Inactive Boot sector virus : mbr:// physicaldrive0


amb913

Hi all! I have been reading up on this virus, and actually had someone come over who knows a lot about computers to try and get rid of it. I have been told I probably need to reformat the hard drive, or reinstall Windows XP. I was wondering if there is a way to get rid of this virus without reformatting or reinstalling the OS? I have the free version of Avast and it catches the virus, but since it's in the boot sector, it won't delete it, since it just shows back up when I go to reboot. grrr.

I don't know if this is a bootkit virus or a rootkit, and is there a difference?
 
Welcome to TechSpot! Before I attempt to help you, I need some information that will show me what is in the system. You don't mention what your problems are though and knowing that would be very helpful.

Please follow the steps in the Preliminary Virus and Malware Removal thread HERE.

NOTE: If you already have any of the scanning programs on the computer, please remove them and download the versions in these links.

When you have finished, leave the logs for review in your next reply.
NOTE: Logs must be pasted in the replies. Attached logs will not be reviewed.

Please do not use any other cleaning programs or scans while I'm helping you, unless I direct you to. Do not use a Registry cleaner or make any changes in the Registry.
=====================================
My Guidelines: please read and follow:
  • Be patient. Malware cleaning takes time and I am also working with other members while I am helping you.
  • Read my instructions carefully. If you don't understand or have a problem, ask me.
  • Follow the order of the tasks I give you. Order is crucial in cleaning process.
  • File sharing programs should be uninstalled or disabled during the cleaning process.
  • Observe these:
    [o] Don't use any other cleaning programs or scans while I'm helping you.
    [o] Don't use a Registry cleaner or make any changes in the Registry.
    [o] Don't download and install new programs- except those I give you.
  • Reminder to be patient
If I have not replied for 2 days, you can send me a PM reminder. Include the URL of your thread. Please do not send me a PM to tell me your logs are up.
If I don't get a reply from you in 5 days, the thread will be closed. If your problem persists, you can send a PM to reopen it.
=====================================
 
Thanks for the reply. The problem I am having is this: my computer will start up fine, but after being on for about 10 minutes it slows to the point that it freezes up and I have to restart it. I use magicJack for my phone, so I have to restart my computer every half hour or so, and it gets really annoying. If I open the Task Manager when it starts getting slow, I see a svchost.exe process is always taking up at least 80 CPU and at least 300,000K mem usage. If I end the process, it speeds back up, but I lose my Win XP skins and volume for some programs. I don't know a lot about computers, so please be patient with me. Also, I HAVE to be able to use my computer in order to receive and make phone calls, so it's important that I can still get online during the cleaning process. Is that going to be a problem? I am going to install the programs mentioned in your post and paste the results in a reply ASAP. Thanks again.
 
Take your time. Read the instructions carefully. Run the scans as directed. Post when ready.
 
Here is the report from Malwarebytes:

Malwarebytes' Anti-Malware 1.51.0.1200
www.malwarebytes.org

Database version: 6858

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

6/14/2011 4:13:25 PM
mbam-log-2011-06-14 (16-13-25).txt

Scan type: Quick scan
Objects scanned: 252920
Time elapsed: 39 minute(s), 29 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 16
Registry Values Infected: 3
Registry Data Items Infected: 0
Folders Infected: 12
Files Infected: 17

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{96AFBE69-C3B0-4b00-8578-D933D2896EE2} (TrojanProxy.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{0ED403E8-470A-4A8A-85A4-D7688CFE39A3} (Adware.Gamevance) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{0ED403E8-470A-4A8A-85A4-D7688CFE39A3} (Adware.Gamevance) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{258C9770-1713-4021-8D7E-1F184A2BD754} (Adware.ShoppingReport2) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{258C9770-1713-4021-8D7E-1F184A2BD754} (Adware.ShoppingReport2) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{F02FABCB-92DD-475A-98AF-14217BD50746} (Adware.Gamevance) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{F02FABCB-92DD-475A-98AF-14217BD50746} (Adware.Gamevance) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{BDEA95CF-F0E6-41E0-BD3D-B00F39A4E939} (Adware.ShoppingReport2) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{BEAC7DC8-E106-4C6A-931E-5A42E7362883} (Adware.GameVance) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{DB38E21A-0133-419D-92AD-ECDFD5244D6D} (Adware.ShoppingReport2) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{EB620C54-E229-4942-87CE-E717109FC8C6} (Adware.ShoppingReport2) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A078F691-9C07-4AF2-BF43-35E79EECF8B7} (Adware.Softomate) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\sp (TrojanProxy.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\AppDataLow\gvtl (Adware.GameVance) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\sp (TrojanProxy.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SPService (TrojanProxy.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{96AFBE69-C3B0-4B00-8578-D933D2896EE2} (TrojanProxy.Agent) -> Value: {96AFBE69-C3B0-4B00-8578-D933D2896EE2} -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{96AFBE69-C3B0-4b00-8578-D933D2896EE2} (TrojanProxy.Agent) -> Value: {96AFBE69-C3B0-4b00-8578-D933D2896EE2} -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\netsvc (TrojanProxy.Agent) -> Value: netsvc -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
c:\documents and settings\new\application data\shoppingreport2 (Adware.ShoppingReport2) -> Quarantined and deleted successfully.
c:\documents and settings\new\application data\shoppingreport2\cs (Adware.ShoppingReport2) -> Quarantined and deleted successfully.
c:\documents and settings\new\application data\shoppingreport2\cs\db (Adware.ShoppingReport2) -> Quarantined and deleted successfully.
c:\documents and settings\new\application data\shoppingreport2\cs\dwld (Adware.ShoppingReport2) -> Quarantined and deleted successfully.
c:\documents and settings\new\application data\shoppingreport2\cs\report (Adware.ShoppingReport2) -> Quarantined and deleted successfully.
c:\documents and settings\new\application data\shoppingreport2\cs\res1 (Adware.ShoppingReport2) -> Quarantined and deleted successfully.
c:\documents and settings\new\application data\Mozilla\extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\textlinks@gamevance.com (Adware.GamesVance) -> Quarantined and deleted successfully.
c:\documents and settings\new\application data\Mozilla\extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\textlinks@gamevance.com\chrome (Adware.GamesVance) -> Quarantined and deleted successfully.
c:\documents and settings\new\application data\Mozilla\extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\textlinks@gamevance.com\components (Adware.GamesVance) -> Quarantined and deleted successfully.
c:\documents and settings\new\application data\Mozilla\extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\textlinks@playsushi.com (PUP.PlaySushi) -> Not selected for removal.
c:\documents and settings\new\application data\Mozilla\extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\textlinks@playsushi.com\chrome (PUP.PlaySushi) -> Not selected for removal.
c:\documents and settings\new\application data\Mozilla\extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\textlinks@playsushi.com\components (PUP.PlaySushi) -> Not selected for removal.

Files Infected:
c:\WINDOWS\system32\winset.ini (Malware.Trace) -> Quarantined and deleted successfully.
c:\documents and settings\new\application data\shoppingreport2\cs\Config.xml (Adware.ShoppingReport2) -> Quarantined and deleted successfully.
c:\documents and settings\new\application data\shoppingreport2\cs\db\Aliases.dbs (Adware.ShoppingReport2) -> Quarantined and deleted successfully.
c:\documents and settings\new\application data\shoppingreport2\cs\db\Sites.dbs (Adware.ShoppingReport2) -> Quarantined and deleted successfully.
c:\documents and settings\new\application data\shoppingreport2\cs\dwld\whitelist.xip (Adware.ShoppingReport2) -> Quarantined and deleted successfully.
c:\documents and settings\new\application data\shoppingreport2\cs\report\aggr_storage.xml (Adware.ShoppingReport2) -> Quarantined and deleted successfully.
c:\documents and settings\new\application data\shoppingreport2\cs\report\send_storage.xml (Adware.ShoppingReport2) -> Quarantined and deleted successfully.
c:\documents and settings\new\application data\shoppingreport2\cs\res1\whitelist.dbs (Adware.ShoppingReport2) -> Quarantined and deleted successfully.
c:\documents and settings\new\application data\Mozilla\extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\textlinks@gamevance.com\chrome.manifest (Adware.GamesVance) -> Quarantined and deleted successfully.
c:\documents and settings\new\application data\Mozilla\extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\textlinks@gamevance.com\install.rdf (Adware.GamesVance) -> Quarantined and deleted successfully.
c:\documents and settings\new\application data\Mozilla\extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\textlinks@gamevance.com\chrome\gvtextlinks.jar (Adware.GamesVance) -> Quarantined and deleted successfully.
c:\documents and settings\new\application data\Mozilla\extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\textlinks@gamevance.com\components\gvtlf.xpt (Adware.GamesVance) -> Quarantined and deleted successfully.
c:\documents and settings\new\application data\Mozilla\extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\textlinks@playsushi.com\chrome.manifest (PUP.PlaySushi) -> Not selected for removal.
c:\documents and settings\new\application data\Mozilla\extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\textlinks@playsushi.com\install.rdf (PUP.PlaySushi) -> Not selected for removal.
c:\documents and settings\new\application data\Mozilla\extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\textlinks@playsushi.com\chrome\pstextlinks.jar (PUP.PlaySushi) -> Not selected for removal.
c:\documents and settings\new\application data\Mozilla\extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\textlinks@playsushi.com\components\playsushiff.dll (PUP.PlaySushi) -> Not selected for removal.
c:\documents and settings\new\application data\Mozilla\extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\textlinks@playsushi.com\components\playsushiff.xpt (PUP.PlaySushi) -> Not selected for removal.
 
GMER log

GMER 1.0.15.15640 - http://www.gmer.net
Rootkit quick scan 2011-06-14 16:37:02
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP3T0L0-7 ST3120026AS rev.3.18
Running: j1477u75.exe; Driver: C:\DOCUME~1\Ann\LOCALS~1\Temp\agxdykoc.sys


---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 TDL4@MBR code has been found <-- ROOTKIT !!!
Disk \Device\Harddisk0\DR0 sector 00: rootkit-like behavior

---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwEnumerateKey [0xB4B99BF2]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwEnumerateValueKey [0xB4B99A5D]

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateProcessEx [0xB4BF1902]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObInsertObject
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObMakeTemporaryObject

---- Devices - GMER 1.0.15 ----

Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort0 8A58C53B
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort1 8A58C53B
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort2 8A58C53B
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort3 8A58C53B
Device \FileSystem\Ntfs \Ntfs aswSP.SYS (avast! self protection module/AVAST Software)

AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/AVAST Software)
AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)

---- EOF - GMER 1.0.15 ----
 
DDS txt

Sorry, I submitted these separately. I was confused following the directions, but hopefully I did it right anyway. Here are the 2 logs from the DDS scan. I will wait for a reply from you before posting again.

.
DDS (Ver_2011-06-12.02) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_23
Run by Ann at 17:04:04 on 2011-06-14
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1519.965 [GMT -5:00]
.
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\Program Files\AVAST Software\Avast\AvastSvc.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\StartNow Toolbar\ToolbarUpdaterService.exe
C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Analog Devices\SoundMAX\smax4.exe
C:\Program Files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\AVAST Software\Avast\avastUI.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Documents and Settings\All Users\SanDiskMediaManager-Launcher.EXE
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\WINDOWS\system32\rsvp.exe
C:\Program Files\AVAST Software\Avast\setup\avast.setup
C:\WINDOWS\system32\wscntfy.exe
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = hxxp://login.yahoo.com/config/reset_cookies_token?.token=VJWm1PelzYHMlI5yv1NSPzHQkgOC5HdfspxVvUQ4zdeJJbYP.3Sh0Q8TX4mMsgUnGiAjZ6Errot0R0R95qymTRe5SRC7aWqpLoWGla1XT8DZ1.p3Mlhrztg_GKeGExpdsHGx0lMEBNmaxv9n2hOwcf_Ll5J3Ml96ABq_mRMo_deyHw08CXiT0NYsXnxoboAyHw58Dg3WlFKCj4iNatL8B6ulFqmBd1C4j_X5InPz0wZh2w8mF5ILNoEEzrj3bjOhSnI6b4deybM8yWTYbtBTHdrC8BcpiZJLy5bYquPfT4WohE356mJ9xJS4BgoEFY41tDRWixTXjtwQ0KGm22Och60cIKrWG4CMJ9zpTzDq_Q36X2lJQvSEPCRfZcMWKDAbM1kWyW2KZUxyPea9uE7hzOZ77jO582Z0rdkAXtMZcd2NaRGWc8I-&.done=http%3A%2F%2Fus%2Erd%2Eyahoo%2Ecom%2Fmessenger%2Fclient%2F%3Fhttp%3A%2F%2Fmail%2Eyahoo%2Ecom%2F
mSearchAssistant = hxxp://search.live.com/sphome.aspx
uURLSearchHooks: N/A: {1c583e40-0629-4bb9-ab68-1cf539f2f782} - c:\program files\retrogamer_2z\bar\1.bin\2zSrcAs.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\ie\rpbrowserrecordplugin.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: StartNow Toolbar Helper: {6e13d095-45c3-4271-9475-f3b48227dd9f} - c:\program files\startnow toolbar\Toolbar32.dll
BHO: {6ffed9d8-942f-4384-aa29-d3bd083a346a} - No File
BHO: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: WhiteSmoke Toolbar: {e4709dfb-a47d-451c-957d-e78d25263cb8} - c:\program files\whitesmoketoolbar\vmntemplateX.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\avast software\avast\aswWebRepIE.dll
TB: StartNow Toolbar: {5911488e-9d1e-40ec-8cbb-06b231cc153f} - c:\program files\startnow toolbar\Toolbar32.dll
TB: WhiteSmoke Toolbar: {e4709dfb-a47d-451c-957d-e78d25263cb8} - c:\program files\whitesmoketoolbar\vmntemplateX.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
TB: {30AA252E-B1DF-4AA2-9C5E-194C67A7C623} - No File
TB: &Inbox Toolbar: {d7e97865-918f-41e4-9cd0-25ab1c574ce8} - c:\progra~1\inboxt~1\Inbox.dll
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\ahead\lib\NMBgMonitor.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [Aim6]
uRun: [ares] "c:\program files\ares\ares.exe" -h
uRun: [cdloader] "c:\documents and settings\ann\application data\mjusbsp\cdloader2.exe" MAGICJACK
mRun: [SoundMAXPnP] c:\program files\analog devices\soundmax\SMax4PNP.exe
mRun: [SoundMAX] "c:\program files\analog devices\soundmax\smax4.exe" /tray
mRun: [NeroFilterCheck] c:\program files\common files\ahead\lib\NeroCheck.exe
mRun: [GhostStartTrayApp] c:\program files\symantec\norton ghost 2003\GhostStartTrayApp.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [avast] "c:\program files\avast software\avast\avastUI.exe" /nogui
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
dRun: [MySpaceIM] c:\program files\myspace\im\MySpaceIM.exe
StartupFolder: c:\docume~1\ann\startm~1\programs\startup\yahoo!~1.lnk - c:\program files\yahoo!\widgets\YahooWidgets.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hppsc1~1.lnk - c:\program files\hewlett-packard\digital imaging\bin\hpohmr08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpoddt~1.lnk - c:\program files\hewlett-packard\digital imaging\bin\hpotdd01.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\SANDIS~1.LNK -
IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_D1E1F7ED622A0E5D.dll/cmsidewiki.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {48DD0448-9209-4F81-9F6D-D83562940134} - hxxp://lads.myspace.com/upload/MySpaceUploader1006.cab
DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} - hxxps://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {924B4927-D3BA-41EA-9F7E-8A89194AB3AC} - hxxp://panda-plugin.disney.go.com/plugin/win32/p3dactivex.cab
DPF: {9C23D886-43CB-43DE-B2DB-112A68D7E10A} - hxxp://lads.myspace.com/upload/MySpaceUploader2.cab
DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
Hosts: 127.0.0.1 www.spywareinfo.com
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\ann\application data\mozilla\firefox\profiles\6biwtmo5.default\
FF - component: c:\program files\microsoft\search enhancement pack\default manager\dmextension\components\FFGlobalExtension.dll
FF - component: c:\program files\microsoft\search enhancement pack\search helper\firefoxextension\searchhelperextension\components\SEPsearchhelperff.dll
FF - plugin: c:\documents and settings\all users\application data\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll
FF - plugin: c:\program files\common files\research in motion\bbwebsllauncher\NPWebSLLauncher.dll
FF - plugin: c:\program files\gametap\bin\release\npgametaptool.dll
FF - plugin: c:\program files\google\update\1.3.21.57\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60310.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\extensions\gametapplayer@gametap.com\plugins\npGameTapWebPlayer.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\program files\retrogamer_2z\bar\1.bin\NP2zStub.dll
FF - plugin: c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
.
============= SERVICES / DRIVERS ===============
.
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2011-5-10 441176]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2011-5-10 307928]
R1 GhPciScan;GhostPciScanner;c:\program files\symantec\norton ghost 2003\GhPciScan.sys [2003-12-17 5632]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2011-5-10 19544]
R2 avast! Antivirus;avast! Antivirus;c:\program files\avast software\avast\AvastSvc.exe [2011-5-10 42184]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2011-6-14 366640]
R2 Toolbar Updater Service;Toolbar Updater Service;c:\program files\startnow toolbar\ToolbarUpdaterService.exe [2011-3-24 199904]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2011-6-14 22712]
S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-3-12 135664]
S2 Viewpoint Manager Service;Viewpoint Manager Service;"c:\program files\viewpoint\common\viewpointservice.exe" --> c:\program files\viewpoint\common\ViewpointService.exe [?]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2010-3-12 135664]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2011-6-14 39984]
S3 ntportio;ntportio;\??\c:\docume~1\new\locals~1\temp\u\1285210895\ntportio.sys --> c:\docume~1\new\locals~1\temp\u\1285210895\ntportio.sys [?]
.
=============== Created Last 30 ================
.
2011-06-14 20:31:40 -------- d-----w- c:\documents and settings\ann\application data\Malwarebytes
2011-06-14 20:31:29 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-06-14 20:31:28 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2011-06-14 20:31:22 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-06-14 20:31:22 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-06-14 06:03:00 -------- d-----w- c:\documents and settings\ann\application data\vmntemplate
2011-06-13 20:19:02 19416 ----a-w- c:\program files\mozilla firefox\AccessibleMarshal.dll
2011-06-13 20:19:01 2106216 ----a-w- c:\program files\mozilla firefox\D3DCompiler_43.dll
2011-06-13 20:19:01 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
2011-06-13 20:19:01 125912 ----a-w- c:\program files\mozilla firefox\crashreporter.exe
2011-06-13 20:19:00 1998168 ----a-w- c:\program files\mozilla firefox\d3dx9_43.dll
2011-06-13 20:18:59 924632 ----a-w- c:\program files\mozilla firefox\firefox.exe
2011-06-13 20:18:58 89048 ----a-w- c:\program files\mozilla firefox\libEGL.dll
2011-06-13 20:18:58 719832 ----a-w- c:\program files\mozilla firefox\mozcpp19.dll
2011-06-13 20:18:58 465880 ----a-w- c:\program files\mozilla firefox\libGLESv2.dll
2011-06-13 20:18:58 269272 ----a-w- c:\program files\mozilla firefox\freebl3.dll
2011-06-13 20:18:58 15832 ----a-w- c:\program files\mozilla firefox\mozalloc.dll
2011-06-13 20:18:57 715736 ----a-w- c:\program files\mozilla firefox\mozcrt19.dll
2011-06-13 20:18:56 781272 ----a-w- c:\program files\mozilla firefox\mozsqlite3.dll
2011-06-13 20:18:56 203736 ----a-w- c:\program files\mozilla firefox\nspr4.dll
2011-06-13 20:18:56 1850328 ----a-w- c:\program files\mozilla firefox\mozjs.dll
2011-06-12 22:30:40 -------- d-----w- c:\documents and settings\ann\application data\whitesmoketoolbar
2011-06-08 05:53:27 -------- d-----w- c:\program files\ishutdown
2011-05-30 19:41:23 -------- d-----w- c:\program files\whitesmoketoolbar
2011-05-21 08:18:52 -------- d-----w- c:\program files\StartNow Toolbar
2011-05-21 00:27:31 -------- d-----w- c:\program files\common files\SWF Studio
2011-05-21 00:27:14 -------- d-----w- c:\program files\Bingo Palace
2011-05-17 01:23:56 -------- d-----w- c:\documents and settings\ann\local settings\application data\WMTools Downloaded Files
.
==================== Find3M ====================
.
2011-05-20 03:15:52 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-05-10 12:10:59 40112 ----a-w- c:\windows\avastSS.scr
2011-05-10 12:03:54 441176 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2011-05-01 05:30:32 0 ----a-w- c:\windows\system32\ConduitEngine.tmp
2011-04-05 16:03:24 499712 ----a-w- c:\windows\system32\msvcp71.dll
2011-04-05 16:03:24 348160 ----a-w- c:\windows\system32\msvcr71.dll
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: ST3120026AS rev.3.18 -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP3T0L0-7
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8A5C46F0]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x8a5caa10]; MOV EAX, [0x8a5caa8c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 nt!IofCallDriver[0x804E13B9] -> \Device\Harddisk0\DR0[0x8A670AB8]
3 CLASSPNP[0xF7637FD7] -> nt!IofCallDriver[0x804E13B9] -> \Device\00000069[0x8A66B948]
5 ACPI[0xF75AE620] -> nt!IofCallDriver[0x804E13B9] -> [0x8A66A940]
\Driver\atapi[0x8A64A910] -> IRP_MJ_CREATE -> 0x8A5C46F0
error: Read A device attached to the system is not functioning.
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x8A5C453B
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
.
============= FINISH: 17:07:39.95 ===============


.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-06-12.02)
.
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 10/13/2008 1:45:14 PM
System Uptime: 6/14/2011 4:57:29 PM (1 hours ago)
.
Motherboard: Intel Corporation | | D865GLC
Processor: Intel(R) Pentium(R) 4 CPU 2.80GHz | J2E1 | 2793/200mhz
.
==== Disk Partitions =========================
.
A: is Removable
C: is FIXED (NTFS) - 112 GiB total, 67.655 GiB free.
F: is CDROM ()
.
==== Disabled Device Manager Items =============
.
Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: Video Controller (VGA Compatible)
Device ID: PCI\VEN_8086&DEV_2572&SUBSYS_4C438086&REV_02\3&267A616A&0&10
Manufacturer:
Name: Video Controller (VGA Compatible)
PNP Device ID: PCI\VEN_8086&DEV_2572&SUBSYS_4C438086&REV_02\3&267A616A&0&10
Service:
.
Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: PCI Simple Communications Controller
Device ID: PCI\VEN_14F1&DEV_10B4&SUBSYS_9300141D&REV_89\4&2E98101C&0&08F0
Manufacturer:
Name: PCI Simple Communications Controller
PNP Device ID: PCI\VEN_14F1&DEV_10B4&SUBSYS_9300141D&REV_89\4&2E98101C&0&08F0
Service:
.
Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Intel(R) PRO/100 VE Network Connection
Device ID: PCI\VEN_8086&DEV_1050&SUBSYS_303A8086&REV_01\4&2E98101C&0&40F0
Manufacturer: Intel
Name: Intel(R) PRO/100 VE Network Connection
PNP Device ID: PCI\VEN_8086&DEV_1050&SUBSYS_303A8086&REV_01\4&2E98101C&0&40F0
Service: E100B
.
==== System Restore Points ===================
.
RP723: 5/11/2011 7:58:38 PM - Software Distribution Service 3.0
RP724: 5/11/2011 8:11:33 PM - Software Distribution Service 3.0
RP725: 5/11/2011 8:28:11 PM - Software Distribution Service 3.0
RP726: 5/12/2011 9:39:54 PM - System Checkpoint
RP727: 5/13/2011 10:33:01 AM - Software Distribution Service 3.0
RP728: 5/13/2011 10:35:51 AM - Software Distribution Service 3.0
RP729: 5/13/2011 8:26:01 PM - Software Distribution Service 3.0
RP730: 5/14/2011 9:21:06 PM - System Checkpoint
RP731: 5/15/2011 10:12:38 PM - System Checkpoint
RP732: 5/17/2011 3:00:32 AM - Software Distribution Service 3.0
RP733: 5/18/2011 3:00:37 AM - Software Distribution Service 3.0
RP734: 5/19/2011 8:16:57 AM - Software Distribution Service 3.0
RP735: 5/20/2011 3:00:43 AM - Software Distribution Service 3.0
RP736: 5/21/2011 3:00:20 AM - Software Distribution Service 3.0
RP737: 5/21/2011 3:03:41 PM - Software Distribution Service 3.0
RP738: 5/22/2011 3:00:20 AM - Software Distribution Service 3.0
RP739: 5/23/2011 3:00:46 AM - Software Distribution Service 3.0
RP740: 5/24/2011 3:00:19 AM - Software Distribution Service 3.0
RP741: 5/24/2011 8:07:11 AM - Software Distribution Service 3.0
RP742: 5/24/2011 10:17:56 AM - Software Distribution Service 3.0
RP743: 5/25/2011 3:00:20 AM - Software Distribution Service 3.0
RP744: 5/25/2011 8:25:56 AM - Software Distribution Service 3.0
RP745: 5/26/2011 3:00:29 AM - Software Distribution Service 3.0
RP746: 5/27/2011 10:42:35 AM - Software Distribution Service 3.0
RP747: 5/28/2011 4:53:44 PM - Software Distribution Service 3.0
RP748: 5/29/2011 3:00:39 AM - Software Distribution Service 3.0
RP749: 5/30/2011 3:00:48 AM - Software Distribution Service 3.0
RP750: 5/31/2011 11:30:27 PM - System Checkpoint
RP751: 6/1/2011 3:00:45 AM - Software Distribution Service 3.0
RP752: 6/2/2011 6:56:47 AM - Software Distribution Service 3.0
RP753: 6/3/2011 3:00:43 AM - Software Distribution Service 3.0
RP754: 6/4/2011 9:52:00 AM - System Checkpoint
RP755: 6/5/2011 3:00:41 AM - Software Distribution Service 3.0
RP756: 6/6/2011 7:40:50 AM - Software Distribution Service 3.0
RP757: 6/6/2011 8:04:57 AM - Software Distribution Service 3.0
RP758: 6/7/2011 6:30:07 AM - Software Distribution Service 3.0
RP759: 6/8/2011 8:11:29 AM - Software Distribution Service 3.0
RP760: 6/9/2011 3:00:39 AM - Software Distribution Service 3.0
RP761: 6/9/2011 7:20:34 AM - Software Distribution Service 3.0
RP762: 6/10/2011 11:01:51 PM - System Checkpoint
RP763: 6/11/2011 3:00:19 AM - Software Distribution Service 3.0
RP764: 6/12/2011 3:00:34 AM - Software Distribution Service 3.0
RP765: 6/13/2011 3:00:44 AM - Software Distribution Service 3.0
RP766: 6/14/2011 4:38:53 AM - Software Distribution Service 3.0
RP767: 6/14/2011 4:42:20 AM - Software Distribution Service 3.0
.
==== Installed Programs ======================
.
Acrobat.com
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 9.1.1
Adobe Reader 9.3
Adobe Shockwave Player
AIM 6
Apple Application Support
Apple Mobile Device Support
Apple Software Update
avast! Free Antivirus
Bingo Palace 4.4
BlackBerry Desktop Software 6.0
Bonjour
CCleaner
Conduit Engine
Creative Jukebox Driver
Data Doctor Recovery - SIM Card 3.0.1.5
EliSims 2.12
FrostWire 4.21.3
GameTap Web Player
gamewrangler_v2 Toolbar
Google Chrome
Google Update Helper
HiJackThis
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB2158563)
Hotfix for Windows XP (KB2443685)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB979306)
Hotfix for Windows XP (KB981793)
HP Photo and Imaging 2.0 - All-in-One
HP Photo and Imaging 2.0 - All-in-One Drivers
HP Photo and Imaging 2.0 - hp psc 1200 series
hp psc 1200 series
Inbox Toolbar
Intel(R) PRO Network Connections 11.2.0.69
IrfanView (remove only)
iShutdown
iTunes
Java Auto Updater
Java(TM) 6 Update 23
LG USB Modem driver
LiveReg (Symantec Corporation)
LiveUpdate 1.80 (Symantec Corporation)
magicJack
Malwarebytes' Anti-Malware version 1.51.0.1200
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
Microsoft National Language Support Downlevel APIs
Microsoft Office 2000 SR-1 Professional
Microsoft Silverlight
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft VC9 runtime libraries
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2005 Redistributable - KB2467175
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
Mozilla Firefox 5.0 (x86 en-US)
MSN
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MySpaceIM
Nero 7 Ultra Edition
neroxml
Norton Ghost
OpenOffice.org Installer 1.0
Password Generator 2.1.1
PICTUREKA! MUSEUM MAYHEM
QuickTime
RealNetworks - Microsoft Visual C++ 2008 Runtime
RealPlayer
RealUpgrade 1.1
Retrogamer
SanDisk ® Media Manager
Security Update for CAPICOM (KB931906)
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB978207)
Security Update for Windows Internet Explorer 8 (KB2183461)
Security Update for Windows Internet Explorer 8 (KB2360131)
Security Update for Windows Internet Explorer 8 (KB2416400)
Security Update for Windows Internet Explorer 8 (KB2482017)
Security Update for Windows Internet Explorer 8 (KB2497640)
Security Update for Windows Internet Explorer 8 (KB2510531)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Internet Explorer 8 (KB982381)
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player (KB979402)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2121546)
Security Update for Windows XP (KB2160329)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2259922)
Security Update for Windows XP (KB2279986)
Security Update for Windows XP (KB2286198)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2296199)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB2393802)
Security Update for Windows XP (KB2412687)
Security Update for Windows XP (KB2419632)
Security Update for Windows XP (KB2423089)
Security Update for Windows XP (KB2436673)
Security Update for Windows XP (KB2440591)
Security Update for Windows XP (KB2443105)
Security Update for Windows XP (KB2476687)
Security Update for Windows XP (KB2478960)
Security Update for Windows XP (KB2478971)
Security Update for Windows XP (KB2479628)
Security Update for Windows XP (KB2479943)
Security Update for Windows XP (KB2481109)
Security Update for Windows XP (KB2483185)
Security Update for Windows XP (KB2485376)
Security Update for Windows XP (KB2485663)
Security Update for Windows XP (KB2503658)
Security Update for Windows XP (KB2506212)
Security Update for Windows XP (KB2506223)
Security Update for Windows XP (KB2507618)
Security Update for Windows XP (KB2508272)
Security Update for Windows XP (KB2508429)
Security Update for Windows XP (KB2509553)
Security Update for Windows XP (KB2511455)
Security Update for Windows XP (KB2524375)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975561)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165-v2)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979559)
Security Update for Windows XP (KB979683)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980218)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981852)
Security Update for Windows XP (KB981957)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982214)
Security Update for Windows XP (KB982665)
Security Update for Windows XP (KB982802)
SimEnhancer 3D
SoundMAX
Spelling Dictionaries Support For Adobe Reader 9
Spybot - Search & Destroy
StartNow Toolbar 2.0
The Sims Character Makeover Studio
The Sims Complete Collection
Update for Windows Internet Explorer 8 (KB976662)
Update for Windows Internet Explorer 8 (KB980182)
Update for Windows Internet Explorer 8 (KB980302)
Update for Windows XP (KB2141007)
Update for Windows XP (KB2345886)
Update for Windows XP (KB2467659)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971029)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
Viewpoint Media Player
Vuze
VZAccess Manager
WebFldrs XP
WhiteSmoke Toolbar
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 8
Windows Media Format 11 runtime
Windows Media Player 11
Windows XP Service Pack 3
WinRAR archiver
Yahoo! Install Manager
Yahoo! Messenger
Yahoo! Software Update
Yahoo! Widgets
.
==== Event Viewer Messages From Past Week ========
.
6/8/2011 6:29:07 PM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the stisvc service.
6/14/2011 4:18:55 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: PCIIde
6/12/2011 4:31:52 PM, error: Service Control Manager [7022] - The WebClient service hung on starting.
6/11/2011 3:01:24 AM, error: Windows Update Agent [20] - Installation Failure: Windows failed to install the following update with error 0x80070643: Security Update for Microsoft .NET Framework 3.5 SP1 on Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008 x86 (KB2416473).
6/11/2011 3:01:10 AM, error: Windows Update Agent [20] - Installation Failure: Windows failed to install the following update with error 0x80070643: Microsoft .NET Framework 3.5 SP1 and .NET Framework 2.0 SP2 Update for Windows Server 2003 and Windows XP x86 (KB982524).
6/11/2011 3:01:03 AM, error: Windows Update Agent [20] - Installation Failure: Windows failed to install the following update with error 0x80070643: Security Update for Microsoft .NET Framework 2.0 SP2 and 3.5 SP1 on Windows Server 2003 and Windows XP x86 (KB2418241).
6/11/2011 3:00:55 AM, error: Windows Update Agent [20] - Installation Failure: Windows failed to install the following update with error 0x80070643: Security Update for .NET Framework 2.0 SP2 and 3.5 SP1 on Windows Server 2003 and Windows XP x86 (KB2446704).
6/11/2011 3:00:47 AM, error: Windows Update Agent [20] - Installation Failure: Windows failed to install the following update with error 0x80070643: Microsoft .NET Framework 3.5 SP1 Update for Windows Server 2003 and Windows XP x86 (KB982168).
6/11/2011 3:00:35 AM, error: Windows Update Agent [20] - Installation Failure: Windows failed to install the following update with error 0x80070643: Microsoft .NET Framework 3.5 SP1 and .NET Framework 2.0 SP2 Security Update for Windows 2000, Windows Server 2003, and Windows XP x86 (KB979909).
6/11/2011 1:39:55 PM, error: Dhcp [1002] - The IP address lease 192.168.2.2 for the Network Card with network address 000CF1B0777D has been denied by the DHCP server 0.0.0.0 (The DHCP Server sent a DHCPNACK message).
6/11/2011 1:25:22 PM, error: Dhcp [1002] - The IP address lease 97.91.130.166 for the Network Card with network address 000CF1B0777D has been denied by the DHCP server 0.0.0.0 (The DHCP Server sent a DHCPNACK message).
6/11/2011 1:18:05 PM, error: Dhcp [1002] - The IP address lease 192.168.100.10 for the Network Card with network address 000CF1B0777D has been denied by the DHCP server 192.168.100.1 (The DHCP Server sent a DHCPNACK message).
6/10/2011 6:57:04 AM, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Google Update Service (gupdate) service to connect.
6/10/2011 6:57:04 AM, error: Service Control Manager [7000] - The Google Update Service (gupdate) service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
6/10/2011 6:56:58 AM, error: DCOM [10005] - DCOM got error "%1053" attempting to start the service gupdate with arguments "/comsvc" in order to run the server: {4EB61BAC-A3B6-4760-9581-655041EF4D69}
6/10/2011 11:55:14 PM, error: DCOM [10005] - DCOM got error "%1058" attempting to start the service NMIndexingService with arguments "" in order to run the server: {C6A811AB-F8FF-45A4-93E5-FC5CCB650BE7}
6/10/2011 11:45:42 PM, error: Service Control Manager [7023] - The SPService service terminated with the following error: The specified module could not be found.
6/10/2011 11:45:42 PM, error: Service Control Manager [7000] - The Viewpoint Manager Service service failed to start due to the following error: The system cannot find the file specified.
6/10/2011 11:45:22 PM, error: Dhcp [1002] - The IP address lease 192.168.2.7 for the Network Card with network address 000CF1B0777D has been denied by the DHCP server 0.0.0.0 (The DHCP Server sent a DHCPNACK message).
.
==== End Of File ===========================
 
Hey there. I think it's been 5 days, lol. I've been hoping to hear from you, and have held off on trying any fixes to my computer as you requested. I know you must be busy, but can you let me know if you can still help me? I really need to get this fixed ASAP. Thanks.
 
Thank you for the reminder. Occasionally, the feedback email that a reply has been made does not get sent or reach the recipient. This was one of those times.

I see multiple entries that will cause you grief and we will be removing them from the system. And there is a rootkit on the system. To do that, I need you to run the following scans. Please run these scans in the order I have given. Each will produce a log for you to paste in your next reply:

  • Download the file TDSSKiller.zip and save to the desktop.
    (If you are unable to download the file for some reason, then TDSS may be blocking it. You would then need to download it first to a clean computer and then transfer it to the infected one using an external drive or USB flash drive.)
  • Right-click the tdsskiller.zip file> Select Extract All into a folder on the infected (or potentially infected) PC.
  • Double click on TDSSKiller.exe to run the scan.
  • When the scan is over, the utility outputs a list of detected objects with description.
    The utility automatically selects an action (Cure or Delete) for malicious objects.
    The utility prompts the user to select an action to apply to suspicious objects (Skip, by default).
  • Select the action Quarantine to quarantine detected objects.
    The default quarantine folder is in the system disk root folder, e.g.: C:\TDSSKiller_Quarantine\23.07.2010_15.31.43
  • After clicking Next, the utility applies selected actions and outputs the result.
  • A reboot is required after disinfection.
=====================================
Please note: If you have Combofix on the desktop already, please uninstall it. Then download the current version and do the scan: Uninstall directions, if needed
  • Click START> then RUN
  • Now type Combofix /Uninstall in the run box and click OK. Note the space between the X and the U; it needs to be there.
--------------------------------------
Download Combofix from HERE or HERE (http://www.forospyware.com/sUBs/ComboFix.exe) and save to the desktop.
  • Double click combofix.exe & follow the prompts.
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It is recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode if needed.
    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
  • Click on Yes, to continue scanning for malware.
  • If Combofix asks you to update the program, allow it.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Close any open browsers.
  • Double click combofix.exe & follow the prompts to run.
  • When the scan completes, a report will be generated and it will open a text window. Please paste the C:\ComboFix.txt in your next reply.
Re-enable your Antivirus software.

Note 1: Do not mouse-click Combofix's window while it is running. That may cause it to stall.
Note 2: ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
Note 3: Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
Note 4: CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
Note 5: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart computer to fix the issue.
==========================================
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESETOnlineScan
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    [o] Click on the download link to download the ESET Smart Installer. Save it to your desktop.
    [o] Double click on the ESET Smart Installer icon on your desktop.
  • Check 'Yes I accept terms of use.'
  • Click Start button
  • Accept any security warnings from your browser.
  • Uncheck 'Remove found threats'
  • Check 'Scan archives'
  • Leave remaining settings as is.
  • Press the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please wait for the scan to finish.
  • When the scan completes, press List of found threats
  • Push Export of text file and save the file to your desktop using a unique name, such as ESETScan. Paste this log in your next reply.
  • Push the Back button
  • Push Finish

NOTE: If no malware is found then no log will be produced. Let me know if this is the case.

I'll be on the lookout for your reply with these logs.
 
TDSSKiller log

2011/06/20 16:51:32.0062 2432 TDSS rootkit removing tool 2.5.5.0 Jun 16 2011 15:25:15
2011/06/20 16:51:32.0734 2432 ================================================================================
2011/06/20 16:51:32.0734 2432 SystemInfo:
2011/06/20 16:51:32.0734 2432
2011/06/20 16:51:32.0734 2432 OS Version: 5.1.2600 ServicePack: 3.0
2011/06/20 16:51:32.0734 2432 Product type: Workstation
2011/06/20 16:51:32.0734 2432 ComputerName: NEW-0F6A332D445
2011/06/20 16:51:32.0734 2432 UserName: Ann
2011/06/20 16:51:32.0734 2432 Windows directory: C:\WINDOWS
2011/06/20 16:51:32.0734 2432 System windows directory: C:\WINDOWS
2011/06/20 16:51:32.0734 2432 Processor architecture: Intel x86
2011/06/20 16:51:32.0734 2432 Number of processors: 2
2011/06/20 16:51:32.0734 2432 Page size: 0x1000
2011/06/20 16:51:32.0734 2432 Boot type: Normal boot
2011/06/20 16:51:32.0734 2432 ================================================================================
2011/06/20 16:51:33.0859 2432 Initialize success
2011/06/20 16:51:35.0718 2940 ================================================================================
2011/06/20 16:51:35.0718 2940 Scan started
2011/06/20 16:51:35.0718 2940 Mode: Manual;
2011/06/20 16:51:35.0718 2940 ================================================================================
2011/06/20 16:51:36.0671 2940 Aavmker4 (3f6884eff406238d39aaa892218f1df7) C:\WINDOWS\system32\drivers\Aavmker4.sys
2011/06/20 16:51:36.0890 2940 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2011/06/20 16:51:36.0968 2940 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
2011/06/20 16:51:37.0078 2940 aeaudio (cde1f62fe63631b932ace2249fb11da0) C:\WINDOWS\system32\drivers\aeaudio.sys
2011/06/20 16:51:37.0140 2940 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
2011/06/20 16:51:37.0218 2940 AFD (355556d9e580915118cd7ef736653a89) C:\WINDOWS\System32\drivers\afd.sys
2011/06/20 16:51:37.0859 2940 Aspi32 (ed8cee58c1e4c5893f5b2fd686a272bf) C:\WINDOWS\system32\drivers\Aspi32.sys
2011/06/20 16:51:37.0953 2940 aswFsBlk (7f08d9c504b015d81a8abd75c80028c5) C:\WINDOWS\system32\drivers\aswFsBlk.sys
2011/06/20 16:51:38.0000 2940 aswMon2 (c2181ef6b54752273a0759a968c59279) C:\WINDOWS\system32\drivers\aswMon2.sys
2011/06/20 16:51:38.0062 2940 aswRdr (ac48bdd4cd5d44af33087c06d6e9511c) C:\WINDOWS\system32\drivers\aswRdr.sys
2011/06/20 16:51:38.0140 2940 aswSnx (b64134316fcd1f20e0f10ef3e65bd522) C:\WINDOWS\system32\drivers\aswSnx.sys
2011/06/20 16:51:38.0312 2940 aswSP (d6788e3211afa9951ed7a4d617f68a4f) C:\WINDOWS\system32\drivers\aswSP.sys
2011/06/20 16:51:38.0562 2940 aswTdi (4d100c45517809439c7b6dd98997fa00) C:\WINDOWS\system32\drivers\aswTdi.sys
2011/06/20 16:51:38.0640 2940 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2011/06/20 16:51:38.0734 2940 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
2011/06/20 16:51:38.0921 2940 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2011/06/20 16:51:38.0984 2940 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2011/06/20 16:51:39.0140 2940 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2011/06/20 16:51:39.0468 2940 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2011/06/20 16:51:39.0578 2940 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2011/06/20 16:51:39.0640 2940 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
2011/06/20 16:51:39.0687 2940 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2011/06/20 16:51:40.0062 2940 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
2011/06/20 16:51:40.0156 2940 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
2011/06/20 16:51:40.0218 2940 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
2011/06/20 16:51:40.0265 2940 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2011/06/20 16:51:40.0343 2940 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
2011/06/20 16:51:40.0453 2940 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
2011/06/20 16:51:40.0531 2940 E100B (5c940a174dfb2c42b9f6ba6edc2baa0b) C:\WINDOWS\system32\DRIVERS\e100b325.sys
2011/06/20 16:51:40.0640 2940 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
2011/06/20 16:51:40.0703 2940 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
2011/06/20 16:51:40.0734 2940 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
2011/06/20 16:51:40.0781 2940 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
2011/06/20 16:51:40.0828 2940 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
2011/06/20 16:51:40.0890 2940 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2011/06/20 16:51:40.0937 2940 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2011/06/20 16:51:41.0015 2940 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\DRIVERS\GEARAspiWDM.sys
2011/06/20 16:51:41.0156 2940 GhPciScan (3a7c94ed99fe7fe05d88b26f97614626) C:\Program Files\Symantec\Norton Ghost 2003\ghpciscan.sys
2011/06/20 16:51:41.0265 2940 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2011/06/20 16:51:41.0406 2940 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
2011/06/20 16:51:41.0515 2940 HPZid412 (863cc3a82c63c9f60acf2e85d5310620) C:\WINDOWS\system32\DRIVERS\HPZid412.sys
2011/06/20 16:51:41.0546 2940 HPZipr12 (08cb72e95dd75b61f2966b311d0e4366) C:\WINDOWS\system32\DRIVERS\HPZipr12.sys
2011/06/20 16:51:41.0625 2940 HPZius12 (ca990306ed4ef732af9695bff24fc96f) C:\WINDOWS\system32\DRIVERS\HPZius12.sys
2011/06/20 16:51:41.0718 2940 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
2011/06/20 16:51:41.0890 2940 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2011/06/20 16:51:41.0953 2940 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
2011/06/20 16:51:42.0078 2940 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys
2011/06/20 16:51:42.0140 2940 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
2011/06/20 16:51:42.0187 2940 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
2011/06/20 16:51:42.0250 2940 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2011/06/20 16:51:42.0312 2940 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2011/06/20 16:51:42.0359 2940 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2011/06/20 16:51:42.0421 2940 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2011/06/20 16:51:42.0500 2940 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
2011/06/20 16:51:42.0562 2940 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2011/06/20 16:51:42.0625 2940 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2011/06/20 16:51:42.0687 2940 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
2011/06/20 16:51:42.0750 2940 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
2011/06/20 16:51:42.0828 2940 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
2011/06/20 16:51:43.0000 2940 MBAMProtector (3d2c13377763eeac0ca6fb46f57217ed) C:\WINDOWS\system32\drivers\mbam.sys
2011/06/20 16:51:43.0062 2940 MBAMSwissArmy (b309912717c29fc67e1ba4730a82b6dd) C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2011/06/20 16:51:43.0140 2940 MidiSyn (63c34814492aa65fc517b002de77b191) C:\WINDOWS\system32\drivers\MidiSyn.sys
2011/06/20 16:51:43.0203 2940 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2011/06/20 16:51:43.0296 2940 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
2011/06/20 16:51:43.0359 2940 motmodem (fe80c18ba448ddd76b7bead9eb203d37) C:\WINDOWS\system32\DRIVERS\motmodem.sys
2011/06/20 16:51:43.0406 2940 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2011/06/20 16:51:43.0468 2940 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
2011/06/20 16:51:43.0515 2940 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
2011/06/20 16:51:43.0609 2940 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2011/06/20 16:51:43.0687 2940 MRxSmb (0dc719e9b15e902346e87e9dcd5751fa) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2011/06/20 16:51:43.0750 2940 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
2011/06/20 16:51:43.0828 2940 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2011/06/20 16:51:43.0859 2940 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2011/06/20 16:51:43.0906 2940 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
2011/06/20 16:51:43.0984 2940 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2011/06/20 16:51:44.0046 2940 Mup (de6a75f5c270e756c5508d94b6cf68f5) C:\WINDOWS\system32\drivers\Mup.sys
2011/06/20 16:51:44.0156 2940 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
2011/06/20 16:51:44.0187 2940 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2011/06/20 16:51:44.0234 2940 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2011/06/20 16:51:44.0281 2940 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2011/06/20 16:51:44.0359 2940 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
2011/06/20 16:51:44.0437 2940 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
2011/06/20 16:51:44.0484 2940 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
2011/06/20 16:51:44.0625 2940 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
2011/06/20 16:51:44.0671 2940 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
2011/06/20 16:51:44.0796 2940 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2011/06/20 16:51:44.0843 2940 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2011/06/20 16:51:44.0890 2940 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2011/06/20 16:51:44.0953 2940 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
2011/06/20 16:51:45.0000 2940 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
2011/06/20 16:51:45.0062 2940 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2011/06/20 16:51:45.0093 2940 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
2011/06/20 16:51:45.0203 2940 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\drivers\PCIIde.sys
2011/06/20 16:51:45.0265 2940 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
2011/06/20 16:51:45.0671 2940 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2011/06/20 16:51:45.0718 2940 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
2011/06/20 16:51:45.0781 2940 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2011/06/20 16:51:46.0031 2940 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2011/06/20 16:51:46.0093 2940 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2011/06/20 16:51:46.0156 2940 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2011/06/20 16:51:46.0218 2940 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2011/06/20 16:51:46.0265 2940 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2011/06/20 16:51:46.0312 2940 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2011/06/20 16:51:46.0406 2940 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
2011/06/20 16:51:46.0500 2940 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
2011/06/20 16:51:46.0593 2940 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
2011/06/20 16:51:46.0828 2940 RimUsb (f17713d108aca124a139fde877eef68a) C:\WINDOWS\system32\Drivers\RimUsb.sys
2011/06/20 16:51:47.0046 2940 RimVSerPort (2c4fb2e9f039287767c384e46ee91030) C:\WINDOWS\system32\DRIVERS\RimSerial.sys
2011/06/20 16:51:47.0125 2940 ROOTMODEM (d8b0b4ade32574b2d9c5cc34dc0dbbe7) C:\WINDOWS\system32\Drivers\RootMdm.sys
2011/06/20 16:51:47.0281 2940 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2011/06/20 16:51:47.0390 2940 senfilt (9a4c4a4b191200f12085d188be70e4e3) C:\WINDOWS\system32\drivers\senfilt.sys
2011/06/20 16:51:47.0437 2940 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
2011/06/20 16:51:47.0484 2940 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
2011/06/20 16:51:47.0578 2940 sf (8da9c7feedba52cfd91ee2e2113df6a9) C:\WINDOWS\system32\drivers\sf.sys
2011/06/20 16:51:47.0625 2940 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
2011/06/20 16:51:47.0812 2940 SMNDIS5 (4ef5ea44583c37383c289d4b8c354698) C:\PROGRA~1\VERIZO~1\VZACCE~1\SMNDIS5.SYS
2011/06/20 16:51:47.0890 2940 smwdm (ce52bffebfaf1e59553e2885cab80b52) C:\WINDOWS\system32\drivers\smwdm.sys
2011/06/20 16:51:48.0015 2940 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
2011/06/20 16:51:48.0062 2940 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
2011/06/20 16:51:48.0171 2940 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys
2011/06/20 16:51:48.0281 2940 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
2011/06/20 16:51:48.0328 2940 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
2011/06/20 16:51:48.0562 2940 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
2011/06/20 16:51:48.0687 2940 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2011/06/20 16:51:48.0734 2940 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
2011/06/20 16:51:48.0781 2940 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
2011/06/20 16:51:48.0828 2940 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
2011/06/20 16:51:48.0984 2940 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
2011/06/20 16:51:49.0109 2940 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
2011/06/20 16:51:49.0218 2940 USBAAPL (5c2bdc152bbab34f36473deaf7713f22) C:\WINDOWS\system32\Drivers\usbaapl.sys
2011/06/20 16:51:49.0281 2940 usbaudio (e919708db44ed8543a7c017953148330) C:\WINDOWS\system32\drivers\usbaudio.sys
2011/06/20 16:51:49.0359 2940 usbbus (5aadc9297c39aa249cd994acdba19034) C:\WINDOWS\system32\DRIVERS\lgusbbus.sys
2011/06/20 16:51:49.0421 2940 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
2011/06/20 16:51:49.0500 2940 UsbDiag (4650ffe04e5922399b0e932319e6b215) C:\WINDOWS\system32\DRIVERS\lgusbdiag.sys
2011/06/20 16:51:49.0562 2940 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2011/06/20 16:51:49.0625 2940 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2011/06/20 16:51:49.0671 2940 USBModem (2666fe171e0c2e7085ccd5fe0bac09e3) C:\WINDOWS\system32\DRIVERS\lgusbmodem.sys
2011/06/20 16:51:49.0750 2940 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
2011/06/20 16:51:49.0796 2940 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
2011/06/20 16:51:49.0859 2940 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2011/06/20 16:51:49.0906 2940 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
2011/06/20 16:51:49.0968 2940 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
2011/06/20 16:51:50.0078 2940 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
2011/06/20 16:51:50.0156 2940 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2011/06/20 16:51:50.0250 2940 Wdf01000 (fd47474bd21794508af449d9d91af6e6) C:\WINDOWS\system32\DRIVERS\Wdf01000.sys
2011/06/20 16:51:50.0375 2940 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
2011/06/20 16:51:50.0593 2940 WpdUsb (cf4def1bf66f06964dc0d91844239104) C:\WINDOWS\system32\Drivers\wpdusb.sys
2011/06/20 16:51:50.0703 2940 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
2011/06/20 16:51:50.0750 2940 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
2011/06/20 16:51:50.0906 2940 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
2011/06/20 16:51:51.0078 2940 ================================================================================
2011/06/20 16:51:51.0078 2940 Scan finished
2011/06/20 16:51:51.0078 2940 ================================================================================
2011/06/20 16:51:51.0109 2916 Detected object count: 0
2011/06/20 16:51:51.0125 2916 Actual detected object count: 0
 
ComboFix log

ComboFix 11-06-19.0r1 - Ann 06/20/2011 16:58:24.2.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1519.985 [GMT -5:00]
Running from: c:\documents and settings\Ann\Desktop\ComboFix.exe
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
.
((((((((((((((((((((((((( Files Created from 2011-05-20 to 2011-06-20 )))))))))))))))))))))))))))))))
.
.
2011-06-20 20:20 . 2011-06-20 20:20 -------- d-----w- C:\TDSSKiller_Quarantine
2011-06-20 01:10 . 2011-06-20 01:10 -------- d-----w- c:\documents and settings\Ann\Application Data\InstallShield
2011-06-19 23:40 . 2011-06-19 23:47 -------- d-----w- c:\documents and settings\Ann\Application Data\FixCleaner
2011-06-18 19:11 . 2011-06-18 19:11 -------- d-----w- C:\found.000
2011-06-17 08:23 . 2011-06-17 08:23 -------- d-sh--w- c:\documents and settings\Default User\IETldCache
2011-06-16 19:53 . 2011-04-21 13:37 105472 -c----w- c:\windows\system32\dllcache\mup.sys
2011-06-14 21:02 . 2011-06-14 21:07 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2011-06-14 20:31 . 2011-06-14 20:31 -------- d-----w- c:\documents and settings\Ann\Application Data\Malwarebytes
2011-06-14 20:31 . 2011-05-29 14:11 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-06-14 20:31 . 2011-06-14 20:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-06-14 20:31 . 2011-06-14 20:31 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-06-14 20:31 . 2011-05-29 14:11 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-06-14 06:03 . 2011-06-14 06:03 -------- d-----w- c:\documents and settings\Ann\Application Data\vmntemplate
2011-06-13 20:19 . 2011-06-13 20:19 19416 ----a-w- c:\program files\Mozilla Firefox\AccessibleMarshal.dll
2011-06-13 20:19 . 2011-06-13 20:19 2106216 ----a-w- c:\program files\Mozilla Firefox\D3DCompiler_43.dll
2011-06-13 20:19 . 2011-06-13 20:19 142296 ----a-w- c:\program files\Mozilla Firefox\components\browsercomps.dll
2011-06-13 20:19 . 2011-06-13 20:19 125912 ----a-w- c:\program files\Mozilla Firefox\crashreporter.exe
2011-06-13 20:19 . 2011-06-13 20:19 1998168 ----a-w- c:\program files\Mozilla Firefox\d3dx9_43.dll
2011-06-13 20:18 . 2011-06-13 20:18 924632 ----a-w- c:\program files\Mozilla Firefox\firefox.exe
2011-06-13 20:18 . 2011-06-13 20:18 269272 ----a-w- c:\program files\Mozilla Firefox\freebl3.dll
2011-06-13 20:18 . 2011-06-13 20:18 89048 ----a-w- c:\program files\Mozilla Firefox\libEGL.dll
2011-06-13 20:18 . 2011-06-13 20:18 719832 ----a-w- c:\program files\Mozilla Firefox\mozcpp19.dll
2011-06-13 20:18 . 2011-06-13 20:18 465880 ----a-w- c:\program files\Mozilla Firefox\libGLESv2.dll
2011-06-13 20:18 . 2011-06-13 20:18 15832 ----a-w- c:\program files\Mozilla Firefox\mozalloc.dll
2011-06-13 20:18 . 2011-06-13 20:18 715736 ----a-w- c:\program files\Mozilla Firefox\mozcrt19.dll
2011-06-13 20:18 . 2011-06-13 20:18 1850328 ----a-w- c:\program files\Mozilla Firefox\mozjs.dll
2011-06-13 20:18 . 2011-06-13 20:18 781272 ----a-w- c:\program files\Mozilla Firefox\mozsqlite3.dll
2011-06-13 20:18 . 2011-06-13 20:18 203736 ----a-w- c:\program files\Mozilla Firefox\nspr4.dll
2011-06-12 22:33 . 2011-06-12 22:33 -------- d-----w- c:\documents and settings\LocalService\Application Data\Apple Computer
2011-06-05 20:43 . 2011-06-05 20:44 -------- d-----w- c:\documents and settings\Sally\Local Settings\Application Data\Roblox
2011-05-30 22:53 . 2011-05-30 22:53 -------- d-----w- c:\documents and settings\Sally\Application Data\vmntemplate
2011-05-30 22:53 . 2011-06-07 13:14 -------- d-----w- c:\documents and settings\Sally\Application Data\whitesmoketoolbar
2011-05-30 19:41 . 2011-05-30 19:41 -------- d-----w- c:\documents and settings\NetworkService\Application Data\whitesmoketoolbar
2011-05-24 02:13 . 2011-05-24 02:13 0 ---ha-w- c:\documents and settings\Sally\Local Settings\Application Data\BIT7.tmp
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-05-20 03:15 . 2011-05-15 21:04 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-05-10 21:51 . 2011-05-10 21:51 388096 ----a-r- c:\documents and settings\Sally\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-05-10 12:10 . 2011-05-11 02:22 40112 ----a-w- c:\windows\avastSS.scr
2011-05-10 12:10 . 2011-05-11 02:22 199304 ----a-w- c:\windows\system32\aswBoot.exe
2011-05-10 12:03 . 2011-05-11 02:22 441176 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2011-05-10 12:03 . 2011-05-11 02:22 307928 ----a-w- c:\windows\system32\drivers\aswSP.sys
2011-05-10 12:02 . 2011-05-11 02:22 49240 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2011-05-10 12:02 . 2011-05-11 02:22 102616 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2011-05-10 12:02 . 2011-05-11 02:22 96344 ----a-w- c:\windows\system32\drivers\aswmon.sys
2011-05-10 11:59 . 2011-05-11 02:22 25432 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2011-05-10 11:59 . 2011-05-11 02:22 30808 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2011-05-10 11:59 . 2011-05-11 02:22 19544 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2011-05-02 15:31 . 2008-10-13 18:40 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-05-01 05:30 . 2011-05-01 05:30 0 ----a-w- c:\windows\system32\ConduitEngine.tmp
2011-04-29 16:19 . 2004-08-04 12:00 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-04-25 16:11 . 2004-08-04 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2011-04-25 16:11 . 2004-08-04 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-04-25 16:11 . 2004-08-04 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-04-25 12:01 . 2004-08-04 12:00 385024 ----a-w- c:\windows\system32\html.iec
2011-04-21 13:37 . 2004-08-04 12:00 105472 ----a-w- c:\windows\system32\drivers\mup.sys
2011-04-05 16:03 . 2009-01-25 21:02 499712 ----a-w- c:\windows\system32\msvcp71.dll
2011-04-05 16:03 . 2009-01-25 21:02 348160 ----a-w- c:\windows\system32\msvcr71.dll
2011-06-13 20:19 . 2011-06-13 20:19 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2011-05-10 12:10 122512 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"cdloader"="c:\documents and settings\Ann\Application Data\mjusbsp\cdloader2.exe" [2011-05-16 50592]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2008-10-24 206112]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-07-27 1388544]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-01-25 421160]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2011-05-10 3459712]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-05-29 449584]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [2008-12-12 9555968]
.
c:\documents and settings\new\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - c:\program files\LimeWire\LimeWire.exe [N/A]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-1-21 65588]
SanDisk Media Manager.lnk - [N/A]
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hp psc 1000 series.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\hp psc 1000 series.lnk
backup=c:\windows\pss\hp psc 1000 series.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hpoddt01.exe.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\hpoddt01.exe.lnk
backup=c:\windows\pss\hpoddt01.exe.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
2007-06-28 00:03 152872 ----a-w- c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2007-03-01 20:57 153136 ----a-w- c:\program files\Common Files\Ahead\Lib\NeroCheck.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Retrogamer_2zService"=2 (0x2)
"RDSessMgr"=3 (0x3)
"RemoteRegistry"=2 (0x2)
"NBService"=3 (0x3)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Nero\\Nero 7\\Nero Home\\NeroHome.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Vuze\\Azureus.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Research In Motion\\BlackBerry Desktop\\Rim.Desktop.exe"=
"c:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"=
"c:\\Program Files\\FrostWire\\FrostWire.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Documents and Settings\\Sally\\Application Data\\mjusbsp\\magicJack.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\Hpqdirec.exe"=
"c:\\Documents and Settings\\Ann\\Application Data\\mjusbsp\\magicJack.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009
"7302:TCP"= 7302:TCP:spport
"7933:TCP"= 7933:TCP:spport
"25185:TCP"= 25185:TCP:spport
"12709:TCP"= 12709:TCP:spport
.
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [5/10/2011 9:22 PM 441176]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [5/10/2011 9:22 PM 307928]
R1 GhPciScan;GhostPciScanner;c:\program files\Symantec\Norton Ghost 2003\GhPciScan.sys [12/17/2003 3:41 PM 5632]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [5/10/2011 9:22 PM 19544]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [6/14/2011 3:31 PM 366640]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [6/14/2011 3:31 PM 22712]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [3/12/2010 9:50 PM 135664]
S2 Viewpoint Manager Service;Viewpoint Manager Service; [x]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [3/12/2010 9:50 PM 135664]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [6/14/2011 3:31 PM 39984]
S3 ntportio;ntportio; [x]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - 14166582
*Deregistered* - 14166582
.
Contents of the 'Scheduled Tasks' folder
.
2011-06-20 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]
.
2010-04-17 c:\windows\Tasks\FRU Task 2003-04-10 00:56ewlett-Packard2003-04-10 00:56p psc 1200 series272A572217594EBCF1CEE215E352B92AD073FDE4238034746.job
- c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2003-04-09 22:56]
.
2011-06-20 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-13 02:49]
.
2011-06-20 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-13 02:49]
.
2011-06-19 c:\windows\Tasks\ParetoLogic Registration3.job
- c:\program files\Common Files\ParetoLogic\UUS3\UUS3.dll [2011-03-29 23:17]
.
2011-06-17 c:\windows\Tasks\ParetoLogic Update Version3.job
- c:\program files\Common Files\ParetoLogic\UUS3\Pareto_Update3.exe [2011-03-29 23:17]
.
2011-06-20 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1390067357-602609370-682003330-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-01-24 19:25]
.
2011-06-20 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1390067357-602609370-682003330-1004.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-01-24 19:25]
.
2011-06-20 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1390067357-602609370-682003330-1006.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-01-24 19:25]
.
2011-06-20 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1390067357-602609370-682003330-1007.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-01-24 19:25]
.
2011-06-19 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1390067357-602609370-682003330-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-01-24 19:25]
.
2011-06-18 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1390067357-602609370-682003330-1004.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-01-24 19:25]
.
2011-06-20 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1390067357-602609370-682003330-1006.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-01-24 19:25]
.
2011-06-18 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1390067357-602609370-682003330-1007.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-01-24 19:25]
.
2011-06-20 c:\windows\Tasks\User_Feed_Synchronization-{F40D76E2-EDB6-4822-942F-381290BAA316}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 09:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
uInternet Connection Wizard,ShellNext = hxxp://login.yahoo.com/config/reset_cookies_token?.token=VJWm1PelzYHMlI5yv1NSPzHQkgOC5HdfspxVvUQ4zdeJJbYP.3Sh0Q8TX4mMsgUnGiAjZ6Errot0R0R95qymTRe5SRC7aWqpLoWGla1XT8DZ1.p3Mlhrztg_GKeGExpdsHGx0lMEBNmaxv9n2hOwcf_Ll5J3Ml96ABq_mRMo_deyHw08CXiT0NYsXnxoboAyHw58Dg3WlFKCj4iNatL8B6ulFqmBd1C4j_X5InPz0wZh2w8mF5ILNoEEzrj3bjOhSnI6b4deybM8yWTYbtBTHdrC8BcpiZJLy5bYquPfT4WohE356mJ9xJS4BgoEFY41tDRWixTXjtwQ0KGm22Och60cIKrWG4CMJ9zpTzDq_Q36X2lJQvSEPCRfZcMWKDAbM1kWyW2KZUxyPea9uE7hzOZ77jO582Z0rdkAXtMZcd2NaRGWc8I-&.done=http%3A%2F%2Fus%2Erd%2Eyahoo%2Ecom%2Fmessenger%2Fclient%2F%3Fhttp%3A%2F%2Fmail%2Eyahoo%2Ecom%2F
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D1E1F7ED622A0E5D.dll/cmsidewiki.html
TCP: DhcpNameServer = 192.168.2.1 24.217.0.5 24.217.201.67 68.113.206.10
FF - ProfilePath - c:\documents and settings\Ann\Application Data\Mozilla\Firefox\Profiles\6biwtmo5.default\
.
- - - - ORPHANS REMOVED - - - -
.
BHO-{e4709dfb-a47d-451c-957d-e78d25263cb8} - c:\program files\whitesmoketoolbar\vmntemplateX.dll
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
WebBrowser-{30AA252E-B1DF-4AA2-9C5E-194C67A7C623} - (no file)
MSConfigStartUp-ares - c:\program files\Ares\ares.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-06-20 17:43
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
.
C:\## aswSnx private storage
.
scan completed successfully
hidden files: 1
.
**************************************************************************
.
Completion time: 2011-06-20 18:08:25
ComboFix-quarantined-files.txt 2011-06-20 23:08
.
Pre-Run: 71,553,187,840 bytes free
Post-Run: 71,617,159,168 bytes free
.
- - End Of File - - 5E543125A67266FEE4331D6189C93A11
 
ESET log

C:\Documents and Settings\Ann\Application Data\Sun\Java\Deployment\cache\6.0\10\7c88068a-4453c5ed Java/Agent.BV trojan
C:\Documents and Settings\Ann\Application Data\Sun\Java\Deployment\cache\6.0\35\2b29fca3-78a77d4c a variant of Java/Agent.BR trojan
C:\Documents and Settings\Ann\Application Data\Sun\Java\Deployment\cache\6.0\44\38e63bec-6441ee19 Java/Agent.BV trojan
C:\Documents and Settings\Ann\Application Data\Sun\Java\Deployment\cache\6.0\44\38e63bec-681e84fb Java/Agent.BV trojan
C:\Documents and Settings\Ann\Application Data\Sun\Java\Deployment\cache\6.0\51\4c81ed73-42a6d16b probably a variant of Java/Agent.BR trojan
C:\Documents and Settings\Ann\Application Data\Sun\Java\Deployment\cache\6.0\56\5ad4b738-2d575940 Java/Agent.BV trojan
C:\Documents and Settings\Ann\Application Data\Sun\Java\Deployment\cache\6.0\56\5ad4b738-5cb406e9 Java/Agent.BV trojan
C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\1\18f94b81-16e7e569 Java/TrojanDownloader.OpenStream.NCA trojan
C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\12\c255e4c-7d5f514b multiple threats
C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\30\7b09de1e-3a849c7e Java/TrojanDownloader.OpenStream.NBW trojan
C:\Documents and Settings\Sally\Application Data\Sun\Java\Deployment\cache\6.0\10\efcba0a-74ae54d2 Java/Exploit.CVE-2009-3867.AJ trojan
C:\Documents and Settings\Sally\Application Data\Sun\Java\Deployment\cache\6.0\19\1cb06393-38555534 probably a variant of Win32/Agent.EBEARND trojan
C:\Documents and Settings\Sally\Application Data\Sun\Java\Deployment\cache\6.0\20\3c61e454-54c412f7 probably a variant of Win32/TrojanDownloader.Agent.IGYRDAO trojan
C:\Documents and Settings\Sally\Application Data\Sun\Java\Deployment\cache\6.0\62\4bd616be-1a785ef6 Java/Agent.BB trojan
C:\Documents and Settings\Sally\Application Data\Sun\Java\Deployment\cache\6.0\62\777d457e-4c830462 probably a variant of Win32/TrojanDownloader.Agent.IGYRDAO trojan
C:\Documents and Settings\Sally\Application Data\Sun\Java\Deployment\cache\6.0\7\650a1207-4f9a85f1 a variant of Java/Exploit.Agent.NAC trojan
C:\System Volume Information\_restore{FDD30534-915E-4E2D-B02D-56DD77B62745}\RP768\A0266938.dll a variant of Win32/Toolbar.MyWebSearch.A application
C:\System Volume Information\_restore{FDD30534-915E-4E2D-B02D-56DD77B62745}\RP768\A0266943.dll probably a variant of Win32/Toolbar.MyWebSearch.F application
C:\System Volume Information\_restore{FDD30534-915E-4E2D-B02D-56DD77B62745}\RP768\A0266944.dll probably a variant of Win32/Toolbar.MyWebSearch.B application
C:\System Volume Information\_restore{FDD30534-915E-4E2D-B02D-56DD77B62745}\RP768\A0266950.dll a variant of Win32/Toolbar.MyWebSearch application
C:\TDSSKiller_Quarantine\20.06.2011_15.17.47\boot0000\tdlfs0000\tsk0003.dta a variant of Win32/Olmarik.AVQ trojan
C:\TDSSKiller_Quarantine\20.06.2011_15.17.47\boot0000\tdlfs0000\tsk0005.dta Win32/Olmarik.AFK trojan
C:\TDSSKiller_Quarantine\20.06.2011_15.17.47\boot0000\tdlfs0000\tsk0006.dta Win64/Olmarik.R trojan
C:\TDSSKiller_Quarantine\20.06.2011_15.17.47\boot0000\tdlfs0000\tsk0007.dta Win64/Olmarik.R trojan
C:\TDSSKiller_Quarantine\20.06.2011_15.17.47\boot0000\tdlfs0000\tsk0008.dta Win64/Olmarik.A trojan
C:\TDSSKiller_Quarantine\20.06.2011_15.17.47\boot0000\tdlfs0000\tsk0009.dta Win32/Olmarik.ACQ trojan
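An added worked example, not part of this thread and not TDSSKiller's own code: what the `MBR (0x1B8) (8f558eb6...) \Device\Harddisk0\DR0` line in the TDSSKiller log above is, and how a helper checks it. The reading assumed here is that 0x1B8 is the length of the region hashed, i.e. the 440 bytes of boot code that sit before the 4-byte disk signature and the partition table. Those last two differ on every machine, so hashing only the boot code gives a value that can be compared against a known-clean machine of the same Windows build. The stand-in boot code and the reference hash in the block are constructed placeholders (they are not Microsoft's code and not the hash from the log); the real comparison uses a reference taken from a clean system.

```python
"""Hash and sanity-check a 512-byte MBR sector the way the "MBR (0x1B8)" line in
a TDSSKiller log does. Added example; not TDSSKiller's own code."""
import hashlib
import struct
import sys

MBR_SIZE = 512
BOOT_CODE_LEN = 0x1B8   # bytes 0x000-0x1B7: boot code; assumed to be the region TDSSKiller hashes
DISK_SIG_OFF = 0x1B8    # 4-byte NT disk signature, different on every machine
PART_TABLE_OFF = 0x1BE  # four 16-byte partition entries
BOOT_SIG_OFF = 0x1FE    # must be 0x55 0xAA


def boot_code_md5(mbr: bytes) -> str:
    """MD5 of the boot code only, so the value is comparable across machines that
    share a Windows build even though disk signatures and partition tables differ."""
    if len(mbr) < MBR_SIZE:
        raise ValueError("need at least one 512-byte sector")
    return hashlib.md5(mbr[:BOOT_CODE_LEN]).hexdigest()


def has_boot_signature(mbr: bytes) -> bool:
    return mbr[BOOT_SIG_OFF:BOOT_SIG_OFF + 2] == b"\x55\xaa"


def partition_entries(mbr: bytes) -> list:
    """Decode the non-empty partition entries (status, type, LBA start, sector count)."""
    entries = []
    for i in range(4):
        status, ptype, lba, count = struct.unpack_from(
            "<B3xB3xII", mbr, PART_TABLE_OFF + 16 * i)
        if ptype:
            entries.append({"active": status == 0x80, "type": ptype,
                            "lba_start": lba, "sectors": count})
    return entries


def check_mbr(mbr: bytes, reference_md5: str) -> dict:
    """Everything a helper would read off the sector, in one place."""
    digest = boot_code_md5(mbr)
    return {"md5": digest,
            "matches_reference": digest == reference_md5.lower(),
            "boot_signature_ok": has_boot_signature(mbr),
            "partitions": partition_entries(mbr)}


def build_mbr(boot_code: bytes, disk_sig: int, partitions=()) -> bytes:
    """Constructed sample sector (not a real disk image) for exercising the checks."""
    if len(boot_code) > BOOT_CODE_LEN:
        raise ValueError("boot code too long")
    sector = bytearray(MBR_SIZE)
    sector[:len(boot_code)] = boot_code
    struct.pack_into("<I", sector, DISK_SIG_OFF, disk_sig)
    for i, (active, ptype, lba, count) in enumerate(partitions[:4]):
        struct.pack_into("<B3xB3xII", sector, PART_TABLE_OFF + 16 * i,
                         0x80 if active else 0x00, ptype, lba, count)
    sector[BOOT_SIG_OFF:BOOT_SIG_OFF + 2] = b"\x55\xaa"
    return bytes(sector)


# Placeholder stand-in for stock boot code (an assumption, not real Microsoft code).
# In practice the reference hash comes from a known-clean machine of the same Windows build.
STOCK_BOOT_CODE = b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 40
REFERENCE_MD5 = boot_code_md5(build_mbr(STOCK_BOOT_CODE, 0))


def read_device_mbr(path: str = r"\\.\PhysicalDrive0") -> bytes:
    """Read sector 0 of a raw device (administrator rights needed on Windows).
    Caveat: a bootkit that hooks disk I/O can hand this read a clean-looking sector,
    so a result worth trusting is taken with the infected disk offline."""
    with open(path, "rb") as fh:
        return fh.read(MBR_SIZE)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        sector = read_device_mbr(sys.argv[1])
    else:
        sector = build_mbr(STOCK_BOOT_CODE, 0x11111111, [(True, 0x07, 63, 1000)])
    print(check_mbr(sector, REFERENCE_MD5))
```

Run with no arguments to see the checks on the constructed sector; pass a device path (or a sector dump taken from a boot CD) to check a real disk. Two disks with the same boot code but different disk signatures hash the same, which is the whole point of stopping at 0x1B8; a single patched byte in the boot code changes the value.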
 
Everything active in the ESET log is in the Java cache, so you empty it!
To clear the Java Plug-in cache:

[1]. Click Start > Control Panel.
[2]. Double-click the Java icon in the Control Panel. The Java Control Panel appears.
[3]. Click Settings under Temporary Internet Files. The Temporary Files Settings dialog box appears.
[4]. Click Delete Files. The Delete Temporary Files dialog box appears.
[5]. Click OK on the Delete Temporary Files window.
Note: This deletes all the Downloaded Applications and Applets from the cache.
[6]. Click Apply > OK on the Temporary Files Settings window.
Images courtesy java.com
=============================================
Go ahead and run the above while I get the script ready for you to run through Combofix.
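An added example, not from either participant in this thread: the reasoning behind "everything active is in the Java cache" is a sort of the ESET detections by where they sit. Entries under the Sun\Java\Deployment\cache folders are artifacts dropped by Java exploits (cleared by the steps above); entries under System Volume Information are copies inside restore points; entries under C:\TDSSKiller_Quarantine are the Olmarik (TDL) files TDSSKiller already quarantined out of the bootkit's hidden file system. A detection anywhere else would still be live. The sample lines are copied from the ESET log above, except the example.dll line, which is constructed to show the live case.

```python
"""Sort ESET detections by where they live, to separate what is still active
from what is parked in an inert location. Added example; not ESET's or the thread's code."""
import re
from collections import Counter

# Constructed sample input: a subset of the detections posted in the thread, plus one
# made-up line (example.dll, not from the log) to show a detection that is NOT inert.
SAMPLE_LOG = r"""
C:\Documents and Settings\Ann\Application Data\Sun\Java\Deployment\cache\6.0\10\7c88068a-4453c5ed Java/Agent.BV trojan
C:\Documents and Settings\NetworkService\Application Data\Sun\Java\Deployment\cache\6.0\12\c255e4c-7d5f514b multiple threats
C:\Documents and Settings\Sally\Application Data\Sun\Java\Deployment\cache\6.0\10\efcba0a-74ae54d2 Java/Exploit.CVE-2009-3867.AJ trojan
C:\Documents and Settings\Sally\Application Data\Sun\Java\Deployment\cache\6.0\19\1cb06393-38555534 probably a variant of Win32/Agent.EBEARND trojan
C:\System Volume Information\_restore{FDD30534-915E-4E2D-B02D-56DD77B62745}\RP768\A0266938.dll a variant of Win32/Toolbar.MyWebSearch.A application
C:\TDSSKiller_Quarantine\20.06.2011_15.17.47\boot0000\tdlfs0000\tsk0003.dta a variant of Win32/Olmarik.AVQ trojan
C:\TDSSKiller_Quarantine\20.06.2011_15.17.47\boot0000\tdlfs0000\tsk0006.dta Win64/Olmarik.R trojan
C:\WINDOWS\system32\example.dll Win32/Example.A trojan
"""

# One line is "<path> <detection>". Windows paths never contain "/", detection
# names (Java/..., Win32/...) always do, which is what lets the split work.
LINE_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.*?)\s+"
    r"(?P<threat>(?:(?:probably )?a variant of )?\w+/\S+(?: \w+)?|multiple threats)$"
)


def classify(path: str) -> str:
    """Where does the detection live? Only 'live' needs an active cleanup step."""
    p = path.lower()
    if "\\sun\\java\\deployment\\cache\\" in p:
        return "java_cache"      # dropped by drive-by Java exploits; clear the plug-in cache
    if p.startswith("c:\\system volume information\\_restore"):
        return "restore_point"   # inert until a restore; purge System Restore at the end
    if p.startswith("c:\\tdsskiller_quarantine\\"):
        return "quarantine"      # already neutralised by TDSSKiller; delete the folder
    return "live"                # anything else is still on the running system


def parse(log_text: str) -> list:
    """Turn the log into rows of path / threat / location."""
    rows = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparsed line: {line!r}")
        rows.append({"path": m["path"], "threat": m["threat"],
                     "location": classify(m["path"])})
    return rows


def summarize(log_text: str) -> dict:
    """Counts per location plus the rows that still need attention."""
    rows = parse(log_text)
    return {"counts": dict(Counter(r["location"] for r in rows)),
            "live": [r for r in rows if r["location"] == "live"]}


if __name__ == "__main__":
    result = summarize(SAMPLE_LOG)
    print(result["counts"])
    for row in result["live"]:
        print("STILL LIVE:", row["path"], "->", row["threat"])
```

On the full log in this thread the same sort gives 16 Java-cache entries, 4 restore-point entries and 6 quarantine entries, and nothing live, which is why the next steps are to clear the Java cache and remove the quarantine folder rather than to hunt for a running component.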
 
When I go to Control Panel there is no Java icon to click on, only the usual stuff: Appearance and Themes, Network, Add/Remove Programs, Sounds, Performance, Printers, Users, Date & Time, Accessibility, and Security.
 
OK, sorry, I switched to Classic View and found the Java Control Panel. Getting ready to clear it out now. Thanks.
 
I deleted the files, but it didn't give me an option to Apply, so all I could do was click OK. Will it still apply what I just did?
 
The Settings screen comes up on top of the main Java screen once you click on 'Settings.' So when finished, you click OK on the Setting screen. It will then close. You are left with the main Java screen which is where you will see Apply> OK. Do it again to make sure. Your system is very heavily infected.
==========================================
Please run this Custom CFScript:

[1]. Close any open browsers.
[2]. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
[3]. Open Notepad > click on Format > uncheck 'Word Wrap' > and copy/paste the text in the code below into it. Be sure to scroll down to include ALL lines.
Code:
File::
c:\program files\viewpoint\common\viewpointservice.exe
c:\docume~1\new\locals~1\temp\u\1285210895\ntportio.sys
c:\documents and settings\Sally\Local Settings\Application Data\BIT7.tmp
c:\program files\LimeWire\LimeWire.exe
Folder::
c:\documents and settings\ann\application data\whitesmoketoolbar
c:\documents and settings\NetworkService\Application Data\whitesmoketoolbar
c:\program files\whitesmoketoolbar
c:\program files\StartNow Toolbar
C:\TDSSKiller_Quarantine
C:\found.000
DDS::
uInternet Connection Wizard,ShellNext = hxxp://login.yahoo.com/config/reset_cookies_token?.token=VJWm1PelzYHMlI5yv1NSPzHQkgOC5HdfspxVvUQ4zdeJJbYP.3Sh0Q8TX4mMsgUnGiAjZ6Errot0R0R95qymTRe5SRC7aWqpLoWGla1XT8DZ1.p3Mlhrztg_GKeGExpdsHGx0lMEBNmaxv9n2hOwcf_Ll5J3Ml96ABq_mRMo_deyHw08CXiT0NYsXnxoboAyHw58Dg3WlFKCj4iNatL8B6ulFqmBd1C4j_X5InPz0wZh2w8mF5ILNoEEzrj3bjOhSnI6b4deybM8yWTYbtBTHdrC8BcpiZJLy5bYquPfT4WohE356mJ9xJS4BgoEFY41tDRWixTXjtwQ0KGm22Och60cIKrWG4CMJ9zpTzDq_Q36X2lJQvSEPCRfZcMWKDAbM1kWyW2KZUxyPea9uE7hzOZ77jO582Z0rdkAXtMZcd2NaRGWc8I-&.done=http%3A%2F%2Fus%2Erd%2Eyahoo%2Ecom%2Fmessenger%2Fclient%2F%3Fhttp%3A%2F%2Fmail%2Eyahoo%2Ecom%2F
uURLSearchHooks: N/A: {1c583e40-0629-4bb9-ab68-1cf539f2f782} - c:\program files\retrogamer_2z\bar\1.bin\2zSrcAs.dll
BHO: StartNow Toolbar Helper: {6e13d095-45c3-4271-9475-f3b48227dd9f} - c:\program files\startnow toolbar\Toolbar32.dll
BHO: {6ffed9d8-942f-4384-aa29-d3bd083a346a} - No File
BHO: WhiteSmoke Toolbar: {e4709dfb-a47d-451c-957d-e78d25263cb8} - c:\program files\whitesmoketoolbar\vmntemplateX.dll
TB: StartNow Toolbar: {5911488e-9d1e-40ec-8cbb-06b231cc153f} - c:\program files\startnow toolbar\Toolbar32.dll
TB: WhiteSmoke Toolbar: {e4709dfb-a47d-451c-957d-e78d25263cb8} - c:\program files\whitesmoketoolbar\vmntemplateX.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
TB: {30AA252E-B1DF-4AA2-9C5E-194C67A7C623} - No File
uRun: [ares] "c:\program files\ares\ares.exe" -h
Extra::
File::
c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
Firefox::
Firefox-: - Profile - c:\documents and settings\ann\application data\mozilla\firefox\profiles\6biwtmo5.default\

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Retrogamer_2zService"=-
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\FrostWire\\FrostWire.exe"=-
Driver::
Viewpoint Manager Service
ntportio
FCopy::
Save this as CFScript.txt, in the same location as ComboFix.exe
CFScriptB-4.gif


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt . Please paste in your next reply.
====================
 
Unless you are an advanced user, I recommend that you uninstall FixCleaner. Hopefully you are still in the Trial Period.

Please go to Add/Remove Programs and uninstall the following:
  • WhiteSmoke Toolbar
  • Viewpoint Media Player
  • Adobe Reader 9.1.1
  • Adobe Reader 9.3
  • Conduit Engine
  • Java(TM) 6 Update 23
=========================================
Update Java: Java Updates. Uninstall any earlier versions in Add/Remove Programs, as they are vulnerabilities for the system.
Update the Adobe Reader: Adobe Reader site. Uninstall any earlier versions, as they are vulnerabilities.
===========================================
P2P - 'file sharing' Warning:
Note: Even if you are using a "safe" P2P program, it is only the program that is safe. I suggest that you uninstall:
  • Vuze (Ares)
  • FrostWire 4.21.3
  • LimeWire
  • As long as you are using file sharing networks and programs which are from sources that are not documented, you cannot verify that a download is legitimate.
  • Malware writers use these programs to include malicious content.
  • File sharing is usually unmonitored and there is a danger that your private files might be accessed.
  • The 'sharing' also includes malware that the shared system has on it.
  • Files that are illegal can be spread through file sharing.
Please read the information on P2P Warning to help you better understand these dangers.
I strongly recommend that you also uninstall the file sharing programs. As long as they are on the system, you will continue to get malware.
===============================================
Note: You have numerous toolbars and browser helper objects that are either foistware or malware. Some of them come from pre-checked boxes on download screens. You should carefully examine all download screens for this and uncheck any pre-checked boxes. And if you want to keep the system clean, you have to stop picking up these processes which you know nothing about.
===============================================
Be Advised: You have Services running that allow remote access to your computer. This will allow someone else to make changes to the system, including the Registry. If you are in a work situation where your production is monitored, or if there is an Administrator who makes these changes as part of your job, I need to know. If this is not the case, I will have you disable both of the Services.
==============================================
For the programs you have uninstalled (not updated like Java and the Adobe Reader)>>
Right click on the Taskbar > Explore > My Computer > Double click on Local Drive (C:) > Program Files > for each of the programs you uninstalled, find the program folder and do a right click > Delete.
===========================================
Empty the Recycle Bin
============================================
Please download OTMoveIt by Old Timer and save it to your desktop.
  • Double-click OTMoveIt3.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
    Code:
    :Files  
    c:\documents and settings\ann\application data\whitesmoketoolbar
    :Commands
    [purity]
    [emptytemp]
    [start explorer]
    [Reboot]
  • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt3
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
 
I tried again to "apply" my actions to Java, but the Apply box is greyed out. It won't let me apply. I did exactly what you told me to do....
 
I did exactly what you told me to do with the Java, only when I get to the Apply part, the box is grayed out, so I can't apply it.
 
Don't worry about it. We'll run another scan later. Please continue with my directions.
 
I made the txt file and dragged it into ComboFix, then ran ComboFix and it restarted my computer. It was making a log, but my avast anti virus restarted when ComboFix restarted my comp. avast wanted to open ComboFix in a sandbox. I clicked OK, but then the computer froze while ComboFix was preparing the log, so I had to restart it. Ugh. So, should I copy the script into a txt file again and run it again? I'm not doing anything else until I hear from you; I don't want to mess things up if they aren't already messed up. Also, should I disable my avast anti virus from startup so that this doesn't happen again when I run ComboFix next time, since I'm not supposed to run any programs or anti virus while ComboFix is running?
 
New ComboFix log

ComboFix 11-06-22.02 - Ann 06/22/2011 22:04:34.4.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1519.1125 [GMT -5:00]
Running from: c:\documents and settings\Ann\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Ann\Desktop\CFScript.txt
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
FILE ::
"c:\docume~1\new\locals~1\temp\u\1285210895\ntportio.sys"
"c:\documents and settings\Sally\Local Settings\Application Data\BIT7.tmp"
"c:\program files\LimeWire\LimeWire.exe"
"c:\program files\viewpoint\common\viewpointservice.exe"
"c:\program files\viewpoint\viewpoint media player\npViewpoint.dll"
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
c:\documents and settings\NetworkService\Application Data\whitesmoketoolbar\dtx.ini
c:\documents and settings\NetworkService\Application Data\whitesmoketoolbar\guid.dat
c:\documents and settings\NetworkService\Application Data\whitesmoketoolbar\setupCfg.xml
c:\documents and settings\new\Application Data\alot\BrowserSearch\BrowserSearch.xml
c:\documents and settings\new\Application Data\alot\BrowserSearch\BrowserSearch.xml.backup
c:\documents and settings\new\Application Data\alot\Button_0\Button_0.xml
c:\documents and settings\new\Application Data\alot\Button_0\Button_0.xml.backup
c:\documents and settings\new\Application Data\alot\Button_1\Button_1.xml
c:\documents and settings\new\Application Data\alot\Button_1\Button_1.xml.backup
c:\documents and settings\new\Application Data\alot\Button_2\Button_2.xml
c:\documents and settings\new\Application Data\alot\Button_2\Button_2.xml.backup
c:\documents and settings\new\Application Data\alot\Button_3\Button_3.xml
c:\documents and settings\new\Application Data\alot\Button_3\Button_3.xml.backup
c:\documents and settings\new\Application Data\alot\Button_4\Button_4.xml
c:\documents and settings\new\Application Data\alot\Button_4\Button_4.xml.backup
c:\documents and settings\new\Application Data\alot\Button_5\Button_5.xml
c:\documents and settings\new\Application Data\alot\Button_5\Button_5.xml.backup
c:\documents and settings\new\Application Data\alot\Button_6\Button_6.xml
c:\documents and settings\new\Application Data\alot\Button_6\Button_6.xml.backup
c:\documents and settings\new\Application Data\alot\Button_7\Button_7.xml
c:\documents and settings\new\Application Data\alot\Button_7\Button_7.xml.backup
c:\documents and settings\new\Application Data\alot\Button_8\Button_8.xml
c:\documents and settings\new\Application Data\alot\Button_8\Button_8.xml.backup
c:\documents and settings\new\Application Data\alot\configurator\configurator.xml
c:\documents and settings\new\Application Data\alot\configurator\configurator.xml.backup
c:\documents and settings\new\Application Data\alot\contextMenu\contextMenu.xml
c:\documents and settings\new\Application Data\alot\contextMenu\contextMenu.xml.backup
c:\documents and settings\new\Application Data\alot\ErrorSearch\ErrorSearch.xml
c:\documents and settings\new\Application Data\alot\ErrorSearch\ErrorSearch.xml.backup
c:\documents and settings\new\Application Data\alot\postInstallLayout\postInstallLayout.xml
c:\documents and settings\new\Application Data\alot\postInstallLayout\postInstallLayout.xml.backup
c:\documents and settings\new\Application Data\alot\products\products.xml
c:\documents and settings\new\Application Data\alot\products\products.xml.backup
c:\documents and settings\new\Application Data\alot\Resources\BrowserSearch\alot_search_defend.html
c:\documents and settings\new\Application Data\alot\Resources\Button_0\images\alot_logo_button.bmp
c:\documents and settings\new\Application Data\alot\Resources\Button_0\images\alot_logo_button.png
c:\documents and settings\new\Application Data\alot\Resources\Button_1\images\alot_search_button.bmp
c:\documents and settings\new\Application Data\alot\Resources\Button_1\images\alot_search_button.png
c:\documents and settings\new\Application Data\alot\Resources\Button_2\images\default_1108_alot_games_search.bmp
c:\documents and settings\new\Application Data\alot\Resources\Button_2\images\default_1108_alot_games_search.png
c:\documents and settings\new\Application Data\alot\Resources\Button_3\images\default_1377_default_1174_alot_gam_gamenews.bmp
c:\documents and settings\new\Application Data\alot\Resources\Button_3\images\default_1377_default_1174_alot_gam_gamenews.png
c:\documents and settings\new\Application Data\alot\Resources\Button_4\images\default_1200_alot_gam_vidgamenews.bmp
c:\documents and settings\new\Application Data\alot\Resources\Button_4\images\default_1200_alot_gam_vidgamenews.png
c:\documents and settings\new\Application Data\alot\Resources\Button_5\images\default_1580_www.gamespot.com_button.bmp
c:\documents and settings\new\Application Data\alot\Resources\Button_5\images\default_1580_www.gamespot.com_button.png
c:\documents and settings\new\Application Data\alot\Resources\Button_6\images\default_1581_alot_mrkt_amazon.bmp
c:\documents and settings\new\Application Data\alot\Resources\Button_6\images\default_1581_alot_mrkt_amazon.png
c:\documents and settings\new\Application Data\alot\Resources\Button_7\images\default_1602_alot_mrkt_livinghealthy.bmp
c:\documents and settings\new\Application Data\alot\Resources\Button_7\images\default_1602_alot_mrkt_livinghealthy.png
c:\documents and settings\new\Application Data\alot\Resources\Button_8\images\default_1041_default_1045_alot_mrkt_readersdigest.bmp
c:\documents and settings\new\Application Data\alot\Resources\Button_8\images\default_1041_default_1045_alot_mrkt_readersdigest.png
c:\documents and settings\new\Application Data\alot\Resources\contextMenu\images\alot_logo_button.bmp
c:\documents and settings\new\Application Data\alot\Resources\contextMenu\images\alot_logo_button.png
c:\documents and settings\new\Application Data\alot\Resources\Shared\images\alot_brand.png
c:\documents and settings\new\Application Data\alot\Resources\Shared\images\alot_splitter.png
c:\documents and settings\new\Application Data\alot\TimerManager\TimerManager.xml
c:\documents and settings\new\Application Data\alot\TimerManager\TimerManager.xml.backup
c:\documents and settings\new\Application Data\alot\toolbar.xml
c:\documents and settings\new\Application Data\alot\toolbar.xml.backup
c:\documents and settings\new\Application Data\alot\ToolbarSearch\ToolbarSearch.xml
c:\documents and settings\new\Application Data\alot\Updater\Updater.xml
c:\documents and settings\new\Application Data\alot\Updater\Updater.xml.backup
c:\documents and settings\Sally\Local Settings\Application Data\BIT7.tmp
c:\found.000\file0000.chk
c:\program files\viewpoint\viewpoint media player\npViewpoint.dll
c:\tdsskiller_quarantine\20.06.2011_15.17.47\boot0000\mbr0000\object.ini
c:\tdsskiller_quarantine\20.06.2011_15.17.47\boot0000\mbr0000\tsk0000.dta
c:\tdsskiller_quarantine\20.06.2011_15.17.47\boot0000\mbr0000\tsk0000.ini
c:\tdsskiller_quarantine\20.06.2011_15.17.47\boot0000\object.ini
c:\tdsskiller_quarantine\20.06.2011_15.17.47\boot0000\tdlfs0000\object.ini
c:\tdsskiller_quarantine\20.06.2011_15.17.47\boot0000\tdlfs0000\tsk0000.dta
c:\tdsskiller_quarantine\20.06.2011_15.17.47\boot0000\tdlfs0000\tsk0000.ini
c:\tdsskiller_quarantine\20.06.2011_15.17.47\boot0000\tdlfs0000\tsk0001.dta
c:\tdsskiller_quarantine\20.06.2011_15.17.47\boot0000\tdlfs0000\tsk0001.ini
c:\tdsskiller_quarantine\20.06.2011_15.17.47\boot0000\tdlfs0000\tsk0002.dta
c:\tdsskiller_quarantine\20.06.2011_15.17.47\boot0000\tdlfs0000\tsk0002.ini
c:\tdsskiller_quarantine\20.06.2011_15.17.47\boot0000\tdlfs0000\tsk0003.dta
c:\tdsskiller_quarantine\20.06.2011_15.17.47\boot0000\tdlfs0000\tsk0003.ini
c:\tdsskiller_quarantine\20.06.2011_15.17.47\boot0000\tdlfs0000\tsk0004.dta
c:\tdsskiller_quarantine\20.06.2011_15.17.47\boot0000\tdlfs0000\tsk0004.ini
c:\tdsskiller_quarantine\20.06.2011_15.17.47\boot0000\tdlfs0000\tsk0005.dta
c:\tdsskiller_quarantine\20.06.2011_15.17.47\boot0000\tdlfs0000\tsk0005.ini
c:\tdsskiller_quarantine\20.06.2011_15.17.47\boot0000\tdlfs0000\tsk0006.dta
c:\tdsskiller_quarantine\20.06.2011_15.17.47\boot0000\tdlfs0000\tsk0006.ini
c:\tdsskiller_quarantine\20.06.2011_15.17.47\boot0000\tdlfs0000\tsk0007.dta
c:\tdsskiller_quarantine\20.06.2011_15.17.47\boot0000\tdlfs0000\tsk0007.ini
c:\tdsskiller_quarantine\20.06.2011_15.17.47\boot0000\tdlfs0000\tsk0008.dta
c:\tdsskiller_quarantine\20.06.2011_15.17.47\boot0000\tdlfs0000\tsk0008.ini
c:\tdsskiller_quarantine\20.06.2011_15.17.47\boot0000\tdlfs0000\tsk0009.dta
c:\tdsskiller_quarantine\20.06.2011_15.17.47\boot0000\tdlfs0000\tsk0009.ini
c:\tdsskiller_quarantine\20.06.2011_15.17.47\boot0000\tdlfs0000\tsk0010.dta
c:\tdsskiller_quarantine\20.06.2011_15.17.47\boot0000\tdlfs0000\tsk0010.ini
c:\tdsskiller_quarantine\20.06.2011_15.17.47\boot0000\tdlfs0000\tsk0011.dta
c:\tdsskiller_quarantine\20.06.2011_15.17.47\boot0000\tdlfs0000\tsk0011.ini
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_VIEWPOINT_MANAGER_SERVICE
-------\Service_ntportio
-------\Service_Viewpoint Manager Service
.
.
((((((((((((((((((((((((( Files Created from 2011-05-23 to 2011-06-23 )))))))))))))))))))))))))))))))
.
.
2011-06-21 15:14 . 2011-06-21 15:16 -------- d-----w- c:\documents and settings\Ann\Local Settings\Application Data\Roblox
2011-06-20 23:19 . 2011-06-20 23:19 -------- d-----w- c:\program files\ESET
2011-06-20 01:10 . 2011-06-20 01:10 -------- d-----w- c:\documents and settings\Ann\Application Data\InstallShield
2011-06-19 23:40 . 2011-06-19 23:47 -------- d-----w- c:\documents and settings\Ann\Application Data\FixCleaner
2011-06-17 08:23 . 2011-06-17 08:23 -------- d-sh--w- c:\documents and settings\Default User\IETldCache
2011-06-16 19:53 . 2011-04-21 13:37 105472 -c----w- c:\windows\system32\dllcache\mup.sys
2011-06-14 21:02 . 2011-06-14 21:07 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
2011-06-14 20:31 . 2011-06-14 20:31 -------- d-----w- c:\documents and settings\Ann\Application Data\Malwarebytes
2011-06-14 20:31 . 2011-05-29 14:11 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-06-14 20:31 . 2011-06-14 20:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-06-14 20:31 . 2011-06-14 20:31 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-06-14 20:31 . 2011-05-29 14:11 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-06-14 06:03 . 2011-06-14 06:03 -------- d-----w- c:\documents and settings\Ann\Application Data\vmntemplate
2011-06-12 22:33 . 2011-06-12 22:33 -------- d-----w- c:\documents and settings\LocalService\Application Data\Apple Computer
2011-06-05 20:43 . 2011-06-05 20:44 -------- d-----w- c:\documents and settings\Sally\Local Settings\Application Data\Roblox
2011-05-30 22:53 . 2011-05-30 22:53 -------- d-----w- c:\documents and settings\Sally\Application Data\vmntemplate
2011-05-30 22:53 . 2011-06-07 13:14 -------- d-----w- c:\documents and settings\Sally\Application Data\whitesmoketoolbar
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-05-20 03:15 . 2011-05-15 21:04 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-05-10 21:51 . 2011-05-10 21:51 388096 ----a-r- c:\documents and settings\Sally\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2011-05-10 12:10 . 2011-05-11 02:22 40112 ----a-w- c:\windows\avastSS.scr
2011-05-10 12:10 . 2011-05-11 02:22 199304 ----a-w- c:\windows\system32\aswBoot.exe
2011-05-10 12:03 . 2011-05-11 02:22 441176 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2011-05-10 12:03 . 2011-05-11 02:22 307928 ----a-w- c:\windows\system32\drivers\aswSP.sys
2011-05-10 12:02 . 2011-05-11 02:22 49240 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2011-05-10 12:02 . 2011-05-11 02:22 102616 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2011-05-10 12:02 . 2011-05-11 02:22 96344 ----a-w- c:\windows\system32\drivers\aswmon.sys
2011-05-10 11:59 . 2011-05-11 02:22 25432 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2011-05-10 11:59 . 2011-05-11 02:22 30808 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2011-05-10 11:59 . 2011-05-11 02:22 19544 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2011-05-02 15:31 . 2008-10-13 18:40 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-05-01 05:30 . 2011-05-01 05:30 0 ----a-w- c:\windows\system32\ConduitEngine.tmp
2011-04-29 16:19 . 2004-08-04 12:00 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-04-25 16:11 . 2004-08-04 12:00 916480 ----a-w- c:\windows\system32\wininet.dll
2011-04-25 16:11 . 2004-08-04 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-04-25 16:11 . 2004-08-04 12:00 1469440 ------w- c:\windows\system32\inetcpl.cpl
2011-04-25 12:01 . 2004-08-04 12:00 385024 ----a-w- c:\windows\system32\html.iec
2011-04-21 13:37 . 2004-08-04 12:00 105472 ----a-w- c:\windows\system32\drivers\mup.sys
2011-04-05 16:03 . 2009-01-25 21:02 499712 ----a-w- c:\windows\system32\msvcp71.dll
2011-04-05 16:03 . 2009-01-25 21:02 348160 ----a-w- c:\windows\system32\msvcr71.dll
2011-06-21 05:45 . 2011-06-21 05:45 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2011-05-10 12:10 122512 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"cdloader"="c:\documents and settings\Ann\Application Data\mjusbsp\cdloader2.exe" [2011-05-16 50592]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2008-10-24 206112]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-07-27 1388544]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-01-25 421160]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2011-05-10 3459712]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="c:\program files\MySpace\IM\MySpaceIM.exe" [2008-12-12 9555968]
.
c:\documents and settings\new\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - c:\program files\LimeWire\LimeWire.exe [N/A]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-1-21 65588]
SanDisk Media Manager.lnk - [N/A]
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hp psc 1000 series.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\hp psc 1000 series.lnk
backup=c:\windows\pss\hp psc 1000 series.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hpoddt01.exe.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\hpoddt01.exe.lnk
backup=c:\windows\pss\hpoddt01.exe.lnkCommon Startup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
2007-06-28 00:03 152872 ----a-w- c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes' Anti-Malware]
2011-05-29 14:11 449584 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2007-03-01 20:57 153136 ----a-w- c:\program files\Common Files\Ahead\Lib\NeroCheck.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"RDSessMgr"=3 (0x3)
"RemoteRegistry"=2 (0x2)
"NBService"=3 (0x3)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Nero\\Nero 7\\Nero Home\\NeroHome.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Vuze\\Azureus.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"c:\\Program Files\\AIM6\\aim6.exe"=
"c:\\Program Files\\Research In Motion\\BlackBerry Desktop\\Rim.Desktop.exe"=
"c:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"=
"c:\\Program Files\\FrostWire\\FrostWire.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\Hpqdirec.exe"=
"c:\\Documents and Settings\\Sally\\Application Data\\mjusbsp\\magicJack.exe"=
"c:\\Documents and Settings\\Ann\\Application Data\\mjusbsp\\magicJack.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:mad:xpsp2res.dll,-22009
"7302:TCP"= 7302:TCP:spport
"7933:TCP"= 7933:TCP:spport
"25185:TCP"= 25185:TCP:spport
"12709:TCP"= 12709:TCP:spport
.
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [5/10/2011 9:22 PM 441176]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [5/10/2011 9:22 PM 307928]
R1 GhPciScan;GhostPciScanner;c:\program files\Symantec\Norton Ghost 2003\GhPciScan.sys [12/17/2003 3:41 PM 5632]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [5/10/2011 9:22 PM 19544]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [6/14/2011 3:31 PM 366640]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [6/14/2011 3:31 PM 22712]
S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [3/12/2010 9:50 PM 135664]
S3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [3/12/2010 9:50 PM 135664]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [6/14/2011 3:31 PM 39984]
.
Contents of the 'Scheduled Tasks' folder
.
2011-06-20 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 18:34]
.
2010-04-17 c:\windows\Tasks\FRU Task 2003-04-10 00:56ewlett-Packard2003-04-10 00:56p psc 1200 series272A572217594EBCF1CEE215E352B92AD073FDE4238034746.job
- c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2003-04-09 22:56]
.
2011-06-23 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-13 02:49]
.
2011-06-23 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-03-13 02:49]
.
2011-06-22 c:\windows\Tasks\ParetoLogic Registration3.job
- c:\program files\Common Files\ParetoLogic\UUS3\UUS3.dll [2011-03-29 23:17]
.
2011-06-17 c:\windows\Tasks\ParetoLogic Update Version3.job
- c:\program files\Common Files\ParetoLogic\UUS3\Pareto_Update3.exe [2011-03-29 23:17]
.
2011-06-23 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1390067357-602609370-682003330-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-01-24 19:25]
.
2011-06-23 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1390067357-602609370-682003330-1004.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-01-24 19:25]
.
2011-06-23 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1390067357-602609370-682003330-1006.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-01-24 19:25]
.
2011-06-23 c:\windows\Tasks\RealUpgradeLogonTaskS-1-5-21-1390067357-602609370-682003330-1007.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-01-24 19:25]
.
2011-06-19 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1390067357-602609370-682003330-1003.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-01-24 19:25]
.
2011-06-23 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1390067357-602609370-682003330-1004.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-01-24 19:25]
.
2011-06-23 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1390067357-602609370-682003330-1006.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-01-24 19:25]
.
2011-06-18 c:\windows\Tasks\RealUpgradeScheduledTaskS-1-5-21-1390067357-602609370-682003330-1007.job
- c:\program files\Real\RealUpgrade\realupgrade.exe [2011-01-24 19:25]
.
2011-06-23 c:\windows\Tasks\User_Feed_Synchronization-{F40D76E2-EDB6-4822-942F-381290BAA316}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 09:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_D1E1F7ED622A0E5D.dll/cmsidewiki.html
TCP: DhcpNameServer = 192.168.2.1 24.217.0.5 24.217.201.67 68.113.206.10
FF - ProfilePath - c:\documents and settings\Ann\Application Data\Mozilla\Firefox\Profiles\6biwtmo5.default\
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-06-22 22:28
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
.
C:\## aswSnx private storage
.
scan completed successfully
hidden files: 1
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(3284)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2011-06-22 22:42:01
ComboFix-quarantined-files.txt 2011-06-23 03:41
ComboFix2.txt 2011-06-20 23:08
.
Pre-Run: 73,764,737,024 bytes free
Post-Run: 73,802,522,624 bytes free
.
- - End Of File - - CEF555C07022D181831867323D8E61FF
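The helper's warning earlier in the thread about services that allow remote access, and the firewall sections of the ComboFix log (msconfig\services, AuthorizedApplications, GloballyOpenPorts), can be checked mechanically instead of by eye. The Python script below is an added example for this thread; it is not ComboFix's own code and not the poster's log. It parses bracketed registry sections in the same layout ComboFix prints, then flags remote-access service entries, third-party programs allowed through the firewall, and every globally open port. SAMPLE_LOG is constructed to mirror the posted log's layout; the service name TermService and the well-known ports 135/139/445 are my additions beyond what the thread shows.

```python
"""Flag remote-access exposure in the 'Reg Loading Points' part of a
ComboFix-style log.  Added example for this thread; not ComboFix's own code
and not the poster's log.  SAMPLE_LOG is constructed to mirror the log's layout."""
import re
from typing import Dict, List, Tuple

# Constructed sample in the same layout as the posted log (not the real log).
SAMPLE_LOG = r"""[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"RDSessMgr"=3 (0x3)
"RemoteRegistry"=2 (0x2)
"NBService"=3 (0x3)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\FrostWire\\FrostWire.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Enabled:@xpsp2res.dll,-22009
"7302:TCP"= 7302:TCP:spport
"""

KEY_RE = re.compile(r"^\[(.+)\]$")             # [HKLM\...\Key]
VALUE_RE = re.compile(r'^"([^"]+)"=\s*(.*)$')  # "name"=value (value may be empty)

# Service names associated with remote access.  RemoteRegistry and RDSessMgr
# appear in the thread; TermService (Remote Desktop itself) is added here.
REMOTE_ACCESS_SERVICES = {
    "RemoteRegistry": "Remote Registry",
    "RDSessMgr": "Remote Desktop Help Session Manager",
    "TermService": "Terminal Services (Remote Desktop)",
}
START_TYPE = {2: "Automatic", 3: "Manual", 4: "Disabled"}  # SERVICE_*_START values
WELL_KNOWN_PORTS = {3389: "Remote Desktop (RDP)", 445: "SMB",
                    139: "NetBIOS session", 135: "RPC endpoint mapper"}


def parse_reg_sections(text: str) -> Dict[str, List[Tuple[str, str]]]:
    """Group "name"=value lines under the [key] header that precedes them."""
    sections: Dict[str, List[Tuple[str, str]]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":        # ComboFix uses a lone '.' as a spacer
            continue
        key = KEY_RE.match(line)
        if key:
            current = key.group(1)
            sections.setdefault(current, [])
            continue
        val = VALUE_RE.match(line)
        if val and current is not None:
            sections[current].append((val.group(1), val.group(2)))
    return sections


def parse_port_value(value: str) -> dict:
    """Decode 'port:proto[:scope:status:name]' as written in GloballyOpenPorts."""
    fields = value.strip().split(":")
    entry = {"port": int(fields[0]), "proto": fields[1]}
    if len(fields) >= 5:
        entry.update(scope=fields[2], status=fields[3], name=":".join(fields[4:]))
    else:                                   # short form, e.g. '7302:TCP:spport'
        entry.update(scope=None, status=None, name=":".join(fields[2:]))
    return entry


def audit(sections: Dict[str, List[Tuple[str, str]]]) -> List[dict]:
    """One finding per remote-access service, third-party firewall exception
    and globally open port, in the order they appear in the log."""
    findings: List[dict] = []
    for key, values in sections.items():
        k = key.lower()
        if k.endswith("msconfig\\services"):
            for name, value in values:
                if name in REMOTE_ACCESS_SERVICES:
                    start = int(value.split()[0])   # '3 (0x3)' -> 3
                    findings.append({"kind": "service", "name": name,
                                     "detail": f"{REMOTE_ACCESS_SERVICES[name]}, "
                                               f"start type {START_TYPE.get(start, start)}"})
        elif k.endswith("authorizedapplications\\list"):
            for name, _ in values:
                if not name.lower().startswith("%windir%"):   # skip Windows' own entries
                    findings.append({"kind": "firewall_app", "name": name,
                                     "detail": "third-party program allowed through the firewall"})
        elif k.endswith("globallyopenports\\list"):
            for _, value in values:
                e = parse_port_value(value)
                label = WELL_KNOWN_PORTS.get(e["port"], e["name"])
                findings.append({"kind": "open_port", "name": f"{e['port']}/{e['proto']}",
                                 "detail": f"{label}; status {e['status'] or 'unknown'}"})
    return findings


if __name__ == "__main__":
    for f in audit(parse_reg_sections(SAMPLE_LOG)):
        print(f"{f['kind']:13} {f['name']}: {f['detail']}")
```

Run against a real log, the open_port findings are the ones to read first: a port exception whose name is unfamiliar (the sample's "spport" entries mirror the unlabelled ones in the log above) deserves the same question the helper asks about remote-access services, namely who created it and whether it is still needed.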
 
OTM log

All processes killed
========== FILES ==========
File/Folder c:\documents and settings\ann\application data\whitesmoketoolbar not found.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
->Flash cache emptied: 42276 bytes

User: All Users

User: Ann
->Temp folder emptied: 10434215 bytes
->Temporary Internet Files folder emptied: 12627995 bytes
->Java cache emptied: 15088 bytes
->FireFox cache emptied: 94403238 bytes
->Google Chrome cache emptied: 7814998 bytes
->Flash cache emptied: 139448 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
->Flash cache emptied: 41620 bytes

User: Guest
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 78991 bytes

User: jackie
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 78991 bytes
->Java cache emptied: 10926993 bytes
->Flash cache emptied: 7330 bytes

User: LocalService
->Temp folder emptied: 65748 bytes
->Temporary Internet Files folder emptied: 8454278 bytes
->Flash cache emptied: 43607 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
->Java cache emptied: 84618 bytes
->Flash cache emptied: 106158 bytes

User: new
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 5243058 bytes
->Java cache emptied: 43629546 bytes
->FireFox cache emptied: 49783626 bytes
->Flash cache emptied: 149155 bytes

User: Sally
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 294871 bytes
->Java cache emptied: 248356617 bytes
->FireFox cache emptied: 81315229 bytes
->Google Chrome cache emptied: 17632275 bytes
->Flash cache emptied: 46622 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 2162283 bytes
%systemroot%\System32 .tmp files removed: 2675729 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 52419 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 569.00 mb


OTM by OldTimer - Version 3.1.18.0 log created on 06222011_235049
 
I need to clarify this. You are collecting malware between PlaySushi and gamevance.com. Mbam found the following entries:
c:\documents and settings\new\application data\Mozilla\extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\textlinks@playsushi.com (PUP.PlaySushi) -> Not selected for removal.
c:\documents and settings\new\application data\Mozilla\extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\textlinks@playsushi.com\chrome (PUP.PlaySushi) -> Not selected for removal.
c:\documents and settings\new\application data\Mozilla\extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\textlinks@playsushi.com\components (PUP.PlaySushi) -> Not selected for removal.
But it appears that you unchecked them so as not to remove the entries.

But on the other hand, Mbam did remove all entries for the following:
c:\documents and settings\new\application data\Mozilla\extensions\{ec8030f7-c20a-464f-9b0e-13a3a9e97384}\textlinks@gamevance.com\components (Adware.GamesVance) -> Quarantined and deleted successfully.

Now it seems to me that it's useless to keep removing adware/spyware from gamevance if you go there to play sushi!
 