PDA

View Full Version : All browsers redirected...help!



The1930sRust
2011-08-31, 23:07
Our computer has suddenly been infected with some sort of redirect virus. IE, Firefox, and even Chrome do this. Also, we cannot get to any free online scan sites.

Can anyone suggest the cause?

Thanks! Chris

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_12
Run by LCSD at 14:53:33 on 2011-08-31
.
============== Running Processes ===============
.
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\Program Files\CA\SharedComponents\Alert\ALERT.EXE
C:\Program Files\CA\SharedComponents\ThirdParty\Tomcat\5.5\Bin\Tomcat5.exe
C:\Program Files\DataVault\DataVault DataVault Online Backup\DVService.exe
C:\Program Files\CA\SharedComponents\iTechnology\igateway.exe
C:\Program Files\CA\eTrustITM\InoNmSrv.exe
C:\Program Files\CA\eTrustITM\InoRpc.exe
C:\Program Files\CA\eTrustITM\InoRT.exe
C:\Program Files\CA\eTrustITM\InoTask.exe
C:\Program Files\CA\eTrustITM\inoweb.exe
C:\Program Files\CA\SharedComponents\PPRealtime\bin\ITMRTSVC.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Windows Media Player\WMPNetwk.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\VIAudioi\SBADeck\ADeck.exe
C:\Program Files\CA\eTrustITM\realmon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\DataVault\DataVault DataVault Online Backup\DVCtrl.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Documents and Settings\LCSD\Desktop\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
C:\WINDOWS\system32\svchost.exe -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
.
============== Pseudo HJT Report ===============
.
uInternet Connection Wizard,ShellNext = iexplore
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: My Web Search Bar BHO: {8eab99c1-f9ec-4b64-a4ba-d9bcae8779c2} - c:\program files\mywebsearchwb\bar\1.bin\W6BAR.DLL
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Skype Plug-In: {ae805869-2e5c-4ed4-8f7b-f1f7851a4497} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.6406.1642\swg.dll
BHO: CNavExtBho Class: {bdf3e430-b101-42ad-a544-fadc6b084872} - c:\program files\norton systemworks\norton antivirus\NavShExt.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Norton AntiVirus: {42cdd1bf-3ffb-4238-8ad1-7859df00b1d6} - c:\program files\norton systemworks\norton antivirus\NavShExt.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe
mRun: [AudioDeck] c:\program files\viaudioi\sbadeck\ADeck.exe 1
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
mRun: [HPUsageTracking] "c:\program files\hp\hp ut\bin\hppusg.exe" "c:\program files\hp\hp ut\"
mRun: [Realtime Monitor] "c:\program files\ca\etrustitm\realmon.exe" -s
dRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil10d.exe
dRunOnce: [AutoLaunch] c:\program files\lavasoft\ad-aware\AutoLaunch.exe monthly
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\art\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\art\office12\REFIEBAR.DLL
Trusted Zone: cleverreach.com\novastor
Trusted Zone: google-analytics.com
Trusted Zone: msn.com\www
Trusted Zone: novastor.com
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1166470927750
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} - hxxp://72.215.137.100:60110/activex/AMC.cab
DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - hxxp://zone.msn.com/bingame/dim2/default/popcaploader_v6.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: DhcpNameServer = 192.168.10.1
TCP: Interfaces\{0E27FA16-E56F-4C49-BAB8-DB4A4EAF5276} : DhcpNameServer = 192.168.10.1
Handler: skype-ie-addon-data - {91774881-D725-4E58-B298-07617B9B86A8} - c:\program files\skype\toolbars\internet explorer\skypeieplugin.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\lcsd\application data\mozilla\firefox\profiles\dm7a1zl4.default\
FF - prefs.js: browser.search.selectedEngine - Ask
FF - prefs.js: browser.startup.homepage - hxxp://www.ask.com/?o=20011&l=dis
FF - prefs.js: keyword.URL - hxxp://toolbar.ask.com/toolbarv/askRedirect?o=20008&gct=&gc=1&q=
FF - plugin: c:\documents and settings\lcsd\application data\move networks\plugins\npqmp071705000014.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\google updater\2.4.1636.7222\npCIDetect13.dll
FF - plugin: c:\program files\google\update\1.3.21.53\npGoogleUpdate3.dll
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA}
FF - Ext: Skype extension: {82AF8DCA-6DE9-405D-BD5E-43525BDAD38A} - c:\program files\mozilla firefox\extensions\{82AF8DCA-6DE9-405D-BD5E-43525BDAD38A}
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: PlaySushi TextLinks : textlinks@playsushi.com - %profile%\extensions\textlinks@playsushi.com
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Move Media Player: moveplayer@movenetworks.com - c:\documents and settings\lcsd\application data\Move Networks
.
============= SERVICES / DRIVERS ===============
.
R? ApacheContentServer;Apache Content Server
R? ccEvtMgr;Symantec Event Manager
R? ccPwdSvc;Symantec Password Validation Service
R? gupdate1ca0643d5da7ae2;Google Update Service (gupdate1ca0643d5da7ae2)
R? gupdatem;Google Update Service (gupdatem)
R? Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service
R? navapsvc;Norton AntiVirus Auto Protect Service
R? NAVENG;NAVENG
R? NAVEX15;NAVEX15
R? NProtectService;Norton Unerase Protection
R? SAVRT;SAVRT
R? SBService;ScriptBlocking Service
S? !SASCORE;SAS Core Service
S? Alert Notification Server;Alert Notification Server
S? ApacheTomcatApplicationServer;Apache Tomcat Application Server
S? DVService;DataVault DataVault Online Backup Backup/Copy Engine
S? InoNmSrv;eTrust ITM Server Service
S? InoWeb;eTrust ITM Web Access Service
S? Lbd;Lbd
S? MBAMSwissArmy;MBAMSwissArmy
S? SASDIFSV;SASDIFSV
S? SASKUTIL;SASKUTIL
S? SAVRTPEL;SAVRTPEL
.
=============== Created Last 30 ================
.
2011-08-31 19:07:25 388096 ----a-r- c:\documents and settings\lcsd\application data\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
2011-08-31 19:07:22 -------- d-----w- c:\program files\Trend Micro
2011-08-26 16:51:41 -------- d-----w- c:\program files\SUPERAntiSpyware
2011-08-10 08:01:56 139656 -c----w- c:\windows\system32\dllcache\rdpwd.sys
2011-08-10 08:00:15 10496 -c----w- c:\windows\system32\dllcache\ndistapi.sys
.
==================== Find3M ====================
.
2011-07-15 13:29:31 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-07-08 14:02:00 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys
2011-07-07 00:52:42 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-07-07 00:52:42 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-06-24 14:10:36 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2011-06-23 18:36:30 916480 ----a-w- c:\windows\system32\wininet.dll
2011-06-23 18:36:30 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-06-23 18:36:30 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-06-23 12:05:13 385024 ----a-w- c:\windows\system32\html.iec
2011-06-20 17:44:52 293376 ----a-w- c:\windows\system32\winsrv.dll
.
============= FINISH: 15:04:26.02 ===============

ken545
2011-09-02, 00:22
:snwelcome:


Please read Before You Post (http://forums.spybot.info/showthread.php?t=288)
While best efforts are made to assist in removing infections safely, unexpected stuff can happen. It is advisable that you back up your important data before starting any clean up procedure. Neither Safer Networking Forums nor the Analyst providing the advice may be held responsible for any loss.

