Browser Hijacker: Click GiftLoad - trouble removing it.

Please ignore what I have written in my previous post!

I found the first log - TDSSKiller automatically saved it.

Here it is:

---

2011/03/26 15:47:05.0511 1012 TDSS rootkit removing tool 2.4.21.0 Mar 10 2011 12:26:28
2011/03/26 15:47:08.0105 1012 ================================================================================
2011/03/26 15:47:08.0105 1012 SystemInfo:
2011/03/26 15:47:08.0105 1012
2011/03/26 15:47:08.0105 1012 OS Version: 5.1.2600 ServicePack: 2.0
2011/03/26 15:47:08.0105 1012 Product type: Workstation
2011/03/26 15:47:08.0168 1012 ComputerName: MARTHA
2011/03/26 15:47:09.0027 1012 UserName: Martha
2011/03/26 15:47:09.0027 1012 Windows directory: C:\WINDOWS
2011/03/26 15:47:09.0027 1012 System windows directory: C:\WINDOWS
2011/03/26 15:47:09.0027 1012 Processor architecture: Intel x86
2011/03/26 15:47:09.0027 1012 Number of processors: 1
2011/03/26 15:47:09.0027 1012 Page size: 0x1000
2011/03/26 15:47:09.0027 1012 Boot type: Normal boot
2011/03/26 15:47:09.0027 1012 ================================================================================
2011/03/26 15:47:32.0277 1012 Initialize success
2011/03/26 15:47:44.0402 2844 ================================================================================
2011/03/26 15:47:44.0402 2844 Scan started
2011/03/26 15:47:44.0402 2844 Mode: Manual;
2011/03/26 15:47:44.0402 2844 ================================================================================
2011/03/26 15:54:49.0933 2844 \HardDisk0 - detected Rootkit.Win32.TDSS.tdl4 (0)
2011/03/26 15:54:49.0996 2844 ================================================================================
2011/03/26 15:54:50.0074 2844 Scan finished
2011/03/26 15:54:50.0074 2844 ================================================================================
2011/03/26 15:55:00.0324 1692 Detected object count: 1
2011/03/26 16:04:44.0355 1692 \HardDisk0 (Rootkit.Win32.TDSS.tdl4) - will be cured after reboot
2011/03/26 16:04:44.0464 1692 \HardDisk0 - ok
2011/03/26 16:04:44.0496 1692 Rootkit.Win32.TDSS.tdl4(\HardDisk0) - User select action: Cure
2011/03/26 16:06:34.0230 4048 Deinitialize success
 
Good. Please try ComboFix now. Post back its report and also see if you're able to run DDS this time.
 
Hurrah! :) DDS log results.
Ok - I'm going to run ComboFix now.
Thanks so much for your time and effort in the past few days! It's kind of incredible what you guys do here. :)


---
.
DDS (Ver_11-03-05.01) - NTFSx86
Run by Martha at 10:33:37.75 on 27/03/2011
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.2.1252.44.1033.18.247.47 [GMT 1:00]
.
AV: McAfee VirusScan *Enabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *Disabled*
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\WINDOWS\Explorer.EXE
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\wscntfy.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\Documents and Settings\Martha\Desktop\dds.com
.
============== Pseudo HJT Report ===============
.
uSearch Bar = hxxp://www.google.com/ie
uStart Page = hxxp://www.urban75.net/vbulletin/
uSearch Page = hxxp://www.google.com
uInternet Settings,ProxyOverride = local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
uURLSearchHooks: uTorrentBar Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - c:\program files\utorrentbar\tbuTor.dll
mWinlogon: Userinit=c:\windows\system32\userinit.exe
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - c:\progra~1\mcafee\msk\mskapbho.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.5612.1312\swg.dll
BHO: uTorrentBar Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - c:\program files\utorrentbar\tbuTor.dll
TB: uTorrentBar Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - c:\program files\utorrentbar\tbuTor.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\martha\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
StartupFolder: c:\documents and settings\martha\start menu\programs\startup\procexp.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
uPolicies-explorer: RestrictRun = 0 (0x0)
mPolicies-explorer: RestrictRun = 0 (0x0)
IE: &Convert with ImageConverter Plus... - c:\program files\imageconverter plus\icpwebintegration.exe/200
IE: &ieSpell Options - c:\program files\iespell\iespell.dll/SPELLOPTION.HTM
IE: Check &Spelling - c:\program files\iespell\iespell.dll/SPELLCHECK.HTM
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: Lookup on Merriam Webster - file://c:\program files\iespell\Merriam Webster.HTM
IE: Lookup on Wikipedia - file://c:\program files\iespell\wikipedia.HTM
IE: {08E730A4-FB02-45BD-A900-01E4AD8016F6} - http://www.sky.com
IE: {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - res://c:\program files\iespell\iespell.dll/SPELLCHECK.HTM
IE: {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - res://c:\program files\iespell\iespell.dll/SPELLOPTION.HTM
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: {15B782AF-55D8-11D1-B477-006097098764} - hxxp://thirdforce.com/portals/0/webplayer7.0/awswax70.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - hxxp://go.divx.com/plugin/DivXBrowserPlugin.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1168439284265
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
LSA: Notification Packages = scecli ofracp.dll
Hosts: 127.0.0.1 www.spywareinfo.com
.
============= SERVICES / DRIVERS ===============
.
R0 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2010-1-5 385536]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2010-2-5 79816]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2010-2-5 35272]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;\??\c:\program files\lavasoft\ad-aware\kernexplorer.sys --> c:\program files\lavasoft\ad-aware\KernExplorer.sys [?]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2010-2-5 34248]
S3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2010-2-5 40552]
.
=============== Created Last 30 ================
.
2011-03-19 19:09:31 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-03-19 19:09:31 -------- d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2011-03-19 18:12:44 -------- d-----w- c:\docume~1\alluse~1\applic~1\MFAData
2011-03-18 12:17:20 98392 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2011-03-18 12:04:24 -------- d-----w- c:\docume~1\martha\locals~1\applic~1\Sunbelt Software
2011-03-10 10:40:36 1706800 ----a-w- c:\windows\system32\gdiplus.dll
2011-03-10 10:40:25 180224 ----a-w- c:\windows\system32\cnvshell.dll
2011-03-10 10:39:31 -------- d-----w- c:\program files\ImageConverter Plus
2011-03-09 12:53:19 -------- d-----w- c:\docume~1\martha\locals~1\applic~1\CutePDF Writer
2011-03-09 12:12:02 -------- d-----w- c:\program files\Acro Software
2011-03-09 10:29:12 -------- d-----w- c:\documents and settings\martha\Word flyer templates
2011-03-08 10:42:45 -------- d-----w- c:\docume~1\martha\applic~1\PriceGong
2011-03-07 12:11:23 -------- d-----w- c:\docume~1\martha\locals~1\applic~1\Conduit
2011-03-03 12:28:06 -------- d-----w- c:\docume~1\martha\applic~1\Serif
.
==================== Find3M ====================
.
2011-03-18 13:44:53 24576 ----a-w- c:\windows\system32\userinit.exe
.
============= FINISH: 10:42:15.85 ===============
 
Hi Blade,

I ran ComboFix, but I can't find the log. It isn't at C:\combofix.txt.
I ran a search and it didn't find it either.

The auto scan started; it got to stage 5 and I left the room.

When I returned half an hour later, the computer had re-booted and I had to log back on.
 
Hi,

Please see if you can find the log in the c:\combofix folder. If not, run ComboFix again.
 
I remembered that we renamed ComboFix as Something.com a few days ago.

I looked in C:\ and found the 'folder' called Something.com, but it wasn't really a folder.

When I click, it links me to the main computer directory.

I googled Qoobox, and it has something to do with ComboFix? Might the log be in here somewhere?

Only Quarantine and BackEnv folders have something inside.

This is what is inside the Quarantine folder.

'Catchme' is a text document with just the date and time of the scan.

This is what is in BackEnv.

I hope some of this makes sense to you!

Anyway, I will run ComboFix again.

Thanks.
 
ComboFix log.

It took an hour to complete! I have no idea why it didn't complete last time.

After the re-boot, a ComboFix screen came up to prepare the log. This didn't happen the first time.

Can I re-enable the AV? Or should I wait?

Thanks :)

---
ComboFix 11-03-26.02 - Martha 27/03/2011 18:54:44.2.1 - x86
Running from: c:\documents and settings\Martha\Desktop\Something.com.exe
AV: McAfee VirusScan *Disabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *Disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Anthea Parker\Local Settings\Application Data\{B8CA2B3C-AD44-4FE1-8F6A-DE7155E09B50}
c:\documents and settings\Anthea Parker\Local Settings\Application Data\{B8CA2B3C-AD44-4FE1-8F6A-DE7155E09B50}\chrome.manifest
c:\documents and settings\Anthea Parker\Local Settings\Application Data\{B8CA2B3C-AD44-4FE1-8F6A-DE7155E09B50}\chrome\content\overlay.xul
c:\documents and settings\Anthea Parker\Local Settings\Application Data\{B8CA2B3C-AD44-4FE1-8F6A-DE7155E09B50}\install.rdf
c:\documents and settings\Martha\Application Data\PriceGong
c:\documents and settings\Martha\Application Data\PriceGong\Data\1.xml
c:\documents and settings\Martha\Application Data\PriceGong\Data\a.xml
c:\documents and settings\Martha\Application Data\PriceGong\Data\b.xml
c:\documents and settings\Martha\Application Data\PriceGong\Data\c.xml
c:\documents and settings\Martha\Application Data\PriceGong\Data\d.xml
c:\documents and settings\Martha\Application Data\PriceGong\Data\e.xml
c:\documents and settings\Martha\Application Data\PriceGong\Data\f.xml
c:\documents and settings\Martha\Application Data\PriceGong\Data\g.xml
c:\documents and settings\Martha\Application Data\PriceGong\Data\h.xml
c:\documents and settings\Martha\Application Data\PriceGong\Data\i.xml
c:\documents and settings\Martha\Application Data\PriceGong\Data\J.xml
c:\documents and settings\Martha\Application Data\PriceGong\Data\k.xml
c:\documents and settings\Martha\Application Data\PriceGong\Data\l.xml
c:\documents and settings\Martha\Application Data\PriceGong\Data\m.xml
c:\documents and settings\Martha\Application Data\PriceGong\Data\mru.xml
c:\documents and settings\Martha\Application Data\PriceGong\Data\n.xml
c:\documents and settings\Martha\Application Data\PriceGong\Data\o.xml
c:\documents and settings\Martha\Application Data\PriceGong\Data\p.xml
c:\documents and settings\Martha\Application Data\PriceGong\Data\q.xml
c:\documents and settings\Martha\Application Data\PriceGong\Data\r.xml
c:\documents and settings\Martha\Application Data\PriceGong\Data\s.xml
c:\documents and settings\Martha\Application Data\PriceGong\Data\t.xml
c:\documents and settings\Martha\Application Data\PriceGong\Data\u.xml
c:\documents and settings\Martha\Application Data\PriceGong\Data\v.xml
c:\documents and settings\Martha\Application Data\PriceGong\Data\w.xml
c:\documents and settings\Martha\Application Data\PriceGong\Data\x.xml
c:\documents and settings\Martha\Application Data\PriceGong\Data\y.xml
c:\documents and settings\Martha\Application Data\PriceGong\Data\z.xml
c:\windows\system\SET62.tmp
.
.
((((((((((((((((((((((((( Files Created from 2011-02-27 to 2011-03-27 )))))))))))))))))))))))))))))))
.
.
2011-03-20 08:15 . 2011-03-20 08:16 -------- d-----w- c:\program files\ERUNT
2011-03-19 19:09 . 2011-03-20 17:21 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-03-19 19:09 . 2011-03-20 00:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2011-03-19 18:12 . 2011-03-19 18:12 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData
2011-03-18 12:17 . 2011-03-18 12:17 98392 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2011-03-18 12:04 . 2011-03-18 12:04 -------- d-----w- c:\documents and settings\Martha\Local Settings\Application Data\Sunbelt Software
2011-03-18 11:55 . 2011-03-19 11:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2011-03-16 15:56 . 2011-03-16 15:58 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2011-03-13 14:47 . 2011-03-14 11:07 -------- d-----w- c:\documents and settings\Martha\Application Data\FileZilla
2011-03-13 13:01 . 2011-03-13 13:05 -------- d-----w- c:\program files\FileZilla FTP Client
2011-03-10 10:40 . 2004-04-19 17:53 1706800 ----a-w- c:\windows\system32\gdiplus.dll
2011-03-10 10:40 . 2009-02-06 19:33 180224 ----a-w- c:\windows\system32\cnvshell.dll
2011-03-10 10:39 . 2011-03-10 11:20 -------- d-----w- c:\program files\ImageConverter Plus
2011-03-09 12:53 . 2011-03-09 12:53 -------- d-----w- c:\documents and settings\Martha\Local Settings\Application Data\CutePDF Writer
2011-03-09 12:12 . 2011-03-13 00:10 -------- d-----w- c:\program files\Acro Software
2011-03-09 10:29 . 2011-03-09 10:29 -------- d-----w- c:\documents and settings\Martha\Word flyer templates
2011-03-07 12:11 . 2011-03-07 12:11 -------- d-----w- c:\documents and settings\Martha\Local Settings\Application Data\Conduit
2011-03-03 12:28 . 2011-03-03 12:28 -------- d-----w- c:\documents and settings\Martha\Application Data\Serif
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-03-27 09:51 . 2011-03-27 09:51 5154 ----a-w- C:\DDSLogAttach.zip
2011-03-18 13:44 . 2005-04-25 23:06 24576 ----a-w- c:\windows\system32\userinit.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}"= "c:\program files\uTorrentBar\tbuTor.dll" [2010-12-09 3911776]
.
[HKEY_CLASSES_ROOT\clsid\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}]
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}]
2010-12-09 12:51 3911776 ----a-w- c:\program files\uTorrentBar\tbuTor.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}"= "c:\program files\uTorrentBar\tbuTor.dll" [2010-12-09 3911776]
.
[HKEY_CLASSES_ROOT\clsid\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{BF7380FA-E3B4-4DB2-AF3E-9D8783A45BFC}"= "c:\program files\uTorrentBar\tbuTor.dll" [2010-12-09 3911776]
.
[HKEY_CLASSES_ROOT\clsid\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-13 68856]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-20 932288]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]
.
c:\documents and settings\Martha\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
procexp.exe [2010-8-3 3887480]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2011-01-31 08:44 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\LEXPPS.EXE"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
.
S3 Lavasoft Kernexplorer;Lavasoft helper driver;\??\c:\program files\Lavasoft\Ad-Aware\KernExplorer.sys --> c:\program files\Lavasoft\Ad-Aware\KernExplorer.sys [?]
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - PROCEXP141
.
Contents of the 'Scheduled Tasks' folder
.
2011-03-27 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-09-20 15:07]
.
2011-03-27 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-04-20 23:00]
.
2011-03-27 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-04-20 23:00]
.
2011-02-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2010-02-05 12:22]
.
2011-03-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2010-02-05 12:22]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.urban75.net/vbulletin/
uInternet Settings,ProxyOverride = local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &Convert with ImageConverter Plus... - c:\program files\ImageConverter Plus\icpwebintegration.exe/200
IE: &ieSpell Options - c:\program files\ieSpell\iespell.dll/SPELLOPTION.HTM
IE: Check &Spelling - c:\program files\ieSpell\iespell.dll/SPELLCHECK.HTM
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
IE: Lookup on Merriam Webster - file://c:\program files\ieSpell\Merriam Webster.HTM
IE: Lookup on Wikipedia - file://c:\program files\ieSpell\wikipedia.HTM
.
- - - - ORPHANS REMOVED - - - -
.
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
HKLM-Run-Cmaudio - cmicnfg.cpl
MSConfigStartUp-Triqadewiyohupof - c:\windows\ucuperam.dll
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-03-27 19:49
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10n_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10n_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(3652)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\progra~1\McAfee\MSC\mcmscsvc.exe
c:\progra~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\progra~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\progra~1\McAfee\VIRUSS~1\mcshield.exe
c:\program files\McAfee\MPF\MPFSrv.exe
c:\program files\McAfee\MSK\MskSrver.exe
c:\windows\system32\wdfmgr.exe
c:\progra~1\mcafee.com\agent\mcagent.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2011-03-27 19:59:38 - machine was rebooted
ComboFix-quarantined-files.txt 2011-03-27 18:59
.
Pre-Run: 6,508,109,824 bytes free
Post-Run: 7,882,293,248 bytes free
.
- - End Of File - - 016C519642542EAAE3EC4289BE3AC585
 
Hi again,

Disable Spybot's TeaTimer to make sure it won't interfere with fixes. You can re-enable it when you're clean again:
  • Run Spybot-S&D in Advanced Mode
  • If it is not already set to do this, go to the Mode menu and select Advanced Mode
  • On the left hand side, click on Tools
  • Then click on the Resident icon in the list
  • Uncheck Resident TeaTimer and OK any prompts.
  • Restart your computer


Open notepad and copy/paste the text in the quotebox below into it:

Code:
Folder::
c:\program files\utorrentbar
DDS::
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: uTorrentBar Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - c:\program files\utorrentbar\tbuTor.dll
TB: uTorrentBar Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - c:\program files\utorrentbar\tbuTor.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File


Save this as CFScript

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.

CFScriptB-4.gif


Close all browser windows and, referring to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log.


Uninstall old Adobe Reader versions and get the latest one (Adobe Reader X + 10.0.1 update for it) here or get Foxit Reader here. Make sure you don't install the toolbar if you choose Foxit Reader! You may also check the free readers introduced here.


Update MBAM and run a full scan with it. Post back its report, a fresh dds.txt log and the above-mentioned ComboFix resultant log. How's the system running?
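A cross-check a helper could run on the next log, added here as an example (it is not ComboFix's, the helper's or the thread's own code): it reads the CLSIDs the CFScript's DDS:: lines target and reports which Reg Loading Points entries in a ComboFix log still reference them. The REGEDIT4-style log layout it assumes, and both sample inputs, are constructed from the excerpts posted in this thread.

```python
"""Cross-check the CLSIDs a CFScript targets against a ComboFix log's
"Reg Loading Points" section, so a later log can confirm the entries are gone.
Added example; the log layout it assumes is the REGEDIT4-style excerpt below."""
import re
from typing import Dict, List, Set, Tuple

# Matches a registry GUID such as {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}.
GUID_RE = re.compile(r"\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}", re.IGNORECASE)

# Constructed sample CFScript in the format used in the thread.
SAMPLE_CFSCRIPT = r"""
Folder::
c:\program files\utorrentbar
DDS::
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: uTorrentBar Toolbar: {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - c:\program files\utorrentbar\tbuTor.dll
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
"""

# Constructed excerpt of a ComboFix "Reg Loading Points" section; "." lines are
# ComboFix's blank-line markers and a trailing backslash marks a startup folder.
SAMPLE_LOG = r"""
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}"= "c:\program files\uTorrentBar\tbuTor.dll" [2010-12-09 3911776]
.
[HKEY_CLASSES_ROOT\clsid\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}]
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}]
2010-12-09 12:51 3911776 ----a-w- c:\program files\uTorrentBar\tbuTor.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-13 68856]
.
c:\documents and settings\Martha\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
"""


def parse_cfscript(text: str) -> Dict[str, List[str]]:
    """Split a CFScript into its 'Name::' directives and the lines under each."""
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("::"):
            current = line[:-2]
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def guids_in(lines: List[str]) -> Set[str]:
    """Lower-cased set of every GUID appearing in the given lines."""
    return {g.lower() for line in lines for g in GUID_RE.findall(line)}


def parse_loading_points(log_text: str) -> Dict[str, List[str]]:
    """Group the section's entries under their [registry key] or startup folder."""
    keys: Dict[str, List[str]] = {}
    current = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line or line in (".", "REGEDIT4"):
            continue
        is_reg_key = line.startswith("[") and line.endswith("]")
        if is_reg_key or line.endswith("\\"):
            current = line[1:-1] if is_reg_key else line
            keys.setdefault(current, [])
        elif current is not None:
            keys[current].append(line)
    return keys


def clsid_hits(keys: Dict[str, List[str]], targets: Set[str]) -> List[Tuple[str, List[str]]]:
    """Keys whose name or entries mention a targeted CLSID, with the CLSIDs matched."""
    hits = []
    for key, entries in keys.items():
        matched = guids_in([key, *entries]) & targets
        if matched:
            hits.append((key, sorted(matched)))
    return hits


def check_cfscript_against_log(cfscript_text: str, log_text: str) -> List[Tuple[str, List[str]]]:
    """Loading points that still reference CLSIDs the CFScript's DDS:: lines target."""
    targets = guids_in(parse_cfscript(cfscript_text).get("DDS", []))
    return clsid_hits(parse_loading_points(log_text), targets)


if __name__ == "__main__":
    # Against the constructed sample this reports the three uTorrentBar loading points.
    for key, matched in check_cfscript_against_log(SAMPLE_CFSCRIPT, SAMPLE_LOG):
        print(f"still present: {key}  ->  {', '.join(matched)}")
```

Feeding the next ComboFix log's Reg Loading Points section in place of SAMPLE_LOG shows at a glance whether the targeted BHO and toolbar entries survived the fix.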
 
Hey Blade :) Hope you've had a good day!


Quick update.


1. Ran the Spybot scan in advanced mode. It took hours and hours.

2. Re-booted

3. Saved the CFScript

4. Uninstalled Adobe Readers, installed version 10 plus the new security patch

5. Just about to run the new Combofix. Will post the log when it's done.
 
Latest Combofix log
---

ComboFix 11-03-28.01 - Martha 28/03/2011 21:21:09.3.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.44.1033.18.247.133 [GMT 1:00]
Running from: c:\documents and settings\Martha\Desktop\Something.com.exe
AV: McAfee VirusScan *Disabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *Disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Martha\Application Data\PriceGong
c:\documents and settings\Martha\Application Data\PriceGong\Data\1.xml
c:\documents and settings\Martha\Application Data\PriceGong\Data\a.xml
c:\documents and settings\Martha\Application Data\PriceGong\Data\b.xml
c:\documents and settings\Martha\Application Data\PriceGong\Data\c.xml
c:\documents and settings\Martha\Application Data\PriceGong\Data\d.xml
c:\documents and settings\Martha\Application Data\PriceGong\Data\e.xml
c:\documents and settings\Martha\Application Data\PriceGong\Data\f.xml
c:\documents and settings\Martha\Application Data\PriceGong\Data\g.xml
c:\documents and settings\Martha\Application Data\PriceGong\Data\h.xml
c:\documents and settings\Martha\Application Data\PriceGong\Data\i.xml
c:\documents and settings\Martha\Application Data\PriceGong\Data\J.xml
c:\documents and settings\Martha\Application Data\PriceGong\Data\k.xml
c:\documents and settings\Martha\Application Data\PriceGong\Data\l.xml
c:\documents and settings\Martha\Application Data\PriceGong\Data\m.xml
c:\documents and settings\Martha\Application Data\PriceGong\Data\mru.xml
c:\documents and settings\Martha\Application Data\PriceGong\Data\n.xml
c:\documents and settings\Martha\Application Data\PriceGong\Data\o.xml
c:\documents and settings\Martha\Application Data\PriceGong\Data\p.xml
c:\documents and settings\Martha\Application Data\PriceGong\Data\q.xml
c:\documents and settings\Martha\Application Data\PriceGong\Data\r.xml
c:\documents and settings\Martha\Application Data\PriceGong\Data\s.xml
c:\documents and settings\Martha\Application Data\PriceGong\Data\t.xml
c:\documents and settings\Martha\Application Data\PriceGong\Data\u.xml
c:\documents and settings\Martha\Application Data\PriceGong\Data\v.xml
c:\documents and settings\Martha\Application Data\PriceGong\Data\w.xml
c:\documents and settings\Martha\Application Data\PriceGong\Data\x.xml
c:\documents and settings\Martha\Application Data\PriceGong\Data\y.xml
c:\documents and settings\Martha\Application Data\PriceGong\Data\z.xml
.
.
((((((((((((((((((((((((( Files Created from 2011-02-28 to 2011-03-28 )))))))))))))))))))))))))))))))
.
.
2011-03-27 21:44 . 2011-03-27 21:44 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2011-03-20 08:15 . 2011-03-20 08:16 -------- d-----w- c:\program files\ERUNT
2011-03-19 19:09 . 2011-03-20 17:21 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-03-19 19:09 . 2011-03-20 00:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2011-03-19 18:12 . 2011-03-19 18:12 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData
2011-03-18 12:17 . 2011-03-18 12:17 98392 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2011-03-18 12:04 . 2011-03-18 12:04 -------- d-----w- c:\documents and settings\Martha\Local Settings\Application Data\Sunbelt Software
2011-03-18 11:55 . 2011-03-19 11:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2011-03-16 15:56 . 2011-03-16 15:58 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2011-03-13 14:47 . 2011-03-14 11:07 -------- d-----w- c:\documents and settings\Martha\Application Data\FileZilla
2011-03-13 13:01 . 2011-03-13 13:05 -------- d-----w- c:\program files\FileZilla FTP Client
2011-03-10 10:40 . 2004-04-19 17:53 1706800 ----a-w- c:\windows\system32\gdiplus.dll
2011-03-10 10:40 . 2009-02-06 19:33 180224 ----a-w- c:\windows\system32\cnvshell.dll
2011-03-10 10:39 . 2011-03-10 11:20 -------- d-----w- c:\program files\ImageConverter Plus
2011-03-09 12:53 . 2011-03-09 12:53 -------- d-----w- c:\documents and settings\Martha\Local Settings\Application Data\CutePDF Writer
2011-03-09 12:12 . 2011-03-13 00:10 -------- d-----w- c:\program files\Acro Software
2011-03-09 10:29 . 2011-03-09 10:29 -------- d-----w- c:\documents and settings\Martha\Word flyer templates
2011-03-07 12:11 . 2011-03-07 12:11 -------- d-----w- c:\documents and settings\Martha\Local Settings\Application Data\Conduit
2011-03-03 12:28 . 2011-03-03 12:28 -------- d-----w- c:\documents and settings\Martha\Application Data\Serif
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-03-27 09:51 . 2011-03-27 09:51 5154 ----a-w- C:\DDSLogAttach.zip
2011-03-18 13:44 . 2005-04-25 23:06 24576 ----a-w- c:\windows\system32\userinit.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}"= "c:\program files\uTorrentBar\tbuTor.dll" [2010-12-09 3911776]
.
[HKEY_CLASSES_ROOT\clsid\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}]
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}]
2010-12-09 12:51 3911776 ----a-w- c:\program files\uTorrentBar\tbuTor.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}"= "c:\program files\uTorrentBar\tbuTor.dll" [2010-12-09 3911776]
.
[HKEY_CLASSES_ROOT\clsid\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{BF7380FA-E3B4-4DB2-AF3E-9D8783A45BFC}"= "c:\program files\uTorrentBar\tbuTor.dll" [2010-12-09 3911776]
.
[HKEY_CLASSES_ROOT\clsid\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-13 68856]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2011-01-30 35736]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-11-15 932288]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]
.
c:\documents and settings\Martha\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
procexp.exe [2010-8-3 3887480]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\LEXPPS.EXE"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
.
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [21/04/2010 00:01 136176]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;\??\c:\program files\Lavasoft\Ad-Aware\KernExplorer.sys --> c:\program files\Lavasoft\Ad-Aware\KernExplorer.sys [?]
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - PROCEXP141
.
Contents of the 'Scheduled Tasks' folder
.
2011-03-28 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-09-20 15:07]
.
2011-03-28 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-04-20 23:00]
.
2011-03-28 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-04-20 23:00]
.
2011-02-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2010-02-05 12:22]
.
2011-03-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2010-02-05 12:22]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.urban75.net/vbulletin/
uInternet Settings,ProxyOverride = local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &Convert with ImageConverter Plus... - c:\program files\ImageConverter Plus\icpwebintegration.exe/200
IE: &ieSpell Options - c:\program files\ieSpell\iespell.dll/SPELLOPTION.HTM
IE: Check &Spelling - c:\program files\ieSpell\iespell.dll/SPELLCHECK.HTM
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
IE: Lookup on Merriam Webster - file://c:\program files\ieSpell\Merriam Webster.HTM
IE: Lookup on Wikipedia - file://c:\program files\ieSpell\wikipedia.HTM
.
- - - - ORPHANS REMOVED - - - -
.
MSConfigStartUp-Adobe Reader Speed Launcher - c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-03-28 21:32
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10n_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10n_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
Completion time: 2011-03-28 21:38:02
ComboFix-quarantined-files.txt 2011-03-28 20:37
ComboFix2.txt 2011-03-27 18:59
.
Pre-Run: 6,623,940,608 bytes free
Post-Run: 6,891,884,544 bytes free
.
- - End Of File - - DCA074EBD0BBE520AA75A94CBF27344C
 
MBAM and DDS logs are next.

Just to say the system has been SO much quicker today. :)

The only thing that slowed things down today was McAfee and its daily update, which took forever and made it impossible to work on anything else. But that is probably because of the very low RAM on this computer?
 
Hi,

Please post fresh dds logs. Also, post spybot results if you have those handy.
 
MBAM log from last night.
---

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6199

Windows 5.1.2600 Service Pack 2
Internet Explorer 8.0.6001.18702

28/03/2011 23:06:53
mbam-log-2011-03-28 (23-06-52).txt

Scan type: Full scan (C:\|E:\|)
Objects scanned: 226482
Time elapsed: 1 hour(s), 22 minute(s), 7 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
 
OK, downloaded a fresh dds tool.

The black window appears on screen for a fraction of a second and then closes.

Nothing happened.
 
Hi,

Run ComboFix again and let it update itself if prompted. Post back the report and see if you're able to run DDS.
 
Latest Spybot log.
---


ComboFix 11-03-28.05 - Martha 29/03/2011 18:11:48.4.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.44.1033.18.247.119 [GMT 1:00]
Running from: c:\documents and settings\Martha\Desktop\Something.com.exe
AV: McAfee VirusScan *Disabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *Disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.
.
((((((((((((((((((((((((( Files Created from 2011-02-28 to 2011-03-29 )))))))))))))))))))))))))))))))
.
.
2011-03-27 21:44 . 2011-03-27 21:44 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2011-03-20 08:15 . 2011-03-20 08:16 -------- d-----w- c:\program files\ERUNT
2011-03-19 19:09 . 2011-03-20 17:21 -------- d-----w- c:\program files\Spybot - Search & Destroy
2011-03-19 19:09 . 2011-03-20 00:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2011-03-19 18:12 . 2011-03-19 18:12 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData
2011-03-18 12:17 . 2011-03-18 12:17 98392 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2011-03-18 12:04 . 2011-03-18 12:04 -------- d-----w- c:\documents and settings\Martha\Local Settings\Application Data\Sunbelt Software
2011-03-18 11:55 . 2011-03-19 11:29 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2011-03-16 15:56 . 2011-03-16 15:58 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
2011-03-13 14:47 . 2011-03-14 11:07 -------- d-----w- c:\documents and settings\Martha\Application Data\FileZilla
2011-03-13 13:01 . 2011-03-13 13:05 -------- d-----w- c:\program files\FileZilla FTP Client
2011-03-10 10:40 . 2004-04-19 17:53 1706800 ----a-w- c:\windows\system32\gdiplus.dll
2011-03-10 10:40 . 2009-02-06 19:33 180224 ----a-w- c:\windows\system32\cnvshell.dll
2011-03-10 10:39 . 2011-03-10 11:20 -------- d-----w- c:\program files\ImageConverter Plus
2011-03-09 12:53 . 2011-03-09 12:53 -------- d-----w- c:\documents and settings\Martha\Local Settings\Application Data\CutePDF Writer
2011-03-09 12:12 . 2011-03-13 00:10 -------- d-----w- c:\program files\Acro Software
2011-03-09 10:29 . 2011-03-09 10:29 -------- d-----w- c:\documents and settings\Martha\Word flyer templates
2011-03-07 12:11 . 2011-03-07 12:11 -------- d-----w- c:\documents and settings\Martha\Local Settings\Application Data\Conduit
2011-03-03 12:28 . 2011-03-03 12:28 -------- d-----w- c:\documents and settings\Martha\Application Data\Serif
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-03-27 09:51 . 2011-03-27 09:51 5154 ----a-w- C:\DDSLogAttach.zip
2011-03-18 13:44 . 2005-04-25 23:06 24576 ----a-w- c:\windows\system32\userinit.exe
.
.
((((((((((((((((((((((((((((( SnapShot@2011-03-28_20.32.22 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-04-25 23:31 . 2011-03-29 14:37 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2005-04-25 23:31 . 2011-03-28 18:45 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2005-04-25 23:31 . 2011-03-29 14:37 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2005-04-25 23:31 . 2011-03-28 18:45 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2011-03-27 19:51 . 2011-03-28 18:45 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2011-03-27 19:51 . 2011-03-29 14:37 32768 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2010-03-05 11:42 . 2011-03-29 14:37 245760 c:\windows\system32\config\systemprofile\IETldCache\index.dat
- 2010-03-05 11:42 . 2011-03-28 18:45 245760 c:\windows\system32\config\systemprofile\IETldCache\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}"= "c:\program files\uTorrentBar\tbuTor.dll" [2010-12-09 3911776]
.
[HKEY_CLASSES_ROOT\clsid\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}]
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}]
2010-12-09 12:51 3911776 ----a-w- c:\program files\uTorrentBar\tbuTor.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}"= "c:\program files\uTorrentBar\tbuTor.dll" [2010-12-09 3911776]
.
[HKEY_CLASSES_ROOT\clsid\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{BF7380FA-E3B4-4DB2-AF3E-9D8783A45BFC}"= "c:\program files\uTorrentBar\tbuTor.dll" [2010-12-09 3911776]
.
[HKEY_CLASSES_ROOT\clsid\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-13 68856]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-10-29 1218008]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2011-01-30 35736]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-11-15 932288]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]
.
c:\documents and settings\Martha\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
procexp.exe [2010-8-3 3887480]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\LEXPPS.EXE"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
.
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [21/04/2010 00:01 136176]
S3 Lavasoft Kernexplorer;Lavasoft helper driver;\??\c:\program files\Lavasoft\Ad-Aware\KernExplorer.sys --> c:\program files\Lavasoft\Ad-Aware\KernExplorer.sys [?]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - MBACKMONITOR
*Deregistered* - PROCEXP141
.
Contents of the 'Scheduled Tasks' folder
.
2011-03-29 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-09-20 15:07]
.
2011-03-29 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-04-20 23:00]
.
2011-03-29 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-04-20 23:00]
.
2011-02-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2010-02-05 12:22]
.
2011-03-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2010-02-05 12:22]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.urban75.net/vbulletin/
uInternet Settings,ProxyOverride = local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: &Convert with ImageConverter Plus... - c:\program files\ImageConverter Plus\icpwebintegration.exe/200
IE: &ieSpell Options - c:\program files\ieSpell\iespell.dll/SPELLOPTION.HTM
IE: Check &Spelling - c:\program files\ieSpell\iespell.dll/SPELLCHECK.HTM
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
IE: Lookup on Merriam Webster - file://c:\program files\ieSpell\Merriam Webster.HTM
IE: Lookup on Wikipedia - file://c:\program files\ieSpell\wikipedia.HTM
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-03-29 18:23
Windows 5.1.2600 Service Pack 2 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10n_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10n_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
Completion time: 2011-03-29 18:29:02
ComboFix-quarantined-files.txt 2011-03-29 17:28
ComboFix2.txt 2011-03-28 20:38
ComboFix3.txt 2011-03-27 18:59
.
Pre-Run: 7,158,325,248 bytes free
Post-Run: 7,138,684,928 bytes free
.
- - End Of File - - 355B8D17F03209D7D69F1411D67BBEE7
 