]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://google.com/
uInternet Connection Wizard,ShellNext = hxxp://eeepc.asus.com/global
uInternet Settings,ProxyOverride = <local>
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\MICROS~4\Office14\ONBttnIE.dll/105
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
LSP: bmnet.dll
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
FF - ProfilePath - c:\documents and settings\VHCClient001\Application Data\Mozilla\Firefox\Profiles\wl6l5jrt.default\
FF - prefs.js: browser.startup.homepage - hxxp://dul.startya.com/?cfg=2-488-0-0&engine_id=3&provider_id=3&product_id=488&country=
FF - prefs.js: keyword.URL - hxxp://search.fast-find.net/?sid=10101067100&s=
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: PC Safety Suite Community Toolbar: {ac3c3ade-dcc3-419a-a185-8b5884049c8c} - %profile%\extensions\{ac3c3ade-dcc3-419a-a185-8b5884049c8c}
FF - Ext: Yahoo! Toolbar: {635abd67-4fe9-1b23-4f01-e679fa7484c1} - %profile%\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
FF - Ext: Conduit Engine : engine@conduit.com - %profile%\extensions\engine@conduit.com
FF - user.js: browser.search.order.1 - Search
FF - user.js: keyword.URL - hxxp://search.fast-find.net/?sid=10101067100&s=);user_pref(yahoo.homepage.dontask, true
.
- - - - ORPHANS REMOVED - - - -
.
URLSearchHooks-{ac3c3ade-dcc3-419a-a185-8b5884049c8c} - (no file)
BHO-{ac3c3ade-dcc3-419a-a185-8b5884049c8c} - (no file)
Toolbar-{ac3c3ade-dcc3-419a-a185-8b5884049c8c} - (no file)
WebBrowser-{AC3C3ADE-DCC3-419A-A185-8B5884049C8C} - (no file)
HKLM-Run-PCFix - e:\removal tools\PCFix\PCFix.exe
ShellExecuteHooks-{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - (no file)
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-03-27 20:04
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,79,00,73,00,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'lsass.exe'(1120)
c:\windows\system32\bmnet.dll
.
- - - - - - - > 'explorer.exe'(2876)
c:\progra~1\COMMON~1\MICROS~1\OFFICE14\Cultures\office.odf
c:\progra~1\MICROS~4\Office14\1033\GrooveIntlResource.dll
c:\windows\system32\btmmhook.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\OneX.DLL
c:\windows\system32\eappprxy.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\btncopy.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Microsoft Security Client\Antimalware\MsMpEng.exe
c:\program files\Cisco Systems\VPN Client\cvpnd.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
c:\windows\system32\wscntfy.exe
c:\windows\RTHDCPL.EXE
c:\windows\system32\rundll32.exe
c:\windows\system32\igfxsrvc.exe
c:\windows\system32\igfxext.exe
.
**************************************************************************
.
Completion time: 2011-03-27 20:15:12 - machine was rebooted
ComboFix-quarantined-files.txt 2011-03-28 01:15
.
Pre-Run: 40,944,328,704 bytes free
Post-Run: 40,958,152,704 bytes free
.
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
.
- - End Of File - - E020D96C307492A1218DF12F84CB10A7

shelf life
2011-03-29, 00:03
hi,

ok good. We will get one more download which you can keep:

Please download the free version of Malwarebytes (http://www.malwarebytes.org/mbam.php) to your desktop.

Double-click mbam-setup.exe and follow the prompts to install the program.

Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.