Until we deem your system clean I am going to ask you not to install or uninstall any software or hardware except for the programs we may run.

Lets check for a ROOTKIT


Download aswMBR.exe (http://public.avast.com/~gmerek/aswMBR.exe) ( 511KB ) to your desktop.

Double click the aswMBR.exe to run it

Click the "Scan" button to start scan
http://public.avast.com/~gmerek/aswMBR1.png

On completion of the scan click save log, save it to your desktop and post in your next reply
http://public.avast.com/~gmerek/aswMBR2.png

The1930sRust
2011-09-02, 20:19
I downloaded aswMBR as instructed, but double clicking will not open the program. Also tried in safe mode, w/wo networking, and also using the Task Manager to start. Nothing. Thoughts? BTW, when I down load the program it shows a size of about 1.8MB not the reported 511K. Thanks! cg

ken545
2011-09-02, 22:44
Try this and then see if you can run aswMBR again

Please download exeHelper (http://www.raktor.net/exeHelper/exeHelper.com) to your desktop.

Double-click on exeHelper.com to run the fix.
A black window should pop up, press any key to close once the fix is completed.
Post the contents of log.txt (Will be created in the directory where you ran exeHelper.com)
Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).






Please download rkill (Courtesy of Bleepingcomputer.com).
There are 5 different versions of this tool. If one of them will not run, please try the next one in the list.
Note: Vista and Windows 7 Users must right click and select "Run as Administrator" to run the tool.
Note: You only need to get one of the tools to run, not all of them.




1. rkill.exe (http://download.bleepingcomputer.com/grinler/rkill.exe)
2. rkill.com (http://download.bleepingcomputer.com/grinler/rkill.com)
3. rkill.scr (http://download.bleepingcomputer.com/grinler/rkill.scr)
4. WiNlOgOn.exe (http://download.bleepingcomputer.com/grinler/WiNlOgOn.exe)
5. uSeRiNiT.exe (http://download.bleepingcomputer.com/grinler/uSeRiNiT.exe)


Note: You will likely see a message from this rogue telling you the file is infected. Ignore the message. Leave the message OPEN, do not close the message.

Run rkill repeatedly until it's able to do it's job. This may take a few tries.

You'll be able to tell rkill has done it's job when your desktop (explorer.exe) cycles off and then on again.

The1930sRust
2011-09-06, 16:53
Here is the first log file:

exeHelper by Raktor
Build 20100414
Run at 08:36:47 on 09/06/11
Now searching...
Checking for numerical processes...
Checking for sysguard processes...
Checking for bad processes...
Checking for bad files...
Checking for bad registry entries...
Resetting filetype association for .exe
Resetting filetype association for .com
Resetting userinit and shell values...
Resetting policies...
--Finished--

And here is a second:

This log file is located at C:\rkill.log.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.

Rkill was run on 09/06/2011 at 8:39:45.
Operating System: Microsoft Windows XP


Processes terminated by Rkill or while it was running:

C:\Documents and Settings\LCSD\Desktop\exeHelper.com


Rkill completed on 09/06/2011 at 8:41:02.


I will see if this works and post back!

Thanks so much...

The1930sRust
2011-09-08, 17:03
Well, the problem persists. Even performed the above in safe mode. I am still not able to get aswMBR to run at all. And I am still suffering redirects. Curiously, if I run Google encrypted (https version) there are no redirects.

Something new has started too, and I am not sure if it is IE or something else, but I can hear commercials running, no video, just sound, even with IE closed. This just started two days ago.

I really appreciate this site. Anything else to try?

CG

ken545
2011-09-08, 19:23
your infected with a Rootkit and from what you say about adds coming through the speakers it sounds like a variant called Whistler . These infections are very serious, its your call but what I would do is back up my data, format and do a clean install of windows, but this is up to you.

aswMBR can detect and fix this rootkit, lets try something else.

If your redirected away from the download sites you will have to use a known clean computer to download the programs and transfer them by disk to the infected one

Please download TDSSKiller.zip (http://support.kaspersky.com/downloads/utils/tdsskiller.zip)
Extract it to your desktop
Double click TDSSKiller.exe
Press Start Scan

Only if Malicious objects are found then ensure Cure is selected
Then click Continue > Reboot now

Copy and paste the log in your next reply

A copy of the log will be saved automatically to the root of the drive (typically C:\)









Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.

Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)


http://i266.photobucket.com/albums/ii277/sUBs_/combofix/CF_download_FF.gif


http://i266.photobucket.com/albums/ii277/sUBs_/combofix/CF_download_rename.gif

* IMPORTANT !!! Save ComboFix.exe to your Desktop


Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
See this Link (http://www.bleepingcomputer.com/forums/topic114351.html) for programs that need to be disabled and instruction on how to disable them.
Remember to re-enable them when we're done.


Double click on ComboFix.exe & follow the prompts.


As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.


Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.



http://img.photobucket.com/albums/v706/ried7/RC1.png


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

http://img.photobucket.com/albums/v706/ried7/RC2-1.png

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

*If there is no internet connection when Combofix has completely finished then restart your computer to restore back the connections.

ken545
2011-09-09, 15:35
How are you coming along, if you can get Combofix to run it will remove the rootkit and then aswMBR may run and we can kill Whistler

The1930sRust
2011-09-09, 21:02
OK, the TDSSKiller would not run either. So, I had the idea of changing the name of the file to something else. Viola! It ran, and immediately identified a suspicious file (I do not recall the name). I killed it and all the other programs stated responding to .exe. And, the redirect is gone.

So far so good. Thanks again, all. You were so much help!

CG

ken545
2011-09-09, 21:14
With Malware, the absence of symthoms does not guarantee a clean computer, run Combofix and post the log.

