Solve : Browser redirects and possible rootkit?

After installing a MS update, the computer failed to reboot. Upon checking the internet I found how to remove the update and get Windows back, but am unable to find the virus/malware/rootkit. Both browsers (Firefox and IE) are trying to redirect me to websites that are not what I typed in. I have scanned with an updated Malwarebytes, AVG free and some online scanners but cannot figure out what is the problem. Below is my post of the HJT log. Please help me to fix this computer.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:08:39 PM, on 3/1/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\AVG\AVG9\avgchsvx.exe
C:\Program Files\AVG\AVG9\avgrsx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\AVG\AVG9\avgwdsvc.exe
C:\WINDOWS\system32\IoctlSvc.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\NETGEAR\WG111v2 Configuration Utility\RtlWake.exe
C:\Program Files\AVG\AVG9\avgnsx.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\AVG\AVG9\avgemc.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\AVG\AVG9\avgcsrvx.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\AVG\AVG9\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\sniper.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
R3 - URLSearchHook: UrlSearchHook Class - {00000000-6E41-4FD3-8538-502F5495E5FC} - C:\Program Files\ASK.com\GenericAskToolbar.dll
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: RealPlayer Download and Record PLUGIN for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Ask Toolbar BHO - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O3 - Toolbar: Ask Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [AVG9_TRAY] C:\PROGRA~1\AVG\AVG9\avgtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: WG111v2 Smart Wizard Wireless Setting.lnk = ?
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase8942.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1228618616578
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://wwwimages.adobe.com/www.adobe.com/products/acrobat/nos/gp.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: AVG Free E-mail Scanner (avg9emc) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgemc.exe
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINDOWS\system32\IoctlSvc.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe

--
End of file - 8375 bytes

Welcome to CH.

1. Close all open Web browsers.
2. From the Start menu in Windows select Control Panel.
3. Select Add or Remove Programs.
4. Uninstall any of the following programs associated with Ask.com: (the names may be slightly different)

- Ask.com
- Ask Bar
- Ask Desktop Search
- Ask Search
- Ask Toolbar
- Ask Jeeves


5. Click Change/Remove for each and uninstall all found.

----------

Download Disable/Remove Windows Messenger to the desktop to remove Windows Messenger.

Do not confuse Windows Messenger with MSN Messenger or Windows Live Messenger because they are not the same. Windows Messenger is a frequent cause of popups.

Unzip the file on the desktop. Open the MessengerDisable.exe and choose the bottom box - Uninstall Windows Messenger and click Apply.

Exit out of MessengerDisable then delete the two files that were put on the desktop.

----------

Open HijackThis and select Do a system scan only

Place a check mark next to the following entries: (if there)

O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)

Important: Close all open windows except for HijackThis and then click Fix checked.

Once completed, exit HijackThis.

----------

If you already have ComboFix be sure to delete it and download a new copy.

Download ComboFix© by sUBs from one of the below links. Be sure to save it to the Desktop.

Link #1
Link #2

Note: It is important that it is saved DIRECTLY to your Desktop.

Close any open Web browsers (Firefox, Internet Explorer, etc.) before starting ComboFix.

Temporarily disable your antivirus and any antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.
 
Double click combofix.exe & follow the prompts.
Vista users: right-click on ComboFix.exe and select Run as administrator (you will receive a UAC prompt; please allow it).
When finished ComboFix will produce a log for you.
Post the ComboFix log in your next reply.

Important: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

Remember to re-enable your antivirus and antispyware protection when ComboFix is complete.

If you have problems with ComboFix usage, see How to use ComboFix.

ComboFix 10-03-03.03 - Owner 03/03/2010  21:05:36.2.1 - x86
Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.2046.1557 [GMT -6:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
.

(((((((((((((((((((((((((   Files Created from 2010-02-04 to 2010-03-04  )))))))))))))))))))))))))))))))
.

2010-03-02 01:39 . 2010-03-02 01:39   503808   ----a-w-   c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-37d5c5ea-n\msvcp71.dll
2010-03-02 01:39 . 2010-03-02 01:39   499712   ----a-w-   c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-37d5c5ea-n\jmc.dll
2010-03-02 01:39 . 2010-03-02 01:39   348160   ----a-w-   c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-37d5c5ea-n\msvcr71.dll
2010-03-02 01:39 . 2010-03-02 01:39   61440   ----a-w-   c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-174915d5-n\decora-sse.dll
2010-03-02 01:39 . 2010-03-02 01:39   12800   ----a-w-   c:\documents and settings\Owner\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-174915d5-n\decora-d3d.dll
2010-03-01 03:15 . 2010-03-01 03:20   0   ----a-w-   c:\documents and settings\Owner\Local Settings\Application Data\prvlcl.dat
2010-03-01 01:18 . 2010-03-01 01:18   --------   d-----w-   c:\program files\CCleaner
2010-03-01 01:03 . 2010-03-01 01:03   --------   d-----w-   c:\program files\ESET
2010-03-01 00:52 . 2010-03-01 00:52   --------   d-----w-   c:\documents and settings\All Users\Application Data\F-Secure
2010-03-01 00:16 . 2010-02-27 07:20   77312   ----a-w-   C:\mbr.exe
2010-02-27 07:07 . 2010-02-27 07:07   --------   d-----w-   c:\program files\Trend Micro
2010-02-27 02:39 . 2010-02-27 04:54   --------   d-----w-   C:\$AVG
2010-02-27 02:39 . 2010-02-27 02:39   --------   d-----w-   c:\documents and settings\All Users\Application Data\avg9
2010-02-24 05:53 . 2010-02-24 05:53   52224   ----a-w-   c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-02-24 05:52 . 2010-02-25 14:00   117760   ----a-w-   c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-02-24 05:52 . 2010-02-24 05:52   --------   d-----w-   c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2010-02-24 05:52 . 2010-02-24 05:52   --------   d-----w-   c:\program files\SUPERAntiSpyware
2010-02-24 05:52 . 2010-02-24 05:52   --------   d-----w-   c:\documents and settings\Owner\Application Data\SUPERAntiSpyware.com
2010-02-24 05:52 . 2010-02-24 05:52   --------   d-----w-   c:\program files\Common Files\Wise Installation Wizard
2010-02-20 19:06 . 2009-02-08 00:02   2066048   -c--a-w-   c:\windows\system32\dllcache\ntkrnlpa.exe
2010-02-20 19:06 . 2009-02-08 00:02   2066048   ------w-   c:\windows\system32\ntkrnlpa.exe
2010-02-20 19:06 . 2009-02-06 11:08   2189056   -c--a-w-   c:\windows\system32\dllcache\ntoskrnl.exe
2010-02-20 19:06 . 2009-02-06 11:08   2189056   ------w-   c:\windows\system32\ntoskrnl.exe
2010-02-20 19:06 . 2009-02-06 11:06   2145280   -c--a-w-   c:\windows\system32\dllcache\ntkrnlmp.exe
2010-02-20 19:06 . 2009-02-06 10:32   2023936   -c--a-w-   c:\windows\system32\dllcache\ntkrpamp.exe
2010-02-20 06:54 . 2010-02-20 06:55   --------   d-----w-   C:\2bdf826724bc762ab56c8ced
2010-02-19 14:02 . 2010-02-19 14:02   --------   d-----w-   c:\documents and settings\Owner\Application Data\Malwarebytes
2010-02-19 14:02 . 2010-01-07 22:07   38224   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-19 14:02 . 2010-02-19 14:02   --------   d-----w-   c:\documents and settings\All Users\Application Data\Malwarebytes
2010-02-19 14:02 . 2010-02-19 14:02   --------   d-----w-   c:\program files\Malwarebytes' Anti-Malware
2010-02-19 14:02 . 2010-01-07 22:07   19160   ----a-w-   c:\windows\system32\drivers\mbam.sys
2010-02-19 03:06 . 2010-02-21 06:10   --------   d-----w-   c:\program files\Windows Live Safety Center
2010-02-19 02:39 . 2010-02-19 02:39   --------   d-----w-   c:\program files\Sophos
2010-02-19 02:37 . 2008-04-14 00:11   21504   -c--a-w-   c:\windows\system32\dllcache\hidserv.dll
2010-02-19 02:37 . 2008-04-14 00:11   21504   ----a-w-   c:\windows\system32\hidserv.dll
2010-02-19 01:07 . 2010-02-19 01:07   1339288   ----a-w-   C:\sar_15_sfx.exe
2010-02-10 03:04 . 2009-11-21 15:51   471552   -c----w-   c:\windows\system32\dllcache\aclayers.dll
2010-02-10 03:02 . 2009-10-15 16:28   81920   -c----w-   c:\windows\system32\dllcache\fontsub.dll
2010-02-10 03:02 . 2009-10-15 16:28   119808   -c----w-   c:\windows\system32\dllcache\t2embed.dll
2010-02-10 03:02 . 2009-06-21 21:44   153088   -c----w-   c:\windows\system32\dllcache\triedit.dll
2010-02-10 03:01 . 2009-07-10 13:27   1315328   -c----w-   c:\windows\system32\dllcache\msoe.dll
2010-02-10 01:25 . 2010-02-10 01:25   --------   d-----w-   c:\documents and settings\Owner\Local Settings\Application Data\The Weather Channel
2010-02-10 00:00 . 2010-02-10 00:00   --------   d-sh--w-   c:\documents and settings\Owner\PrivacIE
2010-02-09 23:46 . 2010-02-09 23:44   53248   ----a-w-   c:\windows\system32\palmdevc.dll
2010-02-09 23:18 . 2010-02-09 23:18   --------   d-sh--w-   c:\documents and settings\Owner\IECompatCache
2010-02-09 21:09 . 2006-03-27 23:53   167808   ----a-w-   c:\windows\system32\drivers\wg111v2.sys
2010-02-09 21:09 . 2002-10-02 14:57   13532   ----a-w-   c:\windows\system32\drivers\SjyPkt.sys
2010-02-09 21:09 . 2010-02-09 21:09   --------   d-----w-   c:\program files\NETGEAR
2010-02-09 21:09 . 2006-04-11 00:41   200704   ----a-w-   c:\windows\system32\WG1v2Lib.dll
2010-02-09 21:09 . 2005-12-29 06:16   114688   ----a-r-   c:\windows\system32\EnumDev111.dll
2010-02-09 21:09 . 2005-04-01 17:43   66048   ----a-w-   c:\windows\system32\drivers\EAPPkt.sys
2010-02-09 21:09 . 2003-11-18 15:27   155648   ----a-w-   c:\windows\system32\IpLib.dll
2010-02-09 21:09 . 2010-02-09 21:09   --------   d-----w-   c:\windows\OPTIONS

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-03-04 02:56 . 2008-12-07 03:28   --------   d-----w-   c:\program files\Spybot - Search & Destroy
2010-03-04 02:55 . 2008-12-07 03:28   --------   d-----w-   c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-03-02 02:03 . 2008-12-07 03:24   --------   d-----w-   c:\program files\Common Files\Java
2010-03-02 01:39 . 2008-12-07 03:07   --------   d-----w-   c:\program files\Java
2010-02-27 02:39 . 2008-12-07 03:15   360584   ----a-w-   c:\windows\system32\drivers\avgtdix.sys
2010-02-27 02:39 . 2008-12-07 03:15   333192   ----a-w-   c:\windows\system32\drivers\avgldx86.sys
2010-02-27 02:39 . 2008-12-07 03:15   28424   ----a-w-   c:\windows\system32\drivers\avgmfx86.sys
2010-02-27 02:39 . 2008-12-07 03:15   12464   ----a-w-   c:\windows\system32\avgrsstx.dll
2010-02-27 02:39 . 2008-12-07 03:14   --------   d-----w-   c:\program files\AVG
2010-02-20 04:38 . 2008-12-30 07:08   --------   d-----w-   c:\program files\Windows Live
2010-02-20 04:26 . 2008-12-08 21:36   46648   ----a-w-   c:\documents and settings\Owner\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-02-19 21:13 . 2008-12-25 18:29   --------   d-----w-   c:\documents and settings\Owner\Application Data\LimeWire
2010-02-15 20:15 . 2009-06-26 19:50   --------   d-----w-   c:\program files\Canon
2010-02-12 06:18 . 2009-01-10 17:43   --------   d-----w-   c:\program files\Microsoft Silverlight
2010-02-11 17:59 . 2008-12-25 18:29   --------   d-----w-   c:\program files\LimeWire
2010-02-09 23:45 . 2008-12-21 06:32   --------   d-----w-   c:\program files\Palm
2010-02-09 23:44 . 2008-12-21 06:32   16694   ----a-w-   c:\windows\system32\drivers\PalmUSBD.sys
2010-02-09 23:27 . 2008-12-07 03:03   --------   d-----w-   c:\program files\Google
2010-02-09 21:09 . 2008-12-07 02:52   --------   d--h--w-   c:\program files\InstallShield Installation Information
2010-02-09 21:08 . 2008-12-07 02:52   --------   d-----w-   c:\program files\Common Files\InstallShield
2010-02-08 05:18 . 2009-12-26 17:37   256   ----a-w-   c:\windows\system32\pool.bin
2009-12-31 16:50 . 2004-08-04 05:14   353792   ----a-w-   c:\windows\system32\drivers\srv.sys
2009-12-21 19:14 . 2004-08-04 06:56   916480   ------w-   c:\windows\system32\wininet.dll
2009-12-17 23:14 . 2008-12-07 03:07   411368   ----a-w-   c:\windows\system32\deploytk.dll
2009-12-16 18:43 . 2008-12-06 05:58   343040   ----a-w-   c:\windows\system32\mspaint.exe
2009-12-14 07:08 . 2004-08-04 06:56   33280   ----a-w-   c:\windows\system32\csrsrv.dll
2009-12-04 18:22 . 2004-08-04 05:15   455424   ----a-w-   c:\windows\system32\drivers\mrxsmb.sys
2009-01-24 17:52 . 2009-01-24 17:52   92609500   ----a-w-   c:\program files\Project_Dalaran_Version_14.exe
.

(((((((((((((((((((((((((((((   [email protected]_05.47.25   )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-07-12 02:54 . 2009-07-12 02:54   65536              c:\windows\WinSxS\x86_Microsoft.VC80.OpenMP_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e79c4723\vcomp.dll
+ 2009-07-12 02:32 . 2009-07-12 02:32   49152              c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_0ccc058c\mfc80KOR.dll
+ 2009-07-12 02:32 . 2009-07-12 02:32   49152              c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_0ccc058c\mfc80JPN.dll
+ 2009-07-12 02:32 . 2009-07-12 02:32   61440              c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_0ccc058c\mfc80ITA.dll
+ 2009-07-12 02:32 . 2009-07-12 02:32   61440              c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_0ccc058c\mfc80FRA.dll
+ 2009-07-12 02:32 . 2009-07-12 02:32   61440              c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_0ccc058c\mfc80ESP.dll
+ 2009-07-12 02:32 . 2009-07-12 02:32   57344              c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_0ccc058c\mfc80ENU.dll
+ 2009-07-12 02:32 . 2009-07-12 02:32   65536              c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_0ccc058c\mfc80DEU.dll
+ 2009-07-12 02:32 . 2009-07-12 02:32   45056              c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_0ccc058c\mfc80CHT.dll
+ 2009-07-12 02:32 . 2009-07-12 02:32   40960              c:\windows\WinSxS\x86_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_0ccc058c\mfc80CHS.dll
+ 2009-07-12 07:07 . 2009-07-12 07:07   57856              c:\windows\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_b77cec8e\mfcm80u.dll
+ 2009-07-12 07:19 . 2009-07-12 07:19   69632              c:\windows\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_b77cec8e\mfcm80.dll
+ 2010-03-04 02:50 . 2010-03-04 02:50   16384              c:\windows\Temp\Perflib_Perfdata_19c.dat
+ 2010-02-24 05:52 . 2010-02-24 05:52   65024              c:\windows\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF15.exe
+ 2010-02-24 05:52 . 2010-02-24 05:52   18944              c:\windows\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF13.exe
+ 2010-02-24 05:52 . 2010-02-24 05:52   5120              c:\windows\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF16.exe
+ 2009-07-12 07:12 . 2009-07-12 07:12   632656              c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\msvcr80.dll
+ 2009-07-12 07:09 . 2009-07-12 07:09   554832              c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\msvcp80.dll
+ 2009-07-12 07:08 . 2009-07-12 07:08   479232              c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\msvcm80.dll
+ 2010-03-02 01:39 . 2009-12-17 23:14   153376              c:\windows\system32\javaws.exe
+ 2010-03-02 01:39 . 2009-12-17 23:14   145184              c:\windows\system32\javaw.exe
+ 2010-03-02 01:39 . 2009-12-17 23:14   145184              c:\windows\system32\java.exe
+ 2010-03-02 02:03 . 2010-03-02 02:03   180224              c:\windows\Installer\ec06f43.msi
+ 2010-02-27 02:39 . 2010-02-27 02:39   424448              c:\windows\Installer\a4bfe1e.msi
+ 2009-07-12 02:46 . 2009-07-12 02:46   1093120              c:\windows\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_b77cec8e\mfc80u.dll
+ 2009-07-12 02:46 . 2009-07-12 02:46   1105920              c:\windows\WinSxS\x86_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_b77cec8e\mfc80.dll
+ 2010-02-24 05:52 . 2010-02-24 05:52   1583616              c:\windows\Installer\110e55fe.msi
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2008-01-22 152872]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-02-18 2012912]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-02-18 248040]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
WG111v2 Smart Wizard Wireless Setting.lnk - c:\program files\NETGEAR\WG111v2 Configuration Utility\RtlWake.exe [2010-2-9 745472]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-25 304128]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 20:21   548352   ----a-w-   c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2010-02-27 02:39   12464   ----a-w-   c:\windows\system32\avgrsstx.dll

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
path=c:\documents and settings\Owner\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup=c:\windows\pss\LimeWire On Startup.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\zzzHPSETUP]
d:\setup.exe \RESET [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-02-27 22:10   35696   ----a-w-   c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DW6]
2009-02-11 13:35   801904   ------w-   c:\program files\The Weather Channel FW\Desktop\DesktopWeather.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2008-05-28 14:27   570664   ----a-w-   c:\program files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray]
2008-03-06 22:19   236016   ----a-w-   c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2008-12-09 03:47   185872   ----a-w-   c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uniblue RegistryBooster 2009]
2008-08-26 16:48   2019624   ----a-w-   c:\program files\Uniblue\RegistryBooster\RegistryBooster.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\Ahead\\Nero Web\\SetupX.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\World of Warcraft Trial\\Launcher.exe"=
"c:\\Program Files\\World of Warcraft Trial\\BackgroundDownloader.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgemc.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG9\\avgnsx.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [12/6/2008 9:15 PM 333192]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [12/6/2008 9:15 PM 360584]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 10:25 AM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2/17/2010 10:15 AM 66632]
R2 avg9emc;AVG Free E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [2/26/2010 8:39 PM 906520]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [2/26/2010 8:39 PM 285392]
R2 EAPPkt;Realtek EAPPkt Protocol;c:\windows\system32\drivers\EAPPkt.sys [2/9/2010 3:09 PM 66048]
R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [3/31/2009 5:44 PM 54752]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2/17/2010 10:15 AM 12872]
S3 fsssvc;Windows Live Family Safety Service;c:\program files\Windows Live\Family Safety\fsssvc.exe [8/5/2009 10:48 PM 704864]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\71.tmp --> c:\windows\system32\71.tmp [?]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [4/30/2009 1:14 AM 18688]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [4/30/2009 1:14 AM 8320]
S3 MotDev;Motorola Inc. USB Device;c:\windows\system32\drivers\motodrv.sys [4/30/2009 1:14 AM 42112]
S3 RTLWUSB;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter NT Driver;c:\windows\system32\drivers\wg111v2.sys [2/9/2010 3:09 PM 167808]
S3 SjyPkt;SjyPkt;c:\windows\system32\drivers\SjyPkt.sys [2/9/2010 3:09 PM 13532]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = www.google.com
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\2c6h7mlf.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.live.com/results.aspx?FORM=IEFM1&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - www.google.com
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?ie=UTF-8&oe=UTF-8&sourceid=navclient&gfns=1&q=
FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_popup_windows", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.enable_click_image_resizing", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accessibility.browsewithcaret_shortcut.enabled", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.high_water_mark", 32);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("javascript.options.mem.gc_frequency",   1600);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.trackpoint_hack.enabled", -1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.debug",            false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.agedWeight",       2);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.bucketSize",       1);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.maxTimeGroupings", 25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.timeGroupingSize", 604800);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.boundaryWeight",   25);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("browser.formfill.prefixWeight",     5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("html5.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.download.backgroundInterval", 600);
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("app.update.url.manual", "http://www.firefox.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-ja", "mozff");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add", "addons.mozilla.org");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("xpinstall.whitelist.add.36", "getpersonas.com");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("lightweightThemes.update.enabled", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.allTabs.previews", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.hide_infobar_for_outdated_plugin", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("toolbar.customization.usesheet", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.enable", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.max", 20);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("browser.taskbar.previews.cachetime", 20);
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
MSConfigStartUp-SunJavaUpdateSched - c:\program files\Java\jre6\bin\jusched.exe
AddRemove-HijackThis - c:\program files\Trend Micro\HijackThis\HijackThis.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-03-03 21:10
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ... 

scanning hidden autostart entries ...

scanning hidden files ... 

scan completed successfully
hidden files: 0

**************************************************************************

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe catchme.sys CLASSPNP.SYS disk.sys atapi.sys >>UNKNOWN [0x89BD18C8]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\Disk -> CLASSPNP.SYS 0xf763bf28
\Driver\ACPI -> ACPI.sys 0xf75aecb8
\Driver\atapi -> atapi.sys 0xf74c9b3a
IoDeviceObjectType -> DeleteProcedure -> ntoskrnl.exe 0x805a05a8
 ParseProcedure -> ntoskrnl.exe 0x8056c1d6
\Device\Harddisk0\DR0 -> DeleteProcedure -> ntoskrnl.exe 0x805a05a8
 ParseProcedure -> ntoskrnl.exe 0x8056c1d6
NDIS: Intel(R) PRO/100 VE Network Connection -> SendCompleteHandler -> NDIS.sys 0xf744cbb0
 PacketIndicateHandler -> NDIS.sys 0xf7459a21
 SendHandler -> NDIS.sys 0xf743787b
user & kernel MBR OK

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\71.tmp"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(656)
c:\program files\SUPERAntiSpyware\SASWINLO.dll
c:\windows\system32\WININET.dll

- - - - - - - > 'explorer.exe'(1648)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-03-03  21:12:52
ComboFix-quarantined-files.txt  2010-03-04 03:12
ComboFix2.txt  2010-02-24 05:50

Pre-Run: 116,591,640,576 bytes free
Post-Run: 117,029,257,216 bytes free

- - End Of File - - A664204F0C1E8BB6A69F06331C74817C
Download TDSSKiller and save it to your desktop.

* Right click on the file and choose Extract All, extract the file to your desktop, then run it.
* Once completed it will create a log in your C:\ drive with a name similar to 'TDSSKiller.2.1.1_27.12.2009_14.17.04_log.txt'.
* Please post the contents of that log.

16:32:02:156 1120   TDSS rootkit removing tool 2.2.7.1 Feb 27 2010 13:29:25
16:32:02:156 1120   ================================================================================
16:32:02:156 1120   SystemInfo:

16:32:02:156 1120   OS Version: 5.1.2600 ServicePack: 3.0
16:32:02:156 1120   Product type: Workstation
16:32:02:156 1120   ComputerName: COMPUTER2400
16:32:02:156 1120   UserName: Owner
16:32:02:156 1120   Windows directory: C:\WINDOWS
16:32:02:156 1120   Processor architecture: Intel x86
16:32:02:156 1120   Number of processors: 1
16:32:02:156 1120   Page size: 0x1000
16:32:02:171 1120   Boot type: Normal boot
16:32:02:171 1120   ================================================================================
16:32:02:171 1120   UnloadDriverW: NtUnloadDriver error 2
16:32:02:171 1120   ForceUnloadDriverW: UnloadDriverW(klmd21) error 2
16:32:02:203 1120   Initialize success
16:32:02:218 1120   
16:32:02:218 1120   Scanning   Services ...
16:32:02:218 1120   wfopen_ex: Trying to open file C:\WINDOWS\system32\config\system
16:32:02:218 1120   wfopen_ex: MyNtCreateFileW error 32 (C0000043)
16:32:02:218 1120   wfopen_ex: Trying to KLMD file open
16:32:02:218 1120   wfopen_ex: File opened ok (Flags 2)
16:32:02:218 1120   wfopen_ex: Trying to open file C:\WINDOWS\system32\config\software
16:32:02:218 1120   wfopen_ex: MyNtCreateFileW error 32 (C0000043)
16:32:02:218 1120   wfopen_ex: Trying to KLMD file open
16:32:02:218 1120   wfopen_ex: File opened ok (Flags 2)
16:32:02:609 1120   GetAdvancedServicesInfo: Raw services enum returned 342 services
16:32:02:609 1120   fclose_ex: Trying to close file C:\WINDOWS\system32\config\system
16:32:02:609 1120   fclose_ex: Trying to close file C:\WINDOWS\system32\config\software
16:32:02:609 1120   
16:32:02:609 1120   Scanning   Kernel memory ...
16:32:02:609 1120   Devices to scan: 2
16:32:02:609 1120   
16:32:02:609 1120   Driver Name: Disk
16:32:02:609 1120   IRP_MJ_CREATE                      : F763DBB0
16:32:02:609 1120   IRP_MJ_CREATE_NAMED_PIPE           : 804FA87E
16:32:02:609 1120   IRP_MJ_CLOSE                       : F763DBB0
16:32:02:609 1120   IRP_MJ_READ                        : F7637D1F
16:32:02:609 1120   IRP_MJ_WRITE                       : F7637D1F
16:32:02:609 1120   IRP_MJ_QUERY_INFORMATION           : 804FA87E
16:32:02:609 1120   IRP_MJ_SET_INFORMATION             : 804FA87E
16:32:02:609 1120   IRP_MJ_QUERY_EA                    : 804FA87E
16:32:02:609 1120   IRP_MJ_SET_EA                      : 804FA87E
16:32:02:609 1120   IRP_MJ_FLUSH_BUFFERS               : F76382E2
16:32:02:609 1120   IRP_MJ_QUERY_VOLUME_INFORMATION    : 804FA87E
16:32:02:609 1120   IRP_MJ_SET_VOLUME_INFORMATION      : 804FA87E
16:32:02:609 1120   IRP_MJ_DIRECTORY_CONTROL           : 804FA87E
16:32:02:609 1120   IRP_MJ_FILE_SYSTEM_CONTROL         : 804FA87E
16:32:02:609 1120   IRP_MJ_DEVICE_CONTROL              : F76383BB
16:32:02:609 1120   IRP_MJ_INTERNAL_DEVICE_CONTROL     : F763BF28
16:32:02:609 1120   IRP_MJ_SHUTDOWN                    : F76382E2
16:32:02:609 1120   IRP_MJ_LOCK_CONTROL                : 804FA87E
16:32:02:609 1120   IRP_MJ_CLEANUP                     : 804FA87E
16:32:02:609 1120   IRP_MJ_CREATE_MAILSLOT             : 804FA87E
16:32:02:609 1120   IRP_MJ_QUERY_SECURITY              : 804FA87E
16:32:02:609 1120   IRP_MJ_SET_SECURITY                : 804FA87E
16:32:02:609 1120   IRP_MJ_POWER                       : F7639C82
16:32:02:609 1120   IRP_MJ_SYSTEM_CONTROL              : F763E99E
16:32:02:609 1120   IRP_MJ_DEVICE_CHANGE               : 804FA87E
16:32:02:609 1120   IRP_MJ_QUERY_QUOTA                 : 804FA87E
16:32:02:609 1120   IRP_MJ_SET_QUOTA                   : 804FA87E
16:32:02:609 1120   TDL3_StartIoLastChanceHookDetect: Unable to dump StartIo handler code
16:32:02:609 1120   sion
16:32:02:625 1120   C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
16:32:02:625 1120   
16:32:02:625 1120   Driver Name: atapi
16:32:02:625 1120   IRP_MJ_CREATE                      : F74C9B3A
16:32:02:625 1120   IRP_MJ_CREATE_NAMED_PIPE           : F74C9B3A
16:32:02:625 1120   IRP_MJ_CLOSE                       : F74C9B3A
16:32:02:625 1120   IRP_MJ_READ                        : F74C9B3A
16:32:02:625 1120   IRP_MJ_WRITE                       : F74C9B3A
16:32:02:625 1120   IRP_MJ_QUERY_INFORMATION           : F74C9B3A
16:32:02:625 1120   IRP_MJ_SET_INFORMATION             : F74C9B3A
16:32:02:625 1120   IRP_MJ_QUERY_EA                    : F74C9B3A
16:32:02:625 1120   IRP_MJ_SET_EA                      : F74C9B3A
16:32:02:625 1120   IRP_MJ_FLUSH_BUFFERS               : F74C9B3A
16:32:02:625 1120   IRP_MJ_QUERY_VOLUME_INFORMATION    : F74C9B3A
16:32:02:625 1120   IRP_MJ_SET_VOLUME_INFORMATION      : F74C9B3A
16:32:02:625 1120   IRP_MJ_DIRECTORY_CONTROL           : F74C9B3A
16:32:02:625 1120   IRP_MJ_FILE_SYSTEM_CONTROL         : F74C9B3A
16:32:02:625 1120   IRP_MJ_DEVICE_CONTROL              : F74C9B3A
16:32:02:625 1120   IRP_MJ_INTERNAL_DEVICE_CONTROL     : F74C9B3A
16:32:02:625 1120   IRP_MJ_SHUTDOWN                    : F74C9B3A
16:32:02:625 1120   IRP_MJ_LOCK_CONTROL                : F74C9B3A
16:32:02:625 1120   IRP_MJ_CLEANUP                     : F74C9B3A
16:32:02:625 1120   IRP_MJ_CREATE_MAILSLOT             : F74C9B3A
16:32:02:625 1120   IRP_MJ_QUERY_SECURITY              : F74C9B3A
16:32:02:625 1120   IRP_MJ_SET_SECURITY                : F74C9B3A
16:32:02:625 1120   IRP_MJ_POWER                       : F74C9B3A
16:32:02:625 1120   IRP_MJ_SYSTEM_CONTROL              : F74C9B3A
16:32:02:625 1120   IRP_MJ_DEVICE_CHANGE               : F74C9B3A
16:32:02:625 1120   IRP_MJ_QUERY_QUOTA                 : F74C9B3A
16:32:02:625 1120   IRP_MJ_SET_QUOTA                   : F74C9B3A
16:32:02:625 1120   TDL3_IrpHookDetect: TDL3 Stub signature found, trying to get hook true addr
16:32:02:625 1120   TDL3_IrpHookDetect: New IrpHandler addr: 89BD18C8
16:32:02:625 1120   ihd: 10, FFDF0308, 510, 134, 3, 120, 0
16:32:02:625 1120   Driver "atapi" Irp handler infected by TDSS rootkit ... 16:32:02:625 1120   cured
16:32:02:625 1120   siohd: 0
16:32:02:640 1120   C:\WINDOWS\system32\DRIVERS\atapi.sys - Verdict: Infected
16:32:02:640 1120   File C:\WINDOWS\system32\DRIVERS\atapi.sys infected by TDSS rootkit ... 16:32:02:640 1120   Processing driver file: C:\WINDOWS\system32\DRIVERS\atapi.sys
16:32:02:640 1120   ProcessDirEnumEx: FindFirstFile(C:\WINDOWS\system32\DriverStore\FileRepository\*) error 3
16:32:02:734 1120   vfvi6
16:32:02:875 1120   !dsvbh1
16:32:03:625 1120   dsvbh2
16:32:03:625 1120   fdfb2
16:32:03:625 1120   Backup copy found, using it..
16:32:03:671 1120   will be cured on next reboot
16:32:03:671 1120   Reboot required for cure complete..
16:32:03:671 1120   Cure on reboot scheduled successfully
16:32:03:671 1120   
16:32:03:671 1120   Completed
16:32:03:671 1120   
16:32:03:671 1120   Results:
16:32:03:671 1120   Memory objects infected / cured / cured on reboot:   1 / 1 / 0
16:32:03:671 1120   Registry objects infected / cured / cured on reboot:   0 / 0 / 0
16:32:03:671 1120   File objects infected / cured / cured on reboot:   1 / 0 / 1
16:32:03:671 1120   
16:32:03:671 1120   UnloadDriverW: NtUnloadDriver error 1
16:32:03:671 1120   KLMD_Unload: UnloadDriverW(klmd21) error 1
16:32:03:687 1120   KLMD(ARK) unloaded successfully
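As an added example (not code from this thread, from Kaspersky's TDSSKiller or from Gmer), the script below parses the `Driver Name:` blocks of a TDSSKiller log like the one just posted and cross-checks any `New IrpHandler addr` it reports against the `>>UNKNOWN [...]<<` address in the catchme `called modules:` line from the ComboFix log earlier in the thread. The embedded log excerpt is constructed from a subset of the lines above (same format, same addresses); the "every IRP_MJ entry resolves to one address" note is an added observation worth reporting to an analyst, not a verdict either tool states.

```python
import re

# Constructed excerpt of the TDSSKiller output posted in this thread (a subset of
# its lines, same "HH:MM:SS:mmm PID   message" format); raw string keeps backslashes.
TDSSKILLER_LOG = r"""
16:32:02:609 1120   Driver Name: Disk
16:32:02:609 1120   IRP_MJ_CREATE                      : F763DBB0
16:32:02:609 1120   IRP_MJ_READ                        : F7637D1F
16:32:02:609 1120   IRP_MJ_DEVICE_CONTROL              : F76383BB
16:32:02:625 1120   C:\WINDOWS\system32\DRIVERS\disk.sys - Verdict: Clean
16:32:02:625 1120
16:32:02:625 1120   Driver Name: atapi
16:32:02:625 1120   IRP_MJ_CREATE                      : F74C9B3A
16:32:02:625 1120   IRP_MJ_READ                        : F74C9B3A
16:32:02:625 1120   IRP_MJ_DEVICE_CONTROL              : F74C9B3A
16:32:02:625 1120   TDL3_IrpHookDetect: TDL3 Stub signature found, trying to get hook true addr
16:32:02:625 1120   TDL3_IrpHookDetect: New IrpHandler addr: 89BD18C8
16:32:02:625 1120   siohd: 0
16:32:02:640 1120   C:\WINDOWS\system32\DRIVERS\atapi.sys - Verdict: Infected
"""

# The "called modules" line from the Stealth MBR detector section of the ComboFix log.
CATCHME_MODULES = ("called modules: ntoskrnl.exe catchme.sys CLASSPNP.SYS disk.sys "
                   "atapi.sys >>UNKNOWN [0x89BD18C8]<<")

TDSS_PREFIX = re.compile(r"^\d{2}:\d{2}:\d{2}:\d{3}\s+\d+\s*")
DRIVER_RE = re.compile(r"^Driver Name: (\S+)$")
IRP_RE = re.compile(r"^(IRP_MJ_\w+)\s*:\s*([0-9A-Fa-f]{8})$")
HOOK_RE = re.compile(r"New IrpHandler addr:\s*([0-9A-Fa-f]{8})")
VERDICT_RE = re.compile(r"^(\S+) - Verdict: (\w+)$")
UNKNOWN_RE = re.compile(r">>UNKNOWN \[0x([0-9A-Fa-f]+)\]<<")


def parse_tdsskiller(text):
    """Return {driver_name: {handlers, hook, verdict, file}} from a TDSSKiller log."""
    drivers = {}
    current = None
    for raw in text.splitlines():
        line = TDSS_PREFIX.sub("", raw).strip()   # drop timestamp and PID
        m = DRIVER_RE.match(line)
        if m:
            current = drivers.setdefault(
                m.group(1), {"handlers": {}, "hook": None, "verdict": None, "file": None})
            continue
        if current is None:
            continue                                # lines outside a driver block
        m = IRP_RE.match(line)
        if m:
            current["handlers"][m.group(1)] = m.group(2).upper()
            continue
        m = HOOK_RE.search(line)
        if m:
            current["hook"] = m.group(1).upper()    # address the tool resolved the hook to
            continue
        m = VERDICT_RE.match(line)
        if m:
            current["file"], current["verdict"] = m.group(1), m.group(2)
            current = None                          # verdict closes the block
    return drivers


def unknown_modules(catchme_line):
    """Addresses catchme could not attribute to any loaded module, zero-padded to 8 hex digits."""
    return {a.upper().zfill(8) for a in UNKNOWN_RE.findall(catchme_line)}


def assess(drivers, unknown):
    """Cross-check each driver's TDSSKiller data against catchme's UNKNOWN addresses.

    Returns [(driver, verdict, [notes])]; an empty note list means nothing to flag.
    """
    findings = []
    for name, d in sorted(drivers.items()):
        notes = []
        if d["hook"]:
            notes.append("hook -> %s" % d["hook"])
            if d["hook"] in unknown:
                notes.append("same address catchme reports as UNKNOWN (outside every loaded module)")
        distinct = set(d["handlers"].values())
        if len(d["handlers"]) > 1 and len(distinct) == 1:
            # Observation only: one dispatch routine for every major function is unusual
            # enough to mention, but is not by itself a verdict.
            notes.append("all %d IRP_MJ entries share one address %s" % (len(d["handlers"]), distinct.pop()))
        findings.append((name, d["verdict"], notes))
    return findings


if __name__ == "__main__":
    result = assess(parse_tdsskiller(TDSSKILLER_LOG), unknown_modules(CATCHME_MODULES))
    for name, verdict, notes in result:
        print("%-6s verdict=%-8s %s" % (name, verdict, "; ".join(notes) or "nothing to flag"))
```

The point of the cross-check is that two independent tools (Gmer's catchme and Kaspersky's TDSSKiller) land on the same address, 0x89BD18C8, one calling it an unknown module in the disk I/O call path and the other calling it the true target of the atapi IRP hook; agreement like that is what makes the "Infected" verdict trustworthy before a cure is attempted.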
Download the latest version of Kaspersky GetSystemInfo (GSI) and save it to your desktop.

* Close all other applications running on your system.
* Double click GetSystemInfo.exe to open it.
* Click the Settings button.
* Set it to Maximum
* IMPORTANT! Click Customize - choose Driver / Ports tab and
* Uncheck Scan Ports.
* Click Create Report to run it.
* It will create a zip folder called GetSystemInfo_XXXXXXXXXXXXXX.zip on your desktop.

* Upload the zip folder to the Kaspersky GetSystemInfo (GSI) and click the Submit button.

Copy and paste the URL (link in the address bar) of the GSI Parser report (not the log) in your next reply.

http://www.getsysteminfo.com/read.php?file=5de245770f3d642a01d629e4a2187d6c

Looks okay.

How is the computer running now?

Much better, I appreciate the help more than you know.  I will definitely recommend this site to others.  Thanks so much.

You're welcome.


Let's clear out the programs we've been using to clean up your computer, they are not suitable for general malware removal and could cause damage if launched accidentally. These steps will also help secure the work you have done.

* Click START then RUN
* Now type Combofix /Uninstall in the runbox
* Make sure there's a space between Combofix and /Uninstall
* Then hit Enter.

The above procedure will:
* Delete: ComboFix and its associated files and folders.
* Reset the clock settings.
* Hide file extensions, if required.
* Hide System/Hidden files, if required.
* Set a new, clean Restore Point.

----------

Clean out your temporary internet files and temp files.

Download TFC by OldTimer to your desktop.

Double-click TFC.exe to run it.

Note: If you are running on Vista, right-click on the file and choose Run As Administrator

TFC will close all programs when run, so make sure you have saved all your work before you begin.

* Click the Start button to begin the cleaning process.
* Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two. 
* Please let TFC run uninterrupted until it is finished.

Once TFC is finished it should restart your computer. If it does not, please manually restart the computer yourself to ensure a complete cleaning.

----------

Use the Secunia Software Inspector to check for out of date software.

* Click Start Scanner
* Check the box next to Enable thorough system inspection.
* Click Start
* Allow the scan to finish and scroll down to see if any updates are needed.
* Update anything listed.

----------

Go to Microsoft Windows Update and get all critical updates.

----------

If you are using or have installed IE6 you are using an outdated and soon to be unsupported version of Internet Explorer and I strongly suggest you update to the latest version directly from Microsoft Internet Explorer 8: Home page.

----------

I recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no realtime protection so will not interfere with each other. They do not use any significant amount of resources (except a little disk space) until you run a scan.

I suggest using WOT - Web of Trust. WOT is a free Internet security addon for your browser. It will keep you safe from online scams, identity theft, spyware, spam, viruses and unreliable shopping sites. WOT warns you before you interact with a risky website. It's easy and it's free.

SpywareBlaster - Secure your Internet Explorer to make it harder for ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla based browsers like Firefox.
* Using SpywareBlaster to protect your computer from Spyware and Malware
* If you don't know what ActiveX controls are, see here

Protect yourself against spyware using the Immunize feature in Spybot - Search & Destroy.
* Guide: Use Spybot's Immunize Feature to prevent spyware infection in real-time. Note: To ensure you have the latest Immunizations always update Spybot - Search & Destroy before Immunizing. Spybot - Search & Destroy FAQ

Check out Keeping Yourself Safe On The Web for tips and free tools to help keep you safe in the future.

Also see Slow Computer? It May Not Be Malware for free cleaning/maintenance tools to help keep your computer running smooth.


