help needed with possible win32.ih, w3 iq5



mjd59
2012-03-17, 06:36
I have been trying to identify and kill a virus on my laptop for about a week now; nothing I do seems to work. Just as you think you're winning, I take a step back. Access denied in RKill, and I think it is updating itself instead of my security patches. Cannot download the DDS log. Please help!!!

shelf life
2012-03-19, 02:13
hi mjd59,

Ok, since we have to start somewhere: if you have Malwarebytes installed, try updating it first then do a scan, but most likely you already did this. If you can't run it normally because of the malware tricks, then you can boot into safe mode. To reach safe mode you would tap the F8 key during a computer restart, choose the first option from the list: safe mode. Log into your account and run MBAM.

If you dont have it installed:

Please download the free version of Malwarebytes (http://www.malwarebytes.org/mbam.php) to your desktop.

Double-click mbam-setup.exe and follow the prompts to install the program.

Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.

If an update is found, it will download and install the latest version.

Once the program has loaded, select Perform FULL SCAN, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.

Be sure that everything is checked, and click *Remove Selected.*

*A restart of your computer may be required to remove some items. If prompted please restart your computer to complete the fix.*

When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt
Post the log in your reply.

Try running it normally or in safe mode as described above.

Are you having browser re-direction?

mjd59
2012-03-19, 20:43
Yes, I was having redirection. Will do the scan and save it. I also suspect my desktop is infected as the modem has changed some settings! Also the Babylon toolbar sometimes appears.

shelf life
2012-03-20, 04:27
Until your machine is clean you really shouldn't be using it other than to download and run the scans.
In fact, when not in use make sure it has no network connectivity. If you're not sure how to do that then just power it off.

You can get another download to use. If you can't get to certain websites you can download the software to a USB flash drive from another machine, if that's possible, then transfer it to the compromised one to run.

Please download TDSS Killer.exe (http://support.kaspersky.com/downloads/utils/tdsskiller.exe) and save it to your desktop
Double click to launch the utility. After it initializes click the start scan button.

Once the scan completes you can click the continue button.

"The utility will automatically select an action (Cure or Delete) for known malcious objects. A suspicious object will be skipped by default."

"After clicking Next, the utility applies selected actions and outputs the result."

"A reboot might require after disinfection."

A report will be found in your Root drive Local Disk (C) as: TDSSKiller.2.7.9.0_05.02.2012_17.32.21_log (name, version#, date, time)

mjd59
2012-03-20, 19:48
Ok, I downloaded a new MBAM, scanned, nothing found, saved log.
Could not download TDSSKiller but had an early version on my desktop which at first would not run [could not find driver]. Not sure, but on default mode it found nothing. With the TDLFS files ticked it found 2 files on hard disk TDSS, which I quarantined. With everything ticked, 21 problems; I did not have any options and all were marked to be skipped. As I scrolled down, the page was moving so slow and I am thinking the program is infected. Anyway, all problems were quarantined and then Microsoft Security came up with a problem that needs cleaning, Alureon-CT. I did have an Alureon virus about a year ago which was cleaned by Microsoft Security. I am also finding files are starting to appear all over the place. Please, what next steps would you want me to implement, and thanks for your help so far.

shelf life
2012-03-20, 23:48
TDSSKiller should prompt you to check for updates before it runs. I don't know how old your version is but running the updated version would be best.
Could you get the latest TDSSKiller from another machine using a USB drive to transfer the file? Also go ahead and run the version you have in safe mode before you do anything. To reach safe mode you would tap the F8 key during a computer restart, choose the first option from the list: safe mode, log into your usual account. After you run TDSSKiller in safe mode, just restart like you normally would to get back to your desktop.

We will get another download also; it requires you to read a guide first. You can do this on another machine if you have to. I will assume you're not running a 64-bit version of XP. ComboFix won't run on a 64-bit XP machine.
If you manage to download it and it gives problems when running you can also run it in safe mode.
Again, no network connectivity except to grab the files; disconnect and run the scans.

Guide to using Combofix (http://www.bleepingcomputer.com/combofix/how-to-use-combofix)

mjd59
2012-03-21, 20:46
TDSSKiller found 21 threats, mainly unsigned files, which I went through and put to quarantine [sorry about spelling]. ComboFix ran; at first it could not find a file and had to download a restore file from Microsoft. I ran TDSS again and it came up with the same files, so this time I deleted the ones I thought were not needed, rebooted and ran again; it came up with 5 files. Also ran ComboFix afterwards; had to run ComboFix in safe mode as before. It saved the log in normal mode, an error screen appeared for a second, then the computer shut down. Had to do a system restore before I could run programs to get an internet connection.

shelf life
2012-03-22, 04:39
Did you manage to update TDSSKiller? Can you post its log? Try downloading and running DDS now also. Take a look in your root drive C:\ for a combofix.txt file.
If it's there please copy/paste it in your reply along with the TDSSKiller log and a DDS log if you can manage to get it downloaded.

mjd59
2012-03-22, 19:14
Here are the logs of ComboFix, TDSSKiller and DDS.


DDS


DDS (Ver_2011-08-26.01) - FAT32x86
Internet Explorer: 8.0.6001.18702
Run by MICK at 19:39:11 on 2012-03-22
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.314 [GMT 11:00]
.
AV: PC Cleaner Pro *Disabled/Updated* {737A8864-C2D9-4337-B49A-B5E35815B9BB}
AV: Microsoft Security Essentials *Enabled/Outdated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
SVCHOST.EXE
C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
SVCHOST.EXE
SVCHOST.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\Acer\Empowering Technology\admServ.exe
SVCHOST.EXE
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Spybot - Search & Destroy 2\SDFSSvc.exe
C:\WINDOWS\System32\snmp.exe
SVCHOST.EXE
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\mqsvc.exe
C:\Program Files\Spybot - Search & Destroy 2\SDUpdSvc.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Spybot - Search & Destroy 2\SDTray.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Microsoft Security Client\msseces.exe
C:\PROGRA~1\LAUNCH~1\LManager.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Acer\Empowering Technology\eRecovery\Monitor.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\igfxext.exe
C:\Acer\Empowering Technology\admtray.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
C:\Program Files\SysShield Tools\Internet Eraser\cseraser.exe
C:\DOCUME~1\MICK\LOCALS~1\Temp\RtkBtMnt.exe
C:\WINDOWS\system32\ctfmon.exe
.
============== Pseudo HJT Report ===============
.
uSearchMigratedDefaultUrl = hxxp://www.mywebsearch.com/jsp/cfg_redir2.jsp?id=ZKxdm021YYAU&fl=0&ptb=d2pABN5CKpHB4S6_WXKxbQ&url=http://edits.mywebsearch.com/toolbaredits/barsearch.jhtml&st=sb&searchfor={searchTerms}
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = hxxp://www.homecallbroadband.com/customer/
uURLSearchHooks: H - No File
BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: KeyScramblerBHO Class: {2b9f5787-88a5-4945-90e7-c4b18563bc5e} - c:\program files\keyscrambler\KeyScramblerIE.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy 2\SDHelper.dll
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: PopKiller Class: {9a23b8a4-c6c9-4a68-8fa6-5f905dc8ff80} - c:\program files\sysshield tools\internet eraser\pkext.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.7227.1100\swg.dll
TB: Acer eDataSecurity Management: {5cbe3b7c-1e47-477e-a7dd-396db0476e29} - c:\windows\system32\eDStoolbar.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
TB: AbsoluteShield: {ee9dd090-902d-4623-9360-fb7d8666202b} - c:\program files\sysshield tools\internet eraser\AbsoluteBar.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No File
TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
TB: {56CF4856-ECB4-4E46-A897-A378821F97B9} - No File
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [Spybot-S&D Cleaning] "c:\program files\spybot - search & destroy 2\SDCleaner.exe" /autoclean
mRun: [SkyTel] SkyTel.EXE
mRun: [SDTray] "c:\program files\spybot - search & destroy 2\SDTray.exe"
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [REGSHAVE] c:\program files\regshave\REGSHAVE.EXE /AUTORUN
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [ntiMUI] c:\program files\newtech infosystems\nti cd & dvd-maker 7\ntiMUI.exe
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [MsmqIntCert] regsvr32 /s mqrt.dll
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [LVCOMSX] c:\windows\system32\LVCOMSX.EXE
mRun: [LogitechVideoTray] c:\program files\logitech\video\LogiTray.exe
mRun: [LogitechVideoRepair] c:\program files\logitech\video\ISStart.exe
mRun: [LManager] c:\progra~1\launch~1\LManager.exe
mRun: [LaunchApp] Alaunch
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [bgsmsnd.exe] c:\windows\system32\bgsmsnd.exe
mRun: [AzMixerSel] c:\program files\realtek\installshield\AzMixerSel.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [ADMTray.exe] "c:\acer\empowering technology\admtray.exe"
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
StartupFolder: c:\docume~1\mick\startm~1\programs\startup\wkcalrem.lnk - c:\program files\common files\microsoft shared\works shared\WkCalRem.exe
StartupFolder: c:\docume~1\mick\startm~1\programs\startup\absolu~1.lnk - c:\program files\sysshield tools\internet eraser\cseraser.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\autoru~1\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {5C106A59-CC3C-4caa-81A4-6D909B5ACE23} - {B745F984-EF2E-40D6-A9AC-D8CED7230E61} - c:\program files\keyscrambler\KeyScramblerIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy 2\SDHelper.dll
Trusted Zone: mcafee.com\www
Trusted Zone: swingingheaven.co.uk
Trusted Zone: swingingheaven.co.uk\www
Trusted Zone: swingingheaven.co.uk\www.photos
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\yinsthelper.dll
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab
DPF: {54D53429-945C-4188-B460-C81356541882} - hxxp://photosmart.hpphoto.com/Download/HPeServicesLocalPrint.CAB
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} - hxxp://www.superadblocker.com/activex/sabspx.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} - hxxp://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} - hxxp://gfx2.hotmail.com/mail/w4/pr01/photouploadcontrol/MSNPUpld.cab
DPF: {F7EDBBEA-1AD2-4EBF-AA07-D453CC29EE65} - hxxps://plugins.valueactive.eu/flashax/iefax.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: igfxcui - igfxdev.dll
Notify: SDWinLogon - SDWinLogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
.
============= SERVICES / DRIVERS ===============
.
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-3-25 165648]
R1 MpKsl1ee285c0;MpKsl1ee285c0;c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{b0a700c1-073d-4f02-b5f6-5c6810276e22}\MpKsl1ee285c0.sys [2012-3-22 28752]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2011-7-23 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2011-7-13 67664]
R2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCore.exe [2011-8-12 116608]
R2 AWService;AdminWorks Agent X6;c:\acer\empowering technology\admServ.exe [2005-10-24 1314816]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2012-1-17 652360]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
R2 SDScannerService;Spybot-S&D 2 Scanner Service;c:\program files\spybot - search & destroy 2\SDFSSvc.exe [2012-3-15 1181104]
R2 SDUpdateService;Spybot-S&D 2 Updating Service;c:\program files\spybot - search & destroy 2\SDUpdSvc.exe [2012-3-15 1185704]
R3 KeyScrambler;KeyScrambler;c:\windows\system32\drivers\keyscrambler.sys [2012-2-27 173880]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-3-4 20464]
S1 MpKsl53772ca5;MpKsl53772ca5;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{2a475bb5-88e9-45df-bb9a-44f8a897b491}\mpksl53772ca5.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{2a475bb5-88e9-45df-bb9a-44f8a897b491}\MpKsl53772ca5.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 FsUsbExService;FsUsbExService;c:\windows\system32\FsUsbExService.Exe [2012-2-26 217088]
S3 cpuz132;cpuz132;\??\c:\docume~1\mick\locals~1\temp\cpuz132\cpuz132_x32.sys --> c:\docume~1\mick\locals~1\temp\cpuz132\cpuz132_x32.sys [?]
S3 dgderdrv;dgderdrv;c:\windows\system32\drivers\dgderdrv.sys [2012-2-26 20032]
S3 ew_hwusbdev;Huawei MobileBroadband USB PNP Device;c:\windows\system32\drivers\ew_hwusbdev.sys --> c:\windows\system32\drivers\ew_hwusbdev.sys [?]
S3 ewusbnet;HUAWEI USB-NDIS miniport;c:\windows\system32\drivers\ewusbnet.sys --> c:\windows\system32\drivers\ewusbnet.sys [?]
S3 FsUsbExDisk;FsUsbExDisk;\??\c:\windows\system32\fsusbexdisk.sys --> c:\windows\system32\FsUsbExDisk.SYS [?]
S3 huawei_enumerator;huawei_enumerator;c:\windows\system32\drivers\ew_jubusenum.sys --> c:\windows\system32\drivers\ew_jubusenum.sys [?]
S3 lv321av;Logitech USB PC Camera (VC0321);c:\windows\system32\drivers\lv321av.sys --> c:\windows\system32\drivers\lv321av.sys [?]
S3 mbamchameleon;mbamchameleon;c:\windows\system32\drivers\mbamchameleon.sys [2012-3-7 24064]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\908.tmp --> c:\windows\system32\908.tmp [?]
S3 nosGetPlusHelper;getPlus(R) Helper 3004;c:\windows\system32\svchost.exe -k nosGetPlusHelper [2004-8-10 14336]
S3 ssadbus;SAMSUNG Android USB Composite Device driver (WDM);c:\windows\system32\drivers\ssadbus.sys [2012-2-26 121064]
S3 ssadmdfl;SAMSUNG Android USB Modem (Filter);c:\windows\system32\drivers\ssadmdfl.sys [2012-2-26 12776]
S3 ssadmdm;SAMSUNG Android USB Modem Drivers;c:\windows\system32\drivers\ssadmdm.sys [2012-2-26 136808]
S3 ssadserd;SAMSUNG Android USB Diagnostic Serial Port (WDM);c:\windows\system32\drivers\ssadserd.sys [2012-2-26 114280]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2004-8-10 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S4 androidusb;SAMSUNG Android Composite ADB Interface Driver;c:\windows\system32\drivers\ssadadb.sys [2012-2-26 30312]
S4 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-2-4 135664]
S4 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-2-4 135664]
.
=============== Created Last 30 ================
.
2012-03-22 08:23:28 -------- d-sh--w- C:\Recycled
2012-03-22 07:51:08 4392 ----a-w- c:\windows\system32\drivers\NdisFilt.sys
2012-03-22 07:48:35 7296 ----a-w- c:\windows\system32\drivers\osaio.sys
2012-03-22 07:48:35 12106 ----a-w- c:\windows\system32\drivers\OsaFsLoc.sys
2012-03-22 07:48:25 28752 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{b0a700c1-073d-4f02-b5f6-5c6810276e22}\MpKsl1ee285c0.sys
2012-03-21 08:02:10 -------- d-sha-r- C:\cmdcons
2012-03-21 07:46:11 6881616 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{b0a700c1-073d-4f02-b5f6-5c6810276e22}\mpengine.dll
2012-03-21 07:44:42 -------- d-----w- c:\windows\system32\wbem\repository\FS
2012-03-21 07:44:42 -------- d-----w- c:\windows\system32\wbem\Repository
2012-03-21 07:44:32 -------- d-----w- c:\program files\Panda Security
2012-03-21 07:44:27 -------- d-sh--w- c:\windows\system32\AI_RecycleBin
2012-03-21 07:44:27 -------- d-----w- c:\program files\PC Cleaners
2012-03-21 07:44:10 -------- d-----w- c:\program files\iPod
2012-03-21 07:43:59 -------- d-----w- c:\program files\MediaConverter
2012-03-21 07:43:55 -------- d-----w- c:\program files\SoMud
2012-03-21 07:43:52 -------- d-----w- C:\Malwarebytes' Anti-Malware
2012-03-21 07:43:48 -------- d-----w- c:\program files\Tracks Eraser(2)
2012-03-21 05:47:55 -------- d-----w- c:\windows\LastGood(2)
2012-03-21 05:47:52 309320 ----a-w- c:\windows\system32\drivers\TrufosAlt.sys
2012-03-21 04:49:51 -------- d-----w- C:\Recycled(2)
2012-03-21 04:34:22 -------- d-----w- C:\FOUND.002
2012-03-21 04:09:58 -------- d-----w- C:\ComboFix(2)
2012-03-21 03:11:17 -------- d---a-w- C:\cmdcons(2)
2012-03-21 01:55:36 -------- d-----w- C:\FOUND.001
2012-03-20 07:36:02 -------- d-----w- c:\program files\Smith Micro
2012-03-17 18:50:51 -------- d-----w- c:\documents and settings\mick\local settings\application data\WinZipBar
2012-03-17 18:50:49 -------- d-----w- c:\program files\WinZipBar
2012-03-17 18:48:17 -------- d-----w- c:\documents and settings\mick\local settings\application data\WinZip
2012-03-17 10:16:28 0 ----a-w- c:\windows\system32\REN2B.tmp
2012-03-17 10:16:28 0 ----a-w- c:\windows\system32\REN2A.tmp
2012-03-17 10:16:28 0 ----a-w- c:\windows\system32\REN29.tmp
2012-03-17 10:15:03 0 ----a-w- c:\windows\system32\REN22.tmp
2012-03-17 10:15:03 0 ----a-w- c:\windows\system32\REN21.tmp
2012-03-17 10:15:03 0 ----a-w- c:\windows\system32\REN20.tmp
2012-03-17 10:14:39 0 ----a-w- c:\windows\system32\REN1A.tmp
2012-03-17 10:14:39 0 ----a-w- c:\windows\system32\REN19.tmp
2012-03-17 10:14:39 0 ----a-w- c:\windows\system32\REN18.tmp
2012-03-16 17:22:07 -------- d-----w- c:\documents and settings\mick\application data\Safer Networking
2012-03-16 14:26:56 -------- d-----w- C:\TDSSKiller_Quarantine
2012-03-16 14:09:05 -------- d-----w- c:\program files\XAce
2012-03-15 07:22:54 15224 ----a-w- c:\windows\system32\sdnclean.exe
2012-03-15 07:22:46 -------- d-----w- c:\program files\Spybot - Search & Destroy 2
2012-03-15 07:03:49 -------- d-----w- c:\program files\SysShield Tools
2012-03-15 07:03:17 -------- d-----w- c:\documents and settings\mick\application data\SUPERAntiSpyware.com
2012-03-15 07:03:16 -------- d-----w- c:\program files\SUPERAntiSpyware
2012-03-15 07:00:47 -------- d-----w- C:\FOUND.000
2012-03-15 06:56:19 -------- d-----w- c:\program files\EnglishOtto
2012-03-15 06:56:18 -------- d-----w- c:\documents and settings\all users\application data\SUPERAntiSpyware.com
2012-03-15 06:56:18 -------- d-----w- c:\documents and settings\all users\application data\eBay
2012-03-15 06:56:18 -------- d-----w- c:\documents and settings\all users\application data\DataCardService
2012-03-12 10:36:01 -------- d-----w- c:\program files\Safer Networking
2012-03-07 09:24:20 -------- d-----w- c:\program files\Trend Micro
2012-03-07 08:35:18 24064 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
2012-03-07 06:36:38 -------- d-----w- c:\documents and settings\mick\application data\PC Cleaners
2012-03-07 06:36:37 -------- d-----w- c:\documents and settings\mick\application data\PCPro
2012-03-07 06:36:31 -------- d-----w- c:\documents and settings\all users\application data\PC1Data
2012-03-04 07:35:18 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-03-03 10:09:50 -------- d-----w- c:\program files\Sophos
2012-02-27 14:42:19 726 ----a-w- c:\windows\system32\drivers\bybnrqse.dat
2012-02-27 08:01:06 -------- d-----w- C:\Netgear
2012-02-27 04:58:46 -------- d-----w- c:\documents and settings\mick\application data\QFX Software
2012-02-27 04:58:46 -------- d-----w- c:\documents and settings\all users\application data\QFX Software
2012-02-27 04:44:27 173880 ----a-w- c:\windows\system32\drivers\keyscrambler.sys
2012-02-27 04:44:26 -------- d-----w- c:\program files\KeyScrambler
2012-02-27 04:14:56 -------- d-----w- c:\documents and settings\all users\application data\SecTaskMan
2012-02-27 04:14:50 -------- d-----w- c:\program files\Security Task Manager
2012-02-27 04:14:28 2094432 ----a-w- C:\SecurityTaskManager_Setup.exe
2012-02-26 09:38:37 -------- d-----w- c:\program files\Free WMA to MP3 Converter
2012-02-26 03:01:11 114280 ----a-w- c:\windows\system32\drivers\ssadserd.sys
2012-02-26 03:01:10 30312 ----a-w- c:\windows\system32\drivers\ssadadb.sys
2012-02-26 03:01:10 136808 ----a-w- c:\windows\system32\drivers\ssadmdm.sys
2012-02-26 03:01:10 12776 ----a-w- c:\windows\system32\drivers\ssadmdfl.sys
2012-02-26 03:01:10 10472 ----a-w- c:\windows\system32\drivers\ssadcmnt.sys
2012-02-26 03:01:09 121064 ----a-w- c:\windows\system32\drivers\ssadbus.sys
2012-02-26 03:01:09 10344 ----a-w- c:\windows\system32\drivers\ssadwhnt.sys
2012-02-26 02:50:37 -------- d-----w- c:\program files\MyFree Codec
2012-02-26 01:55:31 821824 ----a-w- c:\windows\system32\dgderapi.dll
2012-02-26 01:55:31 319456 ----a-w- c:\windows\system32\DIFxAPI.dll
2012-02-26 01:55:31 20032 ----a-w- c:\windows\system32\drivers\dgderdrv.sys
2012-02-26 00:15:53 217088 ----a-w- c:\windows\system32\FsUsbExService.Exe
2012-02-26 00:15:53 110592 ----a-w- c:\windows\system32\FsUsbExDevice.Dll
2012-02-26 00:13:46 -------- d-----w- c:\program files\PC Connectivity Solution
2012-02-26 00:10:43 -------- d-----w- c:\program files\common files\Samsung
2012-02-24 21:14:08 -------- d-----w- c:\documents and settings\mick\application data\BeNaughtyChat
2012-02-24 21:14:03 -------- d-----w- c:\documents and settings\mick\application data\vcards
.
==================== Find3M ====================
.
2012-03-16 08:59:56 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-03-07 06:36:08 5330704 ----a-w- c:\windows\uninst.exe
2012-02-03 09:22:18 1860096 ----a-w- c:\windows\system32\win32k.sys
2012-01-31 12:44:06 237072 ------w- c:\windows\system32\MpSigStub.exe
2012-01-11 02:05:02 11139944 ----a-w- c:\windows\system32\libmfxsw32.dll
2012-01-09 16:20:26 139784 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2011-12-30 06:03:08 21336 ----a-w- c:\windows\system32\RegistryDefragBootTime.exe
2010-01-09 10:33:24 203776 --sh--w- c:\windows\system32\unrar.exe
.
============= FINISH: 19:39:46.10 ===============
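A helper reading a DDS log like the one above does a first pass by eye: which AV products report themselves as disabled or outdated, which registry entries point at a file that no longer exists ("No File"), which drivers load from a temp directory or a .tmp file, and which service entries DDS could not verify (the trailing "[?]"). The Python script below is an added example, not part of this thread and not DDS code; it automates that first pass over a constructed sample made of lines excerpted from the log above. The category names and heuristics are my own choices, and a hit means "look at this", not "this is malware".

```python
import re

# Constructed sample: lines excerpted from the DDS log posted in this thread.
SAMPLE_DDS_LOG = r"""
AV: PC Cleaner Pro *Disabled/Updated* {737A8864-C2D9-4337-B49A-B5E35815B9BB}
AV: Microsoft Security Essentials *Enabled/Outdated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
uURLSearchHooks: H - No File
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No File
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-3-25 165648]
S3 cpuz132;cpuz132;\??\c:\docume~1\mick\locals~1\temp\cpuz132\cpuz132_x32.sys --> c:\docume~1\mick\locals~1\temp\cpuz132\cpuz132_x32.sys [?]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\908.tmp --> c:\windows\system32\908.tmp [?]
S3 mbamchameleon;mbamchameleon;c:\windows\system32\drivers\mbamchameleon.sys [2012-3-7 24064]
"""

# DDS service/driver lines look like: "<R|S><n> <name>;<display name>;<path> [<date> <size>]"
# or, when DDS could not verify the file, "... --> <path> [?]".
SERVICE_RE = re.compile(r"^(?P<state>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.*)$")
TMP_FILE_RE = re.compile(r"\.tmp(\s|$)")


def triage_line(line):
    """Return the review categories (hypothetical names) a single DDS line falls into."""
    s = line.strip()
    tags = []
    if s.startswith("AV:"):
        if "*Disabled" in s:
            tags.append("av_disabled")       # a protection product that is not running
        if "/Outdated*" in s:
            tags.append("av_outdated")       # running, but with stale definitions
    if s.endswith("- No File"):
        tags.append("orphan_reference")      # registry entry whose target file is gone
    m = SERVICE_RE.match(s)
    if m:
        rest = m.group("rest").lower()
        if rest.endswith("[?]"):
            tags.append("driver_unverified")  # DDS could not stat/verify the binary
        if "\\temp\\" in rest or TMP_FILE_RE.search(rest):
            tags.append("driver_temp_path")   # kernel driver loaded from a temp location
    return tags


def triage_log(text):
    """Group every flagged line by category so a reviewer can work through them."""
    report = {}
    for line in text.splitlines():
        for tag in triage_line(line):
            report.setdefault(tag, []).append(line.strip())
    return report


if __name__ == "__main__":
    for category, lines in sorted(triage_log(SAMPLE_DDS_LOG).items()):
        print(f"== {category} ({len(lines)})")
        for entry in lines:
            print("   ", entry)
```

Run on a full DDS log the output is a review list, not a verdict: a driver under a user's temp directory is often the leftover of a legitimate utility, and a "No File" toolbar entry is usually just an uninstall that did not clean up, so each hit still has to be checked by hand (for instance by hashing the file, as is done later in this thread).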

mjd59
2012-03-22, 19:26
(attachment 9337)

(attachment 9338)

shelf life
2012-03-24, 00:40
Ok, thanks for the info. Do you possibly have another combofix.txt in your root drive? This log is from the 2nd time it ran and looks ok.
Did you install this yourself: PC Cleaner Pro?
Are you still getting redirected when browsing?

mjd59
2012-03-24, 22:22
Think this is the one you're after, sorry about that. I also cannot recall downloading PC Cleaner Pro but other people have had access to the computer. Also think the redirection is slowly coming back; I gave it another shot of TDSSKiller and about 200 unsigned files were found. I was at Hotmail and the browser seemed to duplicate itself as I had 2x keystroke icons in the task bar.

shelf life
2012-03-25, 23:20
"unsigned files were found"

Finding unsigned files doesn't mean they have been compromised. Can you post the TDSSKiller log? It should be in your C:\ drive.
You can look in the Add/Remove Programs panel for a PC Cleaner Pro uninstaller. Or if you toggle over the software from Start > Programs you may find one. Another place to look would be in its folder at C:\Program Files\PC Cleaner Pro


"seemed to duplicate itself as I had 2x keystroke icons in task bar"

I assume this is related to the KeyScrambler software you have installed? I have never used one so I don't really know what you're seeing.

We will get one more download to use:

Please download aswMBR.exe (http://public.avast.com/~gmerek/aswMBR.exe) to your desktop.

Double click the aswMBR.exe to run it

Click the "Scan" button to start scan

On completion of the scan click save log, save it to your desktop and post in your next reply

mjd59
2012-03-27, 09:50
Here are the logs you asked for:

Will have to zip the TDSSKiller log. Also did not click Fix MBR; please let me know if I should try a fix on this program.

mjd59
2012-03-27, 09:55
TDSSKiller log

shelf life
2012-03-28, 01:51
The good news is I don't recognize any malware in the logs you posted. So far we have pretty much run everything we can. I checked some of those unsigned files found by TDSSKiller and the MD5 checksum number matches legit system files. So now we are back to square one. Why don't you post another DDS log, since it's been a couple of days?
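The check described in the post above, comparing checksums of the unsigned files TDSSKiller listed against known-good system files, is easy to script. The Python below is an added example, not the thread's or Kaspersky's code: it hashes each file in chunks, computes MD5 (the value the post mentions) alongside SHA-256, and classifies every file against a reference set keyed by file name. The reference digests and the three files it writes to a temporary directory are constructed for the demo; in practice the reference set would come from a clean install of the same Windows build or a vendor catalogue.

```python
import hashlib
import os
import tempfile


def file_digests(path, chunk_size=1 << 20):
    """Return (md5_hex, sha256_hex) for a file, reading it in chunks so that a
    large driver or DLL is never loaded into memory at once."""
    md5 = hashlib.md5()
    sha256 = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            md5.update(block)
            sha256.update(block)
    return md5.hexdigest(), sha256.hexdigest()


def classify(paths, known_good):
    """Compare each file against a reference set.

    known_good maps a lowercase file name to the set of SHA-256 digests a clean
    copy of that file may have (several builds of one file can coexist).
    Verdicts: 'matches_reference', 'MISMATCH' (same name, different content,
    worth a closer look) or 'unknown' (no reference entry, review manually).
    """
    verdicts = {}
    for path in paths:
        _md5, sha = file_digests(path)
        name = os.path.basename(path).lower()
        if name not in known_good:
            verdicts[path] = "unknown"
        elif sha in known_good[name]:
            verdicts[path] = "matches_reference"
        else:
            verdicts[path] = "MISMATCH"
    return verdicts


def demo():
    """Build a constructed reference set and three sample files, then classify them.
    Returns {file name: verdict}."""
    # Constructed 'clean copy' contents standing in for real system files.
    reference = {
        "example_a.sys": b"constructed clean driver A",
        "example_b.sys": b"constructed clean driver B",
    }
    known_good = {n: {hashlib.sha256(d).hexdigest()} for n, d in reference.items()}

    samples = {
        "example_a.sys": reference["example_a.sys"],        # byte-identical to reference
        "example_b.sys": b"constructed MODIFIED driver B",  # same name, altered content
        "example.tmp": b"constructed file with no reference entry",
    }
    with tempfile.TemporaryDirectory() as workdir:
        paths = []
        for name, data in samples.items():
            path = os.path.join(workdir, name)
            with open(path, "wb") as fh:
                fh.write(data)
            paths.append(path)
        verdicts = classify(paths, known_good)
        return {os.path.basename(p): v for p, v in verdicts.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{verdict:18} {name}")
```

The classification is keyed by SHA-256 even though MD5 is computed as well: MD5 is fine for matching a file against a catalogue that only publishes MD5 values, but a catalogue you build yourself should record SHA-256, since MD5 collisions are practical. A "matches_reference" verdict only says the bytes are those of a known file; an "unknown" file (like a stray .tmp under system32) is the one that still needs a manual look.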

mjd59
2012-03-28, 08:01
Ok, will run it again. I am still having to run it through a flash drive as the laptop will not download it. Could it be my security settings have been changed and that is what is locking some of my files? Will post DDS. Thanks.

mjd59
2012-03-28, 12:49
.
DDS (Ver_2011-08-26.01) - FAT32x86
Internet Explorer: 8.0.6001.18702
Run by MICK at 20:24:47 on 2012-03-28
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.364 [GMT 11:00]
.
AV: PC Cleaner Pro *Disabled/Updated* {737A8864-C2D9-4337-B49A-B5E35815B9BB}
AV: Microsoft Security Essentials *Enabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost.exe -k DcomLaunch
svchost.exe
C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Spybot - Search & Destroy 2\SDTray.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Microsoft Security Client\msseces.exe
C:\PROGRA~1\LAUNCH~1\LManager.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\rundll32.exe
C:\Acer\Empowering Technology\eRecovery\Monitor.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\igfxext.exe
C:\Acer\Empowering Technology\admtray.exe
C:\My Downloads\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SASCORE.EXE
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
C:\DOCUME~1\MICK\LOCALS~1\Temp\RtkBtMnt.exe
C:\Acer\Empowering Technology\admServ.exe
svchost.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Spybot - Search & Destroy 2\SDFSSvc.exe
C:\WINDOWS\System32\snmp.exe
svchost.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\mqsvc.exe
C:\Program Files\Spybot - Search & Destroy 2\SDUpdSvc.exe
C:\Program Files\Common Files\NewTech Infosystems\scheduler\Schdlr32.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\WINDOWS\system32\dllhost.exe
.
============== Pseudo HJT Report ===============
.
uSearchMigratedDefaultUrl = hxxp://www.mywebsearch.com/jsp/cfg_redir2.jsp?id=ZKxdm021YYAU&fl=0&ptb=d2pABN5CKpHB4S6_WXKxbQ&url=http://edits.mywebsearch.com/toolbaredits/barsearch.jhtml&st=sb&searchfor={searchTerms}
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = hxxp://www.homecallbroadband.com/customer/
uURLSearchHooks: H - No File
BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: KeyScramblerBHO Class: {2b9f5787-88a5-4945-90e7-c4b18563bc5e} - c:\program files\keyscrambler\KeyScramblerIE.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy 2\SDHelper.dll
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: PopKiller Class: {9a23b8a4-c6c9-4a68-8fa6-5f905dc8ff80} - c:\program files\sysshield tools\internet eraser\pkext.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.7.7227.1100\swg.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Acer eDataSecurity Management: {5cbe3b7c-1e47-477e-a7dd-396db0476e29} - c:\windows\system32\eDStoolbar.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
TB: AbsoluteShield: {ee9dd090-902d-4623-9360-fb7d8666202b} - c:\program files\sysshield tools\internet eraser\AbsoluteBar.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No File
TB: {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No File
TB: {56CF4856-ECB4-4E46-A897-A378821F97B9} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [Spybot-S&D Cleaning] "c:\program files\spybot - search & destroy 2\SDCleaner.exe" /autoclean
mRun: [SkyTel] SkyTel.EXE
mRun: [SDTray] "c:\program files\spybot - search & destroy 2\SDTray.exe"
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [REGSHAVE] c:\program files\regshave\REGSHAVE.EXE /AUTORUN
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [ntiMUI] c:\program files\newtech infosystems\nti cd & dvd-maker 7\ntiMUI.exe
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [MsmqIntCert] regsvr32 /s mqrt.dll
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [LVCOMSX] c:\windows\system32\LVCOMSX.EXE
mRun: [LogitechVideoTray] c:\program files\logitech\video\LogiTray.exe
mRun: [LogitechVideoRepair] c:\program files\logitech\video\ISStart.exe
mRun: [LManager] c:\progra~1\launch~1\LManager.exe
mRun: [LaunchApp] Alaunch
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [bgsmsnd.exe] c:\windows\system32\bgsmsnd.exe
mRun: [AzMixerSel] c:\program files\realtek\installshield\AzMixerSel.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [ADMTray.exe] "c:\acer\empowering technology\admtray.exe"
mRun: [Malwarebytes' Anti-Malware] "c:\my downloads\malwarebytes' anti-malware\mbamgui.exe" /starttray
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
StartupFolder: c:\docume~1\mick\startm~1\programs\startup\wkcalrem.lnk - c:\program files\common files\microsoft shared\works shared\WkCalRem.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\autoru~1\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {5C106A59-CC3C-4caa-81A4-6D909B5ACE23} - {B745F984-EF2E-40D6-A9AC-D8CED7230E61} - c:\program files\keyscrambler\KeyScramblerIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\program files\spybot - search & destroy 2\SDHelper.dll
Trusted Zone: mcafee.com\www
Trusted Zone: swingingheaven.co.uk
Trusted Zone: swingingheaven.co.uk\www
Trusted Zone: swingingheaven.co.uk\www.photos
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\yinsthelper.dll
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab
DPF: {54D53429-945C-4188-B460-C81356541882} - hxxp://photosmart.hpphoto.com/Download/HPeServicesLocalPrint.CAB
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} - hxxp://www.superadblocker.com/activex/sabspx.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} - hxxp://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {E77F23EB-E7AB-4502-8F37-247DBAF1A147} - hxxp://gfx2.hotmail.com/mail/w4/pr01/photouploadcontrol/MSNPUpld.cab
DPF: {F7EDBBEA-1AD2-4EBF-AA07-D453CC29EE65} - hxxps://plugins.valueactive.eu/flashax/iefax.cab
Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
Notify: igfxcui - igfxdev.dll
Notify: SDWinLogon - SDWinLogon.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
LSA: Authentication Packages = msv1_0 nwprovau
.
============= SERVICES / DRIVERS ===============
.
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-3-25 165648]
R1 MpKsl35ed9052;MpKsl35ed9052;c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{3875909a-53ea-4bf0-97d3-c7ca3f8675a3}\MpKsl35ed9052.sys [2012-3-28 29904]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2011-7-23 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2011-7-13 67664]
R2 !SASCORE;SAS Core Service;c:\program files\superantispyware\SASCore.exe [2011-8-12 116608]
R2 AWService;AdminWorks Agent X6;c:\acer\empowering technology\admServ.exe [2005-10-24 1314816]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2012-1-17 652360]
R2 SDScannerService;Spybot-S&D 2 Scanner Service;c:\program files\spybot - search & destroy 2\SDFSSvc.exe [2012-3-15 1181104]
R2 SDUpdateService;Spybot-S&D 2 Updating Service;c:\program files\spybot - search & destroy 2\SDUpdSvc.exe [2012-3-15 1185704]
R3 KeyScrambler;KeyScrambler;c:\windows\system32\drivers\keyscrambler.sys [2012-2-27 173880]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-3-4 20464]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 FsUsbExService;FsUsbExService;c:\windows\system32\FsUsbExService.Exe [2012-2-26 217088]
S2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
S3 cpuz132;cpuz132;\??\c:\docume~1\mick\locals~1\temp\cpuz132\cpuz132_x32.sys --> c:\docume~1\mick\locals~1\temp\cpuz132\cpuz132_x32.sys [?]
S3 dgderdrv;dgderdrv;c:\windows\system32\drivers\dgderdrv.sys [2012-2-26 20032]
S3 ew_hwusbdev;Huawei MobileBroadband USB PNP Device;c:\windows\system32\drivers\ew_hwusbdev.sys --> c:\windows\system32\drivers\ew_hwusbdev.sys [?]
S3 ewusbnet;HUAWEI USB-NDIS miniport;c:\windows\system32\drivers\ewusbnet.sys --> c:\windows\system32\drivers\ewusbnet.sys [?]
S3 FsUsbExDisk;FsUsbExDisk;\??\c:\windows\system32\fsusbexdisk.sys --> c:\windows\system32\FsUsbExDisk.SYS [?]
S3 huawei_enumerator;huawei_enumerator;c:\windows\system32\drivers\ew_jubusenum.sys --> c:\windows\system32\drivers\ew_jubusenum.sys [?]
S3 lv321av;Logitech USB PC Camera (VC0321);c:\windows\system32\drivers\lv321av.sys --> c:\windows\system32\drivers\lv321av.sys [?]
S3 mbamchameleon;mbamchameleon;c:\windows\system32\drivers\mbamchameleon.sys [2012-3-23 24064]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\908.tmp --> c:\windows\system32\908.tmp [?]
S3 nosGetPlusHelper;getPlus(R) Helper 3004;c:\windows\system32\svchost.exe -k nosGetPlusHelper [2004-8-10 14336]
S3 ssadbus;SAMSUNG Android USB Composite Device driver (WDM);c:\windows\system32\drivers\ssadbus.sys [2012-2-26 121064]
S3 ssadmdfl;SAMSUNG Android USB Modem (Filter);c:\windows\system32\drivers\ssadmdfl.sys [2012-2-26 12776]
S3 ssadmdm;SAMSUNG Android USB Modem Drivers;c:\windows\system32\drivers\ssadmdm.sys [2012-2-26 136808]
S3 ssadserd;SAMSUNG Android USB Diagnostic Serial Port (WDM);c:\windows\system32\drivers\ssadserd.sys [2012-2-26 114280]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [2004-8-10 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S4 androidusb;SAMSUNG Android Composite ADB Interface Driver;c:\windows\system32\drivers\ssadadb.sys [2012-2-26 30312]
S4 gupdate;Google Update Service (gupdate);"c:\program files\google\update\googleupdate.exe" /svc --> c:\program files\google\update\GoogleUpdate.exe [?]
S4 gupdatem;Google Update Service (gupdatem);"c:\program files\google\update\googleupdate.exe" /medsvc --> c:\program files\google\update\GoogleUpdate.exe [?]
.
=============== Created Last 30 ================
.
2012-03-28 08:53:23 29904 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{3875909a-53ea-4bf0-97d3-c7ca3f8675a3}\MpKsl35ed9052.sys
2012-03-27 06:05:50 6582328 ----a-w- c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{3875909a-53ea-4bf0-97d3-c7ca3f8675a3}\mpengine.dll
2012-03-24 13:47:39 472808 ----a-w- c:\windows\system32\deployJava1.dll
2012-03-23 11:35:38 -------- d--h--w- c:\windows\ie8
2012-03-22 13:05:20 24064 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
2012-03-22 12:34:17 4392 ----a-w- c:\windows\system32\drivers\NdisFilt.sys
2012-03-22 12:31:44 7296 ----a-w- c:\windows\system32\drivers\osaio.sys
2012-03-22 12:31:44 12106 ----a-w- c:\windows\system32\drivers\OsaFsLoc.sys
2012-03-22 12:24:16 133208 ----a-w- c:\windows\system32\drivers\57370852.sys
2012-03-22 10:18:28 -------- d-----w- c:\documents and settings\mick\SecurityScans
2012-03-22 10:17:31 -------- d-----w- c:\program files\Microsoft Baseline Security Analyzer 2
2012-03-22 08:23:28 -------- d-sh--w- C:\Recycled
2012-03-21 08:02:10 -------- d-sha-r- C:\cmdcons
2012-03-21 07:44:42 -------- d-----w- c:\windows\system32\wbem\repository\FS
2012-03-21 07:44:42 -------- d-----w- c:\windows\system32\wbem\Repository
2012-03-21 07:44:32 -------- d-----w- c:\program files\Panda Security
2012-03-21 07:44:27 -------- d-sh--w- c:\windows\system32\AI_RecycleBin
2012-03-21 07:44:27 -------- d-----w- c:\program files\PC Cleaners
2012-03-21 07:44:10 -------- d-----w- c:\program files\iPod
2012-03-21 07:43:59 -------- d-----w- c:\program files\MediaConverter
2012-03-21 07:43:48 -------- d-----w- c:\program files\Tracks Eraser(2)
2012-03-21 05:47:55 -------- d-----w- c:\windows\LastGood(2)
2012-03-21 05:47:52 309320 ----a-w- c:\windows\system32\drivers\TrufosAlt.sys
2012-03-21 04:49:51 -------- d-----w- C:\Recycled(2)
2012-03-21 04:34:22 -------- d-----w- C:\FOUND.002
2012-03-21 04:09:58 -------- d-----w- C:\ComboFix(2)
2012-03-21 03:11:17 -------- d---a-w- C:\cmdcons(2)
2012-03-21 01:55:36 -------- d-----w- C:\FOUND.001
2012-03-20 07:36:02 -------- d-----w- c:\program files\Smith Micro
2012-03-17 18:50:51 -------- d-----w- c:\documents and settings\mick\local settings\application data\WinZipBar
2012-03-17 18:50:49 -------- d-----w- c:\program files\WinZipBar
2012-03-17 18:48:17 -------- d-----w- c:\documents and settings\mick\local settings\application data\WinZip
2012-03-17 10:16:28 0 ----a-w- c:\windows\system32\REN2B.tmp
2012-03-17 10:16:28 0 ----a-w- c:\windows\system32\REN2A.tmp
2012-03-17 10:16:28 0 ----a-w- c:\windows\system32\REN29.tmp
2012-03-17 10:15:03 0 ----a-w- c:\windows\system32\REN22.tmp
2012-03-17 10:15:03 0 ----a-w- c:\windows\system32\REN21.tmp
2012-03-17 10:15:03 0 ----a-w- c:\windows\system32\REN20.tmp
2012-03-17 10:14:39 0 ----a-w- c:\windows\system32\REN1A.tmp
2012-03-17 10:14:39 0 ----a-w- c:\windows\system32\REN19.tmp
2012-03-17 10:14:39 0 ----a-w- c:\windows\system32\REN18.tmp
2012-03-16 17:22:07 -------- d-----w- c:\documents and settings\mick\application data\Safer Networking
2012-03-16 14:26:56 -------- d-----w- C:\TDSSKiller_Quarantine
2012-03-16 14:09:05 -------- d-----w- c:\program files\XAce
2012-03-15 07:22:54 15224 ----a-w- c:\windows\system32\sdnclean.exe
2012-03-15 07:22:46 -------- d-----w- c:\program files\Spybot - Search & Destroy 2
2012-03-15 07:03:49 -------- d-----w- c:\program files\SysShield Tools
2012-03-15 07:03:17 -------- d-----w- c:\documents and settings\mick\application data\SUPERAntiSpyware.com
2012-03-15 07:03:16 -------- d-----w- c:\program files\SUPERAntiSpyware
2012-03-15 07:00:47 -------- d-----w- C:\FOUND.000
2012-03-15 06:56:19 -------- d-----w- c:\program files\EnglishOtto
2012-03-15 06:56:18 -------- d-----w- c:\documents and settings\all users\application data\SUPERAntiSpyware.com
2012-03-15 06:56:18 -------- d-----w- c:\documents and settings\all users\application data\eBay
2012-03-15 06:56:18 -------- d-----w- c:\documents and settings\all users\application data\DataCardService
2012-03-12 10:36:01 -------- d-----w- c:\program files\Safer Networking
2012-03-07 09:24:20 -------- d-----w- c:\program files\Trend Micro
2012-03-07 06:36:38 -------- d-----w- c:\documents and settings\mick\application data\PC Cleaners
2012-03-07 06:36:37 -------- d-----w- c:\documents and settings\mick\application data\PCPro
2012-03-07 06:36:31 -------- d-----w- c:\documents and settings\all users\application data\PC1Data
2012-03-04 07:35:18 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-03-03 10:09:50 -------- d-----w- c:\program files\Sophos
2012-02-27 14:42:19 726 ----a-w- c:\windows\system32\drivers\bybnrqse.dat
.
==================== Find3M ====================
.
2012-03-24 13:57:44 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-03-24 13:47:24 73728 ----a-w- c:\windows\system32\javacpl.cpl
2012-03-07 06:36:08 5330704 ----a-w- c:\windows\uninst.exe
2012-02-27 04:14:36 2094432 ----a-w- C:\SecurityTaskManager_Setup.exe
2012-02-03 09:22:18 1860096 ----a-w- c:\windows\system32\win32k.sys
2012-01-31 12:44:06 237072 ------w- c:\windows\system32\MpSigStub.exe
2012-01-11 02:05:02 11139944 ----a-w- c:\windows\system32\libmfxsw32.dll
2012-01-09 16:20:26 139784 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2011-12-30 06:03:08 21336 ----a-w- c:\windows\system32\RegistryDefragBootTime.exe
2010-01-09 10:33:24 203776 --sh--w- c:\windows\system32\unrar.exe
.
============= FINISH: 20:31:15.45 ===============
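
As an added example (not part of this thread or of the DDS tool): a small Python triage pass over the SERVICES / DRIVERS section of a DDS log in the format shown above. It parses each entry and raises flags, not verdicts, for the things a helper would check by hand: the image file missing on disk ("[?]"), an image under a Temp directory, or a driver image with a .tmp extension. The sample lines are copied from the log above; the regular expression and the flag names are my own assumptions about the format.

```python
"""Triage pass over the SERVICES / DRIVERS section of a DDS log (added example)."""
import re
from dataclasses import dataclass, field

# One DDS service/driver line: start type (R1, S3, ...), service name,
# display name, then the image path. DDS appends "[date size]" when it could
# stat the file, or "<raw path> --> <resolved path> [?]" when it could not.
# The pattern is an assumption about the format, derived from the log above.
LINE_RE = re.compile(r"^(?P<state>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.+)$")


@dataclass
class Entry:
    state: str
    name: str
    display: str
    image: str       # resolved image path, without the "\??\" prefix
    present: bool    # False when DDS printed "[?]" (file not found)
    flags: list = field(default_factory=list)


def parse_line(line):
    """Return an Entry for a DDS service/driver line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest").rstrip()
    present = not rest.endswith("[?]")
    # Prefer the resolved path to the right of "-->" when DDS printed one.
    image = rest.split("-->", 1)[1] if "-->" in rest else rest
    image = re.sub(r"\s*\[[^\]]*\]\s*$", "", image).strip()   # drop "[date size]" / "[?]"
    image = image.replace("\\??\\", "")                         # drop NT namespace prefix
    return Entry(m.group("state"), m.group("name"), m.group("display"), image, present)


def triage(entry):
    """Attach triage flags. These are prompts to look closer, not malware verdicts."""
    low = entry.image.lower()
    if not entry.present:
        entry.flags.append("file not found on disk")
    if "\\temp\\" in low:
        entry.flags.append("image under a Temp directory")
    if low.endswith(".tmp"):
        entry.flags.append("driver image with .tmp extension")
    return entry


def triage_log(text):
    """Parse every service/driver line in `text` and return the triaged entries."""
    return [triage(e) for e in map(parse_line, text.splitlines()) if e is not None]


# Sample lines copied from the DDS log posted above.
SAMPLE_LINES = [
    r"R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-3-25 165648]",
    r"R3 KeyScrambler;KeyScrambler;c:\windows\system32\drivers\keyscrambler.sys [2012-2-27 173880]",
    r"S3 cpuz132;cpuz132;\??\c:\docume~1\mick\locals~1\temp\cpuz132\cpuz132_x32.sys --> c:\docume~1\mick\locals~1\temp\cpuz132\cpuz132_x32.sys [?]",
    r"S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\908.tmp --> c:\windows\system32\908.tmp [?]",
    r'S4 gupdate;Google Update Service (gupdate);"c:\program files\google\update\googleupdate.exe" /svc --> c:\program files\google\update\GoogleUpdate.exe [?]',
]
SAMPLE = "\n".join(SAMPLE_LINES)

if __name__ == "__main__":
    for e in triage_log(SAMPLE):
        if e.flags:
            print(f"{e.state} {e.name}: {e.image}")
            for f in e.flags:
                print(f"    - {f}")
```

The gupdate entry shows why these are flags rather than verdicts: DDS reports "[?]" because the quoted path carries a /svc argument, not because the Google Update binary is missing.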

shelf life
2012-03-29, 04:58
"will not download it"

Can you download other files OK? What about TDSSKiller, ComboFix and aswMBR? They downloaded OK? Is your AV up to date? Could you update it manually? Can you update Malwarebytes and Spybot OK?

mjd59
2012-04-02, 14:16
I have noticed Spybot has been updating but it did not seem to be installing the updates. Also, lately I have not been able to download even Microsoft Security Essentials, as a pop-up comes up informing me: "This download has been blocked to protect Windows essential services." Something to do with DEP, I think. Anyhow, while I was on the Microsoft web site, don't know how, but I ended up with an Application Compatibility Toolkit which, after looking and reading a few chapters, I ran a fix on a few .exe files, mainly security, and it seems to have worked a little. Have since run an automated fix and, though it has not brought the computer back to A1 condition, I can now access the internet and update Spybot and MBAM, confident that the downloads are being installed. Could it have been possible that the two Alureon.C viruses that Security Essentials picked up and quarantined [at the point when TDSSKiller was quarantining them] are responsible for altering some files on the hard drive and making their own root menu?

I do still have some problems with being locked out of files but think in time, with this application and following the instructions, I will be able to fully, or as much as possible, overcome this with the knowledge that I am virus free. If you think or want any more reports from scans, please advise, as I am quite willing to follow your lead. If you're quite satisfied that you can do no more, I would like to thank you for your time and effort in resolving my problem with this situation and will be making a small donation in the near future. Thank you so much.
Mick

shelf life
2012-04-03, 02:54
hi,

Thanks for the info. Data Execution Prevention doesn't necessarily mean it's malware related. Check to see that you only have one real-time protection security software running and only one antivirus. MS Security Essentials is your AV and is the only AV that should be running. If you have the trial version or paid version of Malwarebytes then it does have a real-time component. Spybot has a real-time component also. Make sure only one is running. If you see icons from both near the clock then both are running. SUPERAntiSpyware might have a real-time feature also, not sure. If you see its icon then it's also active. If you toggle over the icons it should tell you what software it is. If multiple ones are running you can look in the software settings/options/preferences etc. for an option not to start with Windows.
After resetting any options in the software reboot your machine.

You might also temporarily disable your key scrambler software as well.

You can also try resetting IE back to its defaults, with IE closed:
Start>settings>control panel>internet options>advanced tab>click on the reset button.
See if any of the above helps.

If you did have a rootkit on your machine then anything is possible including creating/modifying files and accounts.