search redirect and new window popup ads.

Great, what I am going to do is link you to our sister site's Windows forum and they can help you with the recovery, then post back here when you're up and running and we will make sure you're clean.

Let them know that this happened after a Windows update; you can link them to this thread if you wish so they can see what we have done.
http://forums.whatthetech.com/Microsoft_Windows_f119.html

Ken
 
Update KB977165 seems to have been my BSOD problem.
Whatthetech got me fixed up in no time.

GooredFix by jpshortstuff (08.01.10.1)
Log created at 20:49 on 12/02/2010 (buddy)
Firefox version 3.0.17 (en-US)

========== GooredScan ==========


========== GooredLog ==========

C:\Program Files\Mozilla Firefox\extensions\
{972ce4c6-7e08-4474-a285-3208198ce6fd} [05:52 20/10/2007]
{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} [00:53 29/09/2008]
{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA} [00:47 22/11/2008]
{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} [03:34 25/12/2008]
{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} [06:36 24/04/2009]

C:\Documents and Settings\buddy\Application Data\Mozilla\Firefox\Profiles\zxic7n1h.default\extensions\
{20a82645-c095-46ed-80e3-08825760534b} [00:01 08/10/2009]
{635abd67-4fe9-1b23-4f01-e679fa7484c1} [23:26 08/07/2008]

[HKEY_LOCAL_MACHINE\Software\Mozilla\Firefox\Extensions]
"jqs@sun.com"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff" [00:46 22/11/2008]
"{20a82645-c095-46ed-80e3-08825760534b}"="C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\" [04:53 05/10/2009]
"{000a9d1c-beef-4f90-9363-039d445309b8}"="C:\Program Files\Google\Google Gears\Firefox\" [04:32 29/10/2009]

-=E.O.F=-
 
Great, WTT is our sister site and they are a great crew :bigthumb:

How are things running now, are you still being redirected?
 
OK, I've got 2 small window pop-ups in Firefox:

http://pop.doubleclick.net/popup2.php?r=n]%23_}G%60Q%22g~g]xG5Qe%40%27xe%3B%60]}F%23%60%27Px

and
http://pp.directaclick.com/popup2.php?r=GP\8nkE_VP\-c4Z%40ece-%40G%26gRRR%27I%23P.GPU\Zcx4U%23nc4%3BZPP_%26_EJec}eE4xccRZcG%23k%60%3BcG1P%3BZ_nPZgnqEPQkZxEGUQWUG_wk%40gZQgGR}JPaQ%23e]ERUqZZZ%60Q{T\%3BQaRQRPnc%60ZbZU%27nQe-Q%264xeQ~WeRP%3BkP\UgFJ%26R%27%3BFQgQ4PF~Q~wTaRQfnP6%27%60__W]%6048~U4%27}REP\RkRiwcGcZtiJ%3BcPe_
 
We are looking at your master boot record possibly being infected.


Download mbr.exe to your Desktop.
http://www2.gmer.net/mbr/mbr.exe

Right click it and select CUT

click on My Computer
Click on your C:\ drive to open it
Then up on the toolbar click on Edit > Paste or right click anywhere in C and select Paste. mbr.exe has to be in C:\

You can close My Computer.


Then go to Start > Run and copy and paste this in

cmd /c mbr -t>"%userprofile%\Desktop\mbr.txt"

Click OK

It will place a text file on your desktop, copy and paste it for me to see please
 
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll nvidesm.sys >>UNKNOWN [0x89B4D8C8]<<
kernel: MBR read successfully
user & kernel MBR OK
 
Let's dig deeper for a rootkit.

Please download DeFogger to your desktop.

Double click DeFogger to run the tool.
  • The application window will appear
  • Click the Disable button to disable your CD Emulation drivers
  • Click Yes to continue
  • A 'Finished!' message will appear
  • Click OK
  • DeFogger will now ask to reboot the machine - click OK
IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.

Do not re-enable these drivers until otherwise instructed.





Next:

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.


  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
 
DeFogger did not give me any error message,
but it also did NOT ask to reboot.
So I did a normal restart,
and I'll post the logs just in case.

defogger_disable by jpshortstuff (29.01.10.1)
Log created at 19:27 on 13/02/2010 (buddy)

Checking for autostart values...
HKCU\~\Run values retrieved.
HKLM\~\Run values retrieved.

Checking for services/drivers...


-=E.O.F=-

Something else odd: while GMER was running, and the ethernet cable was unplugged, Microsoft was giving me updates??? It was KB977165.

I did not let it install.

And here's GMER's log:

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-02-13 20:31:32
Windows 5.1.2600 Service Pack 2
Running: yh3d6ukr.exe; Driver: C:\DOCUME~1\buddy\LOCALS~1\Temp\fwrirkod.sys


---- Kernel code sections - GMER 1.0.15 ----

.rsrc C:\WINDOWS\system32\drivers\nvidesm.sys entry point in ".rsrc" section [0xF771B380]
init C:\WINDOWS\system32\drivers\nvax.sys entry point in "init" section [0xF7744A1E]

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\drivers\nvidesm.sys suspicious modification

---- EOF - GMER 1.0.15 ----
 
Good Morning,

  • Download TDSSKiller and save it to your Desktop.

Extract the file and run it.

Once completed it will create a log in your C:\ drive called TDSSKiller_* (* denotes version & date)

Please post the content of that TDSSKiller log.
 
18:33:32:328 3948 TDSS rootkit removing tool 2.2.3 Feb 4 2010 14:34:00
18:33:32:328 3948 ================================================================================
18:33:32:328 3948 SystemInfo:

18:33:32:328 3948 OS Version: 5.1.2600 ServicePack: 2.0
18:33:32:328 3948 Product type: Workstation
18:33:32:328 3948 ComputerName: DADDY-TP53Z8UEU
18:33:32:328 3948 UserName: buddy
18:33:32:328 3948 Windows directory: C:\WINDOWS
18:33:32:328 3948 Processor architecture: Intel x86
18:33:32:328 3948 Number of processors: 1
18:33:32:328 3948 Page size: 0x1000
18:33:32:328 3948 Boot type: Normal boot
18:33:32:328 3948 ================================================================================
18:33:32:343 3948 UnloadDriverW: NtUnloadDriver error 2
18:33:32:343 3948 ForceUnloadDriverW: UnloadDriverW(klmd21) error 2
18:33:32:359 3948 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\drivers\klmd.sys) returned status 00000000
18:33:32:390 3948 UtilityInit: KLMD drop and load success
18:33:32:390 3948 KLMD_OpenDevice: Trying to open KLMD Device(KLMD201010)
18:33:32:390 3948 UtilityInit: KLMD open success
18:33:32:390 3948 UtilityInit: Initialize success
18:33:32:390 3948
18:33:32:390 3948 Scanning Services ...
18:33:32:390 3948 CreateRegParser: Registry parser init started
18:33:32:390 3948 DisableWow64Redirection: GetProcAddress(Wow64DisableWow64FsRedirection) error 127
18:33:32:390 3948 CreateRegParser: DisableWow64Redirection error
18:33:32:390 3948 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\system
18:33:32:390 3948 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\config\system) returned status C0000043
18:33:32:390 3948 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
18:33:32:390 3948 wfopen_ex: Trying to KLMD file open
18:33:32:390 3948 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\config\system
18:33:32:390 3948 wfopen_ex: File opened ok (Flags 2)
18:33:32:390 3948 CreateRegParser: HIVE_ADAPTER(C:\WINDOWS\system32\config\system) init success: 9C4C08
18:33:32:390 3948 wfopen_ex: Trying to open file C:\WINDOWS\system32\config\software
18:33:32:390 3948 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\config\software) returned status C0000043
18:33:32:390 3948 wfopen_ex: MyNtCreateFileW error 32 (C0000043)
18:33:32:390 3948 wfopen_ex: Trying to KLMD file open
18:33:32:390 3948 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\config\software
18:33:32:390 3948 wfopen_ex: File opened ok (Flags 2)
18:33:32:390 3948 CreateRegParser: HIVE_ADAPTER(C:\WINDOWS\system32\config\software) init success: 9C4CB0
18:33:32:390 3948 EnableWow64Redirection: GetProcAddress(Wow64RevertWow64FsRedirection) error 127
18:33:32:390 3948 CreateRegParser: EnableWow64Redirection error
18:33:32:390 3948 CreateRegParser: RegParser init completed
18:33:32:515 3948 GetAdvancedServicesInfo: Raw services enum returned 308 services
18:33:32:515 3948 fclose_ex: Trying to close file C:\WINDOWS\system32\config\system
18:33:32:515 3948 fclose_ex: Trying to close file C:\WINDOWS\system32\config\software
18:33:32:515 3948
18:33:32:515 3948 Scanning Kernel memory ...
18:33:32:515 3948 KLMD_GetSystemObjectAddressByNameW: Trying to get system object address by name \Driver\Disk
18:33:32:515 3948 DetectCureTDL3: \Driver\Disk PDRIVER_OBJECT: 89B87940
18:33:32:531 3948 DetectCureTDL3: KLMD_GetDeviceObjectList returned 4 DevObjects
18:33:32:531 3948
18:33:32:531 3948 DetectCureTDL3: DEVICE_OBJECT: 89B50C68
18:33:32:531 3948 KLMD_GetLowerDeviceObject: Trying to get lower device object for 89B50C68
18:33:32:531 3948 KLMD_ReadMem: Trying to ReadMemory 0x89B50C68[0x38]
18:33:32:531 3948 DetectCureTDL3: DRIVER_OBJECT: 89B87940
18:33:32:531 3948 KLMD_ReadMem: Trying to ReadMemory 0x89B87940[0xA8]
18:33:32:531 3948 KLMD_ReadMem: Trying to ReadMemory 0xE101CE68[0x18]
18:33:32:531 3948 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
18:33:32:531 3948 DetectCureTDL3: IrpHandler (0) addr: F763DC30
18:33:32:531 3948 DetectCureTDL3: IrpHandler (1) addr: 804FB8DE
18:33:32:531 3948 DetectCureTDL3: IrpHandler (2) addr: F763DC30
18:33:32:531 3948 DetectCureTDL3: IrpHandler (3) addr: F7637D9B
18:33:32:531 3948 DetectCureTDL3: IrpHandler (4) addr: F7637D9B
18:33:32:531 3948 DetectCureTDL3: IrpHandler (5) addr: 804FB8DE
18:33:32:531 3948 DetectCureTDL3: IrpHandler (6) addr: 804FB8DE
18:33:32:531 3948 DetectCureTDL3: IrpHandler (7) addr: 804FB8DE
18:33:32:531 3948 DetectCureTDL3: IrpHandler (8) addr: 804FB8DE
18:33:32:531 3948 DetectCureTDL3: IrpHandler (9) addr: F7638366
18:33:32:531 3948 DetectCureTDL3: IrpHandler (10) addr: 804FB8DE
18:33:32:531 3948 DetectCureTDL3: IrpHandler (11) addr: 804FB8DE
18:33:32:531 3948 DetectCureTDL3: IrpHandler (12) addr: 804FB8DE
18:33:32:531 3948 DetectCureTDL3: IrpHandler (13) addr: 804FB8DE
18:33:32:531 3948 DetectCureTDL3: IrpHandler (14) addr: F763844D
18:33:32:531 3948 DetectCureTDL3: IrpHandler (15) addr: F763BFC3
18:33:32:531 3948 DetectCureTDL3: IrpHandler (16) addr: F7638366
18:33:32:531 3948 DetectCureTDL3: IrpHandler (17) addr: 804FB8DE
18:33:32:531 3948 DetectCureTDL3: IrpHandler (18) addr: 804FB8DE
18:33:32:531 3948 DetectCureTDL3: IrpHandler (19) addr: 804FB8DE
18:33:32:531 3948 DetectCureTDL3: IrpHandler (20) addr: 804FB8DE
18:33:32:531 3948 DetectCureTDL3: IrpHandler (21) addr: 804FB8DE
18:33:32:531 3948 DetectCureTDL3: IrpHandler (22) addr: F7639EF3
18:33:32:531 3948 DetectCureTDL3: IrpHandler (23) addr: F763EA24
18:33:32:531 3948 DetectCureTDL3: IrpHandler (24) addr: 804FB8DE
18:33:32:531 3948 DetectCureTDL3: IrpHandler (25) addr: 804FB8DE
18:33:32:531 3948 DetectCureTDL3: IrpHandler (26) addr: 804FB8DE
18:33:32:531 3948 TDL3_FileDetect: Processing driver: Disk
18:33:32:531 3948 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys
18:33:32:531 3948 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys
18:33:32:531 3948 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
18:33:32:531 3948
18:33:32:531 3948 DetectCureTDL3: DEVICE_OBJECT: 89C01C68
18:33:32:531 3948 KLMD_GetLowerDeviceObject: Trying to get lower device object for 89C01C68
18:33:32:531 3948 KLMD_ReadMem: Trying to ReadMemory 0x89C01C68[0x38]
18:33:32:531 3948 DetectCureTDL3: DRIVER_OBJECT: 89B87940
18:33:32:546 3948 KLMD_ReadMem: Trying to ReadMemory 0x89B87940[0xA8]
18:33:32:546 3948 KLMD_ReadMem: Trying to ReadMemory 0xE101CE68[0x18]
18:33:32:546 3948 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
18:33:32:546 3948 DetectCureTDL3: IrpHandler (0) addr: F763DC30
18:33:32:546 3948 DetectCureTDL3: IrpHandler (1) addr: 804FB8DE
18:33:32:546 3948 DetectCureTDL3: IrpHandler (2) addr: F763DC30
18:33:32:546 3948 DetectCureTDL3: IrpHandler (3) addr: F7637D9B
18:33:32:546 3948 DetectCureTDL3: IrpHandler (4) addr: F7637D9B
18:33:32:546 3948 DetectCureTDL3: IrpHandler (5) addr: 804FB8DE
18:33:32:546 3948 DetectCureTDL3: IrpHandler (6) addr: 804FB8DE
18:33:32:546 3948 DetectCureTDL3: IrpHandler (7) addr: 804FB8DE
18:33:32:546 3948 DetectCureTDL3: IrpHandler (8) addr: 804FB8DE
18:33:32:546 3948 DetectCureTDL3: IrpHandler (9) addr: F7638366
18:33:32:546 3948 DetectCureTDL3: IrpHandler (10) addr: 804FB8DE
18:33:32:546 3948 DetectCureTDL3: IrpHandler (11) addr: 804FB8DE
18:33:32:546 3948 DetectCureTDL3: IrpHandler (12) addr: 804FB8DE
18:33:32:546 3948 DetectCureTDL3: IrpHandler (13) addr: 804FB8DE
18:33:32:546 3948 DetectCureTDL3: IrpHandler (14) addr: F763844D
18:33:32:546 3948 DetectCureTDL3: IrpHandler (15) addr: F763BFC3
18:33:32:546 3948 DetectCureTDL3: IrpHandler (16) addr: F7638366
18:33:32:546 3948 DetectCureTDL3: IrpHandler (17) addr: 804FB8DE
18:33:32:546 3948 DetectCureTDL3: IrpHandler (18) addr: 804FB8DE
18:33:32:546 3948 DetectCureTDL3: IrpHandler (19) addr: 804FB8DE
18:33:32:546 3948 DetectCureTDL3: IrpHandler (20) addr: 804FB8DE
18:33:32:546 3948 DetectCureTDL3: IrpHandler (21) addr: 804FB8DE
18:33:32:546 3948 DetectCureTDL3: IrpHandler (22) addr: F7639EF3
18:33:32:546 3948 DetectCureTDL3: IrpHandler (23) addr: F763EA24
18:33:32:546 3948 DetectCureTDL3: IrpHandler (24) addr: 804FB8DE
18:33:32:546 3948 DetectCureTDL3: IrpHandler (25) addr: 804FB8DE
18:33:32:546 3948 DetectCureTDL3: IrpHandler (26) addr: 804FB8DE
18:33:32:546 3948 TDL3_FileDetect: Processing driver: Disk
18:33:32:546 3948 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\DRIVERS\disk.sys
18:33:32:546 3948 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\DRIVERS\disk.sys
18:33:32:546 3948 TDL3_FileDetect: C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
18:33:32:546 3948
18:33:32:546 3948 DetectCureTDL3: DEVICE_OBJECT: 89B5CAB8
18:33:32:546 3948 KLMD_GetLowerDeviceObject: Trying to get lower device object for 89B5CAB8
18:33:32:546 3948 DetectCureTDL3: DEVICE_OBJECT: 89B3DA88
18:33:32:546 3948 KLMD_GetLowerDeviceObject: Trying to get lower device object for 89B3DA88
18:33:32:546 3948 DetectCureTDL3: DEVICE_OBJECT: 89B87030
18:33:32:546 3948 KLMD_GetLowerDeviceObject: Trying to get lower device object for 89B87030
18:33:32:546 3948 KLMD_ReadMem: Trying to ReadMemory 0x89B87030[0x38]
18:33:32:546 3948 DetectCureTDL3: DRIVER_OBJECT: 89B3EE48
18:33:32:546 3948 KLMD_ReadMem: Trying to ReadMemory 0x89B3EE48[0xA8]
18:33:32:546 3948 KLMD_ReadMem: Trying to ReadMemory 0xE153A2A0[0x1E]
18:33:32:546 3948 DetectCureTDL3: DRIVER_OBJECT name: \Driver\nvidesm, Driver Name: nvidesm
18:33:32:546 3948 DetectCureTDL3: IrpHandler (0) addr: F771AEF6
18:33:32:546 3948 DetectCureTDL3: IrpHandler (1) addr: F771AEF6
18:33:32:546 3948 DetectCureTDL3: IrpHandler (2) addr: F771AEF6
18:33:32:546 3948 DetectCureTDL3: IrpHandler (3) addr: F771AEF6
18:33:32:546 3948 DetectCureTDL3: IrpHandler (4) addr: F771AEF6
18:33:32:546 3948 DetectCureTDL3: IrpHandler (5) addr: F771AEF6
18:33:32:546 3948 DetectCureTDL3: IrpHandler (6) addr: F771AEF6
18:33:32:546 3948 DetectCureTDL3: IrpHandler (7) addr: F771AEF6
18:33:32:546 3948 DetectCureTDL3: IrpHandler (8) addr: F771AEF6
18:33:32:546 3948 DetectCureTDL3: IrpHandler (9) addr: F771AEF6
18:33:32:546 3948 DetectCureTDL3: IrpHandler (10) addr: F771AEF6
18:33:32:546 3948 DetectCureTDL3: IrpHandler (11) addr: F771AEF6
18:33:32:546 3948 DetectCureTDL3: IrpHandler (12) addr: F771AEF6
18:33:32:546 3948 DetectCureTDL3: IrpHandler (13) addr: F771AEF6
18:33:32:546 3948 DetectCureTDL3: IrpHandler (14) addr: F771AEF6
18:33:32:546 3948 DetectCureTDL3: IrpHandler (15) addr: F771AEF6
18:33:32:546 3948 DetectCureTDL3: IrpHandler (16) addr: F771AEF6
18:33:32:546 3948 DetectCureTDL3: IrpHandler (17) addr: F771AEF6
18:33:32:546 3948 DetectCureTDL3: IrpHandler (18) addr: F771AEF6
18:33:32:546 3948 DetectCureTDL3: IrpHandler (19) addr: F771AEF6
18:33:32:546 3948 DetectCureTDL3: IrpHandler (20) addr: F771AEF6
18:33:32:546 3948 DetectCureTDL3: IrpHandler (21) addr: F771AEF6
18:33:32:546 3948 DetectCureTDL3: IrpHandler (22) addr: F771AEF6
18:33:32:546 3948 DetectCureTDL3: IrpHandler (23) addr: F771AEF6
18:33:32:546 3948 DetectCureTDL3: IrpHandler (24) addr: F771AEF6
18:33:32:546 3948 DetectCureTDL3: IrpHandler (25) addr: F771AEF6
18:33:32:546 3948 DetectCureTDL3: IrpHandler (26) addr: F771AEF6
18:33:32:546 3948 DetectCureTDL3: All IRP handlers pointed to one addr: F771AEF6
18:33:32:546 3948 KLMD_ReadMem: Trying to ReadMemory 0xF771AEF6[0x400]
18:33:32:546 3948 TDL3_IrpHookDetect: TDL3 Stub signature found, trying to get hook true addr
18:33:32:546 3948 KLMD_ReadMem: Trying to ReadMemory 0xFFDF0308[0x4]
18:33:32:546 3948 KLMD_ReadMem: Trying to ReadMemory 0x89B3E81C[0x4]
18:33:32:546 3948 TDL3_IrpHookDetect: New IrpHandler addr: 89B4D8C8
18:33:32:546 3948 KLMD_ReadMem: Trying to ReadMemory 0x89B4D8C8[0x400]
18:33:32:546 3948 TDL3_IrpHookDetect: CheckParameters: 10, FFDF0308, 510, 134, 3, 120
18:33:32:546 3948 Driver "nvidesm" Irp handler infected by TDSS rootkit ... 18:33:32:546 3948 KLMD_WriteMem: Trying to WriteMemory 0x89B4D94E[0xD]
18:33:32:546 3948 cured
18:33:32:546 3948 KLMD_ReadMem: Trying to ReadMemory 0xF748540E[0x400]
18:33:32:546 3948 TDL3_StartIoHookDetect: CheckParameters: 1, F748917C, 0
18:33:32:546 3948 TDL3_FileDetect: Processing driver: nvidesm
18:33:32:546 3948 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\drivers\nvidesm.sys
18:33:32:546 3948 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\drivers\nvidesm.sys
18:33:32:625 3948 TDL3_FileDetect: C:\WINDOWS\system32\drivers\nvidesm.sys - Verdict: Infected
18:33:32:625 3948 File C:\WINDOWS\system32\drivers\nvidesm.sys infected by TDSS rootkit ... 18:33:32:625 3948 TDL3_FileCure: Processing driver file: C:\WINDOWS\system32\drivers\nvidesm.sys
18:33:32:625 3948 ProcessDirEnumEx: FindFirstFile(C:\WINDOWS\system32\DriverStore\FileRepository\*) error 3
18:33:32:625 3948 CABFileCallback: Processing cab-file: C:\WINDOWS\Driver Cache\i386\driver.cab
18:33:32:703 3948 CABFileCallback: Processing cab-file: C:\WINDOWS\Driver Cache\i386\sp1.cab
18:33:32:750 3948 CABFileCallback: Processing cab-file: C:\WINDOWS\Driver Cache\i386\sp2.cab
18:33:32:796 3948 ProcessDirEnumEx: FindFirstFile(C:\WINDOWS\OemDir\*) error 3
18:33:33:265 3948 TDL3_FileCure: Backup copy not found, trying to cure infected file..
18:33:33:265 3948 TDL3_FileCure: Cure success, using it..
18:33:33:265 3948 TDL3_FileCure: Dumping cured buffer to file C:\WINDOWS\system32\drivers\tsk396.tmp
18:33:33:265 3948 TDL3_FileCure: New / Old Image paths: (system32\drivers\tsk396.tmp, system32\drivers\nvidesm.sys)
18:33:33:265 3948 TDL3_FileCure: KLMD jobs schedule success
18:33:33:265 3948 will be cured on next reboot
18:33:33:265 3948
18:33:33:265 3948 DetectCureTDL3: DEVICE_OBJECT: 89B5C030
18:33:33:265 3948 KLMD_GetLowerDeviceObject: Trying to get lower device object for 89B5C030
18:33:33:265 3948 DetectCureTDL3: DEVICE_OBJECT: 89B3DBA0
18:33:33:265 3948 KLMD_GetLowerDeviceObject: Trying to get lower device object for 89B3DBA0
18:33:33:265 3948 DetectCureTDL3: DEVICE_OBJECT: 89B3BA38
18:33:33:265 3948 KLMD_GetLowerDeviceObject: Trying to get lower device object for 89B3BA38
18:33:33:265 3948 KLMD_ReadMem: Trying to ReadMemory 0x89B3BA38[0x38]
18:33:33:265 3948 DetectCureTDL3: DRIVER_OBJECT: 89B3EE48
18:33:33:265 3948 KLMD_ReadMem: Trying to ReadMemory 0x89B3EE48[0xA8]
18:33:33:265 3948 KLMD_ReadMem: Trying to ReadMemory 0xE153A2A0[0x1E]
18:33:33:265 3948 DetectCureTDL3: DRIVER_OBJECT name: \Driver\nvidesm, Driver Name: nvidesm
18:33:33:265 3948 DetectCureTDL3: IrpHandler (0) addr: F771AEF6
18:33:33:265 3948 DetectCureTDL3: IrpHandler (1) addr: F771AEF6
18:33:33:265 3948 DetectCureTDL3: IrpHandler (2) addr: F771AEF6
18:33:33:265 3948 DetectCureTDL3: IrpHandler (3) addr: F771AEF6
18:33:33:265 3948 DetectCureTDL3: IrpHandler (4) addr: F771AEF6
18:33:33:265 3948 DetectCureTDL3: IrpHandler (5) addr: F771AEF6
18:33:33:265 3948 DetectCureTDL3: IrpHandler (6) addr: F771AEF6
18:33:33:265 3948 DetectCureTDL3: IrpHandler (7) addr: F771AEF6
18:33:33:265 3948 DetectCureTDL3: IrpHandler (8) addr: F771AEF6
18:33:33:265 3948 DetectCureTDL3: IrpHandler (9) addr: F771AEF6
18:33:33:265 3948 DetectCureTDL3: IrpHandler (10) addr: F771AEF6
18:33:33:265 3948 DetectCureTDL3: IrpHandler (11) addr: F771AEF6
18:33:33:265 3948 DetectCureTDL3: IrpHandler (12) addr: F771AEF6
18:33:33:265 3948 DetectCureTDL3: IrpHandler (13) addr: F771AEF6
18:33:33:265 3948 DetectCureTDL3: IrpHandler (14) addr: F771AEF6
18:33:33:265 3948 DetectCureTDL3: IrpHandler (15) addr: F771AEF6
18:33:33:265 3948 DetectCureTDL3: IrpHandler (16) addr: F771AEF6
18:33:33:265 3948 DetectCureTDL3: IrpHandler (17) addr: F771AEF6
18:33:33:265 3948 DetectCureTDL3: IrpHandler (18) addr: F771AEF6
18:33:33:265 3948 DetectCureTDL3: IrpHandler (19) addr: F771AEF6
18:33:33:265 3948 DetectCureTDL3: IrpHandler (20) addr: F771AEF6
18:33:33:265 3948 DetectCureTDL3: IrpHandler (21) addr: F771AEF6
18:33:33:265 3948 DetectCureTDL3: IrpHandler (22) addr: F771AEF6
18:33:33:265 3948 DetectCureTDL3: IrpHandler (23) addr: F771AEF6
18:33:33:265 3948 DetectCureTDL3: IrpHandler (24) addr: F771AEF6
18:33:33:265 3948 DetectCureTDL3: IrpHandler (25) addr: F771AEF6
18:33:33:265 3948 DetectCureTDL3: IrpHandler (26) addr: F771AEF6
18:33:33:265 3948 DetectCureTDL3: All IRP handlers pointed to one addr: F771AEF6
18:33:33:265 3948 KLMD_ReadMem: Trying to ReadMemory 0xF771AEF6[0x400]
18:33:33:265 3948 TDL3_IrpHookDetect: TDL3 Stub signature found, trying to get hook true addr
18:33:33:265 3948 KLMD_ReadMem: Trying to ReadMemory 0xFFDF0308[0x4]
18:33:33:265 3948 KLMD_ReadMem: Trying to ReadMemory 0x89B3E81C[0x4]
18:33:33:265 3948 TDL3_IrpHookDetect: New IrpHandler addr: 89B4D8C8
18:33:33:265 3948 KLMD_ReadMem: Trying to ReadMemory 0x89B4D8C8[0x400]
18:33:33:265 3948 TDL3_IrpHookDetect: TDL3 is already cured
18:33:33:265 3948 KLMD_ReadMem: Trying to ReadMemory 0xF748540E[0x400]
18:33:33:265 3948 TDL3_StartIoHookDetect: CheckParameters: 1, F748917C, 0
18:33:33:265 3948 TDL3_FileDetect: Processing driver: nvidesm
18:33:33:265 3948 TDL3_FileDetect: Processing driver file: C:\WINDOWS\system32\drivers\tsk396.tmp
18:33:33:265 3948 KLMD_CreateFileW: Trying to open file C:\WINDOWS\system32\drivers\tsk396.tmp
18:33:33:265 3948 TDL3_FileDetect: C:\WINDOWS\system32\drivers\tsk396.tmp - Verdict: Clean
18:33:33:265 3948 UtilityBootReinit: Reboot required for cure complete..
18:33:33:265 3948 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\drivers\klmdb.sys) returned status 00000000
18:33:33:281 3948 UtilityBootReinit: KLMD drop success
18:33:33:281 3948 KLMD_ApplyPendList: Pending buffer(4A2A_5C1F, 624) dropped successfully
18:33:33:281 3948 UtilityBootReinit: Cure on reboot scheduled successfully
18:33:33:281 3948
18:33:33:281 3948 Completed
18:33:33:281 3948
18:33:33:281 3948 Results:
18:33:33:281 3948 Memory objects infected / cured / cured on reboot: 1 / 1 / 0
18:33:33:281 3948 Registry objects infected / cured / cured on reboot: 0 / 0 / 0
18:33:33:281 3948 File objects infected / cured / cured on reboot: 1 / 0 / 1
18:33:33:281 3948
18:33:33:281 3948 UnloadDriverW: NtUnloadDriver error 1
18:33:33:281 3948 KLMD_Unload: UnloadDriverW(klmd21) error 1
18:33:33:281 3948 MyNtCreateFileW: NtCreateFile(\??\C:\WINDOWS\system32\drivers\klmd.sys) returned status 00000000
18:33:33:281 3948 UtilityDeinit: KLMD(ARK) unloaded successfully
 
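The two logs above corroborate each other: mbr.exe flagged an address on the disk I/O path that belongs to no loaded module (>>UNKNOWN [0x89B4D8C8]<<), and TDSSKiller later found that every IRP handler of nvidesm pointed at one stub and recovered 89B4D8C8 as the real hook target behind it. The script below is an added example, not part of the thread or of either tool; it parses excerpts of the logs posted above (abbreviated to a few handler lines, embedded as constants) and applies the same three first-gate checks by hand: unknown modules in the mbr.exe call chain, a driver whose dumped IRP table collapses to a single address, and a GMER line reporting a driver entry point inside its ".rsrc" section. Function and constant names are the example's own.

```python
"""Cross-check rootkit indicators from mbr.exe, TDSSKiller and GMER log text.

Added example. The sample strings are abbreviated excerpts of the logs
posted in this thread; the function names are this example's own.
"""
import re
from collections import OrderedDict

# --- excerpts from the thread (abbreviated: real TDSSKiller dumps 27 handlers) ---
MBR_SAMPLE = """device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll nvidesm.sys >>UNKNOWN [0x89B4D8C8]<<
kernel: MBR read successfully
user & kernel MBR OK"""

TDSS_SAMPLE = r"""18:33:32:531 3948 DetectCureTDL3: DRIVER_OBJECT name: \Driver\Disk, Driver Name: Disk
18:33:32:531 3948 DetectCureTDL3: IrpHandler (0) addr: F763DC30
18:33:32:531 3948 DetectCureTDL3: IrpHandler (1) addr: 804FB8DE
18:33:32:531 3948 DetectCureTDL3: IrpHandler (2) addr: F763DC30
18:33:32:531 3948 DetectCureTDL3: IrpHandler (3) addr: F7637D9B
18:33:32:546 3948 DetectCureTDL3: DRIVER_OBJECT name: \Driver\nvidesm, Driver Name: nvidesm
18:33:32:546 3948 DetectCureTDL3: IrpHandler (0) addr: F771AEF6
18:33:32:546 3948 DetectCureTDL3: IrpHandler (1) addr: F771AEF6
18:33:32:546 3948 DetectCureTDL3: IrpHandler (2) addr: F771AEF6
18:33:32:546 3948 DetectCureTDL3: IrpHandler (3) addr: F771AEF6
18:33:32:546 3948 TDL3_IrpHookDetect: New IrpHandler addr: 89B4D8C8"""

GMER_SAMPLE = r""".rsrc C:\WINDOWS\system32\drivers\nvidesm.sys entry point in ".rsrc" section [0xF771B380]
init C:\WINDOWS\system32\drivers\nvax.sys entry point in "init" section [0xF7744A1E]"""

UNKNOWN_RE = re.compile(r">>UNKNOWN \[0x([0-9A-Fa-f]+)\]<<")
DRIVER_RE = re.compile(r"DRIVER_OBJECT name: .*?, Driver Name: (\S+)")
HANDLER_RE = re.compile(r"IrpHandler \((\d+)\) addr: ([0-9A-Fa-f]+)")
HOOK_RE = re.compile(r"New IrpHandler addr: ([0-9A-Fa-f]+)")
RSRC_RE = re.compile(r'^\.rsrc\s+(\S+) entry point in "\.rsrc" section', re.M)


def unknown_modules(mbr_log):
    """Code addresses mbr.exe saw on the disk I/O path but could not map to a module."""
    return [int(a, 16) for a in UNKNOWN_RE.findall(mbr_log)]


def irp_tables(tdss_log):
    """Driver name -> list of IRP handler addresses, in dump order.

    TDSSKiller prints a DRIVER_OBJECT block once per device object it walks,
    so a driver may appear more than once; each new block resets the list.
    """
    tables = OrderedDict()
    current = None
    for line in tdss_log.splitlines():
        d = DRIVER_RE.search(line)
        if d:
            current = d.group(1)
            tables[current] = []
            continue
        h = HANDLER_RE.search(line)
        if h and current is not None:
            tables[current].append(int(h.group(2), 16))
    return tables


def collapsed_drivers(tables, min_handlers=2):
    """Drivers whose every dumped IRP handler is the same address (the stub pattern).

    A legitimate driver with a single generic dispatch routine also looks like
    this, which is why TDSSKiller follows up by reading the stub and matching a
    signature; treat this as a lead to examine, not a verdict.
    """
    return [name for name, addrs in tables.items()
            if len(addrs) >= min_handlers and len(set(addrs)) == 1]


def hook_targets(tdss_log):
    """Real handler addresses TDSSKiller recovered from behind a stub."""
    return [int(a, 16) for a in HOOK_RE.findall(tdss_log)]


def rsrc_entry_points(gmer_log):
    """Drivers GMER reports with their entry point inside the ".rsrc" section."""
    return RSRC_RE.findall(gmer_log)


def correlate(mbr_log, tdss_log, gmer_log):
    """Combine the three indicators; 'corroborated' is the address both tools agree on."""
    unknown = set(unknown_modules(mbr_log))
    targets = set(hook_targets(tdss_log))
    return {
        "unknown_in_disk_path": sorted(unknown),
        "collapsed_irp_tables": collapsed_drivers(irp_tables(tdss_log)),
        "rsrc_entry_points": rsrc_entry_points(gmer_log),
        "corroborated": sorted(unknown & targets),
    }


if __name__ == "__main__":
    for key, value in correlate(MBR_SAMPLE, TDSS_SAMPLE, GMER_SAMPLE).items():
        shown = [hex(v) if isinstance(v, int) else v for v in value]
        print(f"{key}: {shown}")
```

On the thread's own excerpts this reports nvidesm as the collapsed IRP table, nvidesm.sys as the driver with an entry point in ".rsrc", and 0x89B4D8C8 as the address mbr.exe's UNKNOWN marker and TDSSKiller's recovered hook target have in common. The collapse check alone is only a lead: the point of the correlation is that three independent vantage points (the disk call chain, the driver's dispatch table and the on-disk PE layout) all converge on the same driver.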
Make sure you reboot after running TDSSKiller. Drag ComboFix to the trash and grab a fresh copy, as it's updated on a regular basis.


Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.

Link 1
Link 2







* IMPORTANT !!! Save ComboFix.exe to your Desktop


  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • See this Link for programs that need to be disabled and instruction on how to disable them.
  • Remember to re-enable them when we're done.

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.




Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a new HijackThis log.

*If there is no internet connection when Combofix has completely finished then restart your computer to restore back the connections.
 
Hey...
that's not what you said to do before.

I ran ComboFix from the old icon on my desktop.
It said that there was a new version and downloaded it.

Here's the log from that scan,

and I'll redo it following the instructions you just posted.

ComboFix 10-02-12.01 - buddy 02/14/2010 20:20:18.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2047.1727 [GMT -6:00]
Running from: c:\documents and settings\buddy\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2010-01-15 to 2010-02-15 )))))))))))))))))))))))))))))))
.

2010-02-13 23:48 . 2010-02-13 23:48 77312 ----a-w- C:\mbr.exe
2010-02-10 10:08 . 2009-08-04 14:00 2180352 -c--a-w- c:\windows\system32\dllcache\ntoskrnl.exe
2010-02-10 10:08 . 2009-08-04 14:00 2180352 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-02-10 10:08 . 2009-08-04 13:58 2136064 -c--a-w- c:\windows\system32\dllcache\ntkrnlmp.exe
2010-02-10 10:08 . 2009-08-04 13:13 2015744 -c--a-w- c:\windows\system32\dllcache\ntkrpamp.exe
2010-02-10 10:08 . 2009-08-04 13:13 2057728 -c--a-w- c:\windows\system32\dllcache\ntkrnlpa.exe
2010-02-10 10:08 . 2009-08-04 13:13 2057728 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-02-05 02:00 . 2010-01-07 22:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-05 02:00 . 2010-01-07 22:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-03 08:32 . 2010-02-03 08:32 144160 ----a-w- c:\documents and settings\buddy\Application Data\Move Networks\uninstall.exe
2010-02-03 08:32 . 2010-02-03 08:32 1436320 ----a-w- c:\documents and settings\buddy\Application Data\Move Networks\MoveMediaPlayerWinSilent_071505000011.exe
2010-02-03 08:19 . 2010-02-03 08:19 1956072 ----a-w- c:\documents and settings\buddy\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\fpupdateax\fpupdateax.exe
2010-02-03 03:48 . 2010-02-03 03:48 -------- d-----w- c:\program files\ERUNT
2010-02-03 00:58 . 2010-02-03 00:58 -------- d-----w- c:\program files\Trend Micro
2010-02-01 02:49 . 2010-02-02 03:35 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-01-31 02:40 . 2010-01-31 02:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-01-30 14:18 . 2010-02-03 02:51 0 ----a-w- c:\documents and settings\buddy\Local Settings\Application Data\prvlcl.dat
2010-01-28 06:41 . 2010-01-28 06:41 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-01-28 06:40 . 2010-02-03 03:22 -------- d-----w- c:\documents and settings\buddy\Application Data\SUPERAntiSpyware.com
2010-01-28 06:40 . 2010-02-03 03:22 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-01-28 02:58 . 2010-01-28 02:58 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-01-28 02:25 . 2010-01-28 02:25 -------- d-----w- c:\documents and settings\buddy\Application Data\Malwarebytes
2010-01-28 02:25 . 2010-02-05 02:00 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-28 02:25 . 2010-01-28 02:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-01-27 08:22 . 2010-01-27 08:22 -------- d-----w- C:\ComputerRequirementsTemp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-15 00:34 . 2007-10-20 04:07 20224 ----a-w- c:\windows\system32\drivers\nvidesm.sys
2010-02-03 08:35 . 2008-04-17 23:37 -------- d-----w- c:\documents and settings\buddy\Application Data\Move Networks
2010-02-03 08:32 . 2009-12-10 19:26 4187512 ----a-w- c:\documents and settings\buddy\Application Data\Move Networks\plugins\npqmp071505000011.dll
2010-02-03 03:22 . 2007-10-20 06:14 -------- d-----w- c:\program files\SpywareGuard
2010-02-01 00:59 . 2007-10-20 06:19 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-01-30 07:01 . 2009-04-18 01:00 -------- d-----w- c:\program files\AVG
2010-01-27 08:11 . 2007-10-20 06:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-01-22 07:14 . 2009-03-14 05:41 -------- d-----w- c:\program files\Microsoft Silverlight
2010-01-05 10:00 . 2002-09-03 20:03 832512 ------w- c:\windows\system32\wininet.dll
2010-01-05 10:00 . 2007-10-20 02:43 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-01-05 10:00 . 2002-09-03 19:35 17408 ------w- c:\windows\system32\corpol.dll
2009-12-31 16:14 . 2002-09-03 19:57 352640 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-16 12:58 . 2007-10-20 02:20 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-14 07:35 . 2002-09-03 19:35 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-12-10 19:27 . 2009-12-10 19:27 97144 ----a-w- c:\documents and settings\buddy\Application Data\Move Networks\ie_bin\MovePlayerUpgrade.exe
2009-12-04 14:41 . 2002-09-03 19:45 453760 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2009-11-27 17:33 . 2002-09-03 19:52 1291264 ----a-w- c:\windows\system32\quartz.dll
2009-11-27 17:33 . 2001-08-17 22:36 17920 ----a-w- c:\windows\system32\msyuv.dll
2009-11-27 16:37 . 2002-09-03 19:48 28672 ----a-w- c:\windows\system32\msvidc32.dll
2009-11-27 16:37 . 2002-09-03 19:47 11264 ----a-w- c:\windows\system32\msrle32.dll
2009-11-27 16:37 . 2002-09-03 19:33 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-11-27 16:37 . 2001-08-17 22:36 8704 ----a-w- c:\windows\system32\tsbyuv.dll
2009-11-27 16:37 . 2001-08-17 22:36 48128 ----a-w- c:\windows\system32\iyuv_32.dll
2009-11-21 16:36 . 2002-09-03 19:32 470528 ----a-w- c:\windows\AppPatch\aclayers.dll
.

((((((((((((((((((((((((((((( SnapShot@2010-02-09_01.21.42 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-02-15 02:13 . 2010-02-15 02:13 16384 c:\windows\Temp\Perflib_Perfdata_1c0.dat
+ 2009-11-27 17:33 . 2009-11-27 17:33 17920 c:\windows\system32\dllcache\msyuv.dll
+ 2002-09-03 19:48 . 2009-11-27 16:37 28672 c:\windows\system32\dllcache\msvidc32.dll
+ 2009-11-27 16:37 . 2009-11-27 16:37 11264 c:\windows\system32\dllcache\msrle32.dll
+ 2009-11-27 16:37 . 2009-11-27 16:37 48128 c:\windows\system32\dllcache\iyuv_32.dll
+ 2009-12-14 07:35 . 2009-12-14 07:35 33280 c:\windows\system32\dllcache\csrsrv.dll
- 2009-06-10 14:21 . 2009-06-10 14:21 84992 c:\windows\system32\dllcache\avifil32.dll
+ 2009-06-10 14:21 . 2009-11-27 16:37 84992 c:\windows\system32\dllcache\avifil32.dll
+ 2009-11-27 17:33 . 2009-11-27 17:33 17920 c:\windows\Driver Cache\i386\msyuv.dll
+ 2009-11-27 16:37 . 2009-11-27 16:37 48128 c:\windows\Driver Cache\i386\iyuv_32.dll
+ 2009-11-27 16:37 . 2009-11-27 16:37 8704 c:\windows\system32\dllcache\tsbyuv.dll
+ 2009-11-27 16:37 . 2009-11-27 16:37 8704 c:\windows\Driver Cache\i386\tsbyuv.dll
+ 2002-09-03 19:55 . 2009-12-08 08:59 474112 c:\windows\system32\shlwapi.dll
- 2002-09-03 19:55 . 2007-08-22 12:55 474112 c:\windows\system32\shlwapi.dll
+ 2006-08-14 10:34 . 2009-12-31 16:14 352640 c:\windows\system32\dllcache\srv.sys
+ 2007-08-22 13:12 . 2009-12-08 08:59 474112 c:\windows\system32\dllcache\shlwapi.dll
- 2007-08-22 13:12 . 2007-08-22 12:55 474112 c:\windows\system32\dllcache\shlwapi.dll
+ 2009-12-16 12:58 . 2009-12-16 12:58 343040 c:\windows\system32\dllcache\mspaint.exe
+ 2006-05-05 09:41 . 2009-12-04 14:41 453760 c:\windows\system32\dllcache\mrxsmb.sys
+ 2006-05-05 09:41 . 2009-12-04 14:41 453760 c:\windows\Driver Cache\i386\mrxsmb.sys
+ 2007-10-29 22:43 . 2009-11-27 17:33 1291264 c:\windows\system32\dllcache\quartz.dll
+ 2010-02-10 10:08 . 2009-08-04 14:00 2180352 c:\windows\Driver Cache\i386\ntoskrnl.exe
- 2005-03-02 00:59 . 2009-08-04 14:00 2180352 c:\windows\Driver Cache\i386\ntoskrnl.exe
- 2005-03-02 00:34 . 2009-08-04 13:13 2015744 c:\windows\Driver Cache\i386\ntkrpamp.exe
+ 2010-02-10 10:08 . 2009-08-04 13:13 2015744 c:\windows\Driver Cache\i386\ntkrpamp.exe
+ 2010-02-10 10:08 . 2009-08-04 13:13 2057728 c:\windows\Driver Cache\i386\ntkrnlpa.exe
- 2005-03-02 00:34 . 2009-08-04 13:13 2057728 c:\windows\Driver Cache\i386\ntkrnlpa.exe
+ 2010-02-10 10:08 . 2009-08-04 13:58 2136064 c:\windows\Driver Cache\i386\ntkrnlmp.exe
- 2005-03-02 00:57 . 2009-08-04 13:58 2136064 c:\windows\Driver Cache\i386\ntkrnlmp.exe
+ 2007-10-20 05:27 . 2010-02-01 19:26 30364104 c:\windows\system32\MRT.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-09-17 8491008]
"nwiz"="nwiz.exe" [2007-09-17 1626112]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2007-08-31 1037736]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-09-17 81920]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-03-11 198160]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@=""

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R3 HCW848NT;Hauppauge Win/TV;c:\windows\system32\drivers\HCW848NT.sys [10/19/2007 10:25 PM 140440]
R3 PSC60x;Philips PCI Audio Driver (WDM);c:\windows\system32\drivers\pscaudio.sys [10/21/2007 1:28 AM 365460]
S2 gupdate1c97e9c79feed18;Google Update Service (gupdate1c97e9c79feed18);c:\program files\Google\Update\GoogleUpdate.exe [1/24/2009 9:24 PM 133104]
S3 rootrepeal2;rootrepeal2;\??\c:\windows\system32\drivers\rootrepeal2.sys --> c:\windows\system32\drivers\rootrepeal2.sys [?]
.
Contents of the 'Scheduled Tasks' folder

2010-02-15 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-01-25 03:24]

2010-02-15 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-01-25 03:24]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.ondemand5.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\buddy\Application Data\Mozilla\Firefox\Profiles\zxic7n1h.default\
FF - component: c:\program files\Google\Google Gears\Firefox\lib\ff30\gears.dll
FF - plugin: c:\documents and settings\buddy\Application Data\Move Networks\plugins\npqmp071505000011.dll
FF - plugin: c:\program files\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npjwp.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-14 20:26
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1340)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-02-14 20:30:41
ComboFix-quarantined-files.txt 2010-02-15 02:30
ComboFix2.txt 2010-02-09 01:25

Pre-Run: 4,071,571,456 bytes free
Post-Run: 4,036,108,288 bytes free

- - End Of File - - 47772846F493495778239AD8E769B899
 
ComboFix 10-02-12.01 - buddy 02/14/2010 20:52:40.3.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2047.1721 [GMT -6:00]
Running from: c:\documents and settings\buddy\Desktop\Combo-Fix.exe
.

((((((((((((((((((((((((( Files Created from 2010-01-15 to 2010-02-15 )))))))))))))))))))))))))))))))
.

2010-02-13 23:48 . 2010-02-13 23:48 77312 ----a-w- C:\mbr.exe
2010-02-10 10:08 . 2009-08-04 14:00 2180352 -c--a-w- c:\windows\system32\dllcache\ntoskrnl.exe
2010-02-10 10:08 . 2009-08-04 14:00 2180352 ------w- c:\windows\system32\ntoskrnl.exe
2010-02-10 10:08 . 2009-08-04 13:58 2136064 -c--a-w- c:\windows\system32\dllcache\ntkrnlmp.exe
2010-02-10 10:08 . 2009-08-04 13:13 2015744 -c--a-w- c:\windows\system32\dllcache\ntkrpamp.exe
2010-02-10 10:08 . 2009-08-04 13:13 2057728 -c--a-w- c:\windows\system32\dllcache\ntkrnlpa.exe
2010-02-10 10:08 . 2009-08-04 13:13 2057728 ------w- c:\windows\system32\ntkrnlpa.exe
2010-02-05 02:00 . 2010-01-07 22:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-05 02:00 . 2010-01-07 22:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-03 08:32 . 2010-02-03 08:32 144160 ----a-w- c:\documents and settings\buddy\Application Data\Move Networks\uninstall.exe
2010-02-03 08:32 . 2010-02-03 08:32 1436320 ----a-w- c:\documents and settings\buddy\Application Data\Move Networks\MoveMediaPlayerWinSilent_071505000011.exe
2010-02-03 08:19 . 2010-02-03 08:19 1956072 ----a-w- c:\documents and settings\buddy\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\fpupdateax\fpupdateax.exe
2010-02-03 03:48 . 2010-02-03 03:48 -------- d-----w- c:\program files\ERUNT
2010-02-03 00:58 . 2010-02-03 00:58 -------- d-----w- c:\program files\Trend Micro
2010-02-01 02:49 . 2010-02-02 03:35 56816 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2010-01-31 02:40 . 2010-01-31 02:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-01-30 14:18 . 2010-02-03 02:51 0 ----a-w- c:\documents and settings\buddy\Local Settings\Application Data\prvlcl.dat
2010-01-28 06:41 . 2010-01-28 06:41 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-01-28 06:40 . 2010-02-03 03:22 -------- d-----w- c:\documents and settings\buddy\Application Data\SUPERAntiSpyware.com
2010-01-28 06:40 . 2010-02-03 03:22 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-01-28 02:58 . 2010-01-28 02:58 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2010-01-28 02:25 . 2010-01-28 02:25 -------- d-----w- c:\documents and settings\buddy\Application Data\Malwarebytes
2010-01-28 02:25 . 2010-02-05 02:00 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-01-28 02:25 . 2010-01-28 02:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-01-27 08:22 . 2010-01-27 08:22 -------- d-----w- C:\ComputerRequirementsTemp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-15 00:34 . 2007-10-20 04:07 20224 ----a-w- c:\windows\system32\drivers\nvidesm.sys
2010-02-03 08:35 . 2008-04-17 23:37 -------- d-----w- c:\documents and settings\buddy\Application Data\Move Networks
2010-02-03 08:32 . 2009-12-10 19:26 4187512 ----a-w- c:\documents and settings\buddy\Application Data\Move Networks\plugins\npqmp071505000011.dll
2010-02-03 03:22 . 2007-10-20 06:14 -------- d-----w- c:\program files\SpywareGuard
2010-02-01 00:59 . 2007-10-20 06:19 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-01-30 07:01 . 2009-04-18 01:00 -------- d-----w- c:\program files\AVG
2010-01-27 08:11 . 2007-10-20 06:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-01-22 07:14 . 2009-03-14 05:41 -------- d-----w- c:\program files\Microsoft Silverlight
2010-01-05 10:00 . 2002-09-03 20:03 832512 ------w- c:\windows\system32\wininet.dll
2010-01-05 10:00 . 2007-10-20 02:43 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-01-05 10:00 . 2002-09-03 19:35 17408 ------w- c:\windows\system32\corpol.dll
2009-12-31 16:14 . 2002-09-03 19:57 352640 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-16 12:58 . 2007-10-20 02:20 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-14 07:35 . 2002-09-03 19:35 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-12-10 19:27 . 2009-12-10 19:27 97144 ----a-w- c:\documents and settings\buddy\Application Data\Move Networks\ie_bin\MovePlayerUpgrade.exe
2009-12-04 14:41 . 2002-09-03 19:45 453760 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2009-11-27 17:33 . 2002-09-03 19:52 1291264 ----a-w- c:\windows\system32\quartz.dll
2009-11-27 17:33 . 2001-08-17 22:36 17920 ----a-w- c:\windows\system32\msyuv.dll
2009-11-27 16:37 . 2002-09-03 19:48 28672 ----a-w- c:\windows\system32\msvidc32.dll
2009-11-27 16:37 . 2002-09-03 19:47 11264 ----a-w- c:\windows\system32\msrle32.dll
2009-11-27 16:37 . 2002-09-03 19:33 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-11-27 16:37 . 2001-08-17 22:36 8704 ----a-w- c:\windows\system32\tsbyuv.dll
2009-11-27 16:37 . 2001-08-17 22:36 48128 ----a-w- c:\windows\system32\iyuv_32.dll
2009-11-21 16:36 . 2002-09-03 19:32 470528 ----a-w- c:\windows\AppPatch\aclayers.dll
.

((((((((((((((((((((((((((((( SnapShot@2010-02-09_01.21.42 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-02-15 02:47 . 2010-02-15 02:47 16384 c:\windows\Temp\Perflib_Perfdata_1b8.dat
+ 2009-11-27 17:33 . 2009-11-27 17:33 17920 c:\windows\system32\dllcache\msyuv.dll
+ 2002-09-03 19:48 . 2009-11-27 16:37 28672 c:\windows\system32\dllcache\msvidc32.dll
+ 2009-11-27 16:37 . 2009-11-27 16:37 11264 c:\windows\system32\dllcache\msrle32.dll
+ 2009-11-27 16:37 . 2009-11-27 16:37 48128 c:\windows\system32\dllcache\iyuv_32.dll
+ 2009-12-14 07:35 . 2009-12-14 07:35 33280 c:\windows\system32\dllcache\csrsrv.dll
- 2009-06-10 14:21 . 2009-06-10 14:21 84992 c:\windows\system32\dllcache\avifil32.dll
+ 2009-06-10 14:21 . 2009-11-27 16:37 84992 c:\windows\system32\dllcache\avifil32.dll
+ 2009-11-27 17:33 . 2009-11-27 17:33 17920 c:\windows\Driver Cache\i386\msyuv.dll
+ 2009-11-27 16:37 . 2009-11-27 16:37 48128 c:\windows\Driver Cache\i386\iyuv_32.dll
+ 2009-11-27 16:37 . 2009-11-27 16:37 8704 c:\windows\system32\dllcache\tsbyuv.dll
+ 2009-11-27 16:37 . 2009-11-27 16:37 8704 c:\windows\Driver Cache\i386\tsbyuv.dll
+ 2002-09-03 19:55 . 2009-12-08 08:59 474112 c:\windows\system32\shlwapi.dll
- 2002-09-03 19:55 . 2007-08-22 12:55 474112 c:\windows\system32\shlwapi.dll
+ 2006-08-14 10:34 . 2009-12-31 16:14 352640 c:\windows\system32\dllcache\srv.sys
+ 2007-08-22 13:12 . 2009-12-08 08:59 474112 c:\windows\system32\dllcache\shlwapi.dll
- 2007-08-22 13:12 . 2007-08-22 12:55 474112 c:\windows\system32\dllcache\shlwapi.dll
+ 2009-12-16 12:58 . 2009-12-16 12:58 343040 c:\windows\system32\dllcache\mspaint.exe
+ 2006-05-05 09:41 . 2009-12-04 14:41 453760 c:\windows\system32\dllcache\mrxsmb.sys
+ 2006-05-05 09:41 . 2009-12-04 14:41 453760 c:\windows\Driver Cache\i386\mrxsmb.sys
+ 2007-10-29 22:43 . 2009-11-27 17:33 1291264 c:\windows\system32\dllcache\quartz.dll
+ 2010-02-10 10:08 . 2009-08-04 14:00 2180352 c:\windows\Driver Cache\i386\ntoskrnl.exe
- 2005-03-02 00:59 . 2009-08-04 14:00 2180352 c:\windows\Driver Cache\i386\ntoskrnl.exe
- 2005-03-02 00:34 . 2009-08-04 13:13 2015744 c:\windows\Driver Cache\i386\ntkrpamp.exe
+ 2010-02-10 10:08 . 2009-08-04 13:13 2015744 c:\windows\Driver Cache\i386\ntkrpamp.exe
+ 2010-02-10 10:08 . 2009-08-04 13:13 2057728 c:\windows\Driver Cache\i386\ntkrnlpa.exe
- 2005-03-02 00:34 . 2009-08-04 13:13 2057728 c:\windows\Driver Cache\i386\ntkrnlpa.exe
+ 2010-02-10 10:08 . 2009-08-04 13:58 2136064 c:\windows\Driver Cache\i386\ntkrnlmp.exe
- 2005-03-02 00:57 . 2009-08-04 13:58 2136064 c:\windows\Driver Cache\i386\ntkrnlmp.exe
+ 2007-10-20 05:27 . 2010-02-01 19:26 30364104 c:\windows\system32\MRT.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-09-17 8491008]
"nwiz"="nwiz.exe" [2007-09-17 1626112]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2007-08-31 1037736]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-09-17 81920]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-03-11 198160]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@=""

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R3 HCW848NT;Hauppauge Win/TV;c:\windows\system32\drivers\HCW848NT.sys [10/19/2007 10:25 PM 140440]
R3 PSC60x;Philips PCI Audio Driver (WDM);c:\windows\system32\drivers\pscaudio.sys [10/21/2007 1:28 AM 365460]
S2 gupdate1c97e9c79feed18;Google Update Service (gupdate1c97e9c79feed18);c:\program files\Google\Update\GoogleUpdate.exe [1/24/2009 9:24 PM 133104]
S3 rootrepeal2;rootrepeal2;\??\c:\windows\system32\drivers\rootrepeal2.sys --> c:\windows\system32\drivers\rootrepeal2.sys [?]
.
Contents of the 'Scheduled Tasks' folder

2010-02-15 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-01-25 03:24]

2010-02-15 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-01-25 03:24]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.ondemand5.com/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath - c:\documents and settings\buddy\Application Data\Mozilla\Firefox\Profiles\zxic7n1h.default\
FF - component: c:\program files\Google\Google Gears\Firefox\lib\ff30\gears.dll
FF - plugin: c:\documents and settings\buddy\Application Data\Move Networks\plugins\npqmp071505000011.dll
FF - plugin: c:\program files\Google\Update\1.2.183.13\npGoogleOneClick8.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npjwp.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-14 20:58
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3732)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\program files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-02-14 21:01:45
ComboFix-quarantined-files.txt 2010-02-15 03:01
ComboFix2.txt 2010-02-09 01:25

Pre-Run: 4,039,999,488 bytes free
Post-Run: 3,996,803,072 bytes free

- - End Of File - - FF10CDD83C982F5C9FE3FC30C441E06F

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:03:16 PM, on 2/14/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16981)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Google\Update\1.2.183.13\GoogleCrashHandler.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ondemand5.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.33.0\gears.dll
O9 - Extra 'Tools' menuitem: &Gears Settings - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.33.0\gears.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/us/kavwebscan_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712...amai.com/6712/player/install3.5/installer.exe
O23 - Service: Google Update Service (gupdate1c97e9c79feed18) (gupdate1c97e9c79feed18) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 5355 bytes
 
Hi,

I edited my post after I posted because I just wanted to make sure you had the latest version of Combofix; no harm done.


What happened here is a rootkit type of infection infected your NVIDIA graphics driver, and it looks like TDSSKiller fixed it. This rootkit was also responsible for blue screening your computer so it would not start; it was not the fault of the Windows update. This has just come to light: PAWS, who helped you at WhattheTech, informed me that he has fixed a dozen or so computers on account of this, and further investigation has found that the rootkit was responsible.

How are things running now?
 
I think I am good.

But maybe you should leave this thread open for a week and close it if I don't report back again.

I am a little peeved that I had AVG and Spybot running and nothing stopped it.

I must give Spybot S&D some credit though; I knew something happened because of all of the "access blocked" windows that popped up in the lower right corner of the screen.

Thanks for the help.

Please don't take offense, but I hope I don't see you for a long time.

Buddy Craigg
 
Good Morning Buddy,

I will leave this open for you for a week. If you have problems in the future and this is closed, just start a new topic.

Thanks for your offer of a donation. The link is up on the top right of this page; any donation, big or small, just goes to help keep us online.

No offense taken :) This garbage is not fun and is getting harder and harder to clean as time goes on.

Buddy, there is no one silver bullet to prevent all this garbage from installing, but I am going to link you to some free tools to install that will all help. Every little bit helps. One thing is that your operating system is outdated, as is your Internet Explorer browser; updating them is part of the security plan. Open IE and go to Tools > Windows Updates and download and install all critical updates, including Service Pack 3 and Internet Explorer 8.




Go to your Control Panel and click on the Java icon (looks like a little coffee cup), then click on About. You should have Version 6 Update 18; if not, proceed with the instructions.

Download the latest version Here and save it; do not install it yet.

Java SE Runtime Environment (JRE) JRE 6 Update 18 <-- The wording is confusing, but this is what you need.

  • Go to your Add Remove Programs in the Control Panel and uninstall any previous versions of Java
  • Reboot your computer
  • Install the latest version
You can verify the installation Here.





Now to remove most of the tools that we have used in fixing your machine:
  • Make sure you have an Internet Connection.
  • Download OTC to your desktop and run it
  • A list of tool components used in the cleanup of malware will be downloaded.
  • If your Firewall or Real Time protection attempts to block OTC to reach the Internet, please allow the application to do so.
  • Click Yes to begin the cleanup process and remove these components, including this application.
  • You will be asked to reboot the machine to finish the cleanup process. If you are asked to reboot the machine choose Yes.



Malwarebytes is the free version and yours to keep; update it and run a scan once a week or so.






Keep in mind if you install some of these programs: only ONE antivirus and only ONE firewall is recommended; more is overkill and can cause you problems. You can install all the spyware programs I have listed without any problems. If you install Spyware Blaster and Spyware Guard, they will conflict with the TeaTimer in Spybot; you can still install Spybot Search and Destroy, but do not enable the TeaTimer.


Here are some free programs to install, all free and highly regarded by the fine people in the Malware Removal Community:
  • Spybot Search and Destroy 1.6
    Check for Updates, Immunize, and run a Full System Scan on a regular basis. If you install Spyware Blaster (Recommended), then do not enable the TeaTimer in Spybot Search and Destroy.
  • Spyware Blaster: It will prevent most spyware from ever being installed. No scan to run; just update about once a week and enable all protection.
  • Spyware Guard: It offers real-time protection from spyware installation attempts. Again, no scan to run; just install it and let it do its thing.
  • IE-Spyad
    IE-Spyad places over 6000 web sites and domains in the IE Restricted list, which will severely impair attempts to infect your system. It basically prevents any downloads (cookies etc.) from the sites listed, although you will still be able to connect to the sites.
  • Firefox 3: It has more features and is a lot more secure than IE. It is a very easy and painless download and install; it will in no way interfere with IE, and you can use them both.


Safe Surfn
Ken
 