Also, I am not sitting down in front of your computer, your my eyes and ears, I cant help you if you dont post the logs I ask for so I can see whats been removed, what has not been removed and if we need to look further

This is for TDSSKiller, I need to see the log
A copy of the log will be saved automatically to the root of the drive (typically C:\)

The1930sRust
2011-09-09, 22:04
OK. Here is the TDSS log:

2011/09/09 12:42:09.0218 1424 TDSS rootkit removing tool 2.5.20.0 Sep 7 2011 16:44:34
2011/09/09 12:42:09.0250 1424 ================================================================================
2011/09/09 12:42:09.0250 1424 SystemInfo:
2011/09/09 12:42:09.0250 1424
2011/09/09 12:42:09.0250 1424 OS Version: 5.1.2600 ServicePack: 3.0
2011/09/09 12:42:09.0250 1424 Product type: Workstation
2011/09/09 12:42:09.0250 1424 ComputerName: MAINSERVER
2011/09/09 12:42:09.0250 1424 UserName: LCSD
2011/09/09 12:42:09.0250 1424 Windows directory: C:\WINDOWS
2011/09/09 12:42:09.0250 1424 System windows directory: C:\WINDOWS
2011/09/09 12:42:09.0250 1424 Processor architecture: Intel x86
2011/09/09 12:42:09.0250 1424 Number of processors: 1
2011/09/09 12:42:09.0250 1424 Page size: 0x1000
2011/09/09 12:42:09.0250 1424 Boot type: Safe boot
2011/09/09 12:42:09.0250 1424 ================================================================================
2011/09/09 12:42:09.0875 1424 Initialize success
2011/09/09 12:42:13.0625 1440 ================================================================================
2011/09/09 12:42:13.0625 1440 Scan started
2011/09/09 12:42:13.0625 1440 Mode: Manual;
2011/09/09 12:42:13.0625 1440 ================================================================================
2011/09/09 12:42:14.0218 1440 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2011/09/09 12:42:14.0328 1440 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
2011/09/09 12:42:14.0500 1440 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
2011/09/09 12:42:14.0640 1440 AFD (355556d9e580915118cd7ef736653a89) C:\WINDOWS\System32\drivers\afd.sys
2011/09/09 12:42:15.0062 1440 AmdK7 (8fce268cdbdd83b23419d1f35f42c7b1) C:\WINDOWS\system32\DRIVERS\amdk7.sys
2011/09/09 12:42:15.0656 1440 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2011/09/09 12:42:15.0750 1440 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
2011/09/09 12:42:15.0890 1440 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2011/09/09 12:42:16.0015 1440 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2011/09/09 12:42:16.0093 1440 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2011/09/09 12:42:16.0343 1440 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2011/09/09 12:42:16.0484 1440 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2011/09/09 12:42:16.0546 1440 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
2011/09/09 12:42:16.0609 1440 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2011/09/09 12:42:17.0046 1440 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
2011/09/09 12:42:17.0156 1440 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
2011/09/09 12:42:17.0265 1440 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\DRIVERS\dmio.sys
2011/09/09 12:42:17.0343 1440 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2011/09/09 12:42:17.0421 1440 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
2011/09/09 12:42:17.0625 1440 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
2011/09/09 12:42:17.0765 1440 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
2011/09/09 12:42:17.0843 1440 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
2011/09/09 12:42:17.0937 1440 FETND5BV (7d53d569892b46738e87f39c9aa8488a) C:\WINDOWS\system32\DRIVERS\fetnd5bv.sys
2011/09/09 12:42:18.0078 1440 FETNDISB (d3b19a8bae6c20b4d305c7a72e255eb9) C:\WINDOWS\system32\DRIVERS\fetnd5b.sys
2011/09/09 12:42:18.0171 1440 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
2011/09/09 12:42:18.0234 1440 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
2011/09/09 12:42:18.0312 1440 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
2011/09/09 12:42:18.0390 1440 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2011/09/09 12:42:18.0437 1440 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2011/09/09 12:42:18.0531 1440 GEARAspiWDM (32a73a8952580b284a47290adb62032a) C:\WINDOWS\system32\Drivers\GEARAspiWDM.sys
2011/09/09 12:42:18.0640 1440 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2011/09/09 12:42:18.0859 1440 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
2011/09/09 12:42:19.0062 1440 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2011/09/09 12:42:19.0171 1440 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
2011/09/09 12:42:19.0281 1440 InCDfs (5a4c94a8a23b8a7b7d2608dc73b1b85e) C:\WINDOWS\system32\drivers\InCDfs.sys
2011/09/09 12:42:19.0359 1440 InCDPass (57cd1170662d11a8e29dd6cf9330466a) C:\WINDOWS\system32\DRIVERS\InCDPass.sys
2011/09/09 12:42:19.0437 1440 InCDrec (af134c85c0a9912bb43c47da34dfbd95) C:\WINDOWS\system32\drivers\InCDrec.sys
2011/09/09 12:42:19.0515 1440 incdrm (195a22bc8674090ccce5c3e2b7d96aca) C:\WINDOWS\system32\drivers\incdrm.sys
2011/09/09 12:42:19.0765 1440 INO_FLPY (4eb3cd8cd2210807ada276542eb99b06) C:\WINDOWS\system32\Drivers\ino_flpy.sys
2011/09/09 12:42:19.0843 1440 INO_FLTR (ebfb9e788557aded04aef87247ae56dd) C:\WINDOWS\system32\Drivers\ino_fltr.sys
2011/09/09 12:42:20.0000 1440 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
2011/09/09 12:42:20.0125 1440 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2011/09/09 12:42:20.0203 1440 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2011/09/09 12:42:20.0281 1440 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2011/09/09 12:42:20.0375 1440 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2011/09/09 12:42:20.0468 1440 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
2011/09/09 12:42:20.0531 1440 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2011/09/09 12:42:20.0625 1440 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2011/09/09 12:42:20.0687 1440 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
2011/09/09 12:42:20.0781 1440 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
2011/09/09 12:42:20.0921 1440 Lbd (419590ebe7855215bb157ea0cf0d0531) C:\WINDOWS\system32\DRIVERS\Lbd.sys
2011/09/09 12:42:21.0125 1440 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2011/09/09 12:42:21.0234 1440 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
2011/09/09 12:42:21.0296 1440 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2011/09/09 12:42:21.0343 1440 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
2011/09/09 12:42:21.0484 1440 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2011/09/09 12:42:21.0593 1440 MRxSmb (7d304a5eb4344ebeeab53a2fe3ffb9f0) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2011/09/09 12:42:21.0703 1440 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
2011/09/09 12:42:21.0796 1440 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2011/09/09 12:42:21.0906 1440 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2011/09/09 12:42:21.0937 1440 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
2011/09/09 12:42:22.0015 1440 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2011/09/09 12:42:22.0093 1440 Mup (de6a75f5c270e756c5508d94b6cf68f5) C:\WINDOWS\system32\drivers\Mup.sys