If an update is found, it will download and install the latest version.
Once the program has loaded, select Perform FULL SCAN, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click *Remove Selected.*

*A restart of your computer may be required to remove some items. If prompted please restart your computer to complete the fix.*

When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt

Post the log in your reply. Also please post a new DDS log after you run Malwarebytes.

bucknut
2011-03-29, 16:47
Thank you very much

Here are the two files:

.
DDS (Ver_11-03-05.01) - NTFSx86
Run by VHCClient001 at 8:41:23.51 on Tue 03/29/2011
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_18
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1015.367 [GMT -5:00]
.
AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
svchost.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\EeePC\ACPI\AsTray.exe
C:\Program Files\EeePC\ACPI\AsEPCMon.exe
C:\Program Files\EeePC\ACPI\AsAcpiSvr.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\WINDOWS\system32\igfxext.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Windows Live\Toolbar\wltuser.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\VHCClient001\Local Settings\Temporary Internet Files\Content.IE5\S2QE174J\dds[1].scr
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://google.com/
uInternet Connection Wizard,ShellNext = hxxp://eeepc.asus.com/global
uInternet Settings,ProxyOverride = <local>
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - No File
BHO: Conduit Engine : {30f9b915-b755-4826-820b-08fba6bd249d} - c:\program files\conduitengine\prxConduitEngine.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SearchHelper.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\progra~1\micros~4\office14\GROOVEEX.DLL
BHO: Office Document Cache Handler: {b4f3a835-0e21-4959-ba22-42b3008e02ff} - c:\progra~1\micros~4\office14\URLREDIR.DLL
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No File
uRun: [MsnMsgr] "c:\program files\windows live\messenger\MsnMsgr.Exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [BCSSync] "c:\program files\microsoft office\office14\BCSSync.exe" /DelayServices
mRun: [AT&T Communication Manager] "c:\program files\at&t\communication manager\ATTCM.exe" -a
mRun: [AsusTray] c:\program files\eeepc\acpi\AsTray.exe
mRun: [AsusEPCMonitor] c:\program files\eeepc\acpi\AsEPCMon.exe
mRun: [AsusACPIServer] c:\program files\eeepc\acpi\AsAcpiSvr.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [Malwarebytes' Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
StartupFolder: c:\docume~1\vhccli~1\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
StartupFolder: c:\docume~1\vhccli~1\startm~1\programs\startup\autoru~1\office~1.lnk - c:\program files\microsoft office\office\OSA.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\vpncli~1.lnk - c:\windows\installer\{871df2be-41d2-4334-ac33-839af16fc8fe}\Icon3E5562ED7.ico
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\micros~4\office14\ONBttnIE.dll/105
IE: Send to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: Send To Bluetooth - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\program files\microsoft office\office14\ONBttnIE.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07}
IE: {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - {FFFDC614-B694-4AE6-AB38-5D6374584B52} - c:\program files\microsoft office\office14\ONBttnIELinkedNotes.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
LSP: bmnet.dll
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1256624992480
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1256624984214
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - c:\program files\common files\microsoft shared\office14\MSOXMLMF.DLL
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: c:\windows\system32\
