Boot sector virus : mbr:// physicaldrive0

By amb913
Jun 14, 2011
  1. Hi all! I have been reading up on this virus, and actually had someone come over who knows a lot about computers to try and get rid of it. I have been told I probably need to reformat the hard drive, or reinstall Windows XP. I was wondering if there is a way to get rid of this virus without reformatting or reinstalling the OS? I have the free version of avast and it catches the virus, but since it's in the boot sector, it won't delete it, since it just shows back up when I go to reboot. Grrr.

    I don't know if this is a bootkit virus or a rootkit, and is there a difference?
  2. Bobbye

    Welcome to TechSpot! Before I attempt to help you, I need some information that will show me what is in the system. You don't mention what your problems are though and knowing that would be very helpful.

    Please follow the steps in the Preliminary Virus and Malware Removal thread HERE.

    NOTE: If you already have any of the scanning programs on the computer, please remove them and download the versions in these links.

    When you have finished, leave the logs for review in your next reply .
    NOTE: Logs must be pasted in the replies. Attached logs will not be reviewed.

    Please do not use any other cleaning programs or scans while I'm helping you, unless I direct you to. Do not use a Registry cleaner or make any changes in the Registry.
    =====================================
    My Guidelines: please read and follow:
    • Be patient. Malware cleaning takes time and I am also working with other members while I am helping you.
    • Read my instructions carefully. If you don't understand or have a problem, ask me.
    • Follow the order of the tasks I give you. Order is crucial in cleaning process.
    • File sharing programs should be uninstalled or disabled during the cleaning process.
    • Observe these:
      [o] Don't use any other cleaning programs or scans while I'm helping you.
      [o] Don't use a Registry cleaner or make any changes in the Registry.
      [o] Don't download and install new programs- except those I give you.
    • Reminder to be patient
    If I have not replied for 2 days, you can send me a PM reminder. Include the URL of your thread. Please do not send me a PM to tell me your logs are up.
    If I don't get a reply from you in 5 days, the thread will be closed. If your problem persists, you can send a PM to reopen it.
    =====================================
  3. amb913

    Thanks for the reply. The problem I am having is this: my computer will start up fine, but after being on for about 10 minutes it slows to the point that it freezes up and I have to restart it. I use MagicJack for my phone, so I have to restart my computer every half hour or so, and it gets really annoying. If I open the Task Manager when it starts getting slow, I see a svchost.exe process is always taking up at least 80% CPU and at least 300,000K mem usage. If I end the process, it speeds back up, but I lose my Win XP skins and volume for some programs. I don't know a lot about computers, so please be patient with me. Also, I HAVE to be able to use my computer in order to receive and make phone calls, so it's important that I can still get online during the cleaning process. Is that going to be a problem? I am going to install the programs mentioned in your post and paste the results in a reply ASAP. Thanks again.
  4. Bobbye

    Take your time. Read the instructions carefully. Run the scans as directed. Post when ready.
  5. amb913

    Here is the report from Malwarebytes:

    Malwarebytes' Anti-Malware 1.51.0.1200
    www.malwarebytes.org

    Database version: 6858

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702

    6/14/2011 4:13:25 PM
    mbam-log-2011-06-14 (16-13-25).txt

    Scan type: Quick scan
    Objects scanned: 252920
    Time elapsed: 39 minute(s), 29 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 16
    Registry Values Infected: 3
    Registry Data Items Infected: 0
    Folders Infected: 12
    Files Infected: 17

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_CLASSES_ROOT\CLSID\{96AFBE69-C3B0-4b00-8578-D933D2896EE2} (TrojanProxy.Agent) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{0ED403E8-470A-4A8A-85A4-D7688CFE39A3} (Adware.Gamevance) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{0ED403E8-470A-4A8A-85A4-D7688CFE39A3} (Adware.Gamevance) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{258C9770-1713-4021-8D7E-1F184A2BD754} (Adware.ShoppingReport2) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{258C9770-1713-4021-8D7E-1F184A2BD754} (Adware.ShoppingReport2) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{F02FABCB-92DD-475A-98AF-14217BD50746} (Adware.Gamevance) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{F02FABCB-92DD-475A-98AF-14217BD50746} (Adware.Gamevance) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{BDEA95CF-F0E6-41E0-BD3D-B00F39A4E939} (Adware.ShoppingReport2) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{BEAC7DC8-E106-4C6A-931E-5A42E7362883} (Adware.GameVance) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{DB38E21A-0133-419D-92AD-ECDFD5244D6D} (Adware.ShoppingReport2) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{EB620C54-E229-4942-87CE-E717109FC8C6} (Adware.ShoppingReport2) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A078F691-9C07-4AF2-BF43-35E79EECF8B7} (Adware.Softomate) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\sp (TrojanProxy.Agent) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\Software\AppDataLow\gvtl (Adware.GameVance) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\sp (TrojanProxy.Agent) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SPService (TrojanProxy.Agent) -> Quarantined and deleted successfully.

    Registry Values Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{96AFBE69-C3B0-4B00-8578-D933D2896EE2} (TrojanProxy.Agent) -> Value: {96AFBE69-C3B0-4B00-8578-D933D2896EE2} -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{96AFBE69-C3B0-4b00-8578-D933D2896EE2} (TrojanProxy.Agent) -> Value: {96AFBE69-C3B0-4b00-8578-D933D2896EE2} -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\netsvc (TrojanProxy.Agent) -> Value: netsvc -> Quarantined and deleted successfully.

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    c:\documents and settings\new\application data\shoppingreport2 (Adware.ShoppingReport2) -> Quarantined and deleted successfully.
    c:\documents and settings\new\application data\shoppingreport2\cs (Adware.ShoppingReport2) -> Quarantined and deleted successfully.
    c:\documents and settings\new\application data\shoppingreport2\cs\db (Adware.ShoppingReport2) -> Quarantined and deleted successfully.
    c:\documents and settings\new\application data\shoppingreport2\cs\dwld (Adware.ShoppingReport2) -> Quarantined and deleted successfully.
    c:\documents and settings\new\application data\shoppingreport2\cs\report (Adware.ShoppingReport2) -> Quarantined and deleted successfully.
    c:\documents and settings\new\application data\shoppingreport2\cs\res1 (Adware.ShoppingReport2) -> Quarantined and deleted successfully.
    c:\documents and settings\new\application data\Mozilla\extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\textlinks@gamevance.com (Adware.GamesVance) -> Quarantined and deleted successfully.
    c:\documents and settings\new\application data\Mozilla\extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\textlinks@gamevance.com\chrome (Adware.GamesVance) -> Quarantined and deleted successfully.
    c:\documents and settings\new\application data\Mozilla\extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\textlinks@gamevance.com\components (Adware.GamesVance) -> Quarantined and deleted successfully.
    c:\documents and settings\new\application data\Mozilla\extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\textlinks@playsushi.com (PUP.PlaySushi) -> Not selected for removal.
    c:\documents and settings\new\application data\Mozilla\extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\textlinks@playsushi.com\chrome (PUP.PlaySushi) -> Not selected for removal.
    c:\documents and settings\new\application data\Mozilla\extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\textlinks@playsushi.com\components (PUP.PlaySushi) -> Not selected for removal.

    Files Infected:
    c:\WINDOWS\system32\winset.ini (Malware.Trace) -> Quarantined and deleted successfully.
    c:\documents and settings\new\application data\shoppingreport2\cs\Config.xml (Adware.ShoppingReport2) -> Quarantined and deleted successfully.
    c:\documents and settings\new\application data\shoppingreport2\cs\db\Aliases.dbs (Adware.ShoppingReport2) -> Quarantined and deleted successfully.
    c:\documents and settings\new\application data\shoppingreport2\cs\db\Sites.dbs (Adware.ShoppingReport2) -> Quarantined and deleted successfully.
    c:\documents and settings\new\application data\shoppingreport2\cs\dwld\whitelist.xip (Adware.ShoppingReport2) -> Quarantined and deleted successfully.
    c:\documents and settings\new\application data\shoppingreport2\cs\report\aggr_storage.xml (Adware.ShoppingReport2) -> Quarantined and deleted successfully.
    c:\documents and settings\new\application data\shoppingreport2\cs\report\send_storage.xml (Adware.ShoppingReport2) -> Quarantined and deleted successfully.
    c:\documents and settings\new\application data\shoppingreport2\cs\res1\whitelist.dbs (Adware.ShoppingReport2) -> Quarantined and deleted successfully.
    c:\documents and settings\new\application data\Mozilla\extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\textlinks@gamevance.com\chrome.manifest (Adware.GamesVance) -> Quarantined and deleted successfully.
    c:\documents and settings\new\application data\Mozilla\extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\textlinks@gamevance.com\install.rdf (Adware.GamesVance) -> Quarantined and deleted successfully.
    c:\documents and settings\new\application data\Mozilla\extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\textlinks@gamevance.com\chrome\gvtextlinks.jar (Adware.GamesVance) -> Quarantined and deleted successfully.
    c:\documents and settings\new\application data\Mozilla\extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\textlinks@gamevance.com\components\gvtlf.xpt (Adware.GamesVance) -> Quarantined and deleted successfully.
    c:\documents and settings\new\application data\Mozilla\extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\textlinks@playsushi.com\chrome.manifest (PUP.PlaySushi) -> Not selected for removal.
    c:\documents and settings\new\application data\Mozilla\extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\textlinks@playsushi.com\install.rdf (PUP.PlaySushi) -> Not selected for removal.
    c:\documents and settings\new\application data\Mozilla\extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\textlinks@playsushi.com\chrome\pstextlinks.jar (PUP.PlaySushi) -> Not selected for removal.
    c:\documents and settings\new\application data\Mozilla\extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\textlinks@playsushi.com\components\playsushiff.dll (PUP.PlaySushi) -> Not selected for removal.
    c:\documents and settings\new\application data\Mozilla\extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\textlinks@playsushi.com\components\playsushiff.xpt (PUP.PlaySushi) -> Not selected for removal.
  6. amb913

    GMER log

    GMER 1.0.15.15640 - http://www.gmer.net
    Rootkit quick scan 2011-06-14 16:37:02
    Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP3T0L0-7 ST3120026AS rev.3.18
    Running: j1477u75.exe; Driver: C:\DOCUME~1\Ann\LOCALS~1\Temp\agxdykoc.sys


    ---- Disk sectors - GMER 1.0.15 ----

    Disk \Device\Harddisk0\DR0 TDL4@MBR code has been found <-- ROOTKIT !!!
    Disk \Device\Harddisk0\DR0 sector 00: rootkit-like behavior

    ---- System - GMER 1.0.15 ----

    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwEnumerateKey [0xB4B99BF2]
    SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwEnumerateValueKey [0xB4B99A5D]

    Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateProcessEx [0xB4BF1902]
    Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObInsertObject
    Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObMakeTemporaryObject

    ---- Devices - GMER 1.0.15 ----

    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort0 8A58C53B
    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort1 8A58C53B
    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort2 8A58C53B
    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort3 8A58C53B
    Device \FileSystem\Ntfs \Ntfs aswSP.SYS (avast! self protection module/AVAST Software)

    AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/AVAST Software)
    AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
    AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
    AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
    AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)

    ---- EOF - GMER 1.0.15 ----
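An added example, not part of the thread and not code from GMER, avast or Malwarebytes: a small Python script that reads the first sector of a disk and checks it the way the GMER result above suggests. The partition table at offset 0x1BE has to stay usable or Windows would no longer boot, so an MBR bootkit replaces the code region in front of it. Hashing that region (bytes 0x000 to 0x1B7, leaving out the per-disk NT signature at 0x1B8) and comparing it with a hash taken from a known-clean machine running the same Windows release, or from the machine's own backup image, is the telling check, next to the 0x55AA signature and a sanity pass over the partition entries. The function names (read_sector0, parse_mbr, check_mbr, build_mbr) and the sample sectors are mine: the "clean" sample starts with the same instructions GMER disassembles in the log (XOR AX,AX; MOV SS,AX; MOV SP,0x7C00 ... REP MOVSB; RETF), padded with zeros, and the partition entry values are made up. One caveat matters for this thread: the log reports "user & kernel MBR OK" next to a DriverStartIo hook on \Driver\atapi, which is what a hooked disk stack produces, since the rootkit answers reads of sector 0 with the original MBR. Run a check like this from clean boot media, or with the disk attached to another machine, not from inside the infected Windows.

```python
r"""Parse a 512-byte MBR and flag signs of boot-code tampering.

Added example for the thread, not GMER/avast/DDS code. The sample sectors
below are constructed; the only part taken from the log is the XP boot-code
prologue that GMER disassembles. Run this from clean boot media: on a machine
with an active MBR rootkit, reads of sector 0 through the hooked disk stack
return the original, clean MBR.
"""
import hashlib
import struct

SECTOR_SIZE = 512
CODE_END = 0x1B8            # boot code proper; 0x1B8-0x1BB is the per-disk NT signature
TABLE_OFF = 0x1BE           # four 16-byte partition entries
BOOT_SIGNATURE = b"\x55\xAA"
ENTRY_FMT = "<B3sB3sII"     # status, CHS start, type, CHS end, LBA start, sector count


def read_sector0(device_path):
    r"""Read the first sector of a raw disk device.

    device_path is r"\\.\PhysicalDrive0" on Windows (run as administrator)
    or "/dev/sda" on Linux (run as root); any file works for testing.
    """
    with open(device_path, "rb") as fh:
        return fh.read(SECTOR_SIZE)


def parse_mbr(sector):
    """Split an MBR into code hash, disk signature, partition entries and 0x55AA status."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly %d bytes" % SECTOR_SIZE)
    partitions = []
    for index in range(4):
        status, _chs0, ptype, _chs1, lba, count = struct.unpack_from(
            ENTRY_FMT, sector, TABLE_OFF + 16 * index)
        if ptype != 0:      # type 0 marks an unused entry
            partitions.append({"index": index, "active": status == 0x80,
                               "type": ptype, "lba_start": lba, "sectors": count})
    return {
        "code_sha256": hashlib.sha256(sector[:CODE_END]).hexdigest(),
        "disk_signature": sector[CODE_END:CODE_END + 4].hex(),
        "partitions": partitions,
        "signature_ok": sector[510:512] == BOOT_SIGNATURE,
    }


def check_mbr(sector, known_good_code_sha256):
    """Return a list of findings; an empty list means nothing suspicious."""
    info = parse_mbr(sector)
    findings = []
    if not info["signature_ok"]:
        findings.append("missing 0x55AA boot signature")
    if info["code_sha256"] != known_good_code_sha256:
        findings.append("boot code differs from known-good image")
    if not any(p["active"] for p in info["partitions"]):
        findings.append("no active partition")
    # A bootkit keeps the table usable, so also sanity-check it for overlaps.
    ranges = sorted((p["lba_start"], p["lba_start"] + p["sectors"]) for p in info["partitions"])
    for (_s0, e0), (s1, _e1) in zip(ranges, ranges[1:]):
        if s1 < e0:
            findings.append("overlapping partition entries")
            break
    return findings


def build_mbr(boot_code, entries, disk_signature=b"\x00" * 4, signature=BOOT_SIGNATURE):
    """Assemble a sector from parts (test helper; real MBRs come from the disk)."""
    table = b"".join(struct.pack(ENTRY_FMT, *e) for e in entries).ljust(64, b"\x00")
    return boot_code.ljust(CODE_END, b"\x00") + disk_signature + b"\x00\x00" + table + signature


# Constructed samples. The prologue bytes encode the instructions GMER shows:
# XOR AX,AX; MOV SS,AX; MOV SP,7C00; STI; PUSH AX; POP ES; PUSH AX; POP DS; CLD;
# MOV SI,7C1B; MOV DI,061B; PUSH AX; PUSH DI; MOV CX,01E5; REP MOVSB; RETF
XP_PROLOGUE = bytes.fromhex("33C08ED0BC007CFB5007501FFCBE1B7CBF1B065057B9E501F3A4CB")
NTFS_ENTRY = (0x80, b"\x01\x01\x00", 0x07, b"\xFE\xFF\xFF", 63, 234436482)  # made-up geometry

CLEAN_MBR = build_mbr(XP_PROLOGUE, [NTFS_ENTRY], disk_signature=b"\x12\x34\x56\x78")
# Stand-in for a bootkit: same partition table, different code in front of it.
TAMPERED_MBR = build_mbr(b"\xEB\x10" + b"\x90" * 14 + XP_PROLOGUE, [NTFS_ENTRY],
                         disk_signature=b"\x12\x34\x56\x78")

# In practice take this hash from a clean machine with the same Windows release
# (or from a backup image); here it is derived from the constructed sample.
KNOWN_GOOD_CODE_SHA256 = parse_mbr(CLEAN_MBR)["code_sha256"]

if __name__ == "__main__":
    for name, sector in (("clean", CLEAN_MBR), ("tampered", TAMPERED_MBR)):
        print(name, check_mbr(sector, KNOWN_GOOD_CODE_SHA256) or "no findings")
```

To use it on a real disk, call check_mbr(read_sector0(r"\\.\PhysicalDrive0"), reference_hash) from an elevated prompt on a clean boot environment, where reference_hash is the code hash of a trusted MBR for the same Windows version; a differing hash on the partition-table-intact sector is the pattern the GMER log above describes.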
  7. amb913

    DDS txt

    Sorry, I submitted these separately. I was confused following the directions, but hopefully I did it right anyway. Here are the 2 logs from the DDS scan. I will wait for a reply from you before posting again.

    .
    DDS (Ver_2011-06-12.02) - NTFSx86
    Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_23
    Run by Ann at 17:04:04 on 2011-06-14
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1519.965 [GMT -5:00]
    .
    AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
    .
    ============== Running Processes ===============
    .
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
    svchost.exe
    svchost.exe
    C:\Program Files\AVAST Software\Avast\AvastSvc.exe
    C:\WINDOWS\system32\spoolsv.exe
    svchost.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
    C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\Program Files\StartNow Toolbar\ToolbarUpdaterService.exe
    C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
    C:\Program Files\Analog Devices\SoundMAX\smax4.exe
    C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
    C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\AVAST Software\Avast\avastUI.exe
    C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
    C:\Documents and Settings\All Users\SanDiskMediaManager-Launcher.EXE
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
    C:\WINDOWS\system32\rsvp.exe
    C:\Program Files\AVAST Software\Avast\setup\avast.setup
    C:\WINDOWS\system32\wscntfy.exe
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://www.google.com/
    mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
    uInternet Connection Wizard,ShellNext = hxxp://login.yahoo.com/config/reset_cookies_token?.token=VJWm1PelzYHMlI5yv1NSPzHQkgOC5HdfspxVvUQ4zdeJJbYP.3Sh0Q8TX4mMsgUnGiAjZ6Errot0R0R95qymTRe5SRC7aWqpLoWGla1XT8DZ1.p3Mlhrztg_GKeGExpdsHGx0lMEBNmaxv9n2hOwcf_Ll5J3Ml96ABq_mRMo_deyHw08CXiT0NYsXnxoboAyHw58Dg3WlFKCj4iNatL8B6ulFqmBd1C4j_X5InPz0wZh2w8mF5ILNoEEzrj3bjOhSnI6b4deybM8yWTYbtBTHdrC8BcpiZJLy5bYquPfT4WohE356mJ9xJS4BgoEFY41tDRWixTXjtwQ0KGm22Och60cIKrWG4CMJ9zpTzDq_Q36X2lJQvSEPCRfZcMWKDAbM1kWyW2KZUxyPea9uE7hzOZ77jO582Z0rdkAXtMZcd2NaRGWc8I-&.done=http%3A%2F%2Fus%2Erd%2Eyahoo%2Ecom%2Fmessenger%2Fclient%2F%3Fhttp%3A%2F%2Fmail%2Eyahoo%2Ecom%2F
    mSearchAssistant = hxxp://search.live.com/sphome.aspx
    uURLSearchHooks: N/A: {1c583e40-0629-4bb9-ab68-1cf539f2f782} - c:\program files\retrogamer_2z\bar\1.bin\2zSrcAs.dll
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
    BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
    BHO: StartNow Toolbar Helper: {6e13d095-45c3-4271-9475-f3b48227dd9f} - c:\program files\startnow toolbar\Toolbar32.dll
    BHO: {6ffed9d8-942f-4384-aa29-d3bd083a346a} - No File
    BHO: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: WhiteSmoke Toolbar: {e4709dfb-a47d-451c-957d-e78d25263cb8} - c:\program files\whitesmoketoolbar\vmntemplateX.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    TB: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll
    TB: StartNow Toolbar: {5911488e-9d1e-40ec-8cbb-06b231cc153f} - c:\program files\startnow toolbar\Toolbar32.dll
    TB: WhiteSmoke Toolbar: {e4709dfb-a47d-451c-957d-e78d25263cb8} - c:\program files\whitesmoketoolbar\vmntemplateX.dll
    TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
    TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
    TB: {30AA252E-B1DF-4AA2-9C5E-194C67A7C623} - No File
    TB: &Inbox Toolbar: {d7e97865-918f-41e4-9cd0-25ab1c574ce8} - c:\progra~1\inboxt~1\Inbox.dll
    uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\ahead\lib\NMBgMonitor.exe"
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRun: [Aim6]
    uRun: [ares] "c:\program files\ares\ares.exe" -h
    uRun: [cdloader] "c:\documents and settings\ann\application data\mjusbsp\cdloader2.exe" MAGICJACK
    mRun: [SoundMAXPnP] c:\program files\analog devices\soundmax\SMax4PNP.exe
    mRun: [SoundMAX] "c:\program files\analog devices\soundmax\smax4.exe" /tray
    mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
    mRun: [GhostStartTrayApp] c:\program files\symantec\norton ghost 2003\GhostStartTrayApp.exe
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
    mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
    mRun: [avast] "c:\program files\avast software\avast\avastUI.exe" /nogui
    mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
    dRun: [MySpaceIM] c:\program files\myspace\im\MySpaceIM.exe
    StartupFolder: c:\docume~1\ann\startm~1\programs\startup\yahoo!~1.lnk - c:\program files\yahoo!\widgets\YahooWidgets.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hppsc1~1.lnk - c:\program files\hewlett-packard\digital imaging\bin\hpohmr08.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpoddt~1.lnk - c:\program files\hewlett-packard\digital imaging\bin\hpotdd01.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\SANDIS~1.LNK -
    IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_D1E1F7ED622A0E5D.dll/cmsidewiki.html
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
    DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
    DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
    DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
    DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1006.cab
    DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} - hxxps://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
    DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
    DPF: {924B4927-D3BA-41EA-9F7E-8A89194AB3AC} - hxxp://panda-plugin.disney.go.com/plugin/win32/p3dactivex.cab
    DPF: {9C23D886-43CB-43DE-B2DB-112A68D7E10A} - hxxp://lads.myspace.com/upload/MySpaceUploader2.cab
    DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    Hosts: 127.0.0.1 www.spywareinfo.com
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - c:\documents and settings\ann\application data\mozilla\firefox\profiles\6biwtmo5.default\
    FF - component: c:\program files\microsoft\search enhancement pack\default manager\dmextension\components\FFGlobalExtension.dll
    FF - component: c:\program files\microsoft\search enhancement pack\search helper\firefoxextension\searchhelperextension\components\SEPsearchhelperff.dll
    FF - plugin: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll
    FF - plugin: c:\program files\common files\research in motion\bbwebsllauncher\NPWebSLLauncher.dll
    FF - plugin: c:\program files\gametap\bin\release\npgametaptool.dll
    FF - plugin: c:\program files\google\update\1.3.21.57\npGoogleUpdate3.dll
    FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - plugin: c:\program files\microsoft silverlight\4.0.60310.0\npctrlui.dll
    FF - plugin: c:\program files\mozilla firefox\extensions\gametapplayer@gametap.com\plugins\npGameTapWebPlayer.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
    FF - plugin: c:\program files\retrogamer_2z\bar\1.bin\NP2zStub.dll
    FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
    .
    ============= SERVICES / DRIVERS ===============
    .
    R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2011-5-10 441176]
    R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2011-5-10 307928]
    R1 GhPciScan;GhostPciScanner;c:\program files\symantec\norton ghost 2003\GhPciScan.sys [2003-12-17 5632]
    R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2011-5-10 19544]
    R2 avast! Antivirus;avast! Antivirus;c:\program files\avast software\avast\AvastSvc.exe [2011-5-10 42184]
    R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-6-14 366640]
    R2 Toolbar Updater Service;Toolbar Updater Service;c:\program files\startnow toolbar\ToolbarUpdaterService.exe [2011-3-24 199904]
    R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-6-14 22712]
    S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-3-12 135664]
    S2 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\viewpoint\common\viewpointservice.exe" --> c:\program files\viewpoint\common\ViewpointService.exe [?]
    S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-3-12 135664]
    S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2011-6-14 39984]
    S3 ntportio;ntportio;\??\c:\docume~1\new\locals~1\temp\u\1285210895\ntportio.sys --> c:\docume~1\new\locals~1\temp\u\1285210895\ntportio.sys [?]
    .
    =============== Created Last 30 ================
    .
    2011-06-14 20:31:40 -------- d-----w- c:\documents and settings\ann\application data\Malwarebytes
    2011-06-14 20:31:29 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-06-14 20:31:28 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
    2011-06-14 20:31:22 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-06-14 20:31:22 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-06-14 06:03:00 -------- d-----w- c:\documents and settings\ann\application data\vmntemplate
    2011-06-13 20:19:02 19416 ----a-w- c:\program files\mozilla firefox\AccessibleMarshal.dll
    2011-06-13 20:19:01 2106216 ----a-w- c:\program files\mozilla firefox\D3DCompiler_43.dll
    2011-06-13 20:19:01 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
    2011-06-13 20:19:01 125912 ----a-w- c:\program files\mozilla firefox\crashreporter.exe
    2011-06-13 20:19:00 1998168 ----a-w- c:\program files\mozilla firefox\d3dx9_43.dll
    2011-06-13 20:18:59 924632 ----a-w- c:\program files\mozilla firefox\firefox.exe
    2011-06-13 20:18:58 89048 ----a-w- c:\program files\mozilla firefox\libEGL.dll
    2011-06-13 20:18:58 719832 ----a-w- c:\program files\mozilla firefox\mozcpp19.dll
    2011-06-13 20:18:58 465880 ----a-w- c:\program files\mozilla firefox\libGLESv2.dll
    2011-06-13 20:18:58 269272 ----a-w- c:\program files\mozilla firefox\freebl3.dll
    2011-06-13 20:18:58 15832 ----a-w- c:\program files\mozilla firefox\mozalloc.dll
    2011-06-13 20:18:57 715736 ----a-w- c:\program files\mozilla firefox\mozcrt19.dll
    2011-06-13 20:18:56 781272 ----a-w- c:\program files\mozilla firefox\mozsqlite3.dll
    2011-06-13 20:18:56 203736 ----a-w- c:\program files\mozilla firefox\nspr4.dll
    2011-06-13 20:18:56 1850328 ----a-w- c:\program files\mozilla firefox\mozjs.dll
    2011-06-12 22:30:40 -------- d-----w- c:\documents and settings\ann\application data\whitesmoketoolbar
    2011-06-08 05:53:27 -------- d-----w- c:\program files\ishutdown
    2011-05-30 19:41:23 -------- d-----w- c:\program files\whitesmoketoolbar
    2011-05-21 08:18:52 -------- d-----w- c:\program files\StartNow Toolbar
    2011-05-21 00:27:31 -------- d-----w- c:\program files\common files\SWF Studio
    2011-05-21 00:27:14 -------- d-----w- c:\program files\Bingo Palace
    2011-05-17 01:23:56 -------- d-----w- c:\documents and settings\ann\local settings\application data\WMTools Downloaded Files
    .
    ==================== Find3M ====================
    .
    2011-05-20 03:15:52 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2011-05-10 12:10:59 40112 ----a-w- c:\windows\avastSS.scr
    2011-05-10 12:03:54 441176 ----a-w- c:\windows\system32\drivers\aswSnx.sys
    2011-05-01 05:30:32 0 ----a-w- c:\windows\system32\ConduitEngine.tmp
    2011-04-05 16:03:24 499712 ----a-w- c:\windows\system32\msvcp71.dll
    2011-04-05 16:03:24 348160 ----a-w- c:\windows\system32\msvcr71.dll
    .
    =================== ROOTKIT ====================
    .
    Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
    Windows 5.1.2600 Disk: ST3120026AS rev.3.18 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP3T0L0-7
    .
    device: opened successfully
    user: MBR read successfully
    .
    Disk trace:
    called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8A5C46F0]<<
    _asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x8a5caa10]; MOV EAX, [0x8a5caa8c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
    1 nt!IofCallDriver[0x804E13B9] -> \Device\Harddisk0\DR0[0x8A670AB8]
    3 CLASSPNP[0xF7637FD7] -> nt!IofCallDriver[0x804E13B9] -> \Device\00000069[0x8A66B948]
    5 ACPI[0xF75AE620] -> nt!IofCallDriver[0x804E13B9] -> [0x8A66A940]
    \Driver\atapi[0x8A64A910] -> IRP_MJ_CREATE -> 0x8A5C46F0
    error: Read A device attached to the system is not functioning.
    kernel: MBR read successfully
    _asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
    detected disk devices:
    detected hooks:
    \Driver\atapi DriverStartIo -> 0x8A5C453B
    user & kernel MBR OK
    Warning: possible TDL3 rootkit infection !
    .
    ============= FINISH: 17:07:39.95 ===============


    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_2011-06-12.02)
    .
    Microsoft Windows XP Professional
    Boot Device: \Device\HarddiskVolume1
    Install Date: 10/13/2008 1:45:14 PM
    System Uptime: 6/14/2011 4:57:29 PM (1 hours ago)
    .
    Motherboard: Intel Corporation | | D865GLC
    Processor: Intel(R) Pentium(R) 4 CPU 2.80GHz | J2E1 | 2793/200mhz
    .
    ==== Disk Partitions =========================
    .
    A: is Removable
    C: is FIXED (NTFS) - 112 GiB total, 67.655 GiB free.
    F: is CDROM ()
    .
    ==== Disabled Device Manager Items =============
    .
    Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
    Description: Video Controller (VGA Compatible)
    Device ID: PCI\VEN_8086&DEV_2572&SUBSYS_4C438086&REV_02\3&267A616A&0&10
    Manufacturer:
    Name: Video Controller (VGA Compatible)
    PNP Device ID: PCI\VEN_8086&DEV_2572&SUBSYS_4C438086&REV_02\3&267A616A&0&10
    Service:
    .
    Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
    Description: PCI Simple Communications Controller
    Device ID: PCI\VEN_14F1&DEV_10B4&SUBSYS_9300141D&REV_89\4&2E98101C&0&08F0
    Manufacturer:
    Name: PCI Simple Communications Controller
    PNP Device ID: PCI\VEN_14F1&DEV_10B4&SUBSYS_9300141D&REV_89\4&2E98101C&0&08F0
    Service:
    .
    Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
    Description: Intel(R) PRO/100 VE Network Connection
    Device ID: PCI\VEN_8086&DEV_1050&SUBSYS_303A8086&REV_01\4&2E98101C&0&40F0
    Manufacturer: Intel
    Name: Intel(R) PRO/100 VE Network Connection
    PNP Device ID: PCI\VEN_8086&DEV_1050&SUBSYS_303A8086&REV_01\4&2E98101C&0&40F0
    Service: E100B
    .
    ==== System Restore Points ===================
    .
    RP723: 5/11/2011 7:58:38 PM - Software Distribution Service 3.0
    RP724: 5/11/2011 8:11:33 PM - Software Distribution Service 3.0
    RP725: 5/11/2011 8:28:11 PM - Software Distribution Service 3.0
    RP726: 5/12/2011 9:39:54 PM - System Checkpoint
    RP727: 5/13/2011 10:33:01 AM - Software Distribution Service 3.0
    RP728: 5/13/2011 10:35:51 AM - Software Distribution Service 3.0
    RP729: 5/13/2011 8:26:01 PM - Software Distribution Service 3.0
    RP730: 5/14/2011 9:21:06 PM - System Checkpoint
    RP731: 5/15/2011 10:12:38 PM - System Checkpoint
    RP732: 5/17/2011 3:00:32 AM - Software Distribution Service 3.0
    RP733: 5/18/2011 3:00:37 AM - Software Distribution Service 3.0
    RP734: 5/19/2011 8:16:57 AM - Software Distribution Service 3.0
    RP735: 5/20/2011 3:00:43 AM - Software Distribution Service 3.0
    RP736: 5/21/2011 3:00:20 AM - Software Distribution Service 3.0
    RP737: 5/21/2011 3:03:41 PM - Software Distribution Service 3.0
    RP738: 5/22/2011 3:00:20 AM - Software Distribution Service 3.0
    RP739: 5/23/2011 3:00:46 AM - Software Distribution Service 3.0
    RP740: 5/24/2011 3:00:19 AM - Software Distribution Service 3.0
    RP741: 5/24/2011 8:07:11 AM - Software Distribution Service 3.0
    RP742: 5/24/2011 10:17:56 AM - Software Distribution Service 3.0
    RP743: 5/25/2011 3:00:20 AM - Software Distribution Service 3.0
    RP744: 5/25/2011 8:25:56 AM - Software Distribution Service 3.0
    RP745: 5/26/2011 3:00:29 AM - Software Distribution Service 3.0
    RP746: 5/27/2011 10:42:35 AM - Software Distribution Service 3.0
    RP747: 5/28/2011 4:53:44 PM - Software Distribution Service 3.0
    RP748: 5/29/2011 3:00:39 AM - Software Distribution Service 3.0
    RP749: 5/30/2011 3:00:48 AM - Software Distribution Service 3.0
    RP750: 5/31/2011 11:30:27 PM - System Checkpoint
    RP751: 6/1/2011 3:00:45 AM - Software Distribution Service 3.0
    RP752: 6/2/2011 6:56:47 AM - Software Distribution Service 3.0
    RP753: 6/3/2011 3:00:43 AM - Software Distribution Service 3.0
    RP754: 6/4/2011 9:52:00 AM - System Checkpoint
    RP755: 6/5/2011 3:00:41 AM - Software Distribution Service 3.0
    RP756: 6/6/2011 7:40:50 AM - Software Distribution Service 3.0
    RP757: 6/6/2011 8:04:57 AM - Software Distribution Service 3.0
    RP758: 6/7/2011 6:30:07 AM - Software Distribution Service 3.0
    RP759: 6/8/2011 8:11:29 AM - Software Distribution Service 3.0
    RP760: 6/9/2011 3:00:39 AM - Software Distribution Service 3.0
    RP761: 6/9/2011 7:20:34 AM - Software Distribution Service 3.0
    RP762: 6/10/2011 11:01:51 PM - System Checkpoint
    RP763: 6/11/2011 3:00:19 AM - Software Distribution Service 3.0
    RP764: 6/12/2011 3:00:34 AM - Software Distribution Service 3.0
    RP765: 6/13/2011 3:00:44 AM - Software Distribution Service 3.0
    RP766: 6/14/2011 4:38:53 AM - Software Distribution Service 3.0
    RP767: 6/14/2011 4:42:20 AM - Software Distribution Service 3.0
    .
    ==== Installed Programs ======================
    .
    Acrobat.com
    Adobe AIR
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 10 Plugin
    Adobe Reader 9.1.1
    Adobe Reader 9.3
    Adobe Shockwave Player
    AIM 6
    Apple Application Support
    Apple Mobile Device Support
    Apple Software Update
    avast! Free Antivirus
    Bingo Palace 4.4
    BlackBerry Desktop Software 6.0
    Bonjour
    CCleaner
    Conduit Engine
    Creative Jukebox Driver
    Data Doctor Recovery - SIM Card 3.0.1.5
    EliSims 2.12
    FrostWire 4.21.3
    GameTap Web Player
    gamewrangler_v2 Toolbar
    Google Chrome
    Google Update Helper
    HiJackThis
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Hotfix for Windows Media Format 11 SDK (KB929399)
    Hotfix for Windows Media Player 11 (KB939683)
    Hotfix for Windows XP (KB2158563)
    Hotfix for Windows XP (KB2443685)
    Hotfix for Windows XP (KB952287)
    Hotfix for Windows XP (KB954550-v5)
    Hotfix for Windows XP (KB961118)
    Hotfix for Windows XP (KB979306)
    Hotfix for Windows XP (KB981793)
    HP Photo and Imaging 2.0 - All-in-One
    HP Photo and Imaging 2.0 - All-in-One Drivers
    HP Photo and Imaging 2.0 - hp psc 1200 series
    hp psc 1200 series
    Inbox Toolbar
    Intel(R) PRO Network Connections 11.2.0.69
    IrfanView (remove only)
    iShutdown
    iTunes
    Java Auto Updater
    Java(TM) 6 Update 23
    LG USB Modem driver
    LiveReg (Symantec Corporation)
    LiveUpdate 1.80 (Symantec Corporation)
    magicJack
    Malwarebytes' Anti-Malware version 1.51.0.1200
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft Compression Client Pack 1.0 for Windows XP
    Microsoft Internationalized Domain Names Mitigation APIs
    Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
    Microsoft National Language Support Downlevel APIs
    Microsoft Office 2000 SR-1 Professional
    Microsoft Silverlight
    Microsoft User-Mode Driver Framework Feature Pack 1.0
    Microsoft VC9 runtime libraries
    Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2005 Redistributable - KB2467175
    Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
    Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    Mozilla Firefox 5.0 (x86 en-US)
    MSN
    MSXML 4.0 SP2 (KB936181)
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    MySpaceIM
    Nero 7 Ultra Edition
    neroxml
    Norton Ghost
    OpenOffice.org Installer 1.0
    Password Generator 2.1.1
    PICTUREKA! MUSEUM MAYHEM
    QuickTime
    RealNetworks - Microsoft Visual C++ 2008 Runtime
    RealPlayer
    RealUpgrade 1.1
    Retrogamer
    SanDisk ® Media Manager
    Security Update for CAPICOM (KB931906)
    Security Update for Windows Internet Explorer 7 (KB938127-v2)
    Security Update for Windows Internet Explorer 7 (KB953838)
    Security Update for Windows Internet Explorer 7 (KB956390)
    Security Update for Windows Internet Explorer 7 (KB958215)
    Security Update for Windows Internet Explorer 7 (KB960714)
    Security Update for Windows Internet Explorer 7 (KB961260)
    Security Update for Windows Internet Explorer 7 (KB963027)
    Security Update for Windows Internet Explorer 7 (KB978207)
    Security Update for Windows Internet Explorer 8 (KB2183461)
    Security Update for Windows Internet Explorer 8 (KB2360131)
    Security Update for Windows Internet Explorer 8 (KB2416400)
    Security Update for Windows Internet Explorer 8 (KB2482017)
    Security Update for Windows Internet Explorer 8 (KB2497640)
    Security Update for Windows Internet Explorer 8 (KB2510531)
    Security Update for Windows Internet Explorer 8 (KB971961)
    Security Update for Windows Internet Explorer 8 (KB981332)
    Security Update for Windows Internet Explorer 8 (KB982381)
    Security Update for Windows Media Player (KB2378111)
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows Media Player (KB954155)
    Security Update for Windows Media Player (KB968816)
    Security Update for Windows Media Player (KB973540)
    Security Update for Windows Media Player (KB975558)
    Security Update for Windows Media Player (KB978695)
    Security Update for Windows Media Player (KB979402)
    Security Update for Windows Media Player 11 (KB954154)
    Security Update for Windows XP (KB2079403)
    Security Update for Windows XP (KB2115168)
    Security Update for Windows XP (KB2121546)
    Security Update for Windows XP (KB2160329)
    Security Update for Windows XP (KB2229593)
    Security Update for Windows XP (KB2259922)
    Security Update for Windows XP (KB2279986)
    Security Update for Windows XP (KB2286198)
    Security Update for Windows XP (KB2296011)
    Security Update for Windows XP (KB2296199)
    Security Update for Windows XP (KB2347290)
    Security Update for Windows XP (KB2360937)
    Security Update for Windows XP (KB2387149)
    Security Update for Windows XP (KB2393802)
    Security Update for Windows XP (KB2412687)
    Security Update for Windows XP (KB2419632)
    Security Update for Windows XP (KB2423089)
    Security Update for Windows XP (KB2436673)
    Security Update for Windows XP (KB2440591)
    Security Update for Windows XP (KB2443105)
    Security Update for Windows XP (KB2476687)
    Security Update for Windows XP (KB2478960)
    Security Update for Windows XP (KB2478971)
    Security Update for Windows XP (KB2479628)
    Security Update for Windows XP (KB2479943)
    Security Update for Windows XP (KB2481109)
    Security Update for Windows XP (KB2483185)
    Security Update for Windows XP (KB2485376)
    Security Update for Windows XP (KB2485663)
    Security Update for Windows XP (KB2503658)
    Security Update for Windows XP (KB2506212)
    Security Update for Windows XP (KB2506223)
    Security Update for Windows XP (KB2507618)
    Security Update for Windows XP (KB2508272)
    Security Update for Windows XP (KB2508429)
    Security Update for Windows XP (KB2509553)
    Security Update for Windows XP (KB2511455)
    Security Update for Windows XP (KB2524375)
    Security Update for Windows XP (KB923561)
    Security Update for Windows XP (KB923689)
    Security Update for Windows XP (KB923789)
    Security Update for Windows XP (KB938464)
    Security Update for Windows XP (KB941569)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951066)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951698)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952004)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB953839)
    Security Update for Windows XP (KB954211)
    Security Update for Windows XP (KB954459)
    Security Update for Windows XP (KB954600)
    Security Update for Windows XP (KB955069)
    Security Update for Windows XP (KB956391)
    Security Update for Windows XP (KB956572)
    Security Update for Windows XP (KB956744)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB956841)
    Security Update for Windows XP (KB956844)
    Security Update for Windows XP (KB957095)
    Security Update for Windows XP (KB957097)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB958687)
    Security Update for Windows XP (KB958690)
    Security Update for Windows XP (KB958869)
    Security Update for Windows XP (KB959426)
    Security Update for Windows XP (KB960225)
    Security Update for Windows XP (KB960715)
    Security Update for Windows XP (KB960803)
    Security Update for Windows XP (KB960859)
    Security Update for Windows XP (KB961373)
    Security Update for Windows XP (KB961501)
    Security Update for Windows XP (KB969059)
    Security Update for Windows XP (KB969947)
    Security Update for Windows XP (KB970238)
    Security Update for Windows XP (KB971468)
    Security Update for Windows XP (KB971657)
    Security Update for Windows XP (KB971961)
    Security Update for Windows XP (KB972270)
    Security Update for Windows XP (KB973354)
    Security Update for Windows XP (KB973507)
    Security Update for Windows XP (KB973869)
    Security Update for Windows XP (KB973904)
    Security Update for Windows XP (KB974112)
    Security Update for Windows XP (KB974318)
    Security Update for Windows XP (KB974392)
    Security Update for Windows XP (KB974571)
    Security Update for Windows XP (KB975025)
    Security Update for Windows XP (KB975467)
    Security Update for Windows XP (KB975560)
    Security Update for Windows XP (KB975561)
    Security Update for Windows XP (KB975562)
    Security Update for Windows XP (KB975713)
    Security Update for Windows XP (KB977165-v2)
    Security Update for Windows XP (KB977816)
    Security Update for Windows XP (KB977914)
    Security Update for Windows XP (KB978037)
    Security Update for Windows XP (KB978251)
    Security Update for Windows XP (KB978262)
    Security Update for Windows XP (KB978338)
    Security Update for Windows XP (KB978542)
    Security Update for Windows XP (KB978601)
    Security Update for Windows XP (KB978706)
    Security Update for Windows XP (KB979309)
    Security Update for Windows XP (KB979482)
    Security Update for Windows XP (KB979559)
    Security Update for Windows XP (KB979683)
    Security Update for Windows XP (KB979687)
    Security Update for Windows XP (KB980195)
    Security Update for Windows XP (KB980218)
    Security Update for Windows XP (KB980232)
    Security Update for Windows XP (KB980436)
    Security Update for Windows XP (KB981322)
    Security Update for Windows XP (KB981852)
    Security Update for Windows XP (KB981957)
    Security Update for Windows XP (KB981997)
    Security Update for Windows XP (KB982132)
    Security Update for Windows XP (KB982214)
    Security Update for Windows XP (KB982665)
    Security Update for Windows XP (KB982802)
    SimEnhancer 3D
    SoundMAX
    Spelling Dictionaries Support For Adobe Reader 9
    Spybot - Search & Destroy
    StartNow Toolbar 2.0
    The Sims Character Makeover Studio
    The Sims Complete Collection
    Update for Windows Internet Explorer 8 (KB976662)
    Update for Windows Internet Explorer 8 (KB980182)
    Update for Windows Internet Explorer 8 (KB980302)
    Update for Windows XP (KB2141007)
    Update for Windows XP (KB2345886)
    Update for Windows XP (KB2467659)
    Update for Windows XP (KB951072-v2)
    Update for Windows XP (KB951978)
    Update for Windows XP (KB955759)
    Update for Windows XP (KB955839)
    Update for Windows XP (KB967715)
    Update for Windows XP (KB968389)
    Update for Windows XP (KB971029)
    Update for Windows XP (KB973687)
    Update for Windows XP (KB973815)
    Viewpoint Media Player
    Vuze
    VZAccess Manager
    WebFldrs XP
    WhiteSmoke Toolbar
    Windows Genuine Advantage Notifications (KB905474)
    Windows Genuine Advantage Validation Tool (KB892130)
    Windows Internet Explorer 8
    Windows Media Format 11 runtime
    Windows Media Player 11
    Windows XP Service Pack 3
    WinRAR archiver
    Yahoo! Install Manager
    Yahoo! Messenger
    Yahoo! Software Update
    Yahoo! Widgets
    .
    ==== Event Viewer Messages From Past Week ========
    .
    6/8/2011 6:29:07 PM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the stisvc service.
    6/14/2011 4:18:55 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: PCIIde
    6/12/2011 4:31:52 PM, error: Service Control Manager [7022] - The WebClient service hung on starting.
    6/11/2011 3:01:24 AM, error: Windows Update Agent [20] - Installation Failure: Windows failed to install the following update with error 0x80070643: Security Update for Microsoft .NET Framework 3.5 SP1 on Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008 x86 (KB2416473).
    6/11/2011 3:01:10 AM, error: Windows Update Agent [20] - Installation Failure: Windows failed to install the following update with error 0x80070643: Microsoft .NET Framework 3.5 SP1 and .NET Framework 2.0 SP2 Update for Windows Server 2003 and Windows XP x86 (KB982524).
    6/11/2011 3:01:03 AM, error: Windows Update Agent [20] - Installation Failure: Windows failed to install the following update with error 0x80070643: Security Update for Microsoft .NET Framework 2.0 SP2 and 3.5 SP1 on Windows Server 2003 and Windows XP x86 (KB2418241).
    6/11/2011 3:00:55 AM, error: Windows Update Agent [20] - Installation Failure: Windows failed to install the following update with error 0x80070643: Security Update for .NET Framework 2.0 SP2 and 3.5 SP1 on Windows Server 2003 and Windows XP x86 (KB2446704).
    6/11/2011 3:00:47 AM, error: Windows Update Agent [20] - Installation Failure: Windows failed to install the following update with error 0x80070643: Microsoft .NET Framework 3.5 SP1 Update for Windows Server 2003 and Windows XP x86 (KB982168).
    6/11/2011 3:00:35 AM, error: Windows Update Agent [20] - Installation Failure: Windows failed to install the following update with error 0x80070643: Microsoft .NET Framework 3.5 SP1 and .NET Framework 2.0 SP2 Security Update for Windows 2000, Windows Server 2003, and Windows XP x86 (KB979909).
    6/11/2011 1:39:55 PM, error: Dhcp [1002] - The IP address lease 192.168.2.2 for the Network Card with network address 000CF1B0777D has been denied by the DHCP server 0.0.0.0 (The DHCP Server sent a DHCPNACK message).
    6/11/2011 1:25:22 PM, error: Dhcp [1002] - The IP address lease 97.91.130.166 for the Network Card with network address 000CF1B0777D has been denied by the DHCP server 0.0.0.0 (The DHCP Server sent a DHCPNACK message).
    6/11/2011 1:18:05 PM, error: Dhcp [1002] - The IP address lease 192.168.100.10 for the Network Card with network address 000CF1B0777D has been denied by the DHCP server 192.168.100.1 (The DHCP Server sent a DHCPNACK message).
    6/10/2011 6:57:04 AM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Google Update Service (gupdate) service to connect.
    6/10/2011 6:57:04 AM, error: Service Control Manager [7000] - The Google Update Service (gupdate) service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    6/10/2011 6:56:58 AM, error: DCOM [10005] - DCOM got error "%1053" attempting to start the service gupdate with arguments "/comsvc" in order to run the server: {4EB61BAC-A3B6-4760-9581-655041EF4D69}
    6/10/2011 11:55:14 PM, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service NMIndexingService with arguments "" in order to run the server: {C6A811AB-F8FF-45A4-93E5-FC5CCB650BE7}
    6/10/2011 11:45:42 PM, error: Service Control Manager [7023] - The SPService service terminated with the following error: The specified module could not be found.
    6/10/2011 11:45:42 PM, error: Service Control Manager [7000] - The Viewpoint Manager Service service failed to start due to the following error: The system cannot find the file specified.
    6/10/2011 11:45:22 PM, error: Dhcp [1002] - The IP address lease 192.168.2.7 for the Network Card with network address 000CF1B0777D has been denied by the DHCP server 0.0.0.0 (The DHCP Server sent a DHCPNACK message).
    .
    ==== End Of File ===========================
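The ROOTKIT section of the attach.txt above is the part of this log that carries the evidence: GMER's MBR detector reports that its user-mode and kernel-mode reads of the MBR agree ("user & kernel MBR OK"), yet the disk trace shows an unidentified module in the I/O call chain, the address that \Driver\atapi dispatches IRP_MJ_CREATE to is that same unidentified module, a DriverStartIo hook on \Driver\atapi is listed, and the tool warns of a possible TDL3 infection. The Python script below is an added example, not code from this thread, from DDS or from GMER; it parses that section into structured fields and lists the findings a helper would act on, separating the tool's verdict line from the structural indicators behind it. The sample log embedded in it is constructed from the lines quoted above (the two _asm disassembly lines are left out), and the function names are the example's own.

```python
"""Parse the ROOTKIT section of a DDS attach.txt (GMER's MBR detector output)
and list the indicators that matter.  Added example; not code from the thread,
from DDS or from GMER.  Function names are this example's own."""
import re

# Constructed sample: the GMER section as quoted in the thread, without the
# two "_asm { ... }" disassembly lines.
SAMPLE_LOG = r"""
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: ST3120026AS rev.3.18 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP3T0L0-7
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8A5C46F0]<<
1 nt!IofCallDriver[0x804E13B9] -> \Device\Harddisk0\DR0[0x8A670AB8]
3 CLASSPNP[0xF7637FD7] -> nt!IofCallDriver[0x804E13B9] -> \Device\00000069[0x8A66B948]
5 ACPI[0xF75AE620] -> nt!IofCallDriver[0x804E13B9] -> [0x8A66A940]
\Driver\atapi[0x8A64A910] -> IRP_MJ_CREATE -> 0x8A5C46F0
error: Read A device attached to the system is not functioning.
kernel: MBR read successfully
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x8A5C453B
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
.
============= FINISH: 17:07:39.95 ===============
"""

# A hook line under "detected hooks:", e.g. "\Driver\atapi DriverStartIo -> 0x8A5C453B"
HOOK_RE = re.compile(r"^(?P<driver>\\\S+)\s+(?P<routine>\S+)\s+->\s+0x(?P<addr>[0-9A-Fa-f]+)$")
# A dispatch line in the disk trace, e.g. "\Driver\atapi[0x...] -> IRP_MJ_CREATE -> 0x8A5C46F0"
DISPATCH_RE = re.compile(
    r"^(?P<driver>\\Driver\\[^\[\s]+)\[0x[0-9A-Fa-f]+\]\s+->\s+(?P<irp>IRP_\w+)\s+->\s+0x(?P<addr>[0-9A-Fa-f]+)$"
)
# A module GMER could not attribute to any loaded driver image
UNKNOWN_RE = re.compile(r">>UNKNOWN \[0x([0-9A-Fa-f]+)\]<<")


def parse_rootkit_section(text):
    """Turn the ROOTKIT section into a dict of the fields a reviewer looks at."""
    report = {
        "detector": None,
        "device_opened": False,
        "user_mbr_read": False,
        "kernel_mbr_read": False,
        "mbr_user_kernel_match": False,  # set when GMER prints "user & kernel MBR OK"
        "unknown_modules": [],           # addresses flagged >>UNKNOWN<< in the call chain
        "dispatch": [],                  # (driver, IRP major, handler address) from the trace
        "hooks": [],                     # (driver, routine, address) under "detected hooks:"
        "errors": [],
        "warnings": [],
    }
    in_hooks = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        if line == "detected hooks:":
            in_hooks = True
            continue
        if in_hooks:
            m = HOOK_RE.match(line)
            if m:
                report["hooks"].append((m["driver"], m["routine"], int(m["addr"], 16)))
                continue
            in_hooks = False  # first line that is not a hook ends the block
        if "detector" in line and "Gmer" in line:
            report["detector"] = line
        elif line == "device: opened successfully":
            report["device_opened"] = True
        elif line == "user: MBR read successfully":
            report["user_mbr_read"] = True
        elif line == "kernel: MBR read successfully":
            report["kernel_mbr_read"] = True
        elif line == "user & kernel MBR OK":
            report["mbr_user_kernel_match"] = True
        elif line.startswith("error:"):
            report["errors"].append(line[len("error:"):].strip())
        elif line.startswith("Warning:"):
            report["warnings"].append(line[len("Warning:"):].strip())
        else:
            m = DISPATCH_RE.match(line)
            if m:
                report["dispatch"].append((m["driver"], m["irp"], int(m["addr"], 16)))
        for m in UNKNOWN_RE.finditer(line):
            report["unknown_modules"].append(int(m.group(1), 16))
    return report


def assess(report):
    """List the indicators that justify treating the disk driver stack as tampered.
    The detector's own warning is kept, but the structural evidence is listed on
    its own: a redirected DriverStartIo, a dispatch routine that lives in a module
    the tool cannot attribute, and an unattributed module in the I/O path are what
    a rootkit needs in order to filter what the rest of the system reads from disk."""
    findings = []
    unknown = sorted(set(report["unknown_modules"]))
    for driver, routine, addr in report["hooks"]:
        findings.append(f"{driver} {routine} redirected to 0x{addr:08X}")
    for driver, irp, addr in report["dispatch"]:
        if addr in unknown:
            findings.append(f"{driver} {irp} dispatches into unattributed module 0x{addr:08X}")
    for addr in unknown:
        findings.append(f"unattributed module 0x{addr:08X} in the disk I/O call chain")
    for w in report["warnings"]:
        findings.append(f"detector warning: {w}")
    if report["user_mbr_read"] and report["kernel_mbr_read"] and not report["mbr_user_kernel_match"]:
        findings.append("user-mode and kernel-mode MBR reads disagree")
    return findings


if __name__ == "__main__":
    rep = parse_rootkit_section(SAMPLE_LOG)
    print("MBR reads consistent:", rep["mbr_user_kernel_match"])
    for finding in assess(rep):
        print("FINDING:", finding)
```

Run against the thread's section it reports four findings: the DriverStartIo redirection, the IRP_MJ_CREATE dispatch into the unattributed module, the unattributed module itself, and GMER's TDL3 warning. The point a helper takes from the separation is that an "MBR OK" comparison on its own does not clear a machine: the hook and the unattributed module sit below the filesystem, and that is exactly where the scanners Bobbye asks for next (TDSSKiller, ComboFix) do their work.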
  8. amb913

    amb913 Newcomer, in training Topic Starter Posts: 47

    Hey there. I think it's been 5 days, lol. I've been hoping to hear from you, and have held off on trying any fixes to my computer as you requested. I know you must be busy, but can you let me know if you can still help me? I really need to get this fixed ASAP. Thanks.
  9. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +32

    Thank you for the reminder. Occasionally, the feedback email that a reply has been made does not get sent or reach the recipient. This was one of those times.

    I see multiple entries that will cause you grief and we will be removing them from the system. And there is a rootkit on the system. To do that, I need you to run the following scans. Please run these scans in the order I have given. Each will produce a log for you to paste in your next reply:

    • Download the file TDSSKiller.zip and save to the desktop.
      (If you are unable to download the file for some reason, then TDSS may be blocking it. You would then need to download it first to a clean computer and then transfer it to the infected one using an external drive or USB flash drive.)
    • Right-click the tdsskiller.zip file> Select Extract All into a folder on the infected (or potentially infected) PC.
    • Double click on TDSSKiller.exe to run the scan.
    • When the scan is over, the utility outputs a list of detected objects with description.
      The utility automatically selects an action (Cure or Delete) for malicious objects.
      The utility prompts the user to select an action to apply to suspicious objects (Skip, by default).
    • Select the action Quarantine to quarantine detected objects.
      The default quarantine folder is in the system disk root folder, e.g.: C:\TDSSKiller_Quarantine\23.07.2010_15.31.43
    • After clicking Next, the utility applies selected actions and outputs the result.
    • A reboot is required after disinfection.
    =====================================
    Please note: If you have Combofix on the desktop already, please uninstall it. Then download the current version and do the scan: Uninstall directions, if needed
    • Click START> then RUN
    • Now type Combofix /Uninstall in the run box and click OK. Note the space between the X and the U; it needs to be there.
    --------------------------------------
    Download Combofix from HERE or HERE and save to the desktop
    • Double click combofix.exe & follow the prompts.
    • ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It is recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode if needed.
      **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
    • Click on Yes, to continue scanning for malware
    • If Combofix asks you to update the program, allow
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Close any open browsers.
    • Double click combofix.exe & follow the prompts to run.
    • When the scan completes, a report will be generated; it will open in a text window. Please paste the C:\ComboFix.txt in your next reply.
    Re-enable your Antivirus software.

    Note 1: Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    Note 2: ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
    Note 3: Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
    Note 4: CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
    Note 5: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart computer to fix the issue.
    ==========================================
    • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
      ESETOnlineScan
    • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
      [o] Click the download button to get the ESET Smart Installer. Save it to your desktop.
      [o] Double click on the ESET Smart Installer on your desktop.
    • Check 'Yes I accept terms of use.'
    • Click Start button
    • Accept any security warnings from your browser.
    • Uncheck 'Remove found threats'
    • Check 'Scan archives'
    • Leave remaining settings as is.
    • Press the Start button.
    • ESET will then download updates for itself, install itself, and begin scanning your computer. Please wait for the scan to finish.
    • When the scan completes, press List of found threats
    • Push Export of text file and save the file to your desktop using a unique name, such as ESETScan. Paste this log in your next reply.
    • Push the Back button
    • Push Finish

    NOTE: If no malware is found then no log will be produced. Let me know if this is the case.

    I'll be on the lookout for your reply with these logs.
  10. amb913

    amb913 Newcomer, in training Topic Starter Posts: 47

    TDSSKiller log

    2011/06/20 16:51:32.0062 2432 TDSS rootkit removing tool 2.5.5.0 Jun 16 2011 15:25:15
    2011/06/20 16:51:32.0734 2432 ================================================================================
    2011/06/20 16:51:32.0734 2432 SystemInfo:
    2011/06/20 16:51:32.0734 2432
    2011/06/20 16:51:32.0734 2432 OS Version: 5.1.2600 ServicePack: 3.0
    2011/06/20 16:51:32.0734 2432 Product type: Workstation
    2011/06/20 16:51:32.0734 2432 ComputerName: NEW-0F6A332D445
    2011/06/20 16:51:32.0734 2432 UserName: Ann
    2011/06/20 16:51:32.0734 2432 Windows directory: C:\WINDOWS
    2011/06/20 16:51:32.0734 2432 System windows directory: C:\WINDOWS
    2011/06/20 16:51:32.0734 2432 Processor architecture: Intel x86
    2011/06/20 16:51:32.0734 2432 Number of processors: 2
    2011/06/20 16:51:32.0734 2432 Page size: 0x1000
    2011/06/20 16:51:32.0734 2432 Boot type: Normal boot
    2011/06/20 16:51:32.0734 2432 ================================================================================
    2011/06/20 16:51:33.0859 2432 Initialize success
    2011/06/20 16:51:35.0718 2940 ================================================================================
    2011/06/20 16:51:35.0718 2940 Scan started
    2011/06/20 16:51:35.0718 2940 Mode: Manual;
    2011/06/20 16:51:35.0718 2940 ================================================================================
    2011/06/20 16:51:36.0671 2940 Aavmker4 (3f6884eff406238d39aaa892218f1df7) C:\WINDOWS\system32\drivers\Aavmker4.sys
    2011/06/20 16:51:36.0890 2940 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
    2011/06/20 16:51:36.0968 2940 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
    2011/06/20 16:51:37.0078 2940 aeaudio (cde1f62fe63631b932ace2249fb11da0) C:\WINDOWS\system32\drivers\aeaudio.sys
    2011/06/20 16:51:37.0140 2940 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
    2011/06/20 16:51:37.0218 2940 AFD (355556d9e580915118cd7ef736653a89) C:\WINDOWS\System32\drivers\afd.sys
    2011/06/20 16:51:37.0859 2940 Aspi32 (ed8cee58c1e4c5893f5b2fd686a272bf) C:\WINDOWS\system32\drivers\Aspi32.sys
    2011/06/20 16:51:37.0953 2940 aswFsBlk (7f08d9c504b015d81a8abd75c80028c5) C:\WINDOWS\system32\drivers\aswFsBlk.sys
    2011/06/20 16:51:38.0000 2940 aswMon2 (c2181ef6b54752273a0759a968c59279) C:\WINDOWS\system32\drivers\aswMon2.sys
    2011/06/20 16:51:38.0062 2940 aswRdr (ac48bdd4cd5d44af33087c06d6e9511c) C:\WINDOWS\system32\drivers\aswRdr.sys
    2011/06/20 16:51:38.0140 2940 aswSnx (b64134316fcd1f20e0f10ef3e65bd522) C:\WINDOWS\system32\drivers\aswSnx.sys
    2011/06/20 16:51:38.0312 2940 aswSP (d6788e3211afa9951ed7a4d617f68a4f) C:\WINDOWS\system32\drivers\aswSP.sys
    2011/06/20 16:51:38.0562 2940 aswTdi (4d100c45517809439c7b6dd98997fa00) C:\WINDOWS\system32\drivers\aswTdi.sys
    2011/06/20 16:51:38.0640 2940 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
    2011/06/20 16:51:38.0734 2940 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
    2011/06/20 16:51:38.0921 2940 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
    2011/06/20 16:51:38.0984 2940 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
    2011/06/20 16:51:39.0140 2940 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
    2011/06/20 16:51:39.0468 2940 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
    2011/06/20 16:51:39.0578 2940 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
    2011/06/20 16:51:39.0640 2940 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
    2011/06/20 16:51:39.0687 2940 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
    2011/06/20 16:51:40.0062 2940 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
    2011/06/20 16:51:40.0156 2940 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
    2011/06/20 16:51:40.0218 2940 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
    2011/06/20 16:51:40.0265 2940 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
    2011/06/20 16:51:40.0343 2940 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
    2011/06/20 16:51:40.0453 2940 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
    2011/06/20 16:51:40.0531 2940 E100B (5c940a174dfb2c42b9f6ba6edc2baa0b) C:\WINDOWS\system32\DRIVERS\e100b325.sys
    2011/06/20 16:51:40.0640 2940 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
    2011/06/20 16:51:40.0703 2940 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
    2011/06/20 16:51:40.0734 2940 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
    2011/06/20 16:51:40.0781 2940 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
    2011/06/20 16:51:40.0828 2940 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
    2011/06/20 16:51:40.0890 2940 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
    2011/06/20 16:51:40.0937 2940 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
    2011/06/20 16:51:41.0015 2940 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys
    2011/06/20 16:51:41.0156 2940 GhPciScan (3a7c94ed99fe7fe05d88b26f97614626) C:\Program Files\Symantec\Norton Ghost 2003\ghpciscan.sys
    2011/06/20 16:51:41.0265 2940 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
    2011/06/20 16:51:41.0406 2940 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
    2011/06/20 16:51:41.0515 2940 HPZid412 (863cc3a82c63c9f60acf2e85d5310620) C:\WINDOWS\system32\DRIVERS\HPZid412.sys
    2011/06/20 16:51:41.0546 2940 HPZipr12 (08cb72e95dd75b61f2966b311d0e4366) C:\WINDOWS\system32\DRIVERS\HPZipr12.sys
    2011/06/20 16:51:41.0625 2940 HPZius12 (ca990306ed4ef732af9695bff24fc96f) C:\WINDOWS\system32\DRIVERS\HPZius12.sys
    2011/06/20 16:51:41.0718 2940 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
    2011/06/20 16:51:41.0890 2940 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
    2011/06/20 16:51:41.0953 2940 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
    2011/06/20 16:51:42.0078 2940 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys
    2011/06/20 16:51:42.0140 2940 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
    2011/06/20 16:51:42.0187 2940 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
    2011/06/20 16:51:42.0250 2940 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
    2011/06/20 16:51:42.0312 2940 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
    2011/06/20 16:51:42.0359 2940 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
    2011/06/20 16:51:42.0421 2940 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
    2011/06/20 16:51:42.0500 2940 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
    2011/06/20 16:51:42.0562 2940 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
    2011/06/20 16:51:42.0625 2940 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
    2011/06/20 16:51:42.0687 2940 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
    2011/06/20 16:51:42.0750 2940 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
    2011/06/20 16:51:42.0828 2940 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
    2011/06/20 16:51:43.0000 2940 MBAMProtector (3d2c13377763eeac0ca6fb46f57217ed) C:\WINDOWS\system32\drivers\mbam.sys
    2011/06/20 16:51:43.0062 2940 MBAMSwissArmy (b309912717c29fc67e1ba4730a82b6dd) C:\WINDOWS\system32\drivers\mbamswissarmy.sys
    2011/06/20 16:51:43.0140 2940 MidiSyn (63c34814492aa65fc517b002de77b191) C:\WINDOWS\system32\drivers\MidiSyn.sys
    2011/06/20 16:51:43.0203 2940 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
    2011/06/20 16:51:43.0296 2940 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
    2011/06/20 16:51:43.0359 2940 motmodem (fe80c18ba448ddd76b7bead9eb203d37) C:\WINDOWS\system32\DRIVERS\motmodem.sys
    2011/06/20 16:51:43.0406 2940 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
    2011/06/20 16:51:43.0468 2940 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
    2011/06/20 16:51:43.0515 2940 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
    2011/06/20 16:51:43.0609 2940 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
    2011/06/20 16:51:43.0687 2940 MRxSmb (0dc719e9b15e902346e87e9dcd5751fa) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
    2011/06/20 16:51:43.0750 2940 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
    2011/06/20 16:51:43.0828 2940 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
    2011/06/20 16:51:43.0859 2940 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
    2011/06/20 16:51:43.0906 2940 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
    2011/06/20 16:51:43.0984 2940 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
    2011/06/20 16:51:44.0046 2940 Mup (de6a75f5c270e756c5508d94b6cf68f5) C:\WINDOWS\system32\drivers\Mup.sys
    2011/06/20 16:51:44.0156 2940 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
    2011/06/20 16:51:44.0187 2940 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
    2011/06/20 16:51:44.0234 2940 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
    2011/06/20 16:51:44.0281 2940 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
    2011/06/20 16:51:44.0359 2940 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
    2011/06/20 16:51:44.0437 2940 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
    2011/06/20 16:51:44.0484 2940 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
    2011/06/20 16:51:44.0625 2940 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
    2011/06/20 16:51:44.0671 2940 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
    2011/06/20 16:51:44.0796 2940 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
    2011/06/20 16:51:44.0843 2940 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
    2011/06/20 16:51:44.0890 2940 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
    2011/06/20 16:51:44.0953 2940 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
    2011/06/20 16:51:45.0000 2940 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
    2011/06/20 16:51:45.0062 2940 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
    2011/06/20 16:51:45.0093 2940 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
    2011/06/20 16:51:45.0203 2940 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\drivers\PCIIde.sys
    2011/06/20 16:51:45.0265 2940 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
    2011/06/20 16:51:45.0671 2940 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
    2011/06/20 16:51:45.0718 2940 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
    2011/06/20 16:51:45.0781 2940 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
    2011/06/20 16:51:46.0031 2940 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
    2011/06/20 16:51:46.0093 2940 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
    2011/06/20 16:51:46.0156 2940 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
    2011/06/20 16:51:46.0218 2940 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
    2011/06/20 16:51:46.0265 2940 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
    2011/06/20 16:51:46.0312 2940 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
    2011/06/20 16:51:46.0406 2940 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
    2011/06/20 16:51:46.0500 2940 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
    2011/06/20 16:51:46.0593 2940 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
    2011/06/20 16:51:46.0828 2940 RimUsb (f17713d108aca124a139fde877eef68a) C:\WINDOWS\system32\Drivers\RimUsb.sys
    2011/06/20 16:51:47.0046 2940 RimVSerPort (2c4fb2e9f039287767c384e46ee91030) C:\WINDOWS\system32\DRIVERS\RimSerial.sys
    2011/06/20 16:51:47.0125 2940 ROOTMODEM (d8b0b4ade32574b2d9c5cc34dc0dbbe7) C:\WINDOWS\system32\Drivers\RootMdm.sys
    2011/06/20 16:51:47.0281 2940 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
    2011/06/20 16:51:47.0390 2940 senfilt (9a4c4a4b191200f12085d188be70e4e3) C:\WINDOWS\system32\drivers\senfilt.sys
    2011/06/20 16:51:47.0437 2940 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
    2011/06/20 16:51:47.0484 2940 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
    2011/06/20 16:51:47.0578 2940 sf (8da9c7feedba52cfd91ee2e2113df6a9) C:\WINDOWS\system32\drivers\sf.sys
    2011/06/20 16:51:47.0625 2940 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
    2011/06/20 16:51:47.0812 2940 SMNDIS5 (4ef5ea44583c37383c289d4b8c354698) C:\PROGRA~1\VERIZO~1\VZACCE~1\SMNDIS5.SYS
    2011/06/20 16:51:47.0890 2940 smwdm (ce52bffebfaf1e59553e2885cab80b52) C:\WINDOWS\system32\drivers\smwdm.sys
    2011/06/20 16:51:48.0015 2940 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
    2011/06/20 16:51:48.0062 2940 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
    2011/06/20 16:51:48.0171 2940 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys
    2011/06/20 16:51:48.0281 2940 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
    2011/06/20 16:51:48.0328 2940 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
    2011/06/20 16:51:48.0562 2940 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
    2011/06/20 16:51:48.0687 2940 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
    2011/06/20 16:51:48.0734 2940 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
    2011/06/20 16:51:48.0781 2940 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
    2011/06/20 16:51:48.0828 2940 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
    2011/06/20 16:51:48.0984 2940 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
    2011/06/20 16:51:49.0109 2940 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
    2011/06/20 16:51:49.0218 2940 USBAAPL (5c2bdc152bbab34f36473deaf7713f22) C:\WINDOWS\system32\Drivers\usbaapl.sys
    2011/06/20 16:51:49.0281 2940 usbaudio (e919708db44ed8543a7c017953148330) C:\WINDOWS\system32\drivers\usbaudio.sys
    2011/06/20 16:51:49.0359 2940 usbbus (5aadc9297c39aa249cd994acdba19034) C:\WINDOWS\system32\DRIVERS\lgusbbus.sys
    2011/06/20 16:51:49.0421 2940 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
    2011/06/20 16:51:49.0500 2940 UsbDiag (4650ffe04e5922399b0e932319e6b215) C:\WINDOWS\system32\DRIVERS\lgusbdiag.sys
    2011/06/20 16:51:49.0562 2940 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
    2011/06/20 16:51:49.0625 2940 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
    2011/06/20 16:51:49.0671 2940 USBModem (2666fe171e0c2e7085ccd5fe0bac09e3) C:\WINDOWS\system32\DRIVERS\lgusbmodem.sys
    2011/06/20 16:51:49.0750 2940 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
    2011/06/20 16:51:49.0796 2940 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
    2011/06/20 16:51:49.0859 2940 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
    2011/06/20 16:51:49.0906 2940 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
    2011/06/20 16:51:49.0968 2940 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
    2011/06/20 16:51:50.0078 2940 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
    2011/06/20 16:51:50.0156 2940 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
    2011/06/20 16:51:50.0250 2940 Wdf01000 (fd47474bd21794508af449d9d91af6e6) C:\WINDOWS\system32\DRIVERS\Wdf01000.sys
    2011/06/20 16:51:50.0375 2940 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
    2011/06/20 16:51:50.0593 2940 WpdUsb (cf4def1bf66f06964dc0d91844239104) C:\WINDOWS\system32\Drivers\wpdusb.sys
    2011/06/20 16:51:50.0703 2940 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
    2011/06/20 16:51:50.0750 2940 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
    2011/06/20 16:51:50.0906 2940 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
    2011/06/20 16:51:51.0078 2940 ================================================================================
    2011/06/20 16:51:51.0078 2940 Scan finished
    2011/06/20 16:51:51.0078 2940 ================================================================================
    2011/06/20 16:51:51.0109 2916 Detected object count: 0
    2011/06/20 16:51:51.0125 2916 Actual detected object count: 0
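The last scan line of the TDSSKiller log above hashes `MBR (0x1B8)` of `\Device\Harddisk0\DR0`, which is the object a boot-sector infection actually changes. The following is an added example (it is not part of the thread and not TDSSKiller's own code) showing what that check covers: it reads `0x1B8` as the length of the hashed region, the 440 bytes of bootstrap code that precede the 4-byte disk signature at offset 0x1B8, the partition table at 0x1BE and the 0x55AA boot signature at 0x1FE. That reading is an assumption, and the two MBR images in the script are constructed for the example rather than taken from the infected machine.

```python
"""Added example: parse a 512-byte MBR image and hash its bootstrap code.

The hashed region is assumed to be the first 0x1B8 (440) bytes, which is
the bootstrap code ahead of the disk signature (0x1B8), the four 16-byte
partition entries (0x1BE) and the 0x55AA boot signature (0x1FE). The MBR
images built below are constructed test data, not a real disk.
"""
import hashlib
import struct

BOOTCODE_LEN = 0x1B8      # 440 bytes of bootstrap code
DISK_SIG_OFF = 0x1B8      # 4-byte Windows disk signature
PART_TABLE_OFF = 0x1BE    # four 16-byte partition entries
BOOT_SIG_OFF = 0x1FE      # bytes 55 AA
SECTOR = 512
ENTRY_FMT = "<B3sB3sII"   # status, CHS start, type, CHS end, LBA start, sectors


def build_mbr(bootcode: bytes, disk_sig: int, partitions) -> bytes:
    """Assemble a constructed MBR; partitions is a list of up to four
    (status, type, start_lba, sector_count) tuples. CHS fields are zeroed
    because modern loaders use the LBA fields."""
    code = bootcode.ljust(BOOTCODE_LEN, b"\x00")[:BOOTCODE_LEN]
    table = b""
    for status, ptype, start, count in partitions:
        table += struct.pack(ENTRY_FMT, status, b"\0\0\0", ptype, b"\0\0\0", start, count)
    table = table.ljust(64, b"\x00")
    img = code + struct.pack("<IH", disk_sig, 0) + table + b"\x55\xAA"
    if len(img) != SECTOR:
        raise ValueError("assembled MBR is not 512 bytes")
    return img


def parse_mbr(img: bytes) -> dict:
    """Split a 512-byte MBR into its fields and MD5 the code region."""
    if len(img) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    parts = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        status, _chs0, ptype, _chs1, start, count = struct.unpack(ENTRY_FMT, img[off:off + 16])
        if ptype != 0:  # type 0 marks an unused entry
            parts.append({"bootable": status == 0x80, "type": ptype,
                          "start_lba": start, "sectors": count})
    return {
        "bootcode_md5": hashlib.md5(img[:BOOTCODE_LEN]).hexdigest(),
        "disk_signature": struct.unpack_from("<I", img, DISK_SIG_OFF)[0],
        "partitions": parts,
        "valid_boot_signature": img[BOOT_SIG_OFF:BOOT_SIG_OFF + 2] == b"\x55\xAA",
    }


def check_mbr(img: bytes, known_good_md5: str) -> str:
    """Compare the bootstrap-code hash with a known-good value.
    Returns 'match', 'mismatch', or 'invalid' (no 55 AA signature)."""
    info = parse_mbr(img)
    if not info["valid_boot_signature"]:
        return "invalid"
    return "match" if info["bootcode_md5"] == known_good_md5 else "mismatch"


# Constructed images: a "clean" MBR whose code starts with the usual
# xor ax,ax / mov ss,ax / mov sp,7C00h prologue, and the same image with
# the first opcode replaced by a short JMP. The partition table is left
# untouched, which is why a partition listing alone would not show the change.
CLEAN_MBR = build_mbr(b"\x33\xC0\x8E\xD0\xBC\x00\x7C" + b"\x90" * 64,
                      0x1A2B3C4D, [(0x80, 0x07, 63, 156296322)])
_patched = bytearray(CLEAN_MBR)
_patched[0] = 0xEB
PATCHED_MBR = bytes(_patched)
KNOWN_GOOD = parse_mbr(CLEAN_MBR)["bootcode_md5"]

if __name__ == "__main__":
    for name, img in (("clean", CLEAN_MBR), ("patched", PATCHED_MBR)):
        print(name, check_mbr(img, KNOWN_GOOD), parse_mbr(img)["partitions"])
```

The same `parse_mbr` applies to a real sector, for example the 512 bytes read from `\\.\PhysicalDrive0` as administrator on Windows or from `/dev/sda` on a Linux rescue system. The caveat is where the bytes come from: a bootkit that is active in the running OS can filter raw sector reads and hand back a clean copy, so a hash taken from inside the infected Windows is only as trustworthy as the driver stack it passed through; a read from a separately booted medium is not subject to that.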
  11. amb913

    amb913 Newcomer, in training Topic Starter Posts: 47

    combofix log

    ComboFix 11-06-19.0r1 - Ann 06/20/2011 16:58:24.2.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1519.985 [GMT -5:00]
    Running from: c:\documents and settings\Ann\Desktop\ComboFix.exe
    AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-05-20 to 2011-06-20 )))))))))))))))))))))))))))))))
    .
    .
    2011-06-20 20:20 . 2011-06-20 20:20 -------- d-----w- C:\TDSSKiller_Quarantine
    2011-06-20 01:10 . 2011-06-20 01:10 -------- d-----w- c:\documents and settings\Ann\Application Data\InstallShield
    2011-06-19 23:40 . 2011-06-19 23:47 -------- d-----w- c:\documents and settings\Ann\Application Data\FixCleaner
    2011-06-18 19:11 . 2011-06-18 19:11 -------- d-----w- C:\found.000
    2011-06-17 08:23 . 2011-06-17 08:23 -------- d-sh--w- c:\documents and settings\Default User\IETldCache
    2011-06-16 19:53 . 2011-04-21 13:37 105472 -c----w- c:\windows\system32\dllcache\mup.sys
    2011-06-14 21:02 . 2011-06-14 21:07 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
    2011-06-14 20:31 . 2011-06-14 20:31 -------- d-----w- c:\documents and settings\Ann\Application Data\Malwarebytes
    2011-06-14 20:31 . 2011-05-29 14:11 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-06-14 20:31 . 2011-06-14 20:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2011-06-14 20:31 . 2011-06-14 20:31 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-06-14 20:31 . 2011-05-29 14:11 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-06-14 06:03 . 2011-06-14 06:03 -------- d-----w- c:\documents and settings\Ann\Application Data\vmntemplate
    2011-06-13 20:19 . 2011-06-13 20:19 19416 ----a-w- c:\program files\Mozilla Firefox\AccessibleMarshal.dll
    2011-06-13 20:19 . 2011-06-13 20:19 2106216 ----a-w- c:\program files\Mozilla Firefox\D3DCompiler_43.dll
    2011-06-13 20:19 . 2011-06-13 20:19 142296 ----a-w- c:\program files\Mozilla Firefox\components\browsercomps.dll
    2011-06-13 20:19 . 2011-06-13 20:19 125912 ----a-w- c:\program files\Mozilla Firefox\crashreporter.exe
    2011-06-13 20:19 . 2011-06-13 20:19 1998168 ----a-w- c:\program files\Mozilla Firefox\d3dx9_43.dll
    2011-06-13 20:18 . 2011-06-13 20:18 924632 ----a-w- c:\program files\Mozilla Firefox\firefox.exe
    2011-06-13 20:18 . 2011-06-13 20:18 269272 ----a-w- c:\program files\Mozilla Firefox\freebl3.dll
    2011-06-13 20:18 . 2011-06-13 20:18 89048 ----a-w- c:\program files\Mozilla Firefox\libEGL.dll
    2011-06-13 20:18 . 2011-06-13 20:18 719832 ----a-w- c:\program files\Mozilla Firefox\mozcpp19.dll
    2011-06-13 20:18 . 2011-06-13 20:18 465880 ----a-w- c:\program files\Mozilla Firefox\libGLESv2.dll
    2011-06-13 20:18 . 2011-06-13 20:18 15832 ----a-w- c:\program files\Mozilla Firefox\mozalloc.dll
    2011-06-13 20:18 . 2011-06-13 20:18 715736 ----a-w- c:\program files\Mozilla Firefox\mozcrt19.dll
    2011-06-13 20:18 . 2011-06-13 20:18 1850328 ----a-w- c:\program files\Mozilla Firefox\mozjs.dll
    2011-06-13 20:18 . 2011-06-13 20:18 781272 ----a-w- c:\program files\Mozilla Firefox\mozsqlite3.dll
    2011-06-13 20:18 . 2011-06-13 20:18 203736 ----a-w- c:\program files\Mozilla Firefox\nspr4.dll
    2011-06-12 22:33 . 2011-06-12 22:33 -------- d-----w- c:\documents and settings\LocalService\Application Data\Apple Computer
    2011-06-05 20:43 . 2011-06-05 20:44 -------- d-----w- c:\documents and settings\Sally\Local Settings\Application Data\Roblox
    2011-05-30 22:53 . 2011-05-30 22:53 -------- d-----w- c:\documents and settings\Sally\Application Data\vmntemplate
    2011-05-30 22:53 . 2011-06-07 13:14 -------- d-----w- c:\documents and settings\Sally\Application Data\whitesmoketoolbar
    2011-05-30 19:41 . 2011-05-30 19:41 -------- d-----w- c:\documents and settings\NetworkService\Application Data\whitesmoketoolbar
    2011-05-24 02:13 . 2011-05-24 02:13 0 ---ha-w- c:\documents and settings\Sally\Local Settings\Application Data\BIT7.tmp
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-05-20 03:15 . 2011-05-15 21:04 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2011-05-10 21:51 . 2011-05-10 21:51 388096 ----a-r- c:\documents and settings\Sally\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
    2011-05-10 12:10 . 2011-05-11 02:22 40112 ----a-w- c:\windows\avastSS.scr
    2011-05-10 12:10 . 2011-05-11 02:22 199304 ----a-w- c:\windows\system32\aswBoot.exe
    2011-05-10 12:03 . 2011-05-11 02:22 441176 ----a-w- c:\windows\system32\drivers\aswSnx.sys
    2011-05-10 12:03 . 2011-05-11 02:22 307928 ----a-w- c:\windows\system32\drivers\aswSP.sys
    2011-05-10 12:02 . 2011-05-11 02:22 49240 ----a-w- c:\windows\system32\drivers\aswTdi.sys
    2011-05-10 12:02 . 2011-05-11 02:22 102616 ----a-w- c:\windows\system32\drivers\aswmon2.sys
    2011-05-10 12:02 . 2011-05-11 02:22 96344 ----a-w- c:\windows\system32\drivers\aswmon.sys
    2011-05-10 11:59 . 2011-05-11 02:22 25432 ----a-w- c:\windows\system32\drivers\aswRdr.sys
    2011-05-10 11:59 . 2011-05-11 02:22 30808 ----a-w- c:\windows\system32\drivers\aavmker4.sys
    2011-05-10 11:59 . 2011-05-11 02:22 19544 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
    2011-05-02 15:31 . 2008-10-13 18:40 692736 ----a-w- c:\windows\system32\inetcomm.dll
    2011-05-01 05:30 . 2011-05-01 05:30 0 ----a-w- c:\windows\system32\ConduitEngine.tmp
    2011-04-29 16:19 . 2004-08-04 12:00 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
    2011-04-25 16:11 . 2004-08-04 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
    2011-04-25 16:11 . 2004-08-04 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2011-04-25 16:11 . 2004-08-04 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
    2011-04-25 12:01 . 2004-08-04 12:00 385024 ----a-w- c:\windows\system32\html.iec
    2011-04-21 13:37 . 2004-08-04 12:00 105472 ----a-w- c:\windows\system32\drivers\mup.sys
    2011-04-05 16:03 . 2009-01-25 21:02 499712 ----a-w- c:\windows\system32\msvcp71.dll
    2011-04-05 16:03 . 2009-01-25 21:02 348160 ----a-w- c:\windows\system32\msvcr71.dll
    2011-06-13 20:19 . 2011-06-13 20:19 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
    @="{472083B0-C522-11CF-8763-00608CC02F24}"
    [HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
    2011-05-10 12:10 122512 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "cdloader"="c:\documents and settings\Ann\Application Data\mjusbsp\cdloader2.exe" [2011-05-16 50592]
    "ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2008-10-24 206112]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SoundMAXPnP"="c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-07-27 1388544]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-01-25 421160]
    "avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2011-05-10 3459712]
    "Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-05-29 449584]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [2008-12-12 9555968]
    .
    c:\documents and settings\new\Start Menu\Programs\Startup\
    LimeWire On Startup.lnk - c:\program files\LimeWire\LimeWire.exe [N/A]
    .
    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-1-21 65588]
    SanDisk Media Manager.lnk - [N/A]
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hp psc 1000 series.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\hp psc 1000 series.lnk
    backup=c:\windows\pss\hp psc 1000 series.lnkCommon Startup
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hpoddt01.exe.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\hpoddt01.exe.lnk
    backup=c:\windows\pss\hpoddt01.exe.lnkCommon Startup
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
    2007-06-28 00:03 152872 ----a-w- c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
    2007-03-01 20:57 153136 ----a-w- c:\program files\Common Files\Ahead\Lib\NeroCheck.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "Retrogamer_2zService"=2 (0x2)
    "RDSessMgr"=3 (0x3)
    "RemoteRegistry"=2 (0x2)
    "NBService"=3 (0x3)
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Nero\\Nero 7\\Nero Home\\NeroHome.exe"=
    "c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    "c:\\Program Files\\Vuze\\Azureus.exe"=
    "c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
    "c:\\Program Files\\AIM6\\aim6.exe"=
    "c:\\Program Files\\Research In Motion\\BlackBerry Desktop\\Rim.Desktop.exe"=
    "c:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"=
    "c:\\Program Files\\FrostWire\\FrostWire.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\Documents and Settings\\Sally\\Application Data\\mjusbsp\\magicJack.exe"=
    "c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\Hpqdirec.exe"=
    "c:\\Documents and Settings\\Ann\\Application Data\\mjusbsp\\magicJack.exe"=
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009
    "7302:TCP"= 7302:TCP:spport
    "7933:TCP"= 7933:TCP:spport
    "25185:TCP"= 25185:TCP:spport
    "12709:TCP"= 12709:TCP:spport
    .
    R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [5/10/2011 9:22 PM 441176]
    R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [5/10/2011 9:22 PM 307928]
    R1 GhPciScan;GhostPciScanner;c:\program files\Symantec\Norton Ghost 2003\GhPciScan.sys [12/17/2003 3:41 PM 5632]
    R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [5/10/2011 9:22 PM 19544]
    R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [6/14/2011 3:31 PM 366640]
    R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [6/14/2011 3:31 PM 22712]
    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [3/12/2010 9:50 PM 135664]
    S2 Viewpoint Manager Service;Viewpoint Manager Service; [x]
    S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [3/12/2010 9:50 PM 135664]
    S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [6/14/2011 3:31 PM 39984]
    S3 ntportio;ntportio; [x]
    .
    --- Other Services/Drivers In Memory ---
    .
    *NewlyCreated* - 14166582
    *Deregistered* - 14166582
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-06-20 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]
    .
    2010-04-17 c:\windows\Tasks\FRU Task 2003-04-10 00:56ewlett-Packard2003-04-10 00:56p psc 1200 series272A572217594EBCF1CEE215E352B92AD073FDE4238034746.job
    - c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2003-04-09 22:56]
    .
    2011-06-20 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-03-13 02:49]
    .
    2011-06-20 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-03-13 02:49]
    .
    2011-06-19 c:\windows\Tasks\ParetoLogic Registration3.job
    - c:\program files\Common Files\ParetoLogic\UUS3\UUS3.dll [2011-03-29 23:17]
    .
    2011-06-17 c:\windows\Tasks\ParetoLogic Update Version3.job
    - c:\program files\Common Files\ParetoLogic\UUS3\Pareto_Update3.exe [2011-03-29 23:17]
    .
    2011-06-20 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1390067357-602609370-682003330-1003.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2011-01-24 19:25]
    .
    2011-06-20 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1390067357-602609370-682003330-1004.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2011-01-24 19:25]
    .
    2011-06-20 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1390067357-602609370-682003330-1006.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2011-01-24 19:25]
    .
    2011-06-20 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1390067357-602609370-682003330-1007.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2011-01-24 19:25]
    .
    2011-06-19 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1390067357-602609370-682003330-1003.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2011-01-24 19:25]
    .
    2011-06-18 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1390067357-602609370-682003330-1004.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2011-01-24 19:25]
    .
    2011-06-20 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1390067357-602609370-682003330-1006.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2011-01-24 19:25]
    .
    2011-06-18 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1390067357-602609370-682003330-1007.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2011-01-24 19:25]
    .
    2011-06-20 c:\windows\Tasks\User_Feed_Synchronization-{F40D76E2-EDB6-4822-942F-381290BAA316}.job
    - c:\windows\system32\msfeedssync.exe [2007-08-13 09:31]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/
    mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
    uInternet Connection Wizard,ShellNext = hxxp://login.yahoo.com/config/reset_cookies_token?.token=VJWm1PelzYHMlI5yv1NSPzHQkgOC5HdfspxVvUQ4zdeJJbYP.3Sh0Q8TX4mMsgUnGiAjZ6Errot0R0R95qymTRe5SRC7aWqpLoWGla1XT8DZ1.p3Mlhrztg_GKeGExpdsHGx0lMEBNmaxv9n2hOwcf_Ll5J3Ml96ABq_mRMo_deyHw08CXiT0NYsXnxoboAyHw58Dg3WlFKCj4iNatL8B6ulFqmBd1C4j_X5InPz0wZh2w8mF5ILNoEEzrj3bjOhSnI6b4deybM8yWTYbtBTHdrC8BcpiZJLy5bYquPfT4WohE356mJ9xJS4BgoEFY41tDRWixTXjtwQ0KGm22Och60cIKrWG4CMJ9zpTzDq_Q36X2lJQvSEPCRfZcMWKDAbM1kWyW2KZUxyPea9uE7hzOZ77jO582Z0rdkAXtMZcd2NaRGWc8I-&.done=http%3A%2F%2Fus%2Erd%2Eyahoo%2Ecom%2Fmessenger%2Fclient%2F%3Fhttp%3A%2F%2Fmail%2Eyahoo%2Ecom%2F
    IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D1E1F7ED622A0E5D.dll/cmsidewiki.html
    TCP: DhcpNameServer = 192.168.2.1 24.217.0.5 24.217.201.67 68.113.206.10
    FF - ProfilePath - c:\documents and settings\Ann\Application Data\Mozilla\Firefox\Profiles\6biwtmo5.default\
    .
    - - - - ORPHANS REMOVED - - - -
    .
    BHO-{e4709dfb-a47d-451c-957d-e78d25263cb8} - c:\program files\whitesmoketoolbar\vmntemplateX.dll
    WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
    WebBrowser-{30AA252E-B1DF-4AA2-9C5E-194C67A7C623} - (no file)
    MSConfigStartUp-ares - c:\program files\Ares\ares.exe
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-06-20 17:43
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    .
    C:\## aswSnx private storage
    .
    scan completed successfully
    hidden files: 1
    .
    **************************************************************************
    .
    Completion time: 2011-06-20 18:08:25
    ComboFix-quarantined-files.txt 2011-06-20 23:08
    .
    Pre-Run: 71,553,187,840 bytes free
    Post-Run: 71,617,159,168 bytes free
    .
    - - End Of File - - 5E543125A67266FEE4331D6189C93A11
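The `GloballyOpenPorts` and `AuthorizedApplications` lists in the ComboFix log above are the part of that output a reviewer reads first: a Remote Desktop rule on 3389/TCP (present but disabled), four high TCP ports opened under the name "spport", which does not identify a program, and firewall exceptions for file-sharing clients. The script below is an added example, not ComboFix's code and not from the thread, that parses those two sections and lists the points worth confirming. The sample lines are copied from the posted log; the assumption that ComboFix prints a rule as `port:proto:name` when the scope and state are the defaults `*` and `Enabled` is mine, as is the list of well-known ports and file-sharing clients.

```python
"""Added example: triage the firewall-policy section of a ComboFix log.

Parses the AuthorizedApplications and GloballyOpenPorts lists and flags
remote-access rules, enabled high ports with no recognisable service
behind them, and firewall exceptions for file-sharing clients. The
sample below reproduces lines from the posted log; the handling of
ComboFix's shortened "port:proto:name" form is an assumption.
"""
import re
from dataclasses import dataclass

SAMPLE = r"""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Vuze\\Azureus.exe"=
"c:\\Program Files\\FrostWire\\FrostWire.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009
"7302:TCP"= 7302:TCP:spport
"7933:TCP"= 7933:TCP:spport
"25185:TCP"= 25185:TCP:spport
"12709:TCP"= 12709:TCP:spport
"""

SECTION_RE = re.compile(
    r"^\[HKLM\\~\\services\\sharedaccess\\parameters\\firewallpolicy\\(\w+)\\(\w+)\\List\]$")

# Ports a reviewer recognises on sight; anything else that is enabled and
# above 1023 is asked about. Assumed list for this example.
WELL_KNOWN = {
    (135, "TCP"): "RPC endpoint mapper", (139, "TCP"): "NetBIOS session",
    (445, "TCP"): "SMB", (3389, "TCP"): "Remote Desktop (RDP)",
    (137, "UDP"): "NetBIOS name", (138, "UDP"): "NetBIOS datagram",
    (1900, "UDP"): "SSDP", (2869, "TCP"): "UPnP",
}
# Substrings identifying peer-to-peer clients; assumed list for this example.
P2P_MARKERS = ("limewire", "frostwire", "azureus", "vuze", "ares",
               "bearshare", "utorrent", "bittorrent", "emule", "kazaa")


@dataclass
class PortRule:
    port: int
    proto: str
    scope: str
    enabled: bool
    name: str


def parse_firewall_section(text: str):
    """Return (authorized_app_paths, [PortRule]) from ComboFix output."""
    apps, ports, current = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group(2)        # AuthorizedApplications or GloballyOpenPorts
            continue
        if current is None or not line.startswith('"'):
            continue
        key, _, value = line.partition("=")
        key, value = key.strip('"'), value.strip()
        if current == "GloballyOpenPorts":
            port_s, proto = key.split(":")
            fields = value.split(":")[2:]   # drop the repeated port and proto
            if len(fields) >= 3:            # full form: scope:state:name
                scope, state, name = fields[0], fields[1], ":".join(fields[2:])
            else:                           # shortened form, defaults assumed
                scope, state, name = "*", "Enabled", ":".join(fields)
            ports.append(PortRule(int(port_s), proto, scope, state == "Enabled", name))
        elif current == "AuthorizedApplications":
            apps.append(key.replace("\\\\", "\\"))   # undo registry-export escaping
    return apps, ports


def triage(apps, ports):
    """List the items a reviewer should confirm with the machine's owner."""
    findings = []
    for r in ports:
        state = "enabled" if r.enabled else "disabled"
        service = WELL_KNOWN.get((r.port, r.proto))
        if service:
            findings.append(f"{r.port}/{r.proto} {state}: {service} rule present; confirm it is wanted")
        elif r.enabled and r.port >= 1024:
            findings.append(f"{r.port}/{r.proto} {state}: unexplained high port opened by rule '{r.name}'")
    for path in apps:
        if any(marker in path.lower() for marker in P2P_MARKERS):
            findings.append(f"firewall exception for file-sharing client: {path}")
    return findings


if __name__ == "__main__":
    for finding in triage(*parse_firewall_section(SAMPLE)):
        print(finding)
```

Nothing in the list is a verdict: the four "spport" rules show that something on the machine asked for inbound access on ports that map to no standard service, and the next step is to find which program registered them, not to assume they are malicious.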
  12. amb913

    amb913 Newcomer, in training Topic Starter Posts: 47

    eset log

    C:\Documents and Settings\Ann\Application Data\Sun\Java\Deployment\cache\6.0\10\7c88068a-4453c5ed Java/Agent.BV trojan
    C:\Documents and Settings\Ann\Application Data\Sun\Java\Deployment\cache\6.0\35\2b29fca3-78a77d4c a variant of Java/Agent.BR trojan
    C:\Documents and Settings\Ann\Application Data\Sun\Java\Deployment\cache\6.0\44\38e63bec-6441ee19 Java/Agent.BV trojan
    C:\Documents and Settings\Ann\Application Data\Sun\Java\Deployment\cache\6.0\44\38e63bec-681e84fb Java/Agent.BV trojan
    C:\Documents and Settings\Ann\Application Data\Sun\Java\Deployment\cache\6.0\51\4c81ed73-42a6d16b probably a variant of Java/Agent.BR trojan
    C:\Documents and Settings\Ann\Application Data\Sun\Java\Deployment\cache\6.0\56\5ad4b738-2d575940 Java/Agent.BV trojan
    C:\Documents and Settings\Ann\Application Data\Sun\Java\Deployment\cache\6.0\56\5ad4b738-5cb406e9 Java/Agent.BV trojan
    C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\1\18f94b81-16e7e569 Java/TrojanDownloader.OpenStream.NCA trojan
    C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\12\c255e4c-7d5f514b multiple threats
    C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\30\7b09de1e-3a849c7e Java/TrojanDownloader.OpenStream.NBW trojan
    C:\Documents and Settings\Sally\Application Data\Sun\Java\Deployment\cache\6.0\10\efcba0a-74ae54d2 Java/Exploit.CVE-2009-3867.AJ trojan
    C:\Documents and Settings\Sally\Application Data\Sun\Java\Deployment\cache\6.0\19\1cb06393-38555534 probably a variant of Win32/Agent.EBEARND trojan
    C:\Documents and Settings\Sally\Application Data\Sun\Java\Deployment\cache\6.0\20\3c61e454-54c412f7 probably a variant of Win32/TrojanDownloader.Agent.IGYRDAO trojan
    C:\Documents and Settings\Sally\Application Data\Sun\Java\Deployment\cache\6.0\62\4bd616be-1a785ef6 Java/Agent.BB trojan
    C:\Documents and Settings\Sally\Application Data\Sun\Java\Deployment\cache\6.0\62\777d457e-4c830462 probably a variant of Win32/TrojanDownloader.Agent.IGYRDAO trojan
    C:\Documents and Settings\Sally\Application Data\Sun\Java\Deployment\cache\6.0\7\650a1207-4f9a85f1 a variant of Java/Exploit.Agent.NAC trojan
    C:\System Volume Information\_restore{FDD30534-915E-4E2D-B02D-56DD77B62745}\RP768\A0266938.dll a variant of Win32/Toolbar.MyWebSearch.A application
    C:\System Volume Information\_restore{FDD30534-915E-4E2D-B02D-56DD77B62745}\RP768\A0266943.dll probably a variant of Win32/Toolbar.MyWebSearch.F application
    C:\System Volume Information\_restore{FDD30534-915E-4E2D-B02D-56DD77B62745}\RP768\A0266944.dll probably a variant of Win32/Toolbar.MyWebSearch.B application
    C:\System Volume Information\_restore{FDD30534-915E-4E2D-B02D-56DD77B62745}\RP768\A0266950.dll a variant of Win32/Toolbar.MyWebSearch application
    C:\TDSSKiller_Quarantine\20.06.2011_15.17.47\boot0000\tdlfs0000\tsk0003.dta a variant of Win32/Olmarik.AVQ trojan
    C:\TDSSKiller_Quarantine\20.06.2011_15.17.47\boot0000\tdlfs0000\tsk0005.dta Win32/Olmarik.AFK trojan
    C:\TDSSKiller_Quarantine\20.06.2011_15.17.47\boot0000\tdlfs0000\tsk0006.dta Win64/Olmarik.R trojan
    C:\TDSSKiller_Quarantine\20.06.2011_15.17.47\boot0000\tdlfs0000\tsk0007.dta Win64/Olmarik.R trojan
    C:\TDSSKiller_Quarantine\20.06.2011_15.17.47\boot0000\tdlfs0000\tsk0008.dta Win64/Olmarik.A trojan
    C:\TDSSKiller_Quarantine\20.06.2011_15.17.47\boot0000\tdlfs0000\tsk0009.dta Win32/Olmarik.ACQ trojan
  13. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +32

    Everything active in the ESET log is in the Java cache, so you empty it!
    To clear the Java Plug-in cache:

    • [1]. Click Start > Control Panel.
      [2]. Double-click the Java icon in the control panel. The Java Control Panel appears.
      [3]. Click Settings under Temporary Internet Files. The Temporary Files Settings dialog box appears.
      [4]. Click Delete Files. The Delete Temporary Files dialog box appears.
      [5]. Click OK on Delete Temporary Files window.
      Note: This deletes all the Downloaded Applications and Applets from the cache.
      [6]. Click Apply> OK on Temporary Files Settings window.
    Images courtesy java.com
    =============================================
    Go ahead and run the above while I get the script ready for you to run through Combofix.
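    The observation above, that every live detection sits in the Java deployment cache while the rest are System Restore or TDSSKiller quarantine copies, can be checked mechanically rather than by eye. The script below is an added example for this thread, not code from the original post or from ESET: it parses ESET log lines of the form `<path> <detection>` (a handful copied from the log posted above serve as constructed sample input), classifies each path by where it lives, pulls out the affected user profile, and reports whether the live hits are confined to the Java cache. The location rules and the assumption that the detected file names contain no spaces are mine, not ESET's.

```python
"""Triage an ESET Online Scanner log by the location of each detection.

Added example for this thread; not part of the original post or of ESET's
tooling. Classification rules are assumptions based on the Windows XP
layout visible in the posted log.
"""
import re
from collections import Counter

# Sample input: a subset of lines copied from the ESET log posted in the thread.
SAMPLE_LOG = r"""
C:\Documents and Settings\Ann\Application Data\Sun\Java\Deployment\cache\6.0\10\7c88068a-4453c5ed Java/Agent.BV trojan
C:\Documents and Settings\Sally\Application Data\Sun\Java\Deployment\cache\6.0\10\efcba0a-74ae54d2 Java/Exploit.CVE-2009-3867.AJ trojan
C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\12\c255e4c-7d5f514b multiple threats
C:\System Volume Information\_restore{FDD30534-915E-4E2D-B02D-56DD77B62745}\RP768\A0266938.dll a variant of Win32/Toolbar.MyWebSearch.A application
C:\TDSSKiller_Quarantine\20.06.2011_15.17.47\boot0000\tdlfs0000\tsk0003.dta a variant of Win32/Olmarik.AVQ trojan
"""

# Location rules (assumed): first matching rule wins, anything else is "other".
LOCATION_RULES = [
    ("java-cache", r"\\Sun\\Java\\Deployment\\cache\\"),
    ("system-restore", r"\\System Volume Information\\_restore"),
    ("tdsskiller-quarantine", r"\\TDSSKiller_Quarantine\\"),
]
# Restore points and tool quarantine hold copies of removed material, not live files.
INERT_CATEGORIES = {"system-restore", "tdsskiller-quarantine"}
USER_RE = re.compile(r"\\Documents and Settings\\([^\\]+)\\", re.IGNORECASE)


def classify_path(path):
    """Map a detected path to one of the location categories above."""
    for name, pattern in LOCATION_RULES:
        if re.search(pattern, path, re.IGNORECASE):
            return name
    return "other"


def parse_line(line):
    """Split '<path> <detection>' on the first space after the last backslash.

    Directory names may contain spaces ('Documents and Settings'), so the
    split is anchored on the file name. Assumption: the file name itself has
    no spaces, which holds for every line in the posted log.
    """
    sep = line.rfind("\\")
    if sep < 0:
        return None
    leaf, _, detection = line[sep + 1:].partition(" ")
    path = line[:sep + 1] + leaf
    m = USER_RE.search(path)
    return {
        "path": path,
        "detection": detection.strip(),
        "user": m.group(1) if m else None,
        "category": classify_path(path),
    }


def parse_eset_log(text):
    """Parse every non-empty line of an ESET log into a record."""
    rows = []
    for raw in text.strip().splitlines():
        line = raw.strip()
        if line:
            row = parse_line(line)
            if row:
                rows.append(row)
    return rows


def summarize(rows):
    """Count detections per location and decide whether live hits are Java-cache only."""
    counts = Counter(r["category"] for r in rows)
    live = [r for r in rows if r["category"] not in INERT_CATEGORIES]
    users = sorted({r["user"] for r in rows if r["user"]})
    return {
        "counts": dict(counts),
        "users": users,
        "live_only_in_java_cache": bool(live)
        and all(r["category"] == "java-cache" for r in live),
    }


if __name__ == "__main__":
    report = summarize(parse_eset_log(SAMPLE_LOG))
    for category, n in sorted(report["counts"].items()):
        print(f"{category:24s} {n}")
    print("affected profiles:", ", ".join(report["users"]))
    print("live detections confined to Java cache:", report["live_only_in_java_cache"])
```

    Feed it the full log instead of the sample and the "other" bucket is the one to read carefully: anything there is neither cache content nor an already-quarantined copy, and would need its own removal step.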
     
  14. amb913

    amb913 Newcomer, in training Topic Starter Posts: 47

    When I go to Control Panel there is no Java icon to click on, only the usual stuff: Appearance and Themes, Network, Add/Remove Programs, Sounds, Performance, Printers, Users, Date & Time, Accessibility, and Security.
  15. amb913

    amb913 Newcomer, in training Topic Starter Posts: 47

    OK, sorry, I switched to Classic View and found the Java Control Panel. Getting ready to clear it out now. Thanks.
  16. amb913

    amb913 Newcomer, in training Topic Starter Posts: 47

    I deleted the files, but it didn't give me an option to apply, so all I could do was click OK. Will it still apply what I just did?
  17. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +32

    The Settings screen comes up on top of the main Java screen once you click on 'Settings.' So when finished, you click OK on the Setting screen. It will then close. You are left with the main Java screen which is where you will see Apply> OK. Do it again to make sure. Your system is very heavily infected.
    ==========================================
    Please run this Custom CFScript:

    • [1]. Close any open browsers.
      [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      [3]. Open Notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it. Be sure to scroll down to include ALL lines.
    Code:
    File::
    c:\program files\viewpoint\common\viewpointservice.exe
    c:\docume~1\new\locals~1\temp\u\1285210895\ntportio.sys
    c:\documents and settings\Sally\Local Settings\Application Data\BIT7.tmp
    c:\program files\LimeWire\LimeWire.exe
    Folder::
    c:\documents and settings\ann\application data\whitesmoketoolbar
    c:\documents and settings\NetworkService\Application Data\whitesmoketoolbar
    c:\program files\whitesmoketoolbar
    c:\program files\StartNow Toolbar
    C:\TDSSKiller_Quarantine
    C:\found.000
    DDS::
    uInternet Connection Wizard,ShellNext = hxxp://login.yahoo.com/config/reset_cookies_token?.token=VJWm1PelzYHMlI5yv1NSPzHQkgOC5HdfspxVvUQ4zdeJJbYP .3Sh0Q8TX4mMsgUnGiAjZ6Errot0R0R95qymTRe5SRC7aWqpLoWGla1XT8DZ1.p3Mlhrztg_GKe GExpdsHGx0lMEBNmaxv9n2hOwcf_Ll5J3Ml96ABq_mRMo_deyHw08CXiT0NYsXnxoboAyHw58Dg 3WlFKCj4iNatL8B6ulFqmBd1C4j_X5InPz0wZh2w8mF5ILNoEEzrj3bjOhSnI6b4deybM8yWTYb tBTHdrC8BcpiZJLy5bYquPfT4WohE356mJ9xJS4BgoEFY41tDRWixTXjtwQ0KGm22Och60cIKrW G4CMJ9zpTzDq_Q36X2lJQvSEPCRfZcMWKDAbM1kWyW2KZUxyPea9uE7hzOZ77jO582Z0rdkAXtM Zcd2NaRGWc8I-&.done=http%3A%2F%2Fus%2Erd%2Eyahoo%2Ecom%2Fmessenger%2Fclient%2F%3Fhttp%3A %2F%2Fmail%2Eyahoo%2Ecom%2F
    uURLSearchHooks: N/A: {1c583e40-0629-4bb9-ab68-1cf539f2f782} - c:\program files\retrogamer_2z\bar\1.bin\2zSrcAs.dll
    BHO: StartNow Toolbar Helper: {6e13d095-45c3-4271-9475-f3b48227dd9f} - c:\program files\startnow toolbar\Toolbar32.dll
    BHO: {6ffed9d8-942f-4384-aa29-d3bd083a346a} - No File
    BHO: WhiteSmoke Toolbar: {e4709dfb-a47d-451c-957d-e78d25263cb8} - c:\program files\whitesmoketoolbar\vmntemplateX.dll
    TB: StartNow Toolbar: {5911488e-9d1e-40ec-8cbb-06b231cc153f} - c:\program files\startnow toolbar\Toolbar32.dll
    TB: WhiteSmoke Toolbar: {e4709dfb-a47d-451c-957d-e78d25263cb8} - c:\program files\whitesmoketoolbar\vmntemplateX.dll
    TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
    TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
    TB: {30AA252E-B1DF-4AA2-9C5E-194C67A7C623} - No File
    uRun: [ares] "c:\program files\ares\ares.exe" -h
    Extra::
    File::
    c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
    Firefox::
    Firefox-: - Profile - c:\documents and settings\ann\application data\mozilla\firefox\profiles\6biwtmo5.default\
    
    Registry::
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "Retrogamer_2zService"=-
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\FrostWire\\FrostWire.exe"=-
    Driver::
    Viewpoint Manager Service
    ntportio
    FCopy::
    
    Save this as CFScript.txt, in the same location as ComboFix.exe

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt . Please paste in your next reply.
    ====================
  18. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +32

    Unless you are an advanced user, I recommend that you uninstall FixCleaner. Hopefully you are still in the Trial Period.

    Please go to Add/Remove Programs and uninstall the following:
    • WhiteSmoke Toolbar
    • Viewpoint Media Player
    • Adobe Reader 9.1.1
    • Adobe Reader 9.3
    • Conduit Engine
    • Java(TM) 6 Update 23
    =========================================
    Update Java: Java Updates Uninstall any earlier versions in Add/Remove Programs as they are vulnerabilities for the system.
    Update the Adobe Reader: Adobe Reader site. Uninstall any earlier updates as they are vulnerabilities.
    ===========================================
    P2P - 'file sharing' Warning:
    Note: Even if you are using a "safe" P2P program, it is only the program that is safe. I suggest that you uninstall:
    • Vuze (Ares)
    • FrostWire 4.21.3
    • LimeWire
    • As long as you are using file sharing networks and programs which are from sources that are not documented, you cannot verify that a download is legitimate.
    • Malware writers use these programs to include malicious content.
    • File sharing is usually unmonitored and there is a danger that your private files might be accessed.
    • The 'sharing' also includes malware that the shared system has on it.
    • Files that are illegal can be spread through file sharing.
    Please read the information on P2P Warning to help you better understand these dangers.
    I strongly recommend that you also uninstall the file sharing programs. As long as they are on the system, you will continue to get malware:
    ===============================================
    Note: You have numerous toolbars and browser helper objects that are either foistware or malware. Some of them come from pre-checked boxes on download screens. You should carefully examine all download screens for this and uncheck any pre-checked boxes. And if you want to make an attempt to get to keep the system clean, you have to stop picking up these processes which you know nothing about.
    ===============================================
    Be Advised: You have Services running that allow remote access to your computer. This will allow someone else to make changes to the system, including the Registry. If you are in a work situation where your production is monitored, or if there is an Administrator who makes these changes as part of your job, I need to know. If this is not the case, I will have you disable both of the Services.
    ==============================================
    For the programs you have uninstalled (not updated like Java and the Adobe Reader)>>
    Right click on the Taskbar> Explore> My Computer> Double click on Local Drive (C)> Programs> for each of the programs you uninstalled, find the program folder and do a right click> Delete.
    ===========================================
    Empty the Recycle Bin
    ============================================
    Please download OTMoveIt by Old Timer and save to your desktop.
    • Double-click OTMoveIt3.exe to run it.
    • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
      Code:
      :Files  
      c:\documents and settings\ann\application data\whitesmoketoolbar
      :Commands
      [purity]
      [emptytemp]
      [start explorer]
      [Reboot]
    • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
    • Click the red Moveit! button.
    • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
    • Close OTMoveIt3
    If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
  19. amb913

    amb913 Newcomer, in training Topic Starter Posts: 47

    I tried again to "apply" my actions to Java, but the Apply box is greyed out. It won't let me apply. I did exactly what you told me to do....
  20. amb913

    amb913 Newcomer, in training Topic Starter Posts: 47

    I did exactly what you told me to do with the Java, only when I get to the Apply part, the box is grayed out, so I can't apply it.
  21. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +32

    Don't worry about it. We'll run another scan later. Please continue with my directions.
  22. amb913

    amb913 Newcomer, in training Topic Starter Posts: 47

    I made the txt file and dragged it into ComboFix, then ran ComboFix and it restarted my computer. It was making a log, but my avast anti virus restarted when ComboFix restarted my comp. avast wanted to open ComboFix in a sandbox. I clicked OK, but then the computer froze while ComboFix was preparing the log, so I had to restart it. Ugh. So, should I copy the script into a txt file again and run it again? I'm not doing anything else until I hear from you, I don't want to mess things up if they aren't already messed up. Also, should I disable my avast anti virus from startup so that this doesn't happen again when I run ComboFix next time, since I'm not supposed to run any programs or anti virus while ComboFix is running?
  23. amb913

    amb913 Newcomer, in training Topic Starter Posts: 47

    new ComboFix log

    ComboFix 11-06-22.02 - Ann 06/22/2011 22:04:34.4.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1519.1125 [GMT -5:00]
    Running from: c:\documents and settings\Ann\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\Ann\Desktop\CFScript.txt
    AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
    .
    FILE ::
    "c:\docume~1\new\locals~1\temp\u\1285210895\ntportio.sys"
    "c:\documents and settings\Sally\Local Settings\Application Data\BIT7.tmp"
    "c:\program files\LimeWire\LimeWire.exe"
    "c:\program files\viewpoint\common\viewpointservice.exe"
    "c:\program files\viewpoint\viewpoint media player\npViewpoint.dll"
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    ---- Previous Run -------
    .
    c:\documents and settings\NetworkService\Application Data\whitesmoketoolbar\dtx.ini
    c:\documents and settings\NetworkService\Application Data\whitesmoketoolbar\guid.dat
    c:\documents and settings\NetworkService\Application Data\whitesmoketoolbar\setupCfg.xml
    c:\documents and settings\new\Application Data\alot\BrowserSearch\BrowserSearch.xml
    c:\documents and settings\new\Application Data\alot\BrowserSearch\BrowserSearch.xml.backup
    c:\documents and settings\new\Application Data\alot\Button_0\Button_0.xml
    c:\documents and settings\new\Application Data\alot\Button_0\Button_0.xml.backup
    c:\documents and settings\new\Application Data\alot\Button_1\Button_1.xml
    c:\documents and settings\new\Application Data\alot\Button_1\Button_1.xml.backup
    c:\documents and settings\new\Application Data\alot\Button_2\Button_2.xml
    c:\documents and settings\new\Application Data\alot\Button_2\Button_2.xml.backup
    c:\documents and settings\new\Application Data\alot\Button_3\Button_3.xml
    c:\documents and settings\new\Application Data\alot\Button_3\Button_3.xml.backup
    c:\documents and settings\new\Application Data\alot\Button_4\Button_4.xml
    c:\documents and settings\new\Application Data\alot\Button_4\Button_4.xml.backup
    c:\documents and settings\new\Application Data\alot\Button_5\Button_5.xml
    c:\documents and settings\new\Application Data\alot\Button_5\Button_5.xml.backup
    c:\documents and settings\new\Application Data\alot\Button_6\Button_6.xml
    c:\documents and settings\new\Application Data\alot\Button_6\Button_6.xml.backup
    c:\documents and settings\new\Application Data\alot\Button_7\Button_7.xml
    c:\documents and settings\new\Application Data\alot\Button_7\Button_7.xml.backup
    c:\documents and settings\new\Application Data\alot\Button_8\Button_8.xml
    c:\documents and settings\new\Application Data\alot\Button_8\Button_8.xml.backup
    c:\documents and settings\new\Application Data\alot\configurator\configurator.xml
    c:\documents and settings\new\Application Data\alot\configurator\configurator.xml.backup
    c:\documents and settings\new\Application Data\alot\contextMenu\contextMenu.xml
    c:\documents and settings\new\Application Data\alot\contextMenu\contextMenu.xml.backup
    c:\documents and settings\new\Application Data\alot\ErrorSearch\ErrorSearch.xml
    c:\documents and settings\new\Application Data\alot\ErrorSearch\ErrorSearch.xml.backup
    c:\documents and settings\new\Application Data\alot\postInstallLayout\postInstallLayout.xml
    c:\documents and settings\new\Application Data\alot\postInstallLayout\postInstallLayout.xml.backup
    c:\documents and settings\new\Application Data\alot\products\products.xml
    c:\documents and settings\new\Application Data\alot\products\products.xml.backup
    c:\documents and settings\new\Application Data\alot\Resources\BrowserSearch\alot_search_defend.html
    c:\documents and settings\new\Application Data\alot\Resources\Button_0\images\alot_logo_button.bmp
    c:\documents and settings\new\Application Data\alot\Resources\Button_0\images\alot_logo_button.png
    c:\documents and settings\new\Application Data\alot\Resources\Button_1\images\alot_search_button.bmp
    c:\documents and settings\new\Application Data\alot\Resources\Button_1\images\alot_search_button.png
    c:\documents and settings\new\Application Data\alot\Resources\Button_2\images\default_1108_alot_games_search.bmp
    c:\documents and settings\new\Application Data\alot\Resources\Button_2\images\default_1108_alot_games_search.png
    c:\documents and settings\new\Application Data\alot\Resources\Button_3\images\default_1377_default_1174_alot_gam_gamenews.bmp
    c:\documents and settings\new\Application Data\alot\Resources\Button_3\images\default_1377_default_1174_alot_gam_gamenews.png
    c:\documents and settings\new\Application Data\alot\Resources\Button_4\images\default_1200_alot_gam_vidgamenews.bmp
    c:\documents and settings\new\Application Data\alot\Resources\Button_4\images\default_1200_alot_gam_vidgamenews.png
    c:\documents and settings\new\Application Data\alot\Resources\Button_5\images\default_1580_www.gamespot.com_button.bmp
    c:\documents and settings\new\Application Data\alot\Resources\Button_5\images\default_1580_www.gamespot.com_button.png
    c:\documents and settings\new\Application Data\alot\Resources\Button_6\images\default_1581_alot_mrkt_amazon.bmp
    c:\documents and settings\new\Application Data\alot\Resources\Button_6\images\default_1581_alot_mrkt_amazon.png
    c:\documents and settings\new\Application Data\alot\Resources\Button_7\images\default_1602_alot_mrkt_livinghealthy.bmp
    c:\documents and settings\new\Application Data\alot\Resources\Button_7\images\default_1602_alot_mrkt_livinghealthy.png
    c:\documents and settings\new\Application Data\alot\Resources\Button_8\images\default_1041_default_1045_alot_mrkt_readersdigest.bmp
    c:\documents and settings\new\Application Data\alot\Resources\Button_8\images\default_1041_default_1045_alot_mrkt_readersdigest.png
    c:\documents and settings\new\Application Data\alot\Resources\contextMenu\images\alot_logo_button.bmp
    c:\documents and settings\new\Application Data\alot\Resources\contextMenu\images\alot_logo_button.png
    c:\documents and settings\new\Application Data\alot\Resources\Shared\images\alot_brand.png
    c:\documents and settings\new\Application Data\alot\Resources\Shared\images\alot_splitter.png
    c:\documents and settings\new\Application Data\alot\TimerManager\TimerManager.xml
    c:\documents and settings\new\Application Data\alot\TimerManager\TimerManager.xml.backup
    c:\documents and settings\new\Application Data\alot\toolbar.xml
    c:\documents and settings\new\Application Data\alot\toolbar.xml.backup
    c:\documents and settings\new\Application Data\alot\ToolbarSearch\ToolbarSearch.xml
    c:\documents and settings\new\Application Data\alot\Updater\Updater.xml
    c:\documents and settings\new\Application Data\alot\Updater\Updater.xml.backup
    c:\documents and settings\Sally\Local Settings\Application Data\BIT7.tmp
    c:\found.000\file0000.chk
    c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
    c:\tdsskiller_quarantine\20.06.2011_15.17.47\boot0000\mbr0000\object.ini
    c:\tdsskiller_quarantine\20.06.2011_15.17.47\boot0000\mbr0000\tsk0000.dta
    c:\tdsskiller_quarantine\20.06.2011_15.17.47\boot0000\mbr0000\tsk0000.ini
    c:\tdsskiller_quarantine\20.06.2011_15.17.47\boot0000\object.ini
    c:\tdsskiller_quarantine\20.06.2011_15.17.47\boot0000\tdlfs0000\object.ini
    c:\tdsskiller_quarantine\20.06.2011_15.17.47\boot0000\tdlfs0000\tsk0000.dta
    c:\tdsskiller_quarantine\20.06.2011_15.17.47\boot0000\tdlfs0000\tsk0000.ini
    c:\tdsskiller_quarantine\20.06.2011_15.17.47\boot0000\tdlfs0000\tsk0001.dta
    c:\tdsskiller_quarantine\20.06.2011_15.17.47\boot0000\tdlfs0000\tsk0001.ini
    c:\tdsskiller_quarantine\20.06.2011_15.17.47\boot0000\tdlfs0000\tsk0002.dta
    c:\tdsskiller_quarantine\20.06.2011_15.17.47\boot0000\tdlfs0000\tsk0002.ini
    c:\tdsskiller_quarantine\20.06.2011_15.17.47\boot0000\tdlfs0000\tsk0003.dta
    c:\tdsskiller_quarantine\20.06.2011_15.17.47\boot0000\tdlfs0000\tsk0003.ini
    c:\tdsskiller_quarantine\20.06.2011_15.17.47\boot0000\tdlfs0000\tsk0004.dta
    c:\tdsskiller_quarantine\20.06.2011_15.17.47\boot0000\tdlfs0000\tsk0004.ini
    c:\tdsskiller_quarantine\20.06.2011_15.17.47\boot0000\tdlfs0000\tsk0005.dta
    c:\tdsskiller_quarantine\20.06.2011_15.17.47\boot0000\tdlfs0000\tsk0005.ini
    c:\tdsskiller_quarantine\20.06.2011_15.17.47\boot0000\tdlfs0000\tsk0006.dta
    c:\tdsskiller_quarantine\20.06.2011_15.17.47\boot0000\tdlfs0000\tsk0006.ini
    c:\tdsskiller_quarantine\20.06.2011_15.17.47\boot0000\tdlfs0000\tsk0007.dta
    c:\tdsskiller_quarantine\20.06.2011_15.17.47\boot0000\tdlfs0000\tsk0007.ini
    c:\tdsskiller_quarantine\20.06.2011_15.17.47\boot0000\tdlfs0000\tsk0008.dta
    c:\tdsskiller_quarantine\20.06.2011_15.17.47\boot0000\tdlfs0000\tsk0008.ini
    c:\tdsskiller_quarantine\20.06.2011_15.17.47\boot0000\tdlfs0000\tsk0009.dta
    c:\tdsskiller_quarantine\20.06.2011_15.17.47\boot0000\tdlfs0000\tsk0009.ini
    c:\tdsskiller_quarantine\20.06.2011_15.17.47\boot0000\tdlfs0000\tsk0010.dta
    c:\tdsskiller_quarantine\20.06.2011_15.17.47\boot0000\tdlfs0000\tsk0010.ini
    c:\tdsskiller_quarantine\20.06.2011_15.17.47\boot0000\tdlfs0000\tsk0011.dta
    c:\tdsskiller_quarantine\20.06.2011_15.17.47\boot0000\tdlfs0000\tsk0011.ini
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    -------\Legacy_VIEWPOINT_MANAGER_SERVICE
    -------\Service_ntportio
    -------\Service_Viewpoint Manager Service
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-05-23 to 2011-06-23 )))))))))))))))))))))))))))))))
    .
    .
    2011-06-21 15:14 . 2011-06-21 15:16 -------- d-----w- c:\documents and settings\Ann\Local Settings\Application Data\Roblox
    2011-06-20 23:19 . 2011-06-20 23:19 -------- d-----w- c:\program files\ESET
    2011-06-20 01:10 . 2011-06-20 01:10 -------- d-----w- c:\documents and settings\Ann\Application Data\InstallShield
    2011-06-19 23:40 . 2011-06-19 23:47 -------- d-----w- c:\documents and settings\Ann\Application Data\FixCleaner
    2011-06-17 08:23 . 2011-06-17 08:23 -------- d-sh--w- c:\documents and settings\Default User\IETldCache
    2011-06-16 19:53 . 2011-04-21 13:37 105472 -c----w- c:\windows\system32\dllcache\mup.sys
    2011-06-14 21:02 . 2011-06-14 21:07 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
    2011-06-14 20:31 . 2011-06-14 20:31 -------- d-----w- c:\documents and settings\Ann\Application Data\Malwarebytes
    2011-06-14 20:31 . 2011-05-29 14:11 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-06-14 20:31 . 2011-06-14 20:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2011-06-14 20:31 . 2011-06-14 20:31 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-06-14 20:31 . 2011-05-29 14:11 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-06-14 06:03 . 2011-06-14 06:03 -------- d-----w- c:\documents and settings\Ann\Application Data\vmntemplate
    2011-06-12 22:33 . 2011-06-12 22:33 -------- d-----w- c:\documents and settings\LocalService\Application Data\Apple Computer
    2011-06-05 20:43 . 2011-06-05 20:44 -------- d-----w- c:\documents and settings\Sally\Local Settings\Application Data\Roblox
    2011-05-30 22:53 . 2011-05-30 22:53 -------- d-----w- c:\documents and settings\Sally\Application Data\vmntemplate
    2011-05-30 22:53 . 2011-06-07 13:14 -------- d-----w- c:\documents and settings\Sally\Application Data\whitesmoketoolbar
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-05-20 03:15 . 2011-05-15 21:04 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2011-05-10 21:51 . 2011-05-10 21:51 388096 ----a-r- c:\documents and settings\Sally\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
    2011-05-10 12:10 . 2011-05-11 02:22 40112 ----a-w- c:\windows\avastSS.scr
    2011-05-10 12:10 . 2011-05-11 02:22 199304 ----a-w- c:\windows\system32\aswBoot.exe
    2011-05-10 12:03 . 2011-05-11 02:22 441176 ----a-w- c:\windows\system32\drivers\aswSnx.sys
    2011-05-10 12:03 . 2011-05-11 02:22 307928 ----a-w- c:\windows\system32\drivers\aswSP.sys
    2011-05-10 12:02 . 2011-05-11 02:22 49240 ----a-w- c:\windows\system32\drivers\aswTdi.sys
    2011-05-10 12:02 . 2011-05-11 02:22 102616 ----a-w- c:\windows\system32\drivers\aswmon2.sys
    2011-05-10 12:02 . 2011-05-11 02:22 96344 ----a-w- c:\windows\system32\drivers\aswmon.sys
    2011-05-10 11:59 . 2011-05-11 02:22 25432 ----a-w- c:\windows\system32\drivers\aswRdr.sys
    2011-05-10 11:59 . 2011-05-11 02:22 30808 ----a-w- c:\windows\system32\drivers\aavmker4.sys
    2011-05-10 11:59 . 2011-05-11 02:22 19544 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
    2011-05-02 15:31 . 2008-10-13 18:40 692736 ----a-w- c:\windows\system32\inetcomm.dll
    2011-05-01 05:30 . 2011-05-01 05:30 0 ----a-w- c:\windows\system32\ConduitEngine.tmp
    2011-04-29 16:19 . 2004-08-04 12:00 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
    2011-04-25 16:11 . 2004-08-04 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
    2011-04-25 16:11 . 2004-08-04 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2011-04-25 16:11 . 2004-08-04 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
    2011-04-25 12:01 . 2004-08-04 12:00 385024 ----a-w- c:\windows\system32\html.iec
    2011-04-21 13:37 . 2004-08-04 12:00 105472 ----a-w- c:\windows\system32\drivers\mup.sys
    2011-04-05 16:03 . 2009-01-25 21:02 499712 ----a-w- c:\windows\system32\msvcp71.dll
    2011-04-05 16:03 . 2009-01-25 21:02 348160 ----a-w- c:\windows\system32\msvcr71.dll
    2011-06-21 05:45 . 2011-06-21 05:45 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
    @="{472083B0-C522-11CF-8763-00608CC02F24}"
    [HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
    2011-05-10 12:10 122512 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "cdloader"="c:\documents and settings\Ann\Application Data\mjusbsp\cdloader2.exe" [2011-05-16 50592]
    "ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2008-10-24 206112]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SoundMAXPnP"="c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-07-27 1388544]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-01-25 421160]
    "avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2011-05-10 3459712]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [2008-12-12 9555968]
    .
    c:\documents and settings\new\Start Menu\Programs\Startup\
    LimeWire On Startup.lnk - c:\program files\LimeWire\LimeWire.exe [N/A]
    .
    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-1-21 65588]
    SanDisk Media Manager.lnk - [N/A]
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hp psc 1000 series.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\hp psc 1000 series.lnk
    backup=c:\windows\pss\hp psc 1000 series.lnkCommon Startup
    .
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hpoddt01.exe.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\hpoddt01.exe.lnk
    backup=c:\windows\pss\hpoddt01.exe.lnkCommon Startup
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
    2007-06-28 00:03 152872 ----a-w- c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes' Anti-Malware]
    2011-05-29 14:11 449584 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
    2007-03-01 20:57 153136 ----a-w- c:\program files\Common Files\Ahead\Lib\NeroCheck.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "RDSessMgr"=3 (0x3)
    "RemoteRegistry"=2 (0x2)
    "NBService"=3 (0x3)
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Nero\\Nero 7\\Nero Home\\NeroHome.exe"=
    "c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    "c:\\Program Files\\Vuze\\Azureus.exe"=
    "c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
    "c:\\Program Files\\AIM6\\aim6.exe"=
    "c:\\Program Files\\Research In Motion\\BlackBerry Desktop\\Rim.Desktop.exe"=
    "c:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"=
    "c:\\Program Files\\FrostWire\\FrostWire.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\Hpqdirec.exe"=
    "c:\\Documents and Settings\\Sally\\Application Data\\mjusbsp\\magicJack.exe"=
    "c:\\Documents and Settings\\Ann\\Application Data\\mjusbsp\\magicJack.exe"=
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009
    "7302:TCP"= 7302:TCP:spport
    "7933:TCP"= 7933:TCP:spport
    "25185:TCP"= 25185:TCP:spport
    "12709:TCP"= 12709:TCP:spport
    .
    R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [5/10/2011 9:22 PM 441176]
    R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [5/10/2011 9:22 PM 307928]
    R1 GhPciScan;GhostPciScanner;c:\program files\Symantec\Norton Ghost 2003\GhPciScan.sys [12/17/2003 3:41 PM 5632]
    R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [5/10/2011 9:22 PM 19544]
    R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [6/14/2011 3:31 PM 366640]
    R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [6/14/2011 3:31 PM 22712]
    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [3/12/2010 9:50 PM 135664]
    S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [3/12/2010 9:50 PM 135664]
    S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [6/14/2011 3:31 PM 39984]
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-06-20 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]
    .
    2010-04-17 c:\windows\Tasks\FRU Task 2003-04-10 00:56ewlett-Packard2003-04-10 00:56p psc 1200 series272A572217594EBCF1CEE215E352B92AD073FDE4238034746.job
    - c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2003-04-09 22:56]
    .
    2011-06-23 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-03-13 02:49]
    .
    2011-06-23 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-03-13 02:49]
    .
    2011-06-22 c:\windows\Tasks\ParetoLogic Registration3.job
    - c:\program files\Common Files\ParetoLogic\UUS3\UUS3.dll [2011-03-29 23:17]
    .
    2011-06-17 c:\windows\Tasks\ParetoLogic Update Version3.job
    - c:\program files\Common Files\ParetoLogic\UUS3\Pareto_Update3.exe [2011-03-29 23:17]
    .
    2011-06-23 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1390067357-602609370-682003330-1003.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2011-01-24 19:25]
    .
    2011-06-23 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1390067357-602609370-682003330-1004.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2011-01-24 19:25]
    .
    2011-06-23 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1390067357-602609370-682003330-1006.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2011-01-24 19:25]
    .
    2011-06-23 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1390067357-602609370-682003330-1007.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2011-01-24 19:25]
    .
    2011-06-19 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1390067357-602609370-682003330-1003.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2011-01-24 19:25]
    .
    2011-06-23 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1390067357-602609370-682003330-1004.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2011-01-24 19:25]
    .
    2011-06-23 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1390067357-602609370-682003330-1006.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2011-01-24 19:25]
    .
    2011-06-18 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1390067357-602609370-682003330-1007.job
    - c:\program files\Real\RealUpgrade\realupgrade.exe [2011-01-24 19:25]
    .
    2011-06-23 c:\windows\Tasks\User_Feed_Synchronization-{F40D76E2-EDB6-4822-942F-381290BAA316}.job
    - c:\windows\system32\msfeedssync.exe [2007-08-13 09:31]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/
    mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
    IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D1E1F7ED622A0E5D.dll/cmsidewiki.html
    TCP: DhcpNameServer = 192.168.2.1 24.217.0.5 24.217.201.67 68.113.206.10
    FF - ProfilePath - c:\documents and settings\Ann\Application Data\Mozilla\Firefox\Profiles\6biwtmo5.default\
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-06-22 22:28
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    .
    C:\## aswSnx private storage
    .
    scan completed successfully
    hidden files: 1
    .
    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'explorer.exe'(3284)
    c:\windows\system32\WININET.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    Completion time: 2011-06-22 22:42:01
    ComboFix-quarantined-files.txt 2011-06-23 03:41
    ComboFix2.txt 2011-06-20 23:08
    .
    Pre-Run: 73,764,737,024 bytes free
    Post-Run: 73,802,522,624 bytes free
    .
    - - End Of File - - CEF555C07022D181831867323D8E61FF
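The firewall-policy section of the ComboFix log above lists every program allowed through the XP firewall and every globally opened port. Reading it by eye is error-prone, so here is an added Python triage script (not part of the original post, and not a ComboFix feature) that parses those two registry lists and flags two things a reviewer would want to look at: globally open ports whose label is free text such as `spport` rather than a Windows resource string (`@dll,-id`) and that are not on a small expected-ports allowlist, and authorized applications that run from a per-user profile directory, which any user-level process can write to. The sample lines are copied from the log above; the allowlist, the profile-path heuristic and the function names are this example's assumptions, and flagging an entry means "verify it", not "it is malicious".

```python
"""Triage the Windows Firewall policy section of a ComboFix log.

Added example, not ComboFix code. Parses the two lists ComboFix prints for the
standard firewall profile, AuthorizedApplications\\List and
GloballyOpenPorts\\List, and reports entries worth a second look.
"""
import re
from dataclasses import dataclass, field

# Constructed input: lines copied from the ComboFix log in this thread.
SAMPLE_LOG = r"""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Vuze\\Azureus.exe"=
"c:\\Documents and Settings\\Sally\\Application Data\\mjusbsp\\magicJack.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009
"7302:TCP"= 7302:TCP:spport
"25185:TCP"= 25185:TCP:spport
.
"""

# Assumption: ports a reviewer expects to see opened globally on an XP box.
EXPECTED_PORTS = {"3389:TCP", "139:TCP", "445:TCP", "137:UDP", "138:UDP"}

# Assumption: anything under a user profile is writable by that user's processes.
USER_PROFILE_RE = re.compile(r"^(c:\\documents and settings|%userprofile%)", re.I)
SECTION_RE = re.compile(r"^\[.*firewallpolicy\\standardprofile\\(\w+)\\List\]$", re.I)
PORT_RE = re.compile(r'^"(?P<key>\d+:(?:TCP|UDP))"=\s*(?P<spec>.+)$', re.I)
APP_RE = re.compile(r'^"(?P<path>[^"]+)"=')


@dataclass
class Findings:
    unexpected_ports: list = field(default_factory=list)   # (key, label)
    disabled_ports: list = field(default_factory=list)     # key
    user_profile_apps: list = field(default_factory=list)  # path


def parse_port_spec(spec):
    """Split a value such as '3389:TCP:*:Disabled:@xpsp2res.dll,-22009' or the
    short form '7302:TCP:spport'. Returns (enabled, label)."""
    fields = spec.split(":")
    enabled = "Disabled" not in fields
    return enabled, fields[-1]


def triage_firewall_policy(log_text):
    """Walk the log once, tracking which firewall list we are inside."""
    findings = Findings()
    section = None
    for raw in log_text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1).lower()
            continue
        if not line or line == ".":
            continue
        if line.startswith("["):        # some other registry key: leave the list
            section = None
            continue
        if section == "globallyopenports":
            pm = PORT_RE.match(line)
            if not pm:
                continue
            key = pm.group("key").upper()
            enabled, label = parse_port_spec(pm.group("spec"))
            if not enabled:
                findings.disabled_ports.append(key)
            elif not label.startswith("@") and key not in EXPECTED_PORTS:
                findings.unexpected_ports.append((key, label))
        elif section == "authorizedapplications":
            am = APP_RE.match(line)
            if not am:
                continue
            # ComboFix prints registry backslashes doubled; collapse them.
            path = am.group("path").replace("\\\\", "\\")
            if USER_PROFILE_RE.match(path):
                findings.user_profile_apps.append(path)
    return findings


if __name__ == "__main__":
    result = triage_firewall_policy(SAMPLE_LOG)
    for key, label in result.unexpected_ports:
        print(f"open port {key} labelled '{label}': identify the owning program")
    for path in result.user_profile_apps:
        print(f"firewall exception for user-profile binary: {path}")
```

Run it against the whole ComboFix.txt instead of `SAMPLE_LOG` to get the full list; on the log above it reports the four `spport` ports (7302, 7933, 25185, 12709) and the two per-user `magicJack.exe` exceptions, while the disabled Remote Desktop entry on 3389 is recorded but not flagged.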
  24. amb913

    amb913 Newcomer, in training Topic Starter Posts: 47

    otm log

    All processes killed
    ========== FILES ==========
    File/Folder c:\documents and settings\ann\application data\whitesmoketoolbar not found.
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: Administrator
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 67 bytes
    ->Flash cache emptied: 42276 bytes

    User: All Users

    User: Ann
    ->Temp folder emptied: 10434215 bytes
    ->Temporary Internet Files folder emptied: 12627995 bytes
    ->Java cache emptied: 15088 bytes
    ->FireFox cache emptied: 94403238 bytes
    ->Google Chrome cache emptied: 7814998 bytes
    ->Flash cache emptied: 139448 bytes

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 67 bytes
    ->Flash cache emptied: 41620 bytes

    User: Guest
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 78991 bytes

    User: jackie
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 78991 bytes
    ->Java cache emptied: 10926993 bytes
    ->Flash cache emptied: 7330 bytes

    User: LocalService
    ->Temp folder emptied: 65748 bytes
    ->Temporary Internet Files folder emptied: 8454278 bytes
    ->Flash cache emptied: 43607 bytes

    User: NetworkService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 67 bytes
    ->Java cache emptied: 84618 bytes
    ->Flash cache emptied: 106158 bytes

    User: new
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 5243058 bytes
    ->Java cache emptied: 43629546 bytes
    ->FireFox cache emptied: 49783626 bytes
    ->Flash cache emptied: 149155 bytes

    User: Sally
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 294871 bytes
    ->Java cache emptied: 248356617 bytes
    ->FireFox cache emptied: 81315229 bytes
    ->Google Chrome cache emptied: 17632275 bytes
    ->Flash cache emptied: 46622 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 2162283 bytes
    %systemroot%\System32 .tmp files removed: 2675729 bytes
    %systemroot%\System32\dllcache .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 52419 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
    RecycleBin emptied: 0 bytes

    Total Files Cleaned = 569.00 mb


    OTM by OldTimer - Version 3.1.18.0 log created on 06222011_235049
  25. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +32

    I need to clarify this. You are collecting malware between play sushi and gamevance.com. Mbam found the following entries:
    But it appears that you unchecked them so as not to remove the entries.

    But on the other hand, Mbam did remove all entries for the following:
    Now it seems to me that it's useless to keep removing adware/spyware from gamevance if you go there to play sushi!