2011/09/09 12:42:22.0281 1440 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
2011/09/09 12:42:22.0390 1440 NdisTapi (0109c4f3850dfbab279542515386ae22) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2011/09/09 12:42:22.0453 1440 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2011/09/09 12:42:22.0500 1440 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2011/09/09 12:42:22.0578 1440 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
2011/09/09 12:42:22.0671 1440 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
2011/09/09 12:42:22.0750 1440 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
2011/09/09 12:42:22.0906 1440 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
2011/09/09 12:42:23.0000 1440 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
2011/09/09 12:42:23.0109 1440 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2011/09/09 12:42:23.0218 1440 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2011/09/09 12:42:23.0281 1440 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2011/09/09 12:42:23.0406 1440 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
2011/09/09 12:42:23.0453 1440 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
2011/09/09 12:42:23.0515 1440 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2011/09/09 12:42:23.0593 1440 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
2011/09/09 12:42:23.0750 1440 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
2011/09/09 12:42:24.0218 1440 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2011/09/09 12:42:24.0281 1440 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
2011/09/09 12:42:24.0343 1440 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2011/09/09 12:42:24.0671 1440 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2011/09/09 12:42:24.0734 1440 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2011/09/09 12:42:24.0828 1440 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2011/09/09 12:42:24.0890 1440 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2011/09/09 12:42:24.0968 1440 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2011/09/09 12:42:25.0062 1440 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2011/09/09 12:42:25.0125 1440 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
2011/09/09 12:42:25.0234 1440 RDPWD (fc105dd312ed64eb66bff111e8ec6eac) C:\WINDOWS\system32\drivers\RDPWD.sys
2011/09/09 12:42:25.0312 1440 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
2011/09/09 12:42:25.0484 1440 RT2500 (2c70c23787f8b500eccc5c1280b72e7c) C:\WINDOWS\system32\DRIVERS\RT2500.sys
2011/09/09 12:42:25.0671 1440 SASDIFSV (39763504067962108505bff25f024345) C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
2011/09/09 12:42:25.0703 1440 SASKUTIL (77b9fc20084b48408ad3e87570eb4a85) C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS
2011/09/09 12:42:25.0812 1440 SAVRT (916f1232167a090311950e6b87f1eab4) C:\WINDOWS\system32\Drivers\SAVRT.SYS
2011/09/09 12:42:25.0890 1440 SAVRTPEL (35f4d6f53fc698c1e00ac52cc8cd6f93) C:\WINDOWS\system32\Drivers\SAVRTPEL.SYS
2011/09/09 12:42:26.0046 1440 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2011/09/09 12:42:26.0171 1440 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
2011/09/09 12:42:26.0218 1440 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
2011/09/09 12:42:26.0328 1440 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
2011/09/09 12:42:26.0562 1440 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
2011/09/09 12:42:26.0656 1440 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
2011/09/09 12:42:26.0750 1440 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys
2011/09/09 12:42:26.0859 1440 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
2011/09/09 12:42:26.0953 1440 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
2011/09/09 12:42:27.0218 1440 SYMREDRV (7c73b65f1bdfab9052a5076c0ca622de) C:\WINDOWS\System32\Drivers\SYMREDRV.SYS
2011/09/09 12:42:27.0296 1440 SYMTDI (b4562798891dca27ed67ca07acbadbd9) C:\WINDOWS\System32\Drivers\SYMTDI.SYS
2011/09/09 12:42:27.0500 1440 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
2011/09/09 12:42:27.0656 1440 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2011/09/09 12:42:27.0718 1440 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
2011/09/09 12:42:27.0812 1440 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
2011/09/09 12:42:27.0937 1440 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
2011/09/09 12:42:28.0140 1440 uagp35 (d85938f272d1bcf3db3a31fc0a048928) C:\WINDOWS\system32\DRIVERS\uagp35.sys
2011/09/09 12:42:28.0218 1440 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
2011/09/09 12:42:28.0359 1440 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
2011/09/09 12:42:28.0468 1440 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2011/09/09 12:42:28.0546 1440 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2011/09/09 12:42:28.0671 1440 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
2011/09/09 12:42:28.0765 1440 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2011/09/09 12:42:28.0843 1440 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
2011/09/09 12:42:28.0937 1440 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
2011/09/09 12:42:29.0046 1440 viagfx (0cc705db634a3bc355887e3d478dd386) C:\WINDOWS\system32\DRIVERS\vtmini.sys
2011/09/09 12:42:29.0140 1440 ViaIde (3b3efcda263b8ac14fdf9cbdd0791b2e) C:\WINDOWS\system32\DRIVERS\viaide.sys
2011/09/09 12:42:29.0203 1440 viamraid (65864aba65eee06ea586009301834e43) C:\WINDOWS\system32\drivers\viamraid.sys
2011/09/09 12:42:29.0265 1440 VIAudio (676418770f7efd7342d19116f4b8911e) C:\WINDOWS\system32\drivers\vinyl97.sys
2011/09/09 12:42:29.0328 1440 VolSnap (53c441de56f051d05c768adf41fb078d) C:\WINDOWS\system32\drivers\VolSnap.sys
2011/09/09 12:42:29.0406 1440 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2011/09/09 12:42:29.0515 1440 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
2011/09/09 12:42:29.0812 1440 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
2011/09/09 12:42:29.0890 1440 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
2011/09/09 12:42:30.0015 1440 MBR (0x1B8) (6f9a1d528242bc09104b85e0becf5554) \Device\Harddisk0\DR0
2011/09/09 12:42:30.0031 1440 \Device\Harddisk0\DR0 - detected Rootkit.Boot.SST.a (0)
2011/09/09 12:42:30.0062 1440 MBR (0x1B8) (5fb38429d5d77768867c76dcbdb35194) \Device\Harddisk1\DR2
2011/09/09 12:42:30.0093 1440 Boot (0x1200) (fedee1f1c0711a0e1d027e6898b2c092) \Device\Harddisk0\DR0\Partition0
2011/09/09 12:42:30.0125 1440 Boot (0x1200) (0c4576a5e2c377f17196307151d00cf9) \Device\Harddisk1\DR2\Partition0
2011/09/09 12:42:30.0156 1440 ================================================================================
2011/09/09 12:42:30.0156 1440 Scan finished
2011/09/09 12:42:30.0156 1440 ================================================================================
2011/09/09 12:42:30.0187 1432 Detected object count: 1
2011/09/09 12:42:30.0187 1432 Actual detected object count: 1
2011/09/09 12:42:41.0359 1432 \Device\Harddisk0\DR0 (Rootkit.Boot.SST.a) - will be cured after reboot
2011/09/09 12:42:41.0359 1432 \Device\Harddisk0\DR0 - ok
2011/09/09 12:42:41.0359 1432 Rootkit.Boot.SST.a(\Device\Harddisk0\DR0) - User select action: Cure
2011/09/09 12:42:45.0203 1420 Deinitialize success