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~4\office14\GROOVEEX.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\docume~1\vhccli~1\applic~1\mozilla\firefox\profiles\wl6l5jrt.default\
FF - prefs.js: browser.startup.homepage - hxxp://dul.startya.com/?cfg=2-488-0-0&engine_id=3&provider_id=3&product_id=488&country=
FF - prefs.js: keyword.URL - hxxp://search.fast-find.net/?sid=10101067100&s=
FF - component: c:\documents and settings\vhcclient001\application data\mozilla\firefox\profiles\wl6l5jrt.default\extensions\{ac3c3ade-dcc3-419a-a185-8b5884049c8c}\components\RadioWMPCoreGecko19.dll
FF - component: c:\documents and settings\vhcclient001\application data\mozilla\firefox\profiles\wl6l5jrt.default\extensions\engine@conduit.com\components\RadioWMPCoreGecko19.dll
FF - plugin: c:\progra~1\micros~4\office14\NPAUTHZ.DLL
FF - plugin: c:\progra~1\micros~4\office14\NPSPWRAP.DLL
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: PC Safety Suite Community Toolbar: {ac3c3ade-dcc3-419a-a185-8b5884049c8c} - %profile%\extensions\{ac3c3ade-dcc3-419a-a185-8b5884049c8c}
FF - Ext: Yahoo! Toolbar: {635abd67-4fe9-1b23-4f01-e679fa7484c1} - %profile%\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
FF - Ext: Conduit Engine : engine@conduit.com - %profile%\extensions\engine@conduit.com
.
---- FIREFOX POLICIES ----
FF - user.js: browser.search.order.1 - Search
FF - user.js: keyword.URL - hxxp://search.fast-find.net/?sid=10101067100&s=);user_pref(yahoo.homepage.dontask, true
.
============= SERVICES / DRIVERS ===============
.
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-10-24 165264]
R1 MpKsl0262b225;MpKsl0262b225;c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{b2a2ed90-0be0-4bee-b213-23933d1f2af2}\MpKsl0262b225.sys [2011-3-29 28752]
R1 vcdrom;Virtual CD-ROM Device Driver;d:\software\winxp_virtualcd\VCdRom.sys [2009-10-26 8576]
R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [2010-6-23 54752]
R2 vnccom;vnccom;c:\windows\system32\drivers\vnccom.SYS [2010-6-10 6016]
S0 TfFsMon;TfFsMon;c:\windows\system32\drivers\tffsmon.sys --> c:\windows\system32\drivers\TfFsMon.sys [?]
S0 TfSysMon;TfSysMon;c:\windows\system32\drivers\tfsysmon.sys --> c:\windows\system32\drivers\TfSysMon.sys [?]
S3 ATTRcAppSvc;AT&T RcAppSvc;c:\program files\at&t\communication manager\RcAppSvc.exe [2009-10-9 121416]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\windows live\family safety\fsssvc.exe [2009-8-5 704864]
S3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\microsoft office\office14\GROOVE.EXE [2010-3-25 30969208]
S3 osppsvc;Office Software Protection Platform;c:\program files\common files\microsoft shared\officesoftwareprotectionplatform\OSPPSVC.EXE [2010-1-9 4640000]
S3 PTDUBus;PANTECH UM175 Composite Device Driver ;c:\windows\system32\drivers\ptdubus.sys --> c:\windows\system32\drivers\PTDUBus.sys [?]
S3 PTDUMdm;PANTECH UM175 Drivers;c:\windows\system32\drivers\ptdumdm.sys --> c:\windows\system32\drivers\PTDUMdm.sys [?]
S3 PTDUVsp;PANTECH UM175 Diagnostic Port;c:\windows\system32\drivers\ptduvsp.sys --> c:\windows\system32\drivers\PTDUVsp.sys [?]
S3 PTDUWFLT;PTDUWWAN Filter Driver;c:\windows\system32\drivers\ptduwflt.sys --> c:\windows\system32\drivers\PTDUWFLT.sys [?]
S3 PTDUWWAN;PANTECH UM175 WWAN Driver;c:\windows\system32\drivers\ptduwwan.sys --> c:\windows\system32\drivers\PTDUWWAN.sys [?]
S3 SWNC8UA3;Sierra Wireless MUX NDIS Driver (UMTSA3);c:\windows\system32\drivers\swnc8ua3.sys [2009-3-31 190080]
S3 SWUMXA3;Sierra Wireless USB MUX Driver (UMTSA3);c:\windows\system32\drivers\swumxa3.sys [2009-5-4 148096]
S3 TfNetMon;TfNetMon;\??\c:\windows\system32\drivers\tfnetmon.sys --> c:\windows\system32\drivers\TfNetMon.sys [?]
S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2005-1-26 280344]
.
=============== Created Last 30 ================
.
2011-03-29 11:32:03 54016 ----a-w- c:\windows\system32\drivers\jebu.sys
