TechSpot

A familiar virus is drastically slowing down my computer

Solved
By bnttwnbnt
Oct 11, 2010
  1. Hello,

    I have been checking out this site and am impressed by the assistance and expertise offered by the many people on this forum on their own time.

    I am having a problem with my computer and I believe it's a problem that other people have had (and that have been solved) on this forum.

    My computer is running painfully slow. I experience:

    1) Random clicking noises (like the kind IE has when switching from one website to another).
    2) Unwanted visual pop-up advertisements, where the browser used is IE (my default browser is Firefox).
    3) Unwanted audible advertisements.
    4) Overall slow performance.

    Per the topic http://www.techspot.com/vb/topic58138.html, I am providing all the information so that I can be assisted. I appreciate anyone's expertise on how I can get my computer back on track.

    A note before I start posting my log files:
    1) I ran GMER in safe mode, because I kept getting the BSOD during the scan (I did not try unchecking the "devices" square in normal mode, however). Hoping the input from the GMER.log I provided is sufficient.
    2) I attached "attach.txt" instead of cutting and pasting it, per DDS' instructions. Hoping this is acceptable.
    =================================================================
    Malwarebytes' Anti-Malware 1.46
    www.malwarebytes.org

    Database version: 4793

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702

    10/11/2010 11:49:12 AM
    mbam-log-2010-10-11 (11-49-12).txt

    Scan type: Full scan (C:\|D:\|)
    Objects scanned: 296504
    Time elapsed: 3 hour(s), 54 minute(s), 22 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 2
    Registry Keys Infected: 2
    Registry Values Infected: 3
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 23

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    C:\WINDOWS\wfedo2.dll (Trojan.Hiloti) -> Delete on reboot.
    c:\WINDOWS\system32\6to4v32.dll (Trojan.Agent) -> Delete on reboot.

    Registry Keys Infected:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{fe4c2c37-edc8-4c00-b864-3c38cf3ba834} (Adware.Adshot) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\6to4 (Trojan.Agent) -> Quarantined and deleted successfully.

    Registry Values Infected:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smise (Trojan.Hiloti) -> Delete on reboot.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\shell (Trojan.Agent) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{45e901a6-2fc6-b049-8035-5a0ec242ac0e} (Trojan.ZbotR.Gen) -> Delete on reboot.

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    C:\WINDOWS\wfedo2.dll (Trojan.Hiloti) -> Delete on reboot.
    C:\Documents and Settings\All Users\Application Data\Update\seupd.exe (Trojan.Clicker) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Kevin Bento\Application Data\hotfix.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Kevin Bento\Local Settings\Temp\lgnwct.exe (Trojan.Clicker) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Kevin Bento\Local Settings\Temp\ppwkvch.exe (Trojan.Hiloti) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Kevin Bento\Local Settings\Temp\tcpqpoo.exe (Trojan.Clicker) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Kevin Bento\Local Settings\Temp\xmuqper.exe (Trojan.Hiloti) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Kevin Bento\Local Settings\Temporary Internet Files\Content.IE5\HPD7WAD5\lpkez[1].htm (Trojan.Hiloti) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Kevin Bento\Local Settings\Temporary Internet Files\Content.IE5\I5WSYUA1\qdlsn[1].htm (Trojan.Clicker) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Kevin Bento\Local Settings\Temporary Internet Files\Content.IE5\JJEZ3R5C\lpkezhfmu[1].htm (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Kevin Bento\Local Settings\Temporary Internet Files\Content.IE5\JJEZ3R5C\lpkezhfmu[2].htm (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Kevin Bento\Local Settings\Temporary Internet Files\Content.IE5\L10DK9U7\lpkezhfmu[1].htm (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Kevin Bento\Local Settings\Temporary Internet Files\Content.IE5\LPRDZLO4\lpkez[1].htm (Trojan.Hiloti) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Kevin Bento\Local Settings\Temporary Internet Files\Content.IE5\UNLK14FW\qdlsn[1].htm (Trojan.Clicker) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1\A0001110.exe (Trojan.Clicker) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1\A0001111.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\config\systemprofile\Local Settings\Temp\AD.tmp (Rootkit.TDSS) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\config\systemprofile\Local Settings\Temp\AF.tmp (Rootkit.TDSS) -> Quarantined and deleted successfully.
    C:\WINDOWS\Temp\B1.tmp (Rootkit.TDSS) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\6to4v32.dll (Trojan.Agent) -> Delete on reboot.
    C:\WINDOWS\system32\certstore.dat (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Documents and Settings\All Users\Documents\Server\admin.txt (Malware.Trace) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Kevin Bento\Application Data\Meulmo\luxu.exe (Trojan.ZbotR.Gen) -> Quarantined and deleted successfully.
    =================================================================
    GMER 1.0.15.15281 - http://www.gmer.net
    Rootkit scan 2010-10-11 18:44:19
    Windows 5.1.2600 Service Pack 3
    Running: ip7qbh0k.exe; Driver: C:\DOCUME~1\KEVINB~1\LOCALS~1\Temp\kxloapog.sys


    ---- User code sections - GMER 1.0.15 ----

    .text C:\WINDOWS\Explorer.EXE[1068] kernel32.dll!CreateProcessInternalW 7C8197B0 5 Bytes JMP 00B485CB

    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
    AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

    Device \FileSystem\Fastfat \Fat F7936D20
    =================================================================

    DDS (Ver_10-10-10.03) - NTFSx86
    Run by Kevin Bento at 22:40:29.94 on Mon 10/11/2010
    Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_17
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.510.97 [GMT -4:00]

    AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
    FW: ZoneAlarm Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

    ============== Running Processes ===============

    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe 4
    svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\WLTRYSVC.EXE
    svchost.exe 4
    C:\WINDOWS\System32\bcmwltry.exe
    C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    C:\WINDOWS\system32\spoolsv.exe
    svchost.exe
    D:\Adobe Photoshop Elements 8\Elements Organizer 8.0\PhotoshopElementsFileAgent.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
    C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
    C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
    svchost.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
    C:\Program Files\Viewpoint\Common\ViewpointService.exe
    C:\WINDOWS\ehome\ehtray.exe
    C:\WINDOWS\stsystra.exe
    C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\Program Files\Seagate\SystemTray\StxMenuMgr.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    D:\Acrobat 9.0\Acrobat\Acrotray.exe
    C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe
    D:\SuperAntiSpyWare\SUPERAntiSpyware.exe
    C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Mozilla Firefox\plugin-container.exe
    C:\Program Files\Common Files\Corel\Standby\Standby.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Documents and Settings\Kevin Bento\Desktop\dds.scr

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://www.comcast.net/
    uSearch Page = hxxp://www.google.com
    uSearch Bar = hxxp://www.google.com/ie
    uDefault_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=6061004
    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    uInternet Settings,ProxyOverride = *.local
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
    mSearchAssistant = hxxp://www.google.com/ie
    BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\smart web printing\hpswp_printenhancer.dll
    BHO: HP Print Clips: {053f9267-dc04-4294-a72c-58f732d338c0} - c:\program files\hp\smart web printing\hpswp_framework.dll
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: CitiUSBrowserHelper Class: {387edf53-1cf2-4523-bc2f-13462651be8c} - c:\windows\system32\BhoCitUS.dll
    BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
    BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
    BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\bae\BAE.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
    TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
    EB: &Discuss: {bdeade7f-c265-11d0-bced-00a0c90ab50f} - shdocvw.dll
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRun: [TomTomHOME.exe] "c:\program files\tomtom home 2\TomTomHOMERunner.exe"
    uRun: [SUPERAntiSpyware] d:\superantispyware\SUPERAntiSpyware.exe
    mRun: [ehTray] c:\windows\ehome\ehtray.exe
    mRun: [SigmatelSysTrayApp] stsystra.exe
    mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\cli.exe" runtime -Delay
    mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup
    mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
    mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
    mRun: [StxTrayMenu] "c:\program files\seagate\systemtray\StxMenuMgr.exe"
    mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
    mRun: [Adobe Acrobat Speed Launcher] "d:\acrobat 9.0\acrobat\Acrobat_sl.exe"
    mRun: [<NO NAME>]
    mRun: [Acrobat Assistant 8.0] "d:\acrobat 9.0\acrobat\Acrotray.exe"
    mRun: [avast5] c:\progra~1\alwils~1\avast5\avastUI.exe /nogui
    mRun: [Standby] "c:\program files\common files\corel\standby\Standby.exe" -START
    mRun: [ZoneAlarm Client] "c:\program files\zone labs\zonealarm\zlclient.exe"
    mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    mRun: [svchost] c:\program files\internet explorer\svchost.exe
    dRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil10e.exe
    IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
    IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    IE: Append to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert Link Target to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    IE: Convert to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
    IE: {4C730913-3961-439b-83D5-F4E445520422} - c:\program files\citi virtual account numbers\CitiVAN.exe
    IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {58ECB495-38F0-49cb-A538-10282ABF65E7} - {E763472E-A716-4CD9-89BD-DBDA6122F741} - c:\program files\hp\smart web printing\hpswp_extensions.dll
    IE: {700259D7-1666-479a-93B1-3250410481E8} - {A93C41D8-01F8-4F8B-B14C-DE20B117E636} - c:\program files\hp\smart web printing\hpswp_extensions.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
    Trusted Zone: intuit.com\ttlc
    Trusted Zone: turbotax.com
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
    DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxps://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    Notify: !SASWinLogon - d:\superantispyware\SASWINLO.DLL
    Notify: AtiExtEvent - Ati2evxx.dll
    AppInit_DLLs: acaptuser32.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - d:\superantispyware\SASSEH.DLL
    Hosts: 127.0.0.1 www.spywareinfo.com

    ================= FIREFOX ===================

    FF - ProfilePath - c:\docume~1\kevinb~1\applic~1\mozilla\firefox\profiles\n40440e1.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2611275&SearchSource=3&q={searchTerms}
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: browser.startup.homepage - hxxp://www.comcast.net/a/
    FF - prefs.js: keyword.URL - hxxp://search.start-search.net/?sid=10101065100&s=
    FF - plugin: c:\documents and settings\kevin bento\application data\mozilla\firefox\profiles\n40440e1.default\extensions\{e2883e8f-472f-4fb0-9522-ac9bf37916a7}\plugins\np_gp.dll
    FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npdnu.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npdnupdater2.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll
    FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
    FF - plugin: d:\acrobat 9.0\acrobat\browser\nppdf32.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA}
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

    ---- FIREFOX POLICIES ----
    FF - user.js: browser.search.selectedEngine - Google
    FF - user.js: browser.search.order.1 - Google
    FF - user.js: keyword.URL - hxxp://search.start-search.net/?sid=10101065100&s=
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
    c:\program files\mozilla firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);

    ============= SERVICES / DRIVERS ===============

    R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2008-12-25 165584]
    R1 SASDIFSV;SASDIFSV;d:\superantispyware\sasdifsv.sys [2010-2-17 12872]
    R1 SASKUTIL;SASKUTIL;d:\superantispyware\SASKUTIL.SYS [2010-5-10 67656]
    R1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2010-7-18 532224]
    R2 AdobeActiveFileMonitor8.0;Adobe Active File Monitor V8;d:\adobe photoshop elements 8\elements organizer 8.0\PhotoshopElementsFileAgent.exe [2009-10-9 169312]
    R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2008-12-25 17744]
    R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-2-5 40384]
    R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
    R2 TomTomHOMEService;TomTomHOMEService;c:\program files\tomtom home 2\TomTomHOMEService.exe [2009-11-13 92008]
    R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\viewpoint\common\ViewpointService.exe [2009-6-16 24652]
    R2 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]
    R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-2-5 40384]
    R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast5\AvastSvc.exe [2010-2-5 40384]

    =============== Created Last 30 ================

    2010-10-11 18:12:41 -------- d-----w- C:\Microsoft
    2010-10-11 08:45:35 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-10-11 08:45:26 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-10-11 07:41:22 -------- d-----w- c:\docume~1\kevinb~1\applic~1\SUPERAntiSpyware.com
    2010-10-11 07:41:22 -------- d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
    2010-10-11 02:13:10 2256 ----a-w- c:\docume~1\kevinb~1\applic~1\sdfsfs.bat
    2010-10-11 02:13:00 147 ----a-w- c:\docume~1\kevinb~1\applic~1\dsfsds.bat
    2010-10-11 02:12:32 -------- d-----w- c:\docume~1\alluse~1\applic~1\Update

    ==================== Find3M ====================

    2010-09-07 15:12:17 38848 ----a-w- c:\windows\avastSS.scr
    2010-08-17 13:17:06 58880 ----a-w- c:\windows\system32\spoolsv.exe
    2010-07-22 15:49:15 590848 ----a-w- c:\windows\system32\rpcrt4.dll
    2010-07-22 05:57:20 5120 ----a-w- c:\windows\system32\xpsp4res.dll

    ============= FINISH: 22:46:24.48 ===============
    =================================================================

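The Pseudo HJT Report above lists every autostart entry DDS found on the machine. As an added example for this thread (not code from the post, from Broni, or from the DDS tool), the following Python parses those `uRun:`/`mRun:`/`dRunOnce:` lines, resolves the executable each one launches, and flags a core Windows binary name started from outside the Windows directory, the pattern visible in the `mRun: [svchost]` line; the `WINDOWS_ROOT` location and the `SYSTEM_BINARIES` set are assumptions of the example, and the sample lines are copied from the log posted above.

```python
"""Triage pass over the autostart entries in a DDS 'Pseudo HJT Report'.

Added example for this thread, not code from the TechSpot post or from the
DDS tool. It parses the uRun:/mRun:/dRunOnce: lines DDS prints, works out
which executable each entry launches, and flags a core Windows binary name
(svchost.exe, explorer.exe, ...) started from outside the Windows directory
tree, which is what the 'mRun: [svchost]' line in the posted log shows.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Assumption: Windows lives in c:\windows, as the posted DDS log shows for
# this XP machine.
WINDOWS_ROOT = "c:\\windows\\"

# Core OS binaries that should never start from anywhere else (an assumed,
# non-exhaustive list for this example).
SYSTEM_BINARIES = {
    "svchost.exe", "explorer.exe", "lsass.exe", "services.exe",
    "winlogon.exe", "csrss.exe", "smss.exe", "spoolsv.exe", "ctfmon.exe",
}

# DDS autostart line: hive prefix (u = user, m = machine, d = default user),
# value name in brackets, then the command line, e.g.
#   mRun: [svchost] c:\program files\internet explorer\svchost.exe
RUN_LINE = re.compile(r"^(?P<hive>[umd])Run(?:Once)?:\s*\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")

# Unquoted command lines may contain spaces, so cut at the first executable
# extension that is followed by whitespace or end of line.
EXE_RE = re.compile(r"^(?P<path>.*?\.(?:exe|scr|com|bat))(?=\s|$)", re.IGNORECASE)


@dataclass
class AutostartEntry:
    hive: str
    name: str
    command: str
    exe_path: Optional[str]
    flags: List[str] = field(default_factory=list)


def expand_env(path: str) -> str:
    """Expand the two environment variables DDS leaves unexpanded in Run values."""
    for var in ("%systemroot%", "%windir%"):
        path = path.replace(var, WINDOWS_ROOT.rstrip("\\"))
    return path


def extract_exe_path(command: str) -> Optional[str]:
    """Return the lower-cased executable path of a Run command line, or None if empty."""
    command = command.strip()
    if not command:
        return None
    if command.startswith('"'):
        end = command.find('"', 1)
        path = command[1:end] if end != -1 else command[1:]
    else:
        m = EXE_RE.match(command)
        path = m.group("path") if m else command.split()[0]
    return expand_env(path.lower())


def triage(exe_path: Optional[str]) -> List[str]:
    """Apply the heuristics; an empty list means nothing looked odd."""
    if exe_path is None:
        return ["empty autostart value"]
    directory, _, basename = exe_path.rpartition("\\")
    flags: List[str] = []
    if not directory:
        flags.append("unqualified path (resolved via PATH search at logon)")
    elif basename in SYSTEM_BINARIES and not (directory + "\\").startswith(WINDOWS_ROOT):
        flags.append(f"{basename} launched from outside the Windows directory")
    return flags


def parse_run_line(line: str) -> Optional[AutostartEntry]:
    """Parse one DDS line; returns None for lines that are not autostart entries."""
    m = RUN_LINE.match(line.strip())
    if not m:
        return None
    exe_path = extract_exe_path(m.group("cmd"))
    return AutostartEntry(m.group("hive"), m.group("name"), m.group("cmd").strip(),
                          exe_path, triage(exe_path))


def parse_report(text: str) -> List[AutostartEntry]:
    """Collect every autostart entry in a DDS report; other sections are ignored."""
    return [e for e in map(parse_run_line, text.splitlines()) if e is not None]


def flagged_entries(text: str) -> List[AutostartEntry]:
    return [e for e in parse_report(text) if e.flags]


# Lines copied from the Pseudo HJT Report posted above (one non-Run line kept
# to show that it is skipped).
SAMPLE_DDS_LINES = r"""
mSearchAssistant = hxxp://www.google.com/ie
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [TomTomHOME.exe] "c:\program files\tomtom home 2\TomTomHOMERunner.exe"
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\cli.exe" runtime -Delay
mRun: [<NO NAME>]
mRun: [avast5] c:\progra~1\alwils~1\avast5\avastUI.exe /nogui
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [svchost] c:\program files\internet explorer\svchost.exe
dRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\FlashUtil10e.exe
"""

if __name__ == "__main__":
    for e in flagged_entries(SAMPLE_DDS_LINES):
        print(f"{e.hive}Run [{e.name}] -> {e.exe_path or '(none)'}: {'; '.join(e.flags)}")
```

The unqualified-path and empty-value flags are low-severity hints for a reviewer; the out-of-place system binary name is the one that merits a closer look at the file.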
  2. Broni


    Welcome aboard

    Download MBRCheck to your desktop

    Double click MBRCheck.exe to run (Vista and Windows 7 users, right click and select Run as Administrator).
    It will show a black screen with some data on it.
    Enter N to exit.
    A report called MBRcheckxxxx.txt will be on your desktop
    Open this report and post its content in your next reply.

    =====================================================================================

    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt"
    **Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

    Make sure, you re-enable your security programs, when you're done with Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     
  3. bnttwnbnt


    MBRCheckxxxx.txt

    Hi Broni,

    Thanks for your quick response!

    Below is the MBRCheck log you requested. Due to character limitations, I will submit the Combofix log in another post on this same thread. Looking forward to your further recommendation and expertise!

    ===================================================================
    MBRCheck, version 1.2.3
    (c) 2010, AD

    Command-line:
    Windows Version: Windows XP Professional
    Windows Information: Service Pack 3 (build 2600)
    Logical Drives Mask: 0x0000001c

    Kernel Drivers (total 151):

    Processes (total 55):
    0 System Idle Process
    4 System
    900 C:\WINDOWS\system32\smss.exe
    948 csrss.exe
    976 C:\WINDOWS\system32\winlogon.exe
    1040 C:\WINDOWS\system32\services.exe
    1052 C:\WINDOWS\system32\lsass.exe
    1196 C:\WINDOWS\system32\svchost.exe
    1272 C:\WINDOWS\system32\ati2evxx.exe
    1308 C:\WINDOWS\system32\svchost.exe
    1424 svchost.exe
    1444 C:\WINDOWS\system32\svchost.exe
    1596 C:\WINDOWS\system32\svchost.exe
    1724 svchost.exe
    1864 svchost.exe
    1964 C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    724 C:\WINDOWS\system32\ati2evxx.exe
    816 C:\WINDOWS\explorer.exe
    620 C:\WINDOWS\system32\WLTRYSVC.EXE
    636 C:\WINDOWS\system32\BCMWLTRY.EXE
    684 C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    580 C:\WINDOWS\system32\spoolsv.exe
    1540 svchost.exe
    1340 D:\Adobe Photoshop Elements 8\Elements Organizer 8.0\PhotoshopElementsFileAgent.exe
    1664 C:\Program Files\Bonjour\mDNSResponder.exe
    1944 C:\WINDOWS\system32\svchost.exe
    2232 C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
    3076 C:\Program Files\Java\jre6\bin\jqs.exe
    3208 C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    3344 C:\Program Files\Dell\QuickSet\NicConfigSvc.exe
    3508 C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
    3700 svchost.exe
    3748 C:\WINDOWS\system32\svchost.exe
    3836 C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
    3872 C:\Program Files\Viewpoint\Common\ViewpointService.exe
    4000 mcrdsvc.exe
    772 wmiprvse.exe
    2160 alg.exe
    2908 C:\WINDOWS\ehome\ehtray.exe
    2924 C:\WINDOWS\stsystra.exe
    2928 C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
    2988 C:\WINDOWS\system32\dla\tfswctrl.exe
    3008 C:\Program Files\Seagate\SystemTray\StxMenuMgr.exe
    2488 C:\Program Files\Java\jre6\bin\jusched.exe
    3304 D:\Acrobat 9.0\Acrobat\acrotray.exe
    3784 C:\PROGRA~1\ALWILS~1\Avast5\AvastUI.exe
    3800 C:\Program Files\Common Files\Corel\Standby\Standby.exe
    1516 C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    2800 C:\WINDOWS\system32\ctfmon.exe
    304 C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe
    3316 D:\SuperAntiSpyWare\SUPERAntiSpyware.exe
    3972 C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
    2900 C:\WINDOWS\system32\wbem\wmiapsrv.exe
    652 C:\Program Files\Mozilla Firefox\firefox.exe
    1488 C:\Documents and Settings\Kevin Bento\Desktop\MBRCheck.exe

    \\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`02f10c00 (NTFS)
    \\.\D: --> \\.\PhysicalDrive0 at offset 0x00000013`cdd44a00 (NTFS)

    PhysicalDrive0 Model Number: SAMSUNGHM120JI, Rev: YF100-15

    Size Device Name MBR Status
    --------------------------------------------
    110 GB \\.\PhysicalDrive0 Known-bad MBR code detected (Whistler / Black Internet)!
    SHA1: C80AFA2E51BB6A5C1C73F2412E41E574CB37CACE


    Found non-standard or infected MBR.
    Enter 'Y' and hit ENTER for more options, or 'N' to exit:

    Done!

    =================================================================
     
  4. bnttwnbnt

    bnttwnbnt TS Rookie Topic Starter

    ComboFix.txt

    Hi again Broni. Below is the cut and pasted results from ComboFix.txt.

    Thanks again for your help. Looking forward to the next steps!

    =================================================================
    ComboFix 10-10-11.02 - Kevin Bento 10/12/2010 1:13.1.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.510.214 [GMT -4:00]
    Running from: c:\documents and settings\Kevin Bento\Desktop\ComboFix.exe
    AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
    FW: ZoneAlarm Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Microsoft
    c:\program files\Internet Explorer\svchost.exe
    c:\program files\Mozilla Firefox\searchplugins\google_search.xml
    c:\windows\desktop
    c:\windows\system32\AutoRun.inf
    c:\windows\Tasks\At1.job
    c:\windows\Tasks\At10.job
    c:\windows\Tasks\At11.job
    c:\windows\Tasks\At12.job
    c:\windows\Tasks\At13.job
    c:\windows\Tasks\At14.job
    c:\windows\Tasks\At15.job
    c:\windows\Tasks\At16.job
    c:\windows\Tasks\At17.job
    c:\windows\Tasks\At18.job
    c:\windows\Tasks\At19.job
    c:\windows\Tasks\At2.job
    c:\windows\Tasks\At20.job
    c:\windows\Tasks\At21.job
    c:\windows\Tasks\At22.job
    c:\windows\Tasks\At23.job
    c:\windows\Tasks\At24.job
    c:\windows\Tasks\At3.job
    c:\windows\Tasks\At4.job
    c:\windows\Tasks\At5.job
    c:\windows\Tasks\At6.job
    c:\windows\Tasks\At7.job
    c:\windows\Tasks\At8.job
    c:\windows\Tasks\At9.job

    Infected copy of c:\windows\system32\drivers\intelppm.sys was found and disinfected
    Restored copy from - Kitty had a snack :p
    Infected copy of c:\windows\system32\winlogon.exe was found and disinfected
    Restored copy from - c:\windows\ServicePackFiles\i386\winlogon.exe

    Infected copy of c:\windows\explorer.exe was found and disinfected
    Restored copy from - c:\windows\ServicePackFiles\i386\explorer.exe

    .
    \\.\PhysicalDrive0 - Bootkit Whistler was found and disinfected
    .
    \\.\PhysicalDrive0 - Bootkit Whistler was found and disinfected
    .
    ((((((((((((((((((((((((( Files Created from 2010-09-12 to 2010-10-12 )))))))))))))))))))))))))))))))
    .

    2010-10-11 21:40 . 2010-10-11 21:40 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
    2010-10-11 08:45 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-10-11 08:45 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-10-11 07:41 . 2010-10-11 07:41 -------- d-----w- c:\documents and settings\Kevin Bento\Application Data\SUPERAntiSpyware.com
    2010-10-11 07:41 . 2010-10-11 07:41 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
    2010-10-11 02:13 . 2010-10-11 07:05 2256 ----a-w- c:\documents and settings\Kevin Bento\Application Data\sdfsfs.bat
    2010-10-11 02:13 . 2010-10-11 07:05 147 ----a-w- c:\documents and settings\Kevin Bento\Application Data\dsfsds.bat
    2010-10-11 02:12 . 2010-10-11 15:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Update
    2010-10-09 23:59 . 2010-10-09 23:59 -------- d-sh--w- c:\documents and settings\NetworkService\PrivacIE
    2010-10-09 23:32 . 2010-10-09 23:32 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE
    2010-10-09 23:29 . 2010-10-09 23:29 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
    2010-10-09 22:11 . 2010-10-09 22:11 -------- d-sh--w- c:\documents and settings\LocalService\PrivacIE

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "TomTomHOME.exe"="c:\program files\TomTom HOME 2\TomTomHOMERunner.exe" [2009-11-13 247144]
    "SUPERAntiSpyware"="d:\superantispyware\SUPERAntiSpyware.exe" [2010-09-28 2424560]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
    "SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 282624]
    "ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 45056]
    "ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
    "ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
    "dla"="c:\windows\system32\dla\tfswctrl.exe" [2005-05-31 122941]
    "StxTrayMenu"="c:\program files\Seagate\SystemTray\StxMenuMgr.exe" [2007-01-18 190008]
    "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
    "Adobe Acrobat Speed Launcher"="d:\acrobat 9.0\Acrobat\Acrobat_sl.exe" [2008-06-12 37232]
    "Acrobat Assistant 8.0"="d:\acrobat 9.0\Acrobat\Acrotray.exe" [2008-06-12 640376]
    "avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-09-07 2838912]
    "Standby"="c:\program files\Common Files\Corel\Standby\Standby.exe" [2009-12-17 105632]
    "ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2010-06-23 1043968]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\FlashUtil10e.exe" [2010-01-27 256280]

    c:\documents and settings\Administrator\Start Menu\Programs\Startup\
    urkyip.exe [2010-10-10 139264]

    c:\documents and settings\Default User\Start Menu\Programs\Startup\
    irag.exe [2010-10-10 139264]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "d:\superantispyware\SASSEH.DLL" [2008-05-13 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2009-09-03 22:21 548352 ----a-w- d:\superantispyware\SASWINLO.DLL

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=c:\windows\system32\acaptuser32.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    "c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "d:\\Adobe Photoshop Elements 8\\Elements Organizer 8.0\\AdobePhotoshopElementsMediaServer.exe"=
    "c:\\Program Files\\AIM\\aim.exe"=
    "c:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe"=

    R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [12/25/2008 3:48 PM 165584]
    R1 SASDIFSV;SASDIFSV;d:\superantispyware\sasdifsv.sys [2/17/2010 2:25 PM 12872]
    R1 SASKUTIL;SASKUTIL;d:\superantispyware\SASKUTIL.SYS [5/10/2010 2:41 PM 67656]
    R2 AdobeActiveFileMonitor8.0;Adobe Active File Monitor V8;d:\adobe photoshop elements 8\Elements Organizer 8.0\PhotoshopElementsFileAgent.exe [10/9/2009 6:45 AM 169312]
    R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [12/25/2008 3:48 PM 17744]
    R2 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [11/13/2009 7:31 AM 92008]
    R2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [6/16/2009 12:03 AM 24652]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
    getPlusHelper REG_MULTI_SZ getPlusHelper
    .
    Contents of the 'Scheduled Tasks' folder

    2009-12-30 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 16:34]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.comcast.net/
    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    uInternet Settings,ProxyOverride = *.local
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
    IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
    IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    Trusted Zone: intuit.com\ttlc
    Trusted Zone: turbotax.com
    FF - ProfilePath - c:\documents and settings\Kevin Bento\Application Data\Mozilla\Firefox\Profiles\n40440e1.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2611275&SearchSource=3&q={searchTerms}
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: browser.startup.homepage - hxxp://www.comcast.net/a/
    FF - prefs.js: keyword.URL - hxxp://search.start-search.net/?sid=10101065100&s=
    FF - plugin: c:\documents and settings\Kevin Bento\Application Data\Mozilla\Firefox\Profiles\n40440e1.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
    FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npdnupdater2.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
    FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
    FF - plugin: d:\acrobat 9.0\Acrobat\browser\nppdf32.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

    ---- FIREFOX POLICIES ----
    FF - user.js: browser.search.selectedEngine - Google
    FF - user.js: browser.search.order.1 - Google
    FF - user.js: keyword.URL - hxxp://search.start-search.net/?sid=10101065100&s=c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
    .
    - - - - ORPHANS REMOVED - - - -

    AddRemove-Basement Ideas - f:\basement ideas\uninstall.exe


    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
    @Denied: (2) (LocalSystem)
    "88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,ca,eb,09,24,e9,f8,d7,45,bb,a1,3a,\
    "2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,ca,eb,09,24,e9,f8,d7,45,bb,a1,3a,\
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(976)
    d:\superantispyware\SASWINLO.DLL
    c:\windows\system32\WININET.dll
    c:\windows\system32\Ati2evxx.dll
    c:\windows\System32\BCMLogon.dll

    - - - - - - - > 'explorer.exe'(656)
    c:\windows\system32\WININET.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\system32\Ati2evxx.exe
    c:\windows\system32\Ati2evxx.exe
    c:\windows\System32\WLTRYSVC.EXE
    c:\windows\System32\bcmwltry.exe
    c:\program files\Alwil Software\Avast5\AvastSvc.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    c:\program files\Dell\QuickSet\NICCONFIGSVC.exe
    c:\program files\Common Files\Protexis\License Service\PsiService_2.exe
    c:\windows\ehome\mcrdsvc.exe
    c:\windows\system32\wscntfy.exe
    c:\windows\stsystra.exe
    .
    **************************************************************************
    .
    Completion time: 2010-10-12 01:48:18 - machine was rebooted
    ComboFix-quarantined-files.txt 2010-10-12 05:48

    Pre-Run: 3,178,823,680 bytes free
    Post-Run: 3,122,503,680 bytes free

    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    UnsupportedDebug="do not select this" /debug
    multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

    - - End Of File - - 268298CBA743346586EB62997F5FB953
    =================================================================
     
  5. Broni

    Broni Malware Annihilator Posts: 47,719   +268

    It looks like Combofix took care of a really nasty bootkit :)

    ======================================================================

    Unless you installed Viewpoint Manager knowledgeably...
    Go Start>Control Panel>Add\Remove (Programs and Features in Vista), and...
    Uninstall any of the following programs associated with Viewpoint:
    * Viewpoint Manager
    * Viewpoint Media Player
    * Viewpoint Toolbar
    This program does not do anything bad such as deliver ads or spy on you, but it is considered foistware ("drive-by-install") as it is installed without your consent through programs like AOL, AIM, Compuserve, etc.

    ========================================================================

    1. Please open Notepad
    • Click Start , then Run
    • Type notepad.exe in the Run Box.

    2. Now copy/paste the entire content of the codebox below into the Notepad window:

    Code:
    File::
    c:\documents and settings\Administrator\Start Menu\Programs\Startup\urkyip.exe
    c:\documents and settings\Default User\Start Menu\Programs\Startup\irag.exe
    
    Registry::
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
    "DisableMonitoring"=-
    
    
    

    3. Save the above as CFScript.txt

    4. Close/disable all anti-virus and anti-malware programs again, so they do not interfere with the running of ComboFix.

    5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.



    6. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
    • Combofix.txt
     
  6. bnttwnbnt

    bnttwnbnt TS Rookie Topic Starter

    Hi Broni!

    Thanks for the advice on the ViewPoint Software. I had Viewpoint Media Player which was used rarely. As such, I deleted it.

    After running ComboFix again by dragging and dropping the notepad file with the copied and pasted script, here is the log that resulted after this scan:

    ===================================================================
    ComboFix 10-10-11.02 - Kevin Bento 10/13/2010 0:10.2.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.510.182 [GMT -4:00]
    Running from: c:\documents and settings\Kevin Bento\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\Kevin Bento\Desktop\CFScript.txt
    AV: avast! Antivirus *On-access scanning disabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}
    FW: ZoneAlarm Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}

    FILE ::
    "c:\documents and settings\Administrator\Start Menu\Programs\Startup\urkyip.exe"
    "c:\documents and settings\Default User\Start Menu\Programs\Startup\irag.exe"
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\Administrator\Start Menu\Programs\Startup\urkyip.exe
    c:\documents and settings\Default User\Start Menu\Programs\Startup\irag.exe

    .
    \\.\PhysicalDrive0 - Bootkit Whistler was found and disinfected
    .
    ((((((((((((((((((((((((( Files Created from 2010-09-13 to 2010-10-13 )))))))))))))))))))))))))))))))
    .

    2010-10-11 21:40 . 2010-10-11 21:40 -------- d-sh--w- c:\documents and settings\Administrator\IETldCache
    2010-10-11 08:45 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-10-11 08:45 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-10-11 07:41 . 2010-10-11 07:41 -------- d-----w- c:\documents and settings\Kevin Bento\Application Data\SUPERAntiSpyware.com
    2010-10-11 07:41 . 2010-10-11 07:41 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
    2010-10-11 02:13 . 2010-10-11 07:05 2256 ----a-w- c:\documents and settings\Kevin Bento\Application Data\sdfsfs.bat
    2010-10-11 02:13 . 2010-10-11 07:05 147 ----a-w- c:\documents and settings\Kevin Bento\Application Data\dsfsds.bat
    2010-10-11 02:12 . 2010-10-11 15:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Update
    2010-10-09 23:59 . 2010-10-09 23:59 -------- d-sh--w- c:\documents and settings\NetworkService\PrivacIE
    2010-10-09 23:32 . 2010-10-09 23:32 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE
    2010-10-09 23:29 . 2010-10-09 23:29 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
    2010-10-09 22:11 . 2010-10-09 22:11 -------- d-sh--w- c:\documents and settings\LocalService\PrivacIE

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "TomTomHOME.exe"="c:\program files\TomTom HOME 2\TomTomHOMERunner.exe" [2009-11-13 247144]
    "SUPERAntiSpyware"="d:\superantispyware\SUPERAntiSpyware.exe" [2010-09-28 2424560]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
    "SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 282624]
    "ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 45056]
    "ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
    "ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
    "dla"="c:\windows\system32\dla\tfswctrl.exe" [2005-05-31 122941]
    "StxTrayMenu"="c:\program files\Seagate\SystemTray\StxMenuMgr.exe" [2007-01-18 190008]
    "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-10-11 149280]
    "Adobe Acrobat Speed Launcher"="d:\acrobat 9.0\Acrobat\Acrobat_sl.exe" [2008-06-12 37232]
    "Acrobat Assistant 8.0"="d:\acrobat 9.0\Acrobat\Acrotray.exe" [2008-06-12 640376]
    "avast5"="c:\progra~1\ALWILS~1\Avast5\avastUI.exe" [2010-09-07 2838912]
    "Standby"="c:\program files\Common Files\Corel\Standby\Standby.exe" [2009-12-17 105632]
    "ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2010-06-23 1043968]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "FlashPlayerUpdate"="c:\windows\system32\Macromed\Flash\FlashUtil10e.exe" [2010-01-27 256280]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "d:\superantispyware\SASSEH.DLL" [2008-05-13 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2009-09-03 22:21 548352 ----a-w- d:\superantispyware\SASWINLO.DLL

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=c:\windows\system32\acaptuser32.dll

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    "c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "d:\\Adobe Photoshop Elements 8\\Elements Organizer 8.0\\AdobePhotoshopElementsMediaServer.exe"=
    "c:\\Program Files\\AIM\\aim.exe"=
    "c:\\WINDOWS\\system32\\ZoneLabs\\vsmon.exe"=

    R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [12/25/2008 3:48 PM 165584]
    R1 SASDIFSV;SASDIFSV;d:\superantispyware\sasdifsv.sys [2/17/2010 2:25 PM 12872]
    R1 SASKUTIL;SASKUTIL;d:\superantispyware\SASKUTIL.SYS [5/10/2010 2:41 PM 67656]
    R2 AdobeActiveFileMonitor8.0;Adobe Active File Monitor V8;d:\adobe photoshop elements 8\Elements Organizer 8.0\PhotoshopElementsFileAgent.exe [10/9/2009 6:45 AM 169312]
    R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [12/25/2008 3:48 PM 17744]
    R2 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [11/13/2009 7:31 AM 92008]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
    getPlusHelper REG_MULTI_SZ getPlusHelper
    .
    Contents of the 'Scheduled Tasks' folder

    2009-12-30 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 16:34]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.comcast.net/
    uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
    uInternet Settings,ProxyOverride = *.local
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
    IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
    IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    Trusted Zone: intuit.com\ttlc
    Trusted Zone: turbotax.com
    FF - ProfilePath - c:\documents and settings\Kevin Bento\Application Data\Mozilla\Firefox\Profiles\n40440e1.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT2611275&SearchSource=3&q={searchTerms}
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: browser.startup.homepage - hxxp://www.comcast.net/a/
    FF - prefs.js: keyword.URL - hxxp://search.start-search.net/?sid=10101065100&s=
    FF - plugin: c:\documents and settings\Kevin Bento\Application Data\Mozilla\Firefox\Profiles\n40440e1.default\extensions\{E2883E8F-472F-4fb0-9522-AC9BF37916A7}\plugins\np_gp.dll
    FF - plugin: c:\program files\Google\Picasa3\npPicasa3.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npdnupdater2.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
    FF - plugin: d:\acrobat 9.0\Acrobat\browser\nppdf32.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

    ---- FIREFOX POLICIES ----
    FF - user.js: browser.search.selectedEngine - Google
    FF - user.js: browser.search.order.1 - Google
    FF - user.js: keyword.URL - hxxp://search.start-search.net/?sid=10101065100&s=c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
    c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
    .
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
    @Denied: (2) (LocalSystem)
    "88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,ca,eb,09,24,e9,f8,d7,45,bb,a1,3a,\
    "2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,ca,eb,09,24,e9,f8,d7,45,bb,a1,3a,\
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(984)
    d:\superantispyware\SASWINLO.DLL
    c:\windows\system32\WININET.dll
    c:\windows\system32\Ati2evxx.dll
    c:\windows\System32\BCMLogon.dll
    .
    Completion time: 2010-10-13 00:44:29
    ComboFix-quarantined-files.txt 2010-10-13 04:43
    ComboFix2.txt 2010-10-12 05:48

    Pre-Run: 3,010,867,200 bytes free
    Post-Run: 2,954,547,200 bytes free

    - - End Of File - - 8DCD295B5B030631E0759EBF2690CCF2
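A way to confirm that the CFScript run requested in Broni's post did what it was asked to do, using the ComboFix log posted in reply. This is an added example, not code from the thread, from ComboFix or from TechSpot; it assumes ComboFix's decorated section headers ("((( Other Deletions )))", "((( Reg Loading Points )))") exactly as they appear in the logs above, and the sample script and log excerpts are constructed from the entries shown in this thread.

```python
"""Verify a ComboFix CFScript run against the ComboFix.txt it produced.

Added example (not part of the TechSpot thread or ComboFix). Checks that every
File:: entry is listed under "Other Deletions" and that every Registry:: value
marked for removal with "=-" no longer appears under "Reg Loading Points".
"""
import re

# Constructed sample: the CFScript posted in the thread.
CFSCRIPT = r"""
File::
c:\documents and settings\Administrator\Start Menu\Programs\Startup\urkyip.exe
c:\documents and settings\Default User\Start Menu\Programs\Startup\irag.exe

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=-
"""

# Constructed excerpt of the ComboFix log posted BEFORE the script ran:
# the startup executables are not deleted yet and the monitoring key is present.
LOG_BEFORE = r"""
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\program files\Internet Explorer\svchost.exe
c:\windows\Tasks\At1.job
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
------- Supplementary Scan -------
"""

# Constructed excerpt of the log posted AFTER the script ran.
LOG_AFTER = r"""
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Administrator\Start Menu\Programs\Startup\urkyip.exe
c:\documents and settings\Default User\Start Menu\Programs\Startup\irag.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
REGEDIT4

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
------- Supplementary Scan -------
"""


def parse_cfscript(text):
    """Return {'File': [lowercased paths], 'Registry': [(lowercased key, value name)]}."""
    files, reg = [], []
    section, current_key = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith('::'):            # "File::" / "Registry::" section markers
            section, current_key = line[:-2], None
            continue
        if section == 'File':
            files.append(line.lower())
        elif section == 'Registry':
            if line.startswith('[') and line.endswith(']'):
                current_key = line[1:-1].lower()
            else:
                m = re.match(r'"([^"]+)"=-$', line)   # "Name"=- means "delete this value"
                if m and current_key:
                    reg.append((current_key, m.group(1)))
    return {'File': files, 'Registry': reg}


def split_sections(log_text):
    """Split a ComboFix.txt into {section name: [non-empty lines]} on its decorated headers."""
    sections, name = {'Preamble': []}, 'Preamble'
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith(('(((', '---', '- - -')):
            name = line.strip('()- ')
            sections[name] = []
        elif line and line != '.':          # ComboFix pads sections with lone dots
            sections[name].append(line)
    return sections


def verify_cleanup(script_text, log_text):
    """Return a list of findings; an empty list means every requested action is confirmed."""
    wanted = parse_cfscript(script_text)
    sections = split_sections(log_text)
    deleted = {l.strip('"').lower() for l in sections.get('Other Deletions', [])}
    findings = [f'not deleted: {p}' for p in wanted['File'] if p not in deleted]
    current = None                          # which [key] block of Reg Loading Points we are in
    for line in sections.get('Reg Loading Points', []):
        low = line.lower()
        if low.startswith('[') and low.endswith(']'):
            current = low[1:-1]
            continue
        for key, value in wanted['Registry']:
            if current == key and low.startswith(f'"{value.lower()}"='):
                findings.append(f'still present: [{key}] {value}')
    return findings


if __name__ == '__main__':
    for label, log in (('before', LOG_BEFORE), ('after', LOG_AFTER)):
        print(label, verify_cleanup(CFSCRIPT, log) or 'all requested actions confirmed')
```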
     
  7. Broni

    Broni Malware Annihilator Posts: 47,719   +268

    Please, rerun MBRCheck and post fresh log.
     
  8. bnttwnbnt

    bnttwnbnt TS Rookie Topic Starter

    Hi Broni,

    As you requested: here is the latest MBRCheck Log:

    ===================================================================
    MBRCheck, version 1.2.3
    (c) 2010, AD

    Command-line:
    Windows Version: Windows XP Professional
    Windows Information: Service Pack 3 (build 2600)
    Logical Drives Mask: 0x0000001c

    Kernel Drivers (total 155):
    0x804D7000 \WINDOWS\system32\ntkrnlpa.exe
    0x806E4000 \WINDOWS\system32\hal.dll
    0xF8A26000 \WINDOWS\system32\KDCOM.DLL
    0xF8936000 \WINDOWS\system32\BOOTVID.dll
    0xF83F7000 ACPI.sys
    0xF8A28000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
    0xF83E6000 pci.sys
    0xF8526000 isapnp.sys
    0xF893A000 compbatt.sys
    0xF893E000 \WINDOWS\system32\DRIVERS\BATTC.SYS
    0xF8AEE000 pciide.sys
    0xF87A6000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
    0xF8536000 MountMgr.sys
    0xF83C7000 ftdisk.sys
    0xF83A1000 dmio.sys
    0xF87AE000 PartMgr.sys
    0xF8546000 VolSnap.sys
    0xF8389000 atapi.sys
    0xF8556000 disk.sys
    0xF8566000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
    0xF8369000 fltmgr.sys
    0xF8357000 sr.sys
    0xF8341000 drvmcdb.sys
    0xF8576000 PxHelp20.sys
    0xF832A000 KSecDD.sys
    0xF829D000 Ntfs.sys
    0xF8270000 NDIS.sys
    0xF8586000 sbp2port.sys
    0xF8596000 ohci1394.sys
    0xF85A6000 \WINDOWS\system32\DRIVERS\1394BUS.SYS
    0xF8256000 Mup.sys
    0xF8646000 \SystemRoot\system32\DRIVERS\intelppm.sys
    0xF8A16000 \SystemRoot\system32\DRIVERS\CmBatt.sys
    0xF72FA000 \SystemRoot\system32\DRIVERS\ati2mtag.sys
    0xF72E6000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
    0xF72BE000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
    0xF7256000 \SystemRoot\system32\DRIVERS\bcmwl5.sys
    0xF886E000 \SystemRoot\system32\DRIVERS\usbuhci.sys
    0xF7232000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
    0xF8876000 \SystemRoot\system32\DRIVERS\usbehci.sys
    0xF8656000 \SystemRoot\system32\DRIVERS\bcm4sbxp.sys
    0xF721E000 \SystemRoot\system32\DRIVERS\sdbus.sys
    0xF887E000 \SystemRoot\system32\DRIVERS\rimmptsk.sys
    0xF8666000 \SystemRoot\system32\DRIVERS\rimsptsk.sys
    0xF71D2000 \SystemRoot\system32\DRIVERS\rixdptsk.sys
    0xF8676000 \SystemRoot\system32\DRIVERS\i8042prt.sys
    0xF71A3000 \SystemRoot\system32\DRIVERS\SynTP.sys
    0xF8A4C000 \SystemRoot\system32\DRIVERS\USBD.SYS
    0xF8886000 \SystemRoot\system32\DRIVERS\mouclass.sys
    0xF888E000 \SystemRoot\system32\DRIVERS\kbdclass.sys
    0xF8686000 \SystemRoot\system32\DRIVERS\imapi.sys
    0xF8A4E000 \SystemRoot\system32\drivers\sscdbhk5.sys
    0xF8696000 \SystemRoot\system32\DRIVERS\cdrom.sys
    0xF86A6000 \SystemRoot\system32\DRIVERS\redbook.sys
    0xF7180000 \SystemRoot\system32\DRIVERS\ks.sys
    0xF822E000 \SystemRoot\system32\DRIVERS\GEARAspiWDM.sys
    0xF8B40000 \SystemRoot\system32\DRIVERS\audstub.sys
    0xF86B6000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
    0xF8226000 \SystemRoot\system32\DRIVERS\ndistapi.sys
    0xF7169000 \SystemRoot\system32\DRIVERS\ndiswan.sys
    0xF86C6000 \SystemRoot\system32\DRIVERS\raspppoe.sys
    0xF86D6000 \SystemRoot\system32\DRIVERS\raspptp.sys
    0xF889E000 \SystemRoot\system32\DRIVERS\TDI.SYS
    0xF7158000 \SystemRoot\system32\DRIVERS\psched.sys
    0xF86E6000 \SystemRoot\system32\DRIVERS\msgpc.sys
    0xF88A6000 \SystemRoot\system32\DRIVERS\ptilink.sys
    0xF88AE000 \SystemRoot\system32\DRIVERS\raspti.sys
    0xF7088000 \SystemRoot\system32\DRIVERS\rdpdr.sys
    0xF86F6000 \SystemRoot\system32\DRIVERS\termdd.sys
    0xF8A54000 \SystemRoot\system32\DRIVERS\swenum.sys
    0xF702A000 \SystemRoot\system32\DRIVERS\update.sys
    0xF74AE000 \SystemRoot\system32\DRIVERS\mssmbios.sys
    0xF88B6000 \SystemRoot\system32\DRIVERS\omci.sys
    0xF8706000 \SystemRoot\System32\Drivers\NDProxy.SYS
    0xF2EA8000 \SystemRoot\system32\drivers\sthda.sys
    0xF2E84000 \SystemRoot\system32\drivers\portcls.sys
    0xF8736000 \SystemRoot\system32\drivers\drmk.sys
    0xF2E52000 \SystemRoot\system32\DRIVERS\HSFHWAZL.sys
    0xF2D55000 \SystemRoot\system32\DRIVERS\HSF_DPV.sys
    0xF2CA5000 \SystemRoot\system32\DRIVERS\HSF_CNXT.sys
    0xF88C6000 \SystemRoot\System32\Drivers\Modem.SYS
    0xF8746000 \SystemRoot\system32\DRIVERS\usbhub.sys
    0xF8A02000 \SystemRoot\System32\Drivers\i2omgmt.SYS
    0xF8A68000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
    0xF8C26000 \SystemRoot\System32\Drivers\Null.SYS
    0xF8A6A000 \SystemRoot\System32\Drivers\Beep.SYS
    0xF88D6000 \SystemRoot\system32\drivers\ssrtln.sys
    0xF88DE000 \SystemRoot\System32\drivers\vga.sys
    0xF8A6C000 \SystemRoot\System32\Drivers\mnmdd.SYS
    0xF8A6E000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
    0xF88E6000 \SystemRoot\System32\Drivers\Msfs.SYS
    0xF88EE000 \SystemRoot\System32\Drivers\Npfs.SYS
    0xF8A06000 \SystemRoot\system32\DRIVERS\rasacd.sys
    0xF2C22000 \SystemRoot\system32\DRIVERS\ipsec.sys
    0xF2BC9000 \SystemRoot\system32\DRIVERS\tcpip.sys
    0xF8756000 \SystemRoot\System32\Drivers\aswTdi.SYS
    0xF2BA3000 \SystemRoot\system32\DRIVERS\ipnat.sys
    0xF2B7B000 \SystemRoot\system32\DRIVERS\netbt.sys
    0xF2AFA000 \SystemRoot\System32\vsdatant.sys
    0xF2AD8000 \SystemRoot\System32\drivers\afd.sys
    0xF8766000 \SystemRoot\system32\DRIVERS\netbios.sys
    0xF8786000 \SystemRoot\System32\Drivers\SCDEmu.SYS
    0xF0E9C000 \??\D:\SuperAntiSpyWare\SASKUTIL.SYS
    0xF2AB4000 \SystemRoot\system32\DRIVERS\hidusb.sys
    0xF85E6000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
    0xF8916000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
    0xF85F6000 \SystemRoot\system32\DRIVERS\wanarp.sys
    0xF891E000 \??\D:\SuperAntiSpyWare\SASDIFSV.SYS
    0xF0E71000 \SystemRoot\system32\DRIVERS\rdbss.sys
    0xF0E01000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
    0xF8606000 \SystemRoot\System32\Drivers\Fips.SYS
    0xF2AA4000 \SystemRoot\system32\DRIVERS\mouhid.sys
    0xF0DDA000 \SystemRoot\System32\Drivers\aswSP.SYS
    0xF2AA0000 \SystemRoot\System32\Drivers\ASPI32.SYS
    0xF2A9C000 \SystemRoot\SYSTEM32\DRIVERS\APPDRV.SYS
    0xF892E000 \SystemRoot\System32\Drivers\Aavmker4.SYS
    0xF8626000 \SystemRoot\System32\Drivers\Cdfs.SYS
    0xF0D9A000 \SystemRoot\System32\Drivers\dump_atapi.sys
    0xF8AD2000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
    0xBF800000 \SystemRoot\System32\win32k.sys
    0xF2C45000 \SystemRoot\System32\drivers\Dxapi.sys
    0xF87BE000 \SystemRoot\System32\watchdog.sys
    0xBF000000 \SystemRoot\System32\drivers\dxg.sys
    0xF8BCD000 \SystemRoot\System32\drivers\dxgthk.sys
    0xBF012000 \SystemRoot\System32\ati2dvag.dll
    0xBF055000 \SystemRoot\System32\ati2cqag.dll
    0xBF09A000 \SystemRoot\System32\atikvmag.dll
    0xBF0DC000 \SystemRoot\System32\ati3duag.dll
    0xBF37D000 \SystemRoot\System32\ativvaxx.dll
    0xBFFA0000 \SystemRoot\System32\ATMFD.DLL
    0xF2C3D000 \SystemRoot\System32\Drivers\aswFsBlk.SYS
    0xF0EFE000 \SystemRoot\system32\drivers\drvnddm.sys
    0xF8C22000 \SystemRoot\system32\dla\tfsndres.sys
    0xEEC44000 \SystemRoot\system32\dla\tfsnifs.sys
    0xEECCE000 \SystemRoot\system32\dla\tfsnopio.sys
    0xF8A5A000 \SystemRoot\system32\dla\tfsnpool.sys
    0xF87F6000 \SystemRoot\system32\dla\tfsnboio.sys
    0xF0EEE000 \SystemRoot\system32\dla\tfsncofs.sys
    0xF8BF5000 \SystemRoot\system32\dla\tfsndrct.sys
    0xEEC2B000 \SystemRoot\system32\dla\tfsnudf.sys
    0xEEC12000 \SystemRoot\system32\dla\tfsnudfa.sys
    0xEEC72000 \SystemRoot\system32\DRIVERS\ndisuio.sys
    0xEE7C3000 \SystemRoot\System32\Drivers\aswMon2.SYS
    0xEE5F6000 \SystemRoot\system32\drivers\wdmaud.sys
    0xEE81A000 \SystemRoot\system32\drivers\sysaudio.sys
    0xEE57B000 \SystemRoot\system32\DRIVERS\mrxdav.sys
    0xEE44A000 \SystemRoot\System32\Drivers\HTTP.sys
    0xEE303000 \SystemRoot\system32\DRIVERS\srv.sys
    0xEE497000 \SystemRoot\system32\DRIVERS\mdmxsdk.sys
    0xEE6B3000 \SystemRoot\system32\DRIVERS\secdrv.sys
    0xF87FE000 \SystemRoot\System32\Drivers\aswRdr.SYS
    0xF8AB2000 \??\C:\WINDOWS\system32\Drivers\PROCEXP113.SYS
    0xF8866000 \??\C:\DOCUME~1\KEVINB~1\LOCALS~1\Temp\catchme.sys
    0xF884E000 \??\C:\DOCUME~1\KEVINB~1\LOCALS~1\Temp\mbr.sys
    0x7C900000 \WINDOWS\system32\ntdll.dll

    Processes (total 49):
    0 System Idle Process
    4 System
    892 C:\WINDOWS\system32\smss.exe
    948 csrss.exe
    984 C:\WINDOWS\system32\winlogon.exe
    1028 C:\WINDOWS\system32\services.exe
    1040 C:\WINDOWS\system32\lsass.exe
    1236 C:\WINDOWS\system32\ati2evxx.exe
    1252 C:\WINDOWS\system32\svchost.exe
    1336 svchost.exe
    1480 C:\WINDOWS\system32\svchost.exe
    1632 svchost.exe
    1708 svchost.exe
    1760 C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    288 C:\WINDOWS\system32\ati2evxx.exe
    1276 C:\WINDOWS\system32\BCMWLTRY.EXE
    1416 C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
    2028 C:\WINDOWS\system32\spoolsv.exe
    1172 svchost.exe
    1112 D:\Adobe Photoshop Elements 8\Elements Organizer 8.0\PhotoshopElementsFileAgent.exe
    1560 C:\Program Files\Bonjour\mDNSResponder.exe
    1592 C:\WINDOWS\system32\svchost.exe
    1908 C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
    2200 C:\Program Files\Java\jre6\bin\jqs.exe
    2216 C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    2268 C:\Program Files\Dell\QuickSet\NicConfigSvc.exe
    2372 C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
    2616 svchost.exe
    2652 C:\WINDOWS\system32\svchost.exe
    2744 C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
    2812 mcrdsvc.exe
    3740 wmiprvse.exe
    3840 alg.exe
    2336 C:\WINDOWS\ehome\ehtray.exe
    2388 C:\WINDOWS\stsystra.exe
    2456 C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
    2528 C:\WINDOWS\system32\dla\tfswctrl.exe
    2700 C:\Program Files\Java\jre6\bin\jusched.exe
    2452 D:\Acrobat 9.0\Acrobat\acrotray.exe
    2824 C:\PROGRA~1\ALWILS~1\Avast5\AvastUI.exe
    3200 C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    3352 C:\Program Files\TomTom HOME 2\TomTomHOMERunner.exe
    1840 C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
    3908 C:\WINDOWS\system32\notepad.exe
    3844 C:\WINDOWS\explorer.exe
    268 C:\Program Files\Mozilla Firefox\firefox.exe
    1672 C:\Program Files\Mozilla Firefox\plugin-container.exe
    2960 C:\Program Files\Common Files\Corel\Standby\Standby.exe
    724 C:\Documents and Settings\Kevin Bento\Desktop\MBRCheck.exe

    \\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`02f10c00 (NTFS)
    \\.\D: --> \\.\PhysicalDrive0 at offset 0x00000013`cdd44a00 (NTFS)

    PhysicalDrive0 Model Number: SAMSUNGHM120JI, Rev: YF100-15

    Size Device Name MBR Status
    --------------------------------------------
    110 GB \\.\PhysicalDrive0 Windows XP MBR code detected
    SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A


    Done!
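As an added triage example (not from the thread, and not part of MBRCheck), the Python below parses driver-list lines in the layout shown above and flags entries loaded from outside the normal Windows directories, such as a user's Temp folder, or a .sys image sitting at a user-mode address. In this log the two Temp-loaded drivers are, judging by their file names, the temporary drivers of the anti-rootkit scanners the poster had just run (an assumption; Broni's reply below treats the log as clean), which is exactly why a flagged line is a prompt for a human look rather than a verdict.

```python
import re

# Constructed sample in the MBRCheck "Kernel Drivers" layout seen in the posted
# log (load address, then image path). The paths are copied from that log; the
# block itself is an added triage example, not part of MBRCheck or the thread.
SAMPLE_DRIVERS = """\
0xF829D000 Ntfs.sys
0xF8646000 \\SystemRoot\\system32\\DRIVERS\\intelppm.sys
0xF0E9C000 \\??\\D:\\SuperAntiSpyWare\\SASKUTIL.SYS
0xF8866000 \\??\\C:\\DOCUME~1\\KEVINB~1\\LOCALS~1\\Temp\\catchme.sys
0xF884E000 \\??\\C:\\DOCUME~1\\KEVINB~1\\LOCALS~1\\Temp\\mbr.sys
0x7C900000 \\WINDOWS\\system32\\ntdll.dll
"""

DRIVER_LINE = re.compile(r"^\s*0x([0-9A-Fa-f]{8})\s+(\S.*?)\s*$")

# On 32-bit XP with the default 2 GB/2 GB split, kernel images load at or above
# 0x80000000 (0xC0000000 when /3GB is in use). Anything lower is user mode.
KERNEL_BASE = 0x80000000

# Directories a kernel driver is normally loaded from (matched case-insensitively).
EXPECTED_DIRS = ("\\system32\\drivers\\", "\\system32\\", "\\windows\\")
# Locations that warrant a second look: writable by a normal user and used by
# droppers, but also by legitimate scan tools that drop a temporary driver.
SUSPICIOUS_DIRS = ("\\temp\\", "\\docume~1\\", "\\documents and settings\\",
                   "\\users\\", "\\appdata\\")


def parse_driver_line(line):
    """Return (base_address, image_path) for a driver-list line, else None."""
    m = DRIVER_LINE.match(line)
    if not m:
        return None
    return int(m.group(1), 16), m.group(2)


def normalize_path(path):
    """Lower-case the path and strip the \\??\\ NT object-manager prefix."""
    p = path.lower()
    return p[4:] if p.startswith("\\??\\") else p


def classify_driver(path):
    """Return (verdict, reason); verdict is 'expected', 'review' or 'no_path'."""
    p = normalize_path(path)
    if "\\" not in p:
        # Boot-start drivers are listed by bare file name; nothing to judge here.
        return "no_path", "listed without a directory"
    if any(d in p for d in SUSPICIOUS_DIRS):
        return "review", "loaded from a user-writable profile or Temp directory"
    if any(d in p for d in EXPECTED_DIRS):
        return "expected", "standard Windows driver location"
    return "review", "loaded from outside the Windows directories"


def triage_drivers(text):
    """Return [(path, reason)] for every listed driver a reviewer should look at."""
    findings = []
    for line in text.splitlines():
        parsed = parse_driver_line(line)
        if parsed is None:
            continue
        base, path = parsed
        verdict, reason = classify_driver(path)
        if verdict == "review":
            findings.append((path, reason))
        elif base < KERNEL_BASE and path.lower().endswith(".sys"):
            # A .sys image at a user-mode address is not a normally loaded driver.
            findings.append((path, "kernel driver at a user-mode address"))
    return findings


if __name__ == "__main__":
    for path, reason in triage_drivers(SAMPLE_DRIVERS):
        print(f"REVIEW  {path}\n        {reason}")
```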
     
  9. Broni

    Broni Malware Annihilator Posts: 47,719   +268

    Looks good :)

    How is the computer doing at the moment?

    My bed time is coming, so I'll leave you with some homework :)

    Download OTL to your Desktop.

    • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
    • Under the Custom Scan box paste this in:


    netsvcs
    drivers32
    %SYSTEMDRIVE%\*.*
    %systemroot%\Fonts\*.com
    %systemroot%\Fonts\*.dll
    %systemroot%\Fonts\*.ini
    %systemroot%\Fonts\*.ini2
    %systemroot%\Fonts\*.exe
    %systemroot%\system32\spool\prtprocs\w32x86\*.*
    %systemroot%\REPAIR\*.bak1
    %systemroot%\REPAIR\*.ini
    %systemroot%\system32\*.jpg
    %systemroot%\*.jpg
    %systemroot%\*.png
    %systemroot%\*.scr
    %systemroot%\*._sy
    %APPDATA%\Adobe\Update\*.*
    %ALLUSERSPROFILE%\Favorites\*.*
    %APPDATA%\Microsoft\*.*
    %PROGRAMFILES%\*.*
    %APPDATA%\Update\*.*
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    %systemroot%\System32\config\*.sav
    %PROGRAMFILES%\bak. /s
    %systemroot%\system32\bak. /s
    %ALLUSERSPROFILE%\Start Menu\*.lnk /x
    %systemroot%\system32\config\systemprofile\*.dat /x
    %systemroot%\*.config
    %systemroot%\system32\*.db
    %APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x
    %USERPROFILE%\Desktop\*.exe
    %PROGRAMFILES%\Common Files\*.*
    %systemroot%\*.src
    %systemroot%\install\*.*
    %systemroot%\system32\DLL\*.*
    %systemroot%\system32\HelpFiles\*.*
    %systemroot%\system32\rundll\*.*
    %systemroot%\winn32\*.*
    %systemroot%\Java\*.*
    %systemroot%\system32\test\*.*
    %systemroot%\system32\Rundll32\*.*
    %systemroot%\AppPatch\Custom\*.*
    %APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x
    %PROGRAMFILES%\PC-Doctor\Downloads\*.*
    %PROGRAMFILES%\Internet Explorer\*.tmp
    %PROGRAMFILES%\Internet Explorer\*.dat
    %USERPROFILE%\My Documents\*.exe
    %USERPROFILE%\*.exe
    %systemroot%\ADDINS\*.*
    %systemroot%\assembly\*.bak2
    %systemroot%\Config\*.*
    %systemroot%\REPAIR\*.bak2
    %systemroot%\SECURITY\Database\*.sdb /x
    %systemroot%\SYSTEM\*.bak2
    %systemroot%\Web\*.bak2
    %systemroot%\Driver Cache\*.*
    %PROGRAMFILES%\Mozilla Firefox\0*.exe
    %ProgramFiles%\Microsoft Common\*.*
    %ProgramFiles%\TinyProxy.
    %USERPROFILE%\Favorites\*.url /x
    %systemroot%\system32\*.bk
    %systemroot%\*.te
    %systemroot%\system32\system32\*.*
    %ALLUSERSPROFILE%\*.dat /x
    %systemroot%\system32\drivers\*.rmv
    dir /b "%systemroot%\system32\*.exe" | find /i " " /c
    dir /b "%systemroot%\*.exe" | find /i " " /c
    %PROGRAMFILES%\Microsoft\*.*
    %systemroot%\System32\Wbem\proquota.exe
    %PROGRAMFILES%\Mozilla Firefox\*.dat
    %USERPROFILE%\Cookies\*.txt /x
    %SystemRoot%\system32\fonts\*.*
    %systemroot%\system32\winlog\*.*
    %systemroot%\system32\Language\*.*
    %systemroot%\system32\Settings\*.*
    %systemroot%\system32\*.quo
    %SYSTEMROOT%\AppPatch\*.exe
    %SYSTEMROOT%\inf\*.exe
    %SYSTEMROOT%\Installer\*.exe
    %systemroot%\system32\config\*.bak2
    %systemroot%\system32\Computers\*.*
    %SystemRoot%\system32\Sound\*.*
    %SystemRoot%\system32\SpecialImg\*.*
    %SystemRoot%\system32\code\*.*
    %SystemRoot%\system32\draft\*.*
    %SystemRoot%\system32\MSSSys\*.*
    %ProgramFiles%\Javascript\*.*
    %systemroot%\pchealth\helpctr\System\*.exe /s
    %systemroot%\Web\*.exe
    %systemroot%\system32\msn\*.*
    %systemroot%\system32\*.tro
    %AppData%\Microsoft\Installer\msupdates\*.*
    %ProgramFiles%\Messenger\*.*
    %systemroot%\system32\systhem32\*.*
    %systemroot%\system\*.exe
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
    /md5start
    /md5stop


    • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
     
  10. bnttwnbnt

    bnttwnbnt TS Rookie Topic Starter

    Broni,

    My computer is already running 1000 times smoother so far. Thanks! :)

    OTL.txt and Extras.txt are too large and exceed the character limit for replies. Hope you don't mind if I attach them instead.

    Looking forward to your further expertise!
     


  11. Broni

    Broni Malware Annihilator Posts: 47,719   +268

    I'm glad to hear very good news :)

    Your computer would greatly benefit from installing another 512MB of RAM.

    You're running dangerously low on C drive free space:
    Your computer may not boot anymore one morning.
    It's high time to start moving some stuff out.

    =======================================================================

    Update your Java version here: http://www.java.com/en/download/installed.jsp

    Note 1: UNCHECK any pre-checked toolbar and/or software offered with the Java update. The pre-checked toolbars/software are not part of the Java update.

    Note 2: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. If you don't want to run another extra service, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click OK and restart your computer.

    Now, we need to remove the old Java version and its remnants...

    Download JavaRa to your desktop and unzip it to its own folder
    • Run JavaRa.exe (Vista users! Right click on JavaRa.exe, click Run As Administrator), pick the language of your choice and click Select. Then click Remove Older Versions.
    • Accept any prompts.

    =========================================================================

    Run OTL
    • Under the Custom Scans/Fixes box at the bottom, paste in the following

      Code:
      :OTL
      O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab (Reg Error: Key error.)
      [2010/03/14 17:32:27 | 000,000,088 | RHS- | C] () -- C:\Documents and Settings\All Users\Application Data\AED75B494C.sys
      [2006/10/14 00:08:45 | 000,000,088 | RHS- | C] () -- C:\WINDOWS\System32\406232B632.sys
      [2010/10/12 23:57:45 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Viewpoint
      [2010/10/12 23:57:45 | 000,000,000 | ---D | M] -- C:\Documents and Settings\Kevin Bento\Application Data\Viewpoint
      @Alternate Data Stream - 127 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:4B7BEAFF
      
      
      :Services
      
      :Reg
      [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]
      "DisableMonitoring" =-
      
      :Files
      
      :Commands
      [purity]
      [emptytemp]
      [emptyflash]
      [Reboot]
      
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • You will get a log that shows the results of the fix. Please post it.

    =====================================================================

    Last scans....

    1. Download Security Check from HERE, and save it to your Desktop.
    • Double-click SecurityCheck.exe
    • Follow the onscreen instructions inside of the black box.
    • A Notepad document should open automatically called checkup.txt; please post the contents of that document.


    2. Download Temp File Cleaner (TFC)
    • Double click on TFC.exe to run the program.
    • Click on Start button to begin cleaning process.
    • TFC will close all running programs, and it may ask you to restart computer.


    3. Please run a free online scan with the ESET Online Scanner

    • Disable your antivirus program
    • Tick the box next to YES, I accept the Terms of Use
    • Click Start
    • IMPORTANT! UN-check Remove found threats
    • Accept any security warnings from your browser.
    • Check Scan archives
    • Click Start
    • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
    • When the scan completes, push List of found threats
    • Click on Export to text file , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
    • NOTE: If Eset doesn't find any threats, it won't produce any log.
     
     
  12. bnttwnbnt

    bnttwnbnt TS Rookie Topic Starter

    Broni,

    Thanks for the computer advice. I am going to free up more space on my hard drive, as I have an external drive that I can use. My iTunes and Music Library is taking up A LOT of space. I have to see what I can do.

    I will also research the best places to purchase and the prices on 512 MB RAM.

    I installed Java as you asked.

    I also ran OTL as you asked. I have attached the log. It is the first attachment.

    Attached also is the Security Check log. It is the second attachment

    I ran TFC with success and rebooted my computer

    I then ran ESET. I didn't quite follow the instructions after the scan was done. It seemed to produce a log even though I didn't push "list of threats found" and "export to text file". I have attached the aforementioned log as attachment 3.

    If any of the above scans need to be redone, please let me know. I will be glad to scan in again for the sake of fixing my computer and your expert advice!

    Thanks as always and looking forward to next steps later on tonight (I have access to this computer again tonight around 11 pm ET).
     


  13. Broni

    Broni Malware Annihilator Posts: 47,719   +268

    All files found by Eset will be removed in our next, last step.....

    Your computer is clean

    1. We need to reset system restore to prevent your computer from being accidentally reinfected by using some old restore point(s). We'll create a fresh, clean restore point using the following OTL script:

    Run OTL

    • Under the Custom Scans/Fixes box at the bottom, paste in the following:

    Code:
    :OTL
    :Commands
    [purity]
    [emptytemp]
    [EMPTYFLASH]
    [CLEARALLRESTOREPOINTS]
    [Reboot]
    • Then click the Run Fix button at the top
    • Let the program run unhindered, reboot the PC when it is done
    • Post resulting log.

    2. Now we'll remove all the tools we used during our cleaning process

    Clean up with OTL:

    • Double-click OTL.exe to start the program.
    • Close all other programs apart from OTL as this step will require a reboot
    • On the OTL main screen, press the CLEANUP button
    • Say Yes to the prompt and then allow the program to reboot your computer.

    If you still have any tools or logs leftover on your computer you can go ahead and delete those off of your computer now.

    3. Make sure Windows Updates are current.

    4. If any Trojan was listed among your infection(s), make sure you change all of your important on-line passwords (bank account(s), secured web sites, etc.) immediately!

    5. Download, and install WOT (Web OF Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

    6. Run Malwarebytes "Quick scan" once in a while to ensure the safety of your computer.

    7. Run Temporary File Cleaner (TFC) weekly.

    8. Download and install Secunia Personal Software Inspector (PSI): http://secunia.com/vulnerability_scanning/personal/. The Secunia PSI is a FREE security tool designed to detect vulnerable and out-dated programs and plug-ins which expose your PC to attacks. Run it weekly.

    9. (optional) If you want to keep all your programs up to date, download and install FileHippo Update Checker.
    The Update Checker will scan your computer for installed software, check the versions and then send this information to FileHippo.com to see if there are any newer releases.

    10. Run defrag at your convenience.

    11. Read How did I get infected?, With steps so it does not happen again!: http://www.bleepingcomputer.com/forums/topic2520.html

    12. Please let me know how your computer is doing.
     
  14. bnttwnbnt

    bnttwnbnt TS Rookie Topic Starter

    Hi Broni,

    Looks like we are coming close to the end!

    I took your advice and downloaded all the programs you recommended. I allowed PSI to update all my programs.

    I wanted to run the ESET Virus scanner again and follow your directions this time (I had to rush through the ESET steps the last time). ESET found one threat still however. I attached the log of the scan as attachment 1.

    I then ran a quick scan of Malware Bytes. It found no threats. I posted the log of the scan as attachment 2.

    I would like to know why there was something found for ESET but not for Malware Bytes. Could it be that ESET picked a random file on my computer and called it a threat even though it was not? I know some anti-virus/malware programs do this to encourage a user to upgrade to the registered version.

    I am also wondering why you don't recommend that a program like ESET remove the threats it finds, rather you'd want someone to remove via OTL. Should I follow this procedure every time ESET or Malware Bytes finds a threat?

    You don't seem to recommend ESET to use on a regular basis in your last post. Should I get rid of it?

    For attachment 3, I provided the log for the OTL Custom Scan Fix as you requested in your last reply.

    Please review all the attached along with the questions to provide your expertise.

    Finally, as mentioned, my computer runs great now. Start up is a bit slow, but I'd hope that once I free up more C:\ space, I'll do better. One thing I notice on startup is a small window that opens up and closes very quickly to the point where I can't even read what it says (if it says anything at all). I'm wondering if you have any idea?

    I would like to once again say THANK YOU for providing your expertise and time to help me. My life is on my computer. And you saved my computer. So does that mean you saved my life? Pretty much! ;) This will not go overlooked. I promise you.

    Looking forward to hearing from you further.
     


  15. Broni

    Broni Malware Annihilator Posts: 47,719   +268

    You're welcome and I'm glad to see you and your computer happy.

    There is a reason why we run different scans.
    No single tool is perfect. Something missed by one will be found by another tool.
    Keygens will trigger many programs, even if the file is perfectly clean. A keygen's structure may simply match some malicious file patterns.
    Whenever in doubt, there are a couple of places where you can upload a suspicious file for a security check:
    http://www.virustotal.com/
    http://virusscan.jotti.org/en-gb

    Scanners make mistakes (false positives) and since this is not my computer, but yours, I want to make sure no important file is about to be removed. Just feeling responsible for your computer :)
    You can keep Eset and run it, if you wish to.
    Just... if in any doubt about some finding... we're around here to help :)

    Good luck and stay safe :)
     
Topic Status:
Not open for further replies.