And the COMBOFIX log:

ComboFix 11-09-01.03 - LCSD 09/09/2011 13:35:13.3.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.447.130 [GMT -5:00]
Running from: c:\documents and settings\LCSD\Desktop\ComboFix.exe
AV: eTrust ITM *Enabled/Updated* {33EA71EA-56CF-40B5-A06B-BD3A27397C44}
AV: Norton AntiVirus *Disabled/Outdated* {B5510F6F-87E1-47F7-A411-360BC453007C}
.
- REDUCED FUNCTIONALITY MODE -
.
.
((((((((((((((((((((((((( Files Created from 2011-08-09 to 2011-09-09 )))))))))))))))))))))))))))))))
.
.
2011-09-08 14:38 . 2011-09-03 06:01 134104 ----a-w- c:\program files\Mozilla Firefox\components\browsercomps.dll
2011-09-08 14:38 . 2011-09-03 06:01 89048 ----a-w- c:\program files\Mozilla Firefox\libEGL.dll
2011-09-08 14:38 . 2011-09-03 06:01 785368 ----a-w- c:\program files\Mozilla Firefox\mozsqlite3.dll
2011-09-08 14:38 . 2011-09-03 06:01 719832 ----a-w- c:\program files\Mozilla Firefox\mozcpp19.dll
2011-09-08 14:38 . 2011-09-03 06:01 478168 ----a-w- c:\program files\Mozilla Firefox\libGLESv2.dll
2011-09-08 14:38 . 2011-09-03 06:01 1846232 ----a-w- c:\program files\Mozilla Firefox\mozjs.dll
2011-09-08 14:38 . 2011-09-03 06:01 16856 ----a-w- c:\program files\Mozilla Firefox\plugin-container.exe
2011-09-08 14:38 . 2011-09-03 06:01 15832 ----a-w- c:\program files\Mozilla Firefox\mozalloc.dll
2011-09-08 14:38 . 2011-09-02 23:26 2106216 ----a-w- c:\program files\Mozilla Firefox\D3DCompiler_43.dll
2011-09-08 14:38 . 2011-09-02 23:26 1998168 ----a-w- c:\program files\Mozilla Firefox\d3dx9_43.dll
2011-09-03 10:17 . 2011-09-03 10:17 599040 -c----w- c:\windows\system32\dllcache\crypt32.dll
2011-09-01 19:16 . 2011-09-01 19:16 -------- d-----w- c:\documents and settings\Administrator\Application Data\TeamViewer
2011-09-01 16:17 . 2011-09-01 16:17 -------- d-----w- c:\program files\7-Zip
2011-09-01 16:06 . 2011-09-01 16:06 -------- d-----w- c:\program files\TeamViewer
2011-08-31 19:07 . 2011-08-31 19:07 -------- d-----w- c:\program files\Trend Micro
2011-08-31 15:53 . 2011-08-31 15:53 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2011-08-31 15:51 . 2011-08-31 15:51 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Google
2011-08-31 15:36 . 2011-08-31 15:36 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2011-08-31 15:34 . 2011-08-31 15:34 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2011-08-31 15:33 . 2011-08-31 15:33 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2011-08-26 16:51 . 2011-08-26 16:52 -------- d-----w- c:\program files\SUPERAntiSpyware
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-09-03 10:17 . 2004-08-04 12:00 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-07-15 13:29 . 2004-08-04 12:00 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-07-08 14:02 . 2004-08-04 12:00 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys
2011-07-07 00:52 . 2011-05-16 13:11 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-07-07 00:52 . 2011-05-04 18:18 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-06-24 14:10 . 2005-05-26 14:25 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2011-06-23 18:36 . 2004-08-04 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2011-06-23 18:36 . 2004-08-04 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-06-23 18:36 . 2004-08-04 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-06-23 12:05 . 2004-08-04 12:00 385024 ----a-w- c:\windows\system32\html.iec
2011-06-20 17:44 . 2004-08-04 12:00 293376 ----a-w- c:\windows\system32\winsrv.dll
2011-09-03 06:01 . 2011-09-08 14:38 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-01-16 39408]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2011-08-12 4603264]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"AutoLaunch"="c:\program files\Lavasoft\Ad-Aware\AutoLaunch.exe" [2011-06-10 669936]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AudioDeck"="c:\program files\VIAudioi\SBADeck\ADeck.exe" [2004-06-24 7932416]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2011-06-10 528832]
"HPUsageTracking"="c:\program files\HP\HP UT\bin\hppusg.exe" [2008-05-07 36864]
"Realtime Monitor"="c:\program files\CA\eTrustITM\realmon.exe" [2008-02-08 407368]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\FlashUtil10d.exe" [2009-10-28 257440]
"AutoLaunch"="c:\program files\Lavasoft\Ad-Aware\AutoLaunch.exe" [2011-06-10 669936]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
DataVault Online Backup Tray Control.lnk - c:\program files\DataVault\DataVault DataVault Online Backup\DVCtrl.exe [2010-7-16 191624]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2011-05-04 17:54 551296 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-01-12 04:16 39792 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AudioDeck]
2004-06-24 02:28 7932416 ----a-w- c:\program files\VIAudioi\SBADeck\ADeck.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]
2005-01-03 16:41 1385472 ----a-w- c:\program files\Ahead\InCD\InCD.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2006-06-14 21:24 278528 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LanguageMonitor]
2004-01-09 21:28 94208 ----a-w- c:\windows\system32\Oplmsb01.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ------w- c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 15:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
2003-11-01 00:42 32768 ----a-w- c:\program files\CyberLink\PowerDVD\PDVDServ.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-03-04 16:12 148888 ----a-w- c:\program files\Java\jre6\bin\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2009-01-16 17:50 39408 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
2006-10-19 02:05 204288 ------w- c:\program files\Windows Media Player\wmpnscfg.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\CA\\eTrustITM\\InoRpc.exe"=
"c:\\Program Files\\CA\\eTrustITM\\Realmon.exe"=
"c:\\Program Files\\CA\\eTrustITM\\Shellscn.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\CA\\SharedComponents\\iTechnology\\igateway.exe"=
"c:\\Program Files\\CA\\eTrustITM\\Apache\\bin\\Apache.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Microsoft Office\\ART\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\TeamViewer\\Version5\\TeamViewer.exe"=
"c:\\Program Files\\TeamViewer\\Version5\\TeamViewer_Service.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)
.
R2 ApacheContentServer;Apache Content Server;c:\program files\CA\eTrustITM\Apache\Bin\Apache.exe [2007-08-20 13824]
R2 gupdate1ca0643d5da7ae2;Google Update Service (gupdate1ca0643d5da7ae2);c:\program files\Google\Update\GoogleUpdate.exe [2009-07-16 133104]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2011-06-10 1036104]
R2 NProtectService;Norton Unerase Protection;c:\program files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE [x]
R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2009-07-16 133104]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [2009-06-19 64160]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2011-07-22 12880]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2011-07-12 67664]
S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE.EXE [2011-08-11 116608]
S2 Alert Notification Server;Alert Notification Server;c:\program files\CA\SharedComponents\Alert\ALERT.EXE [2008-02-08 214928]
S2 ApacheTomcatApplicationServer;Apache Tomcat Application Server;c:\program files\CA\SharedComponents\ThirdParty\Tomcat\5.5\Bin\Tomcat5.exe [2007-08-20 102400]
S2 DVService;DataVault DataVault Online Backup Backup/Copy Engine;c:\program files\DataVault\DataVault DataVault Online Backup\DVService.exe [2010-07-16 265352]
S2 InoNmSrv;eTrust ITM Server Service;c:\program files\CA\eTrustITM\InoNmSrv.exe [2010-10-28 278528]
S2 InoWeb;eTrust ITM Web Access Service;c:\program files\CA\eTrustITM\inoweb.exe [2010-10-28 282624]
S2 TeamViewer5;TeamViewer 5;c:\program files\TeamViewer\Version5\TeamViewer_Service.exe [2011-03-17 2025336]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder
.
2011-09-09 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 13:12]
.
2011-09-09 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-03-12 18:31]
.
2011-09-09 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-07-16 18:32]
.
2011-09-09 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-07-16 18:32]
.
.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = iexplore
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\ART\Office12\EXCEL.EXE/3000
Trusted Zone: cleverreach.com\novastor
Trusted Zone: google-analytics.com
Trusted Zone: msn.com\www
Trusted Zone: novastor.com
TCP: DhcpNameServer = 192.168.10.1
DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} - hxxp://72.215.137.100:60110/activex/AMC.cab
FF - ProfilePath - c:\documents and settings\LCSD\Application Data\Mozilla\Firefox\Profiles\dm7a1zl4.default\
FF - prefs.js: browser.search.selectedEngine - Ask
FF - prefs.js: browser.startup.homepage - hxxp://www.ask.com/?o=20011&l=dis
FF - prefs.js: keyword.URL - hxxp://toolbar.ask.com/toolbarv/askRedirect?o=20008&gct=&gc=1&q=
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-09-09 13:42
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\.DEFAULT\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,b0,27,22,ab,a5,b2,05,42,96,5b,55,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,b0,27,22,ab,a5,b2,05,42,96,5b,55,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(656)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
c:\program files\CA\SharedComponents\PPRealtime\bin\CACheck.dll
c:\program files\CA\SharedComponents\PPRealtime\bin\CAHook.dll
c:\program files\CA\SharedComponents\PPRealtime\bin\CAServer.dll
.
- - - - - - - > 'explorer.exe'(756)
c:\windows\system32\WININET.dll
c:\program files\CA\SharedComponents\PPRealtime\bin\CACheck.dll
c:\program files\CA\SharedComponents\PPRealtime\bin\CAHook.dll
c:\program files\CA\SharedComponents\PPRealtime\bin\CAServer.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Ahead\InCD\InCDsrv.exe
c:\program files\CA\SharedComponents\iTechnology\igateway.exe
c:\program files\CA\eTrustITM\InoRpc.exe
c:\program files\CA\eTrustITM\InoRT.exe
c:\program files\CA\eTrustITM\InoTask.exe
c:\program files\CA\SharedComponents\PPRealtime\bin\ITMRTSVC.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Windows Media Player\WMPNetwk.exe
c:\program files\TeamViewer\Version5\TeamViewer.exe
c:\windows\system32\taskmgr.exe
.
**************************************************************************
.
Completion time: 2011-09-09 14:00:03 - machine was rebooted
ComboFix-quarantined-files.txt 2011-09-09 18:59
ComboFix2.txt 2011-09-01 20:50
ComboFix3.txt 2011-05-16 13:54
.
Pre-Run: 101,798,944,768 bytes free
Post-Run: 101,876,535,296 bytes free
.
- - End Of File - - 2690E69DC83778CBE2C261576E5368C2