2011-03-29 09:12:40 28752 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\microsoft antimalware\definition updates\{b2a2ed90-0be0-4bee-b213-23933d1f2af2}\MpKsl0262b225.sys
2011-03-29 01:44:56 6792528 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\microsoft antimalware\definition updates\{b2a2ed90-0be0-4bee-b213-23933d1f2af2}\mpengine.dll
2011-03-28 00:55:45 -------- d-sha-r- C:\cmdcons
2011-03-28 00:50:14 98816 ----a-w- c:\windows\sed.exe
2011-03-28 00:50:14 89088 ----a-w- c:\windows\MBR.exe
2011-03-28 00:50:14 256512 ----a-w- c:\windows\PEV.exe
2011-03-28 00:50:14 161792 ----a-w- c:\windows\SWREG.exe
2011-03-28 00:29:35 -------- d-----w- c:\docume~1\vhccli~1\applic~1\AT&T
2011-03-21 00:34:43 -------- d-----w- c:\docume~1\alluse~1\applic~1\Kaspersky Lab Setup Files
2011-03-20 22:49:39 5943120 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\microsoft antimalware\definition updates\backup\mpengine.dll
2011-03-20 10:29:21 -------- d-----w- c:\docume~1\vhccli~1\applic~1\PCFix
2011-03-20 10:22:01 -------- d-----w- c:\docume~1\vhccli~1\locals~1\applic~1\PackageAware
2011-03-19 17:57:11 -------- d-----w- c:\windows\system32\SpycatcherAgentSetupTemp
2011-03-19 15:40:42 -------- d-----w- c:\docume~1\vhccli~1\locals~1\applic~1\ConduitEngine
2011-03-19 15:40:30 0 ----a-w- c:\windows\system32\ConduitEngine.tmp
2011-03-19 15:40:29 -------- d-----w- c:\program files\ConduitEngine
2011-03-19 15:20:05 -------- d-----w- c:\program files\Computing.Net
2011-03-19 15:18:39 -------- d-----w- c:\docume~1\vhccli~1\locals~1\applic~1\Conduit
2011-03-19 15:18:38 -------- d-----w- c:\program files\Conduit
2011-03-19 15:18:36 -------- d-----w- c:\docume~1\vhccli~1\locals~1\applic~1\PC_Safety_Suite
2011-03-08 18:49:27 25048 ----a-w- c:\program files\mozilla firefox\components\browserdirprovider.dll
2011-03-08 18:49:27 140248 ----a-w- c:\program files\mozilla firefox\components\brwsrcmp.dll
2011-03-08 18:49:23 16856 ----a-w- c:\program files\mozilla firefox\plugin-container.exe
2011-03-08 18:49:22 719832 ----a-w- c:\program files\mozilla firefox\mozcpp19.dll
2011-03-04 23:09:52 -------- d-----w- c:\program files\Microsoft Security Client
2011-03-04 18:03:25 -------- dc-h--w- c:\windows\ie8
2011-03-04 14:58:44 -------- d--h--w- c:\windows\msdownld.tmp
.
==================== Find3M ====================
.
2011-02-09 13:53:52 270848 ----a-w- c:\windows\system32\sbe.dll
2011-02-09 13:53:52 186880 ----a-w- c:\windows\system32\encdec.dll
2011-02-02 23:11:20 222080 ------w- c:\windows\system32\MpSigStub.exe
2011-02-02 07:58:35 2067456 ----a-w- c:\windows\system32\mstscax.dll
2011-01-27 11:57:06 677888 ----a-w- c:\windows\system32\mstsc.exe
2011-01-21 14:44:37 439296 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-07 14:09:02 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-12-31 13:10:33 1854976 ----a-w- c:\windows\system32\win32k.sys
2008-05-07 08:34:00 15523560 ----a-w- c:\program files\U1 Setup.exe
.
============= FINISH: 8:43:01.53 ===============

MBAM LOG:

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6201

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

3/29/2011 6:30:20 AM
mbam-log-2011-03-29 (06-30-20).txt

Scan type: Full scan (C:\|D:\|)
Objects scanned: 232431
Time elapsed: 1 hour(s), 12 minute(s), 36 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\documents and settings\vhcclient001\my documents\downloads\pcfix-v302-en.exe (Adware.PCFixCleaner) -> Quarantined and deleted successfully.

shelf life
2011-03-30, 00:31
hi,

ok thanks for the info. Look in your add/remove programs panel and uninstall:

conduit or conduit engine, reboot machine then delete the folder: c:\program files\conduitengine\ if present

also look here:
c:\docume~1\vhccli~1\locals~1\applic~1\ConduitEngine

c:/documents and settings/vhccil (a user)/local settings/application data/

Also with firefox open look under: Tools>add ons for Conduit and uninstall there also