**************

Thanks! CG

ken545
2011-09-09, 22:17
OK, thanks. For some reason Combofix ran in reduced mode, this is what you need to do, drag Combofix to the trash and download a fresh copy and run a new scan, post the log please.

Download ComboFix from one of these locations:

Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)


* IMPORTANT !!! Save ComboFix.exe to your Desktop


Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
See this Link (http://www.bleepingcomputer.com/forums/topic114351.html) for programs that need to be disabled and instruction on how to disable them.
Remember to re-enable them when we're done.


Double click on ComboFix.exe & follow the prompts.


As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.


Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.



http://img.photobucket.com/albums/v706/ried7/RC1.png


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

http://img.photobucket.com/albums/v706/ried7/RC2-1.png

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

*If there is no internet connection when Combofix has completely finished then restart your computer to restore back the connections.

The1930sRust
2011-09-10, 19:40
Ken:

I followed the steps. Here is the new log:

ComboFix 11-09-10.02 - LCSD 09/10/2011 11:19:04.4.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.447.230 [GMT -5:00]
Running from: c:\documents and settings\LCSD\Desktop\ComboFix.exe
AV: eTrust ITM *Enabled/Updated* {33EA71EA-56CF-40B5-A06B-BD3A27397C44}
AV: Norton AntiVirus *Disabled/Outdated* {B5510F6F-87E1-47F7-A411-360BC453007C}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\windows\offitems.log
.
.
((((((((((((((((((((((((( Files Created from 2011-08-10 to 2011-09-10 )))))))))))))))))))))))))))))))
.
.
2011-09-08 14:38 . 2011-09-03 06:01 134104 ----a-w- c:\program files\Mozilla Firefox\components\browsercomps.dll
2011-09-08 14:38 . 2011-09-03 06:01 89048 ----a-w- c:\program files\Mozilla Firefox\libEGL.dll
2011-09-08 14:38 . 2011-09-03 06:01 785368 ----a-w- c:\program files\Mozilla Firefox\mozsqlite3.dll
2011-09-08 14:38 . 2011-09-03 06:01 719832 ----a-w- c:\program files\Mozilla Firefox\mozcpp19.dll
2011-09-08 14:38 . 2011-09-03 06:01 478168 ----a-w- c:\program files\Mozilla Firefox\libGLESv2.dll
2011-09-08 14:38 . 2011-09-03 06:01 1846232 ----a-w- c:\program files\Mozilla Firefox\mozjs.dll
2011-09-08 14:38 . 2011-09-03 06:01 16856 ----a-w- c:\program files\Mozilla Firefox\plugin-container.exe
2011-09-08 14:38 . 2011-09-03 06:01 15832 ----a-w- c:\program files\Mozilla Firefox\mozalloc.dll
2011-09-08 14:38 . 2011-09-02 23:26 2106216 ----a-w- c:\program files\Mozilla Firefox\D3DCompiler_43.dll
2011-09-08 14:38 . 2011-09-02 23:26 1998168 ----a-w- c:\program files\Mozilla Firefox\d3dx9_43.dll
2011-09-03 10:17 . 2011-09-03 10:17 599040 -c----w- c:\windows\system32\dllcache\crypt32.dll
2011-09-01 19:16 . 2011-09-01 19:16 -------- d-----w- c:\documents and settings\Administrator\Application Data\TeamViewer
2011-09-01 16:17 . 2011-09-01 16:17 -------- d-----w- c:\program files\7-Zip
2011-09-01 16:06 . 2011-09-01 16:06 -------- d-----w- c:\program files\TeamViewer
2011-08-31 19:07 . 2011-08-31 19:07 -------- d-----w- c:\program files\Trend Micro
2011-08-31 15:53 . 2011-08-31 15:53 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2011-08-31 15:51 . 2011-08-31 15:51 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\Google
2011-08-31 15:36 . 2011-08-31 15:36 -------- d-----w- c:\documents and settings\Administrator\Application Data\SUPERAntiSpyware.com
2011-08-31 15:34 . 2011-08-31 15:34 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2011-08-31 15:33 . 2011-08-31 15:33 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
2011-08-26 16:51 . 2011-08-26 16:52 -------- d-----w- c:\program files\SUPERAntiSpyware
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-09-03 10:17 . 2004-08-04 12:00 599040 ----a-w- c:\windows\system32\crypt32.dll
2011-07-15 13:29 . 2004-08-04 12:00 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-07-08 14:02 . 2004-08-04 12:00 10496 ----a-w- c:\windows\system32\drivers\ndistapi.sys
2011-07-07 00:52 . 2011-05-16 13:11 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-07-07 00:52 . 2011-05-04 18:18 41272 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-06-24 14:10 . 2005-05-26 14:25 139656 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2011-06-23 18:36 . 2004-08-04 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2011-06-23 18:36 . 2004-08-04 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-06-23 18:36 . 2004-08-04 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-06-23 12:05 . 2004-08-04 12:00 385024 ----a-w- c:\windows\system32\html.iec
2011-06-20 17:44 . 2004-08-04 12:00 293376 ----a-w- c:\windows\system32\winsrv.dll
2011-09-03 06:01 . 2011-09-08 14:38 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2011-09-01_20.36.18 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-09-09 18:39 . 2011-09-09 18:39 16384 c:\windows\temp\Perflib_Perfdata_ed8.dat
+ 2011-09-09 05:28 . 2011-09-09 05:28 22016 c:\windows\Installer\2dc04ed.msi
+ 2005-05-26 14:35 . 2011-09-09 18:44 4030464 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2005-05-26 14:35 . 2011-09-01 15:45 4030464 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2005-05-26 14:35 . 2011-09-09 18:44 1097728 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2005-05-26 14:35 . 2011-09-01 15:45 1097728 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-01-16 39408]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2011-08-12 4603264]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AudioDeck"="c:\program files\VIAudioi\SBADeck\ADeck.exe" [2004-06-24 7932416]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2011-06-10 528832]
"HPUsageTracking"="c:\program files\HP\HP UT\bin\hppusg.exe" [2008-05-07 36864]
"Realtime Monitor"="c:\program files\CA\eTrustITM\realmon.exe" [2008-02-08 407368]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\FlashUtil10d.exe" [2009-10-28 257440]
"AutoLaunch"="c:\program files\Lavasoft\Ad-Aware\AutoLaunch.exe" [2011-06-10 669936]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
DataVault Online Backup Tray Control.lnk - c:\program files\DataVault\DataVault DataVault Online Backup\DVCtrl.exe [2010-7-16 191624]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2011-05-04 17:54 551296 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2008-01-12 04:16 39792 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AudioDeck]
2004-06-24 02:28 7932416 ----a-w- c:\program files\VIAudioi\SBADeck\ADeck.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 00:12 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]
2005-01-03 16:41 1385472 ----a-w- c:\program files\Ahead\InCD\InCD.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2006-06-14 21:24 278528 ----a-w- c:\program files\iTunes\iTunesHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LanguageMonitor]
2004-01-09 21:28 94208 ----a-w- c:\windows\system32\Oplmsb01.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ------w- c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 15:50 155648 ----a-w- c:\windows\system32\NeroCheck.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
2003-11-01 00:42 32768 ----a-w- c:\program files\CyberLink\PowerDVD\PDVDServ.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-03-04 16:12 148888 ----a-w- c:\program files\Java\jre6\bin\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
2009-01-16 17:50 39408 ----a-w- c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
2006-10-19 02:05 204288 ------w- c:\program files\Windows Media Player\wmpnscfg.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ComputerAssociatesAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"DisableNotifications"= 1 (0x1)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\CA\\eTrustITM\\InoRpc.exe"=
"c:\\Program Files\\CA\\eTrustITM\\Realmon.exe"=
"c:\\Program Files\\CA\\eTrustITM\\Shellscn.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\CA\\SharedComponents\\iTechnology\\igateway.exe"=
"c:\\Program Files\\CA\\eTrustITM\\Apache\\bin\\Apache.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Microsoft Office\\ART\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\TeamViewer\\Version5\\TeamViewer.exe"=
"c:\\Program Files\\TeamViewer\\Version5\\TeamViewer_Service.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)
.
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [6/19/2009 10:24 AM 64160]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [7/22/2011 11:27 AM 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [7/12/2011 4:55 PM 67664]
R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCore.exe [8/11/2011 6:38 PM 116608]
R2 ApacheTomcatApplicationServer;Apache Tomcat Application Server;c:\program files\CA\SharedComponents\ThirdParty\Tomcat\5.5\bin\tomcat5.exe [8/20/2007 4:54 PM 102400]
R2 DVService;DataVault DataVault Online Backup Backup/Copy Engine;c:\program files\DataVault\DataVault DataVault Online Backup\DVService.exe [7/16/2010 1:36 PM 265352]
R2 InoNmSrv;eTrust ITM Server Service;c:\program files\CA\eTrustITM\InoNmSrv.exe [2/8/2008 5:58 PM 278528]
R2 InoWeb;eTrust ITM Web Access Service;c:\program files\CA\eTrustITM\InoWeb.exe [2/8/2008 5:58 PM 282624]
R2 TeamViewer5;TeamViewer 5;c:\program files\TeamViewer\Version5\TeamViewer_Service.exe [9/1/2011 11:06 AM 2025336]
S2 Alert Notification Server;Alert Notification Server;c:\program files\CA\SharedComponents\Alert\alert.exe [10/28/2010 9:41 AM 214928]
S2 ApacheContentServer;Apache Content Server;c:\program files\CA\eTrustITM\Apache\bin\Apache.exe [8/20/2007 4:53 PM 13824]
S2 gupdate1ca0643d5da7ae2;Google Update Service (gupdate1ca0643d5da7ae2);c:\program files\Google\Update\GoogleUpdate.exe [7/16/2009 1:32 PM 133104]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [3/9/2009 2:06 PM 1036104]
S2 NProtectService;Norton Unerase Protection;"c:\program files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE" --> c:\program files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE [?]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [7/16/2009 1:32 PM 133104]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder
.
2011-09-09 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 13:12]
.
2011-09-10 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-03-12 18:31]
.
2011-09-10 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-07-16 18:32]
.
2011-09-10 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-07-16 18:32]
.
.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = iexplore
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\ART\Office12\EXCEL.EXE/3000
Trusted Zone: cleverreach.com\novastor
Trusted Zone: google-analytics.com
Trusted Zone: msn.com\www
Trusted Zone: novastor.com
TCP: DhcpNameServer = 192.168.10.1
DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} - hxxp://72.215.137.100:60110/activex/AMC.cab
FF - ProfilePath - c:\documents and settings\LCSD\Application Data\Mozilla\Firefox\Profiles\dm7a1zl4.default\
FF - prefs.js: browser.search.selectedEngine - Ask
FF - prefs.js: browser.startup.homepage - hxxp://www.ask.com/?o=20011&l=dis
FF - prefs.js: keyword.URL - hxxp://toolbar.ask.com/toolbarv/askRedirect?o=20008&gct=&gc=1&q=
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-09-10 11:31
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\.DEFAULT\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,b0,27,22,ab,a5,b2,05,42,96,5b,55,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,b0,27,22,ab,a5,b2,05,42,96,5b,55,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(656)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
c:\program files\CA\SharedComponents\PPRealtime\bin\CACheck.dll
c:\program files\CA\SharedComponents\PPRealtime\bin\CAHook.dll
c:\program files\CA\SharedComponents\PPRealtime\bin\CAServer.dll
.
Completion time: 2011-09-10 11:38:01
ComboFix-quarantined-files.txt 2011-09-10 16:37
ComboFix2.txt 2011-09-09 19:00
ComboFix3.txt 2011-09-01 20:50
ComboFix4.txt 2011-05-16 13:54
.
Pre-Run: 101,853,052,928 bytes free
Post-Run: 101,828,907,008 bytes free
.
- - End Of File - - E07F89464E4B429DBC19AD2139EF7B41

The1930sRust
2011-09-10, 19:41
I should add the the eTrust antivirus WAS disable before clicking OK on the second warning...

ken545
2011-09-10, 20:17
Great, thank you,

now lets see if you can run aswMBR, why dont you do the same thing as with Combofix, drag it to the trash and download a fresh copy

Download aswMBR.exe (http://public.avast.com/~gmerek/aswMBR.exe) ( 511KB ) to your desktop.

Double click the aswMBR.exe to run it

Click the "Scan" button to start scan
http://public.avast.com/~gmerek/aswMBR1.png

On completion of the scan click save log, save it to your desktop and post in your next reply
http://public.avast.com/~gmerek/aswMBR2.png

The1930sRust
2011-09-13, 16:50
Stand by...

The1930sRust
2011-09-13, 18:41
OK, here goes...
******

aswMBR version 0.9.8.986 Copyright(c) 2011 AVAST Software
Run date: 2011-09-13 08:47:46
-----------------------------
08:47:46.906 OS Version: Windows 5.1.2600 Service Pack 3
08:47:46.906 Number of processors: 1 586 0xA00
08:47:46.906 ComputerName: MAINSERVER UserName: LCSD
08:47:49.781 Initialize success
08:53:20.312 AVAST engine defs: 11091301
09:03:53.687 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Scsi\viamraid1Port2Path0Target0Lun0
09:03:53.718 Disk 0 Vendor: WDC_WD12 08.0 Size: 114473MB BusType: 1
09:03:53.734 Device \Driver\viamraid -> DriverStartIo SCSIPORT.SYS f75c740e
09:03:53.750 Disk 0 MBR read successfully
09:03:53.765 Disk 0 MBR scan
09:03:53.906 Disk 0 Windows XP default MBR code
09:03:53.953 Disk 0 scanning sectors +234420480
09:03:54.093 Disk 0 scanning C:\WINDOWS\system32\drivers
09:04:22.437 Service scanning
09:04:25.625 Service GMSIPCI D:\INSTALL\GMSIPCI.SYS **LOCKED** 21
09:04:28.250 Modules scanning
09:04:32.921 Disk 0 trace - called modules:
09:04:32.921 ntoskrnl.exe CLASSPNP.SYS disk.sys SCSIPORT.SYS hal.dll viamraid.sys
09:04:32.937 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x84f9b7a8]
09:04:32.937 3 CLASSPNP.SYS[f76ebfd7] -> nt!IofCallDriver -> \Device\Scsi\viamraid1Port2Path0Target0Lun0[0x84f9a030]
09:04:34.640 AVAST engine scan C:\WINDOWS
09:05:21.859 AVAST engine scan C:\WINDOWS\system32
09:09:28.953 AVAST engine scan C:\WINDOWS\system32\drivers
09:09:55.015 AVAST engine scan C:\Documents and Settings\LCSD
09:21:40.515 AVAST engine scan C:\Documents and Settings\All Users
09:26:56.656 Scan finished successfully
10:39:16.218 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\LCSD\Desktop\MBR.dat"
10:39:16.343 The log file has been saved successfully to "C:\Documents and Settings\LCSD\Desktop\aswMBR.txt"

ken545
2011-09-13, 19:15
Great, looks like its gone, but we need to check further. Run Malwarebytes and in the meantime I need to look over your Combofix log

Please download Malwarebytes from Here (http://www.malwarebytes.org/mbam-download.php) or Here (http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html)


Double-click mbam-setup.exe and follow the prompts to install the program.
At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select Perform quick scan, then click Scan.
http://i24.photobucket.com/albums/c30/ken545/MBAMCapture.jpg
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected .
When completed, a log will open in Notepad. Please save it to a convenient location and post the results.
Note: If you receive a notice that some of the items couldn't be removed, that they have been added to the delete on reboot list, please reboot.
Post the report please

The1930sRust
2011-09-14, 22:20
Here it is!

Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 7716

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

9/14/2011 2:19:03 PM
mbam-log-2011-09-14 (14-19-03).txt

Scan type: Quick scan
Objects scanned: 225463
Time elapsed: 13 minute(s), 28 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

ken545
2011-09-14, 23:41
Wonderful, how are things running now ?

The1930sRust
2011-09-15, 18:32
Absolutely perfectly! We cannot thank you enough. I did not actually cause this infection. Smeone was browsing a fatnasy football site, when sudenly he got a BSOD. Upon reboot, we had the rediect. Can you refresh my memory as to exactly what it is called and how it hapened? We run ativirus this and that, but got us!

CG

The1930sRust
2011-09-15, 18:36
Geewhiz! Sorry about the typos. Got distracted by the boss when replying...

CG


Absolutely perfectly! We cannot thank you enough. I did not actually cause this infection. Smeone was browsing a fatnasy football site, when sudenly he got a BSOD. Upon reboot, we had the rediect. Can you refresh my memory as to exactly what it is called and how it hapened? We run ativirus this and that, but got us!

CG

ken545
2011-09-15, 19:14
You somewhat got a double whammy, you where infected with a Rootkit and possibly a Bootkit. Antivirus cant block these things. Are you still gettnig adds thru the speakers or has that stopped ?