TechSpot

[Closed] Unable to remove Trojan Horse Agent2.BXCT, wert3.exe, dm6[1].exe on

By skifast137
Dec 10, 2010
  1. Malwarebytes is not recognizing any threats; however, the threats in the subject title are regularly detected by AVG but cannot be healed by AVG. They are most commonly found in these two locations:
    c:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\[this folder name is arbitrary and changes with every detected threat]\dm6[1].exe
    c:\Documents and Settings\NetworkService\Application Data\wert3.exe

    Any help in figuring out how to clean this would be greatly appreciated!

    Following are the requested log files:

    Malwarebytes' Anti-Malware 1.50
    www.malwarebytes.org

    Database version: 5283

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702

    12/10/2010 2:00:44 PM
    mbam-log-2010-12-10 (14-00-44).txt

    Scan type: Quick scan
    Objects scanned: 143959
    Time elapsed: 14 minute(s), 33 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)
  2. skifast137 (Topic Starter)

    GMER 1.0.15.15530 - http://www.gmer.net
    Rootkit scan 2010-12-09 18:04:34
    Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdePort0 ST3160815A rev.3.AAD
    Running: ywlkpejc.exe; Driver: C:\DOCUME~1\Owner\LOCALS~1\Temp\kwdcruob.sys


    ---- System - GMER 1.0.15 ----

    SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwOpenProcess [0xAF5096C0]
    SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwTerminateProcess [0xAF509770]
    SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwTerminateThread [0xAF509810]
    SSDT \SystemRoot\system32\DRIVERS\AVGIDSShim.Sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwWriteVirtualMemory [0xAF5098B0]

    ---- Kernel code sections - GMER 1.0.15 ----

    init C:\WINDOWS\system32\drivers\senfilt.sys entry point in "init" section [0xF7D88F80]

    ---- User code sections - GMER 1.0.15 ----

    .text C:\WINDOWS\Explorer.EXE[292] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00BE000A
    .text C:\WINDOWS\Explorer.EXE[292] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00BF000A
    .text C:\WINDOWS\Explorer.EXE[292] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00B8000C
    .text C:\WINDOWS\System32\svchost.exe[1284] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 006E000A
    .text C:\WINDOWS\System32\svchost.exe[1284] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 006F000A
    .text C:\WINDOWS\System32\svchost.exe[1284] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 006D000C
    .text C:\WINDOWS\System32\svchost.exe[1284] USER32.dll!GetCursorPos 7E42974E 5 Bytes JMP 025A000A
    .text C:\WINDOWS\System32\svchost.exe[1284] ole32.dll!CoCreateInstance 774FF1AC 5 Bytes JMP 00EB000A

    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \FileSystem\Ntfs \Ntfs AVGIDSFilter.Sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )
    AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP1T1L0-17 83356292
    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort0 83356292
    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort1 83356292
    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP1T0L0-f 83356292

    AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
    AttachedDevice \FileSystem\Fastfat \Fat AVGIDSFilter.Sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )

    Device \Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskST3160815A______________________________3.AAD___#5&38fba5ac&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found

    ---- Registry - GMER 1.0.15 ----

    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DeviceNotSelectedTimeout 15
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@GDIProcessHandleQuota 10000
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler yes
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@swapdisk
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@TransmissionRetryTimeout 90
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERProcessHandleQuota 10000
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@AppInit_DLLs
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@LoadAppInit_DLLs 1

    ---- Disk sectors - GMER 1.0.15 ----

    Disk \Device\Harddisk0\DR0 sector 00 (MBR): rootkit-like behavior; TDL4 <-- ROOTKIT !!!
    Disk \Device\Harddisk0\DR0 sector 10: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sector 62: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sector 63: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sectors 312581552 (+255): rootkit-like behavior;

    ---- EOF - GMER 1.0.15 ----
  3. skifast137 (Topic Starter)

    DDS (Ver_10-12-05.01) - NTFSx86
    Run by Owner at 18:08:16.00 on Thu 12/09/2010
    Internet Explorer: 8.0.6001.18702
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.503.234 [GMT -6:00]

    AV: AVG Anti-Virus Free Edition 2011 *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

    ============== Running Processes ===============

    C:\PROGRA~1\AVG\AVG10\avgchsvx.exe
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\WINDOWS\Explorer.EXE
    svchost.exe
    C:\Program Files\AVG\AVG10\avgwdsvc.exe
    C:\Program Files\Olympus\DeviceDetector\DM1Service.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
    C:\Program Files\Analog Devices\Core\smax4pnp.exe
    C:\Program Files\AVG\AVG10\avgtray.exe
    C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe
    C:\Program Files\AVG\AVG10\avgnsx.exe
    C:\Program Files\AVG\AVG10\avgemcx.exe
    C:\PROGRA~1\AVG\AVG10\avgrsx.exe
    C:\Program Files\AVG\AVG10\avgcsrvx.exe
    C:\Documents and Settings\Owner\Desktop\dds.scr

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://www.yahoo.com/
    uSearch Page = hxxp://www.google.com
    uSearch Bar = hxxp://www.google.com/ie
    uDefault_Search_URL = hxxp://www.google.com/ie
    uInternet Settings,ProxyOverride = localhost
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg10\avgssie.dll
    BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
    BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
    BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar2.dll
    BHO: MSN Toolbar Helper: {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - c:\program files\msn\toolbar\3.0.1125.0\msneshellx.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    BHO: {fdd3b846-8d59-4ffb-8758-209b6ad74acc} - c:\program files\microsoft money\system\mnyviewer.dll
    TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar2.dll
    TB: MSN Toolbar: {1e61ed7c-7cb8-49d6-b9e9-ab4c880c8414} - c:\program files\msn\toolbar\3.0.1125.0\msneshellx.dll
    TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
    TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
    TB: {F5735C15-1FB2-41FE-BA12-242757E69DDE} - No File
    TB: {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - No File
    TB: {604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - No File
    EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
    EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
    EB: MoneySide: {9404901d-06da-4b23-a0ee-3ea4f64ec9b3} - c:\program files\microsoft money\system\mnyviewer.dll
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
    mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
    mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
    mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
    mRun: [AVG_TRAY] c:\program files\avg\avg10\avgtray.exe
    dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\device~1.lnk - c:\program files\olympus\devicedetector\DevDtct2.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\direct~1.lnk - c:\program files\olympus\dssplayer\DirectrecConfig.exe
    mPolicies-explorer: <NO NAME> =
    IE: &Google Search - c:\program files\google\GoogleToolbar2.dll/cmsearch.html
    IE: &Translate English Word - c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
    IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
    IE: Backward Links - c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
    IE: Cached Snapshot of Page - c:\program files\google\GoogleToolbar2.dll/cmcache.html
    IE: Similar Pages - c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
    IE: Translate Page into English - c:\program files\google\GoogleToolbar2.dll/cmtrans.html
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
    IE: {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - {301DA1EE-F65C-4188-A417-9E915CC8FBFA} - c:\program files\microsoft money\system\mnyviewer.dll
    DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
    DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
    DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://www.apple.com/qtactivex/qtplugin.cab
    DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} - hxxp://files.member.yahoo.com/dl/installs/sbc/yinsthdlk.cab
    DPF: {55027008-315F-4F45-BBC3-8BE119764741} - hxxp://www.slide.com/uploader/SlideImageUploader.cab
    DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1174493839296
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
    DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} - hxxp://offers.e-centives.com/cif/download/bin/actxcab.cab
    DPF: {CAFEEFAC-0014-0000-0001-ABCDEFFEDCBA}
    DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    DPF: {F5C90925-ABBF-4475-88F5-8622B452BA9E} - hxxp://www29.compaq.com/falco/SysQuery.cab
    Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg10\avgpp.dll
    Notify: avgrsstarter - avgrsstx.dll
    Notify: igfxcui - igfxsrvc.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    Hosts: 127.0.0.1 www.spywareinfo.com

    ============= SERVICES / DRIVERS ===============

    R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2010-9-13 25680]
    R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2010-9-7 26064]
    R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2010-9-7 249424]
    R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2010-9-7 34384]
    R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2010-11-9 299984]
    R2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg10\identity protection\agent\bin\AVGIDSAgent.exe [2010-11-10 6127184]
    R2 avgwd;AVG WatchDog;c:\program files\avg\avg10\avgwdsvc.exe [2010-10-22 265400]
    R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2010-8-19 123472]
    R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2010-8-19 30288]
    R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2010-8-19 26192]
    S2 mrtRate;mrtRate; [x]
    S3 msCMTSrvc;Content Monitoring Tool;c:\windows\system32\mscmtsrvc.exe --> c:\windows\system32\msCMTSrvc.exe [?]

    =============== Created Last 30 ================

    2010-12-09 17:36:04 -------- d-----w- c:\docume~1\owner\applic~1\AVG10
    2010-12-09 17:29:14 -------- d--h--w- c:\docume~1\alluse~1\applic~1\Common Files
    2010-12-09 17:24:13 -------- d-----w- c:\windows\system32\drivers\AVG
    2010-12-09 17:24:13 -------- d-----w- c:\docume~1\alluse~1\applic~1\AVG10
    2010-12-09 17:23:40 -------- d-----w- c:\program files\AVG
    2010-12-09 16:23:32 -------- d--h--w- C:\$AVG
    2010-12-09 04:56:37 -------- d-----w- c:\docume~1\alluse~1\applic~1\MFAData
    2010-11-18 15:12:09 -------- d-----w- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com
    2010-11-18 15:11:59 -------- d-----w- c:\program files\SUPERAntiSpyware
    2010-11-11 14:27:53 -------- d-----w- c:\program files\WebEx
    2010-11-10 04:20:58 299984 ----a-w- c:\windows\system32\drivers\avgtdix.sys

    ==================== Find3M ====================

    2010-09-18 17:23:26 974848 ----a-w- c:\windows\system32\mfc42u.dll
    2010-09-18 06:53:25 974848 ----a-w- c:\windows\system32\mfc42.dll
    2010-09-18 06:53:25 954368 ----a-w- c:\windows\system32\mfc40.dll
    2010-09-18 06:53:25 953856 ----a-w- c:\windows\system32\mfc40u.dll

    =================== ROOTKIT ====================

    Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
    Windows 5.1.2600 Disk: ST3160815A rev.3.AAD -> Harddisk0\DR0 -> \Device\Ide\IdePort0 P0T0L0-3

    device: opened successfully
    user: MBR read successfully

    Disk trace:
    called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x83356446]<<
    _asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x8335c504]; MOV EAX, [0x8335c580]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
    1 nt!IofCallDriver[0x804E37D5] -> \Device\Harddisk0\DR0[0x833769C0]
    3 CLASSPNP[0xF8842FD7] -> nt!IofCallDriver[0x804E37D5] -> [0x83385030]
    \Driver\atapi[0x833E6190] -> IRP_MJ_CREATE -> 0x83356446
    kernel: MBR read successfully
    _asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; MOV ES, AX; MOV DS, AX; MOV SI, 0x7c00; MOV DI, 0x600; MOV CX, 0x200; CLD ; REP MOVSB ; PUSH AX; PUSH 0x61c; RETF ; STI ; PUSHA ; MOV CX, 0x137; MOV BP, 0x62a; ROR BYTE [BP+0x0], CL; INC BP; }
    detected disk devices:
    \Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskST3160815A______________________________3.AAD___#5&38fba5ac&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
    detected hooks:
    \Driver\atapi DriverStartIo -> 0x83356292
    user != kernel MBR !!!
    sectors 312581806 (+255): user != kernel
    Warning: possible TDL4 rootkit infection !
    TDL4 rootkit infection detected ! Use: "mbr.exe -f" to fix.

    ============= FINISH: 18:11:36.73 ===============
  4. skifast137 (Topic Starter)

    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT

    DDS (Ver_10-12-05.01)

    Microsoft Windows XP Home Edition
    Boot Device: \Device\HarddiskVolume1
    Install Date: 5/19/2009 6:01:20 PM
    System Uptime: 12/9/2010 5:29:52 PM (1 hours ago)

    Motherboard: Dell Computer Corp. | | 0G1548
    Processor: Intel(R) Celeron(R) CPU 2.40GHz | Microprocessor | 2392/400mhz

    ==== Disk Partitions =========================

    A: is Removable
    C: is FIXED (NTFS) - 149 GiB total, 138.047 GiB free.
    D: is CDROM ()
    E: is CDROM ()
    F: is Removable

    ==== Disabled Device Manager Items =============

    Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
    Description: Broadcom 440x 10/100 Integrated Controller
    Device ID: PCI\VEN_14E4&DEV_4401&SUBSYS_81271028&REV_01\4&3B1CAF2B&0&48F0
    Manufacturer: Broadcom
    Name: Broadcom 440x 10/100 Integrated Controller
    PNP Device ID: PCI\VEN_14E4&DEV_4401&SUBSYS_81271028&REV_01\4&3B1CAF2B&0&48F0
    Service: bcm4sbxp

    ==== System Restore Points ===================

    No restore point in system.

    ==== Installed Programs ======================


    Adobe AIR
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 10 Plugin
    Adobe Reader 9.3
    Adobe Shockwave Player 11.5
    Apple Software Update
    AVG 2011
    CCleaner
    ClearType Tuning Control Panel Applet
    Conexant D850 56K V.9x DFVc Modem
    CXP Plug-In
    Google Toolbar for Internet Explorer
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Hotfix for Windows XP (KB2158563)
    Hotfix for Windows XP (KB954550-v5)
    Hotfix for Windows XP (KB981793)
    Inactive HP Printer Drivers (Remove only)
    Indeo® Software
    InstallMgr
    Intel(R) Extreme Graphics Driver
    InterActual Player
    InterVideo WinDVD 4
    J2SE Runtime Environment 5.0 Update 6
    Java(TM) 6 Update 17
    K-Lite Codec Pack 4.8.0 (Full)
    Malwarebytes' Anti-Malware
    MedAssist 5.0
    MedAssist 5.0_2 (C:\Program Files\MMSApp\MMS)
    MedAssist Version 4
    Microsoft .NET Framework (English)
    Microsoft .NET Framework (English) v1.0.3705
    Microsoft .NET Framework 1.0 Hotfix (KB928367)
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Security Update (KB2416447)
    Microsoft .NET Framework 1.1 Security Update (KB979906)
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft Compression Client Pack 1.0 for Windows XP
    Microsoft Data Access Components KB870669
    Microsoft Default Manager
    Microsoft Internationalized Domain Names Mitigation APIs
    Microsoft Money 2002
    Microsoft Money 2002 System Pack
    Microsoft National Language Support Downlevel APIs
    Microsoft Search Enhancement Pack
    Microsoft Silverlight
    Microsoft User-Mode Driver Framework Feature Pack 1.0
    Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    Microsoft Works 7.0
    MSN Toolbar
    MSXML 4.0 SP2 (KB927978)
    MSXML 4.0 SP2 (KB936181)
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    MSXML 6 Service Pack 2 (KB954459)
    Netscape (7.0)
    NVIDIA Windows 2000/XP Display Drivers
    Olympus DSS Player
    Picasa 3
    PS2
    Python 2.2 combined Win32 extensions
    Quicken 2003 New User Edition
    Quicksys RegDefrag 2.1
    QuickTime
    S3Display
    S3Gamma2
    S3Info2
    S3Overlay
    Security Update for CAPICOM (KB931906)
    Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
    Security Update for Windows Internet Explorer 7 (KB938127-v2)
    Security Update for Windows Internet Explorer 7 (KB963027)
    Security Update for Windows Internet Explorer 7 (KB969897)
    Security Update for Windows Internet Explorer 8 (KB2183461)
    Security Update for Windows Internet Explorer 8 (KB2360131)
    Security Update for Windows Internet Explorer 8 (KB969897)
    Security Update for Windows Internet Explorer 8 (KB971961)
    Security Update for Windows Internet Explorer 8 (KB972260)
    Security Update for Windows Internet Explorer 8 (KB974455)
    Security Update for Windows Internet Explorer 8 (KB976325)
    Security Update for Windows Internet Explorer 8 (KB978207)
    Security Update for Windows Internet Explorer 8 (KB981332)
    Security Update for Windows Internet Explorer 8 (KB982381)
    Security Update for Windows Media Player (KB2378111)
    Security Update for Windows Media Player (KB975558)
    Security Update for Windows Media Player (KB978695)
    Security Update for Windows XP (KB2079403)
    Security Update for Windows XP (KB2115168)
    Security Update for Windows XP (KB2121546)
    Security Update for Windows XP (KB2160329)
    Security Update for Windows XP (KB2229593)
    Security Update for Windows XP (KB2259922)
    Security Update for Windows XP (KB2279986)
    Security Update for Windows XP (KB2286198)
    Security Update for Windows XP (KB2296011)
    Security Update for Windows XP (KB2347290)
    Security Update for Windows XP (KB2360937)
    Security Update for Windows XP (KB2387149)
    Security Update for Windows XP (KB975562)
    Security Update for Windows XP (KB977816)
    Security Update for Windows XP (KB978338)
    Security Update for Windows XP (KB978542)
    Security Update for Windows XP (KB978601)
    Security Update for Windows XP (KB979309)
    Security Update for Windows XP (KB979482)
    Security Update for Windows XP (KB979559)
    Security Update for Windows XP (KB979683)
    Security Update for Windows XP (KB979687)
    Security Update for Windows XP (KB980195)
    Security Update for Windows XP (KB980218)
    Security Update for Windows XP (KB980232)
    Security Update for Windows XP (KB980436)
    Security Update for Windows XP (KB981322)
    Security Update for Windows XP (KB981852)
    Security Update for Windows XP (KB981957)
    Security Update for Windows XP (KB981997)
    Security Update for Windows XP (KB982132)
    Security Update for Windows XP (KB982214)
    Security Update for Windows XP (KB982665)
    Security Update for Windows XP (KB982802)
    Sentinel System Driver
    Simple Installer - Multilanguage Version
    SoundMAX
    Spybot - Search & Destroy
    Spybot - Search & Destroy 1.3
    SpywareBlaster 4.2
    StenRemote
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Windows Internet Explorer 8 (KB971180)
    Update for Windows Internet Explorer 8 (KB976662)
    Update for Windows Internet Explorer 8 (KB976749)
    Update for Windows Internet Explorer 8 (KB980182)
    Update for Windows XP (KB2141007)
    Update for Windows XP (KB2345886)
    WebEx
    WebFldrs XP
    Windows Genuine Advantage Notifications (KB905474)
    Windows Genuine Advantage Validation Tool (KB892130)
    Windows Internet Explorer 8
    Windows Media Format 11 runtime
    Windows Media Player 11
    Windows Presentation Foundation
    WinWay Resume Deluxe
    XML Paper Specification Shared Components Pack 1.0
    Yahoo! BrowserPlus

    ==== Event Viewer Messages From Past Week ========

    12/9/2010 9:40:25 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: viaagp1
    12/9/2010 9:40:18 AM, error: Service Control Manager [7001] - The Fax service depends on the Print Spooler service which failed to start because of the following error: The system cannot find the file specified.
    12/9/2010 9:40:18 AM, error: Service Control Manager [7000] - The Print Spooler service failed to start due to the following error: The system cannot find the file specified.
    12/9/2010 9:40:18 AM, error: Service Control Manager [7000] - The mrtRate service failed to start due to the following error: The system cannot find the file specified.
    12/9/2010 5:46:41 PM, error: atapi [9] - The device, \Device\Ide\IdePort0, did not respond within the timeout period.
    12/9/2010 5:08:57 PM, error: Service Control Manager [7034] - The Java Quick Starter service terminated unexpectedly. It has done this 1 time(s).
    12/9/2010 5:08:52 PM, error: Service Control Manager [7034] - The SeaPort service terminated unexpectedly. It has done this 1 time(s).
    12/9/2010 5:08:51 PM, error: Service Control Manager [7034] - The DM1Service service terminated unexpectedly. It has done this 1 time(s).
    12/9/2010 4:29:33 PM, error: Service Control Manager [7011] - Timeout (30000 milliseconds) waiting for a transaction response from the avgwd service.
    12/9/2010 11:48:12 AM, error: Service Control Manager [7023] - The Application Management service terminated with the following error: The specified module could not be found.
    12/9/2010 11:05:33 AM, error: Service Control Manager [7034] - The Windows Installer service terminated unexpectedly. It has done this 1 time(s).
    12/9/2010 10:38:27 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AvgLdx86 AvgMfx86 Fips intelppm SASKUTIL viaagp1
    12/9/2010 10:37:08 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
    12/9/2010 10:17:56 AM, error: Service Control Manager [7000] - The SASDIFSV service failed to start due to the following error: Cannot create a file when that file already exists.
    12/9/2010 10:16:07 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: agp440 PCIIde SISAGP viaagp1

    ==== End Of File ===========================
  5. Bobbye (Helper on the Fringe)

    Welcome to TechSpot. The system has a rootkit malware infection, so we will start working on it first:

    • Download the file TDSSKiller.zip and save to the desktop.
      (If you are unable to download the file for some reason, then TDSS may be blocking it. You would then need to download it first to a clean computer and then transfer it to the infected one using an external drive or USB flash drive.)
    • Right-click the tdsskiller.zip file > Select Extract All into a folder on the infected (or potentially infected) PC.
    • Double click on TDSSKiller.exe to run the scan.
    • When the scan is over, the utility outputs a list of detected objects with description.
      The utility automatically selects an action (Cure or Delete) for malicious objects.
      The utility prompts the user to select an action to apply to suspicious objects (Skip, by default).
    • Select the action Quarantine to quarantine detected objects.
      The default quarantine folder is in the system disk root folder, e.g.: C:\TDSSKiller_Quarantine\23.07.2010_15.31.43
    • After clicking Next, the utility applies selected actions and outputs the result.
    • A reboot is required after disinfection.
    Please leave the log in your next reply.
    ===========================================

    Run Eset NOD32 Online AntiVirus scan HERE
    1. Tick the box next to YES, I accept the Terms of Use.
    2. Click Start
    3. When asked, allow the Active X control to install
    4. Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
    5. Click Start
    6. Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
    7. Click Scan
    8. Wait for the scan to finish
    9. Re-enable your Antivirus software.
    10. A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.

    Important!
    Please do not use any other cleaning programs or scans while I'm helping you, unless I direct you to. Do not use a Registry cleaner or make any changes in the Registry.

    And a special note: If you are using any file sharing programs, please uninstall them or disable them. They must not be running while I am helping you clean. I'm going to finish reviewing these logs while you're running the 2 scans.
    =======================================
  6. skifast137 (Topic Starter)

    2010/12/10 17:12:33.0843 TDSS rootkit removing tool 2.4.11.0 Dec 8 2010 14:46:40
    2010/12/10 17:12:33.0843 ================================================================================
    2010/12/10 17:12:33.0843 SystemInfo:
    2010/12/10 17:12:33.0843
    2010/12/10 17:12:33.0843 OS Version: 5.1.2600 ServicePack: 3.0
    2010/12/10 17:12:33.0843 Product type: Workstation
    2010/12/10 17:12:33.0843 ComputerName: SERVER-NEW
    2010/12/10 17:12:33.0843 UserName: Owner
    2010/12/10 17:12:33.0843 Windows directory: C:\WINDOWS
    2010/12/10 17:12:33.0859 System windows directory: C:\WINDOWS
    2010/12/10 17:12:33.0859 Processor architecture: Intel x86
    2010/12/10 17:12:33.0859 Number of processors: 1
    2010/12/10 17:12:33.0859 Page size: 0x1000
    2010/12/10 17:12:33.0859 Boot type: Normal boot
    2010/12/10 17:12:33.0859 ================================================================================
    2010/12/10 17:12:34.0375 Initialize success
    2010/12/10 17:14:05.0062 ================================================================================
    2010/12/10 17:14:05.0062 Scan started
    2010/12/10 17:14:05.0062 Mode: Manual;
    2010/12/10 17:14:05.0062 ================================================================================
    2010/12/10 17:14:36.0609 \HardDisk0 - detected Rootkit.Win32.TDSS.tdl4 (0)
    2010/12/10 17:14:36.0625 ================================================================================
    2010/12/10 17:14:36.0625 Scan finished
    2010/12/10 17:14:36.0625 ================================================================================
    2010/12/10 17:14:36.0671 Detected object count: 1
    2010/12/10 17:14:41.0625 \HardDisk0 - will be cured after reboot
    2010/12/10 17:14:41.0625 Rootkit.Win32.TDSS.tdl4(\HardDisk0) - User select action: Cure
    2010/12/10 17:14:56.0671 Deinitialize success
  7. skifast137

    skifast137 Newcomer, in training Topic Starter

    ESETSmartInstaller@High as CAB hook log:
    OnlineScanner.ocx - registred OK
    esets_scanner_update returned -1 esets_gle=53251
    # version=7
    # iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)
    # OnlineScanner.ocx=1.0.0.6415
    # api_version=3.0.2
    # EOSSerial=cbb22a27b5df5746a5fc515cee469dbf
    # end=finished
    # remove_checked=false
    # archives_checked=false
    # unwanted_checked=true
    # unsafe_checked=false
    # antistealth_checked=true
    # utc_time=2010-12-11 04:07:16
    # local_time=2010-12-10 10:07:16 (-0600, Central Standard Time)
    # country="United States"
    # lang=9
    # osver=5.1.2600 NT Service Pack 3
    # compatibility_mode=1032 16777173 100 96 0 48769441 0 0
    # compatibility_mode=8192 67108863 100 0 0 0 0 0
    # scanned=79804
    # found=6
    # cleaned=0
    # scan_time=2285
    C:\Documents and Settings\All Users\Application Data\AOL Downloads\triton_suite_install\6.1.41.2\setup.exe probably a variant of Win32/Agent.HZHBURL trojan (unable to clean) 00000000000000000000000000000000 I
    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\LZZ0319I\sgapgh[2].htm JS/TrojanDownloader.Agent.NWG trojan (unable to clean) 00000000000000000000000000000000 I
    C:\Documents and Settings\NetworkService\Application Data\wert3.exe a variant of Win32/Olmarik.AJE trojan (unable to clean) 00000000000000000000000000000000 I
    C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\1MVD79PN\asda[1].htm JS/TrojanDownloader.Agent.NWG trojan (unable to clean) 00000000000000000000000000000000 I
    C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\1MVD79PN\sgapgh[1].htm JS/TrojanDownloader.Agent.NWG trojan (unable to clean) 00000000000000000000000000000000 I
    C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\X23WNS1J\dm6[1].exe a variant of Win32/Olmarik.AJE trojan (unable to clean) 00000000000000000000000000000000 I
  8. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    All requested logs are here. Please run the following 2 programs.

    Please download OTMoveIt by Old Timer and save to your desktop.
    • Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
    • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
      Code:
      :Processes	
      
      :Files  
      C:\Documents and Settings\All Users\Application Data\AOL Downloads\triton_suite_install\6.1.41.2\setup.exe 
      C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\LZZ0319I\sgapgh[2].htm 
      C:\Documents and Settings\NetworkService\Application Data\wert3.exe 
      C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\1MVD79PN\asda[1].htm 
      C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\1MVD79PN\sgapgh[1].htm 
      C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\X23WNS1J\dm6[1].exe 
      :Commands
      [purity]
      [emptytemp]
      [start explorer]
      [Reboot]
    • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
    • Click the red Moveit! button.
    • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
    • Close OTMoveIt3
    If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
    ====================================
    Download Combofix and save to your desktop from one of these locations:
    Link 1
    Link 2
    • Double click combofix.exe & follow the prompts.
    • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It is strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode if needed.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    • Query- Recovery Console image
      [IMG]
    • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
      [IMG]
    • Click on Yes, to continue scanning for malware
    • If Combofix asks you to update the program, allow
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Close any open browsers.
    • Double click combofix.exe & follow the prompts to run.
    • When the scan completes it will open a text window. Please paste that log in your next reply.
    Notes:
    1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
    3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
    4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
    =======================================
    Per PM and not being able to post here, possibly there was a momentary site problem. IF you still can't post here, I need to know exactly what happens when you try.
  9. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Have you changed your user name? When? Why?
  10. skifast137

    skifast137 Newcomer, in training Topic Starter

    All processes killed
    ========== PROCESSES ==========
    ========== FILES ==========
    C:\Documents and Settings\All Users\Application Data\AOL Downloads\triton_suite_install\6.1.41.2\setup.exe moved successfully.
    File/Folder C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\LZZ0319I\sgapgh[2].htm not found.
    C:\Documents and Settings\NetworkService\Application Data\wert3.exe moved successfully.
    File/Folder C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\1MVD79PN\asda[1].htm not found.
    File/Folder C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\1MVD79PN\sgapgh[1].htm not found.
    File/Folder C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\X23WNS1J\dm6[1].exe not found.
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: All Users

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes

    User: LocalService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 506265524 bytes
    ->Flash cache emptied: 25323 bytes

    User: NetworkService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 41174500 bytes
    ->Flash cache emptied: 56961 bytes

    User: Owner
    ->Temp folder emptied: 80007644 bytes
    ->Temporary Internet Files folder emptied: 8229691 bytes
    ->Java cache emptied: 0 bytes
    ->Flash cache emptied: 584 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32\dllcache .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 8234338 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
    RecycleBin emptied: 827434 bytes

    Total Files Cleaned = 615.00 mb


    OTM by OldTimer - Version 3.1.17.2 log created on 12112010_113902

    Files moved on Reboot...
    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\4RTQC48I\3-1x1[1].gif moved successfully.

    Registry entries deleted on Reboot...
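    As an added example (not code from this thread, from ESET, or from OldTimer's OTM), the following Python script does what the helper did by hand above: it pulls the flagged paths out of an ESET Online Scanner log, writes them into the OTM `:Files` script layout, and then reconciles the OTM result log against the requested list so that "not found" entries (typically files already purged when the temp folders were emptied) stand out from files that were actually moved. It assumes the on-disk ESET log is tab-separated (the forum rendering collapsed the tabs to spaces) and handles both layouts; all sample log text is constructed.

```python
"""Added example: ESET log -> OTM ':Files' script -> reconcile with the OTM result log."""
import re
from collections import OrderedDict

# Constructed sample modelled on the ESET Online Scanner log posted in the thread.
# Assumption: the real log file separates fields with tabs; the forum copy shows
# spaces, so the first entry uses tabs and the other two use spaces.
ESET_LOG = (
    "# version=7\n"
    "# found=3\n"
    "# cleaned=0\n"
    "C:\\Documents and Settings\\NetworkService\\Application Data\\wert3.exe\t"
    "a variant of Win32/Olmarik.AJE trojan (unable to clean)\t"
    "00000000000000000000000000000000\tI\n"
    "C:\\Documents and Settings\\NetworkService\\Local Settings\\Temporary Internet Files"
    "\\Content.IE5\\X23WNS1J\\dm6[1].exe a variant of Win32/Olmarik.AJE trojan "
    "(unable to clean) 00000000000000000000000000000000 I\n"
    "C:\\Documents and Settings\\LocalService\\Local Settings\\Temporary Internet Files"
    "\\Content.IE5\\LZZ0319I\\sgapgh[2].htm JS/TrojanDownloader.Agent.NWG trojan "
    "(unable to clean) 00000000000000000000000000000000 I\n"
)

# Space-separated fallback: the path runs up to its file extension (the first
# ".ext" token followed by whitespace); the 32-hex-digit field anchors the end of
# the detection text.
_SPACE_LINE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.*?\.\w{1,4})\s+(?P<detection>.*?)\s+"
    r"(?P<hash>[0-9A-Fa-f]{32})\s+(?P<flag>\S+)\s*$"
)


def parse_eset_log(text):
    """Return [(path, detection), ...] for every detection line; '#' lines are metadata."""
    found = []
    for line in text.splitlines():
        line = line.rstrip()
        if not line or line.startswith("#"):
            continue
        if "\t" in line:
            parts = line.split("\t")
            if len(parts) >= 2:
                found.append((parts[0], parts[1]))
                continue
        m = _SPACE_LINE.match(line)
        if m:
            found.append((m.group("path"), m.group("detection")))
    return found


def build_otm_script(paths):
    """Emit an OTM script with the same section layout as the helper's post."""
    lines = [":Processes", "", ":Files"]
    lines.extend(paths)
    lines += [":Commands", "[purity]", "[emptytemp]", "[start explorer]", "[Reboot]"]
    return "\n".join(lines) + "\n"


# OTM reports each requested path with one of these two sentence shapes.
_MOVED = re.compile(r"^(?P<path>.+?) moved successfully\.$")
_NOT_FOUND = re.compile(r"^File/Folder (?P<path>.+?) not found\.$")


def parse_otm_result(text):
    """Map every path mentioned in an OTM log to 'moved' or 'not found'."""
    status = OrderedDict()
    for line in text.splitlines():
        line = line.strip()
        m = _MOVED.match(line)
        if m:
            status[m.group("path")] = "moved"
            continue
        m = _NOT_FOUND.match(line)
        if m:
            status[m.group("path")] = "not found"
    return status


def reconcile(requested, otm_log):
    """Return {path: status} for each requested path; 'unreported' if OTM never mentioned it."""
    status = parse_otm_result(otm_log)
    return {p: status.get(p, "unreported") for p in requested}


# Constructed OTM result log in the format OTM writes (only two of the three paths reported).
OTM_LOG = (
    "All processes killed\n"
    "========== PROCESSES ==========\n"
    "========== FILES ==========\n"
    "C:\\Documents and Settings\\NetworkService\\Application Data\\wert3.exe moved successfully.\n"
    "File/Folder C:\\Documents and Settings\\NetworkService\\Local Settings\\Temporary Internet Files"
    "\\Content.IE5\\X23WNS1J\\dm6[1].exe not found.\n"
    "========== COMMANDS ==========\n"
)

if __name__ == "__main__":
    hits = parse_eset_log(ESET_LOG)
    print(build_otm_script([p for p, _ in hits]))
    for path, state in reconcile([p for p, _ in hits], OTM_LOG).items():
        print(f"{state:>10}  {path}")
```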
  11. skifast137

    skifast137 Newcomer, in training Topic Starter

    ComboFix 10-12-11.01 - Owner 12/11/2010 12:21:29.2.1 - x86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.503.298 [GMT -6:00]
    Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\Owner\Application Data\completescan
    c:\documents and settings\Owner\Application Data\install
    c:\documents and settings\Owner\GoToAssistDownloadHelper.exe
    c:\program files\AV7
    c:\windows\system32\BSTIEPrintCtl1.dll
    c:\windows\system32\fonts
    c:\windows\system32\fonts\ACADEMY_.PFB
    c:\windows\system32\fonts\ACADEMY_.PFM
    c:\windows\system32\fonts\ACADEMY_.TTF
    c:\windows\system32\ps2.bat
    c:\windows\Tasks\At1.job
    c:\windows\Tasks\At10.job
    c:\windows\Tasks\At11.job
    c:\windows\Tasks\At12.job
    c:\windows\Tasks\At13.job
    c:\windows\Tasks\At14.job
    c:\windows\Tasks\At15.job
    c:\windows\Tasks\At16.job
    c:\windows\Tasks\At17.job
    c:\windows\Tasks\At18.job
    c:\windows\Tasks\At19.job
    c:\windows\Tasks\At2.job
    c:\windows\Tasks\At20.job
    c:\windows\Tasks\At21.job
    c:\windows\Tasks\At22.job
    c:\windows\Tasks\At23.job
    c:\windows\Tasks\At24.job
    c:\windows\Tasks\At25.job
    c:\windows\Tasks\At26.job
    c:\windows\Tasks\At27.job
    c:\windows\Tasks\At28.job
    c:\windows\Tasks\At29.job
    c:\windows\Tasks\At3.job
    c:\windows\Tasks\At30.job
    c:\windows\Tasks\At31.job
    c:\windows\Tasks\At32.job
    c:\windows\Tasks\At33.job
    c:\windows\Tasks\At34.job
    c:\windows\Tasks\At35.job
    c:\windows\Tasks\At36.job
    c:\windows\Tasks\At37.job
    c:\windows\Tasks\At38.job
    c:\windows\Tasks\At39.job
    c:\windows\Tasks\At4.job
    c:\windows\Tasks\At40.job
    c:\windows\Tasks\At41.job
    c:\windows\Tasks\At42.job
    c:\windows\Tasks\At43.job
    c:\windows\Tasks\At44.job
    c:\windows\Tasks\At45.job
    c:\windows\Tasks\At46.job
    c:\windows\Tasks\At47.job
    c:\windows\Tasks\At48.job
    c:\windows\Tasks\At5.job
    c:\windows\Tasks\At6.job
    c:\windows\Tasks\At7.job
    c:\windows\Tasks\At8.job
    c:\windows\Tasks\At9.job

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_DOMAINSERVICE


    ((((((((((((((((((((((((( Files Created from 2010-11-11 to 2010-12-11 )))))))))))))))))))))))))))))))
    .

    2010-12-11 17:39 . 2010-12-11 17:39 -------- d-----w- C:\_OTM
    2010-12-11 04:25 . 2010-12-11 09:27 150016 ----a-w- c:\documents and settings\LocalService\Application Data\wert3.exe
    2010-12-11 03:15 . 2010-12-11 03:15 -------- d-----w- c:\program files\ESET
    2010-12-10 16:42 . 2010-12-10 16:42 76696 ----a-w- c:\windows\system32\drivers\pxrts.sys
    2010-12-10 16:42 . 2010-12-10 16:42 -------- d-----w- c:\program files\Prevx
    2010-12-10 16:41 . 2010-12-10 16:42 -------- d-----w- c:\documents and settings\All Users\Application Data\PrevxCSI
    2010-12-09 17:36 . 2010-12-09 17:36 -------- d-----w- c:\documents and settings\Owner\Application Data\AVG10
    2010-12-09 17:29 . 2010-12-09 17:29 -------- d--h--w- c:\documents and settings\All Users\Application Data\Common Files
    2010-12-09 17:24 . 2010-12-11 18:03 -------- d-----w- c:\documents and settings\All Users\Application Data\AVG10
    2010-12-09 04:56 . 2010-12-09 17:21 -------- d-----w- c:\documents and settings\All Users\Application Data\MFAData
    2010-11-18 15:12 . 2010-11-18 15:12 -------- d-----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
    2010-11-18 15:11 . 2010-12-09 23:30 -------- d-----w- c:\program files\SUPERAntiSpyware

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-11-29 23:42 . 2009-05-19 23:15 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-11-29 23:42 . 2009-05-19 23:15 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-09-18 17:23 . 2007-04-03 06:44 974848 ----a-w- c:\windows\system32\mfc42u.dll
    2010-09-18 06:53 . 2008-04-14 03:41 974848 ----a-w- c:\windows\system32\mfc42.dll
    2010-09-18 06:53 . 2008-04-14 03:41 953856 ----a-w- c:\windows\system32\mfc40u.dll
    2010-09-18 06:53 . 2004-08-04 12:00 954368 ----a-w- c:\windows\system32\mfc40.dll
    .

    ------- Sigcheck -------

    [7] 2010-08-17 . 258DD5D4283FD9F9A7166BE9AE45CE73 . 58880 . . [5.1.2600.6024] . . c:\windows\$hf_mig$\KB2347290\SP3QFE\spoolsv.exe
    [7] 2010-08-17 . 60784F891563FB1B767F70117FC2428F . 58880 . . [5.1.2600.6024] . . c:\windows\system32\dllcache\spoolsv.exe
    [7] 2008-04-14 . D8E14A61ACC1D4A6CD0D38AEBAC7FA3B . 57856 . . [5.1.2600.5512] . . c:\windows\$NtUninstallKB2347290$\spoolsv.exe
    [7] 2008-04-14 . D8E14A61ACC1D4A6CD0D38AEBAC7FA3B . 57856 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\spoolsv.exe
    [-] 2005-06-11 . AD3D9D191AEA7B5445FE1D82FFBB4788 . 57856 . . [5.1.2600.2696] . . c:\windows\$hf_mig$\KB896423\SP2QFE\spoolsv.exe

    c:\windows\System32\spoolsv.exe ... is missing !!
    .
    ((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2002-10-29 21:34 . 2001-07-07 05:56 61440 c:\hp\KBD\bak\KBD.EXE

    2002-10-29 21:41 . 2005-05-05 20:02 180269 c:\program files\Common Files\Real\Update_OB\bak\realsched.exe

    2003-11-10 13:30 . 2004-12-22 22:45 71280 c:\program files\Common Files\Symantec Shared\bak\ccApp.exe

    2002-10-29 21:55 . 2002-02-21 03:40 143360 c:\program files\COMPAQ\Coloreal\bak\coloreal.exe

    2004-08-16 19:01 . 2003-11-24 22:46 74696 c:\program files\Norton AntiVirus\AdvTools\bak\ADVCHK.EXE

    2006-10-19 19:19 . 2006-10-19 19:19 282624 c:\program files\QuickTime\bak\qttask.exe
    2009-01-05 21:18 . 2009-01-05 21:18 413696 c:\program files\QuickTime\QTTask.exe

    2004-10-05 23:02 . 2004-10-05 23:02 1051648 c:\program files\Spyware Killer Pro\SpyWare Monitor\bak\SKMonitor.exe

    2002-10-29 21:16 . 1998-05-08 00:04 52736 c:\windows\system\bak\hpsysdrv.exe

    2002-10-29 21:20 . 2002-09-09 15:05 114688 c:\windows\system32\bak\hkcmd.exe
    2002-10-29 21:20 . 2005-10-19 13:59 126976 c:\windows\system32\hkcmd.exe

    2002-10-29 21:20 . 2002-09-09 15:18 155648 c:\windows\system32\bak\igfxtray.exe
    2002-10-29 21:20 . 2005-10-19 13:59 155648 c:\windows\system32\igfxtray.exe

    2002-10-29 21:34 . 2002-08-01 04:28 81920 c:\windows\system32\bak\ps2.exe
    2009-05-19 22:39 . 2002-08-01 04:28 81920 c:\windows\system32\ps2.EXE

    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-10-19 126976]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-10-19 155648]
    "SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
    "AvgUninstallURL"="start http:" [X]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Device Detector 3.lnk - c:\program files\Olympus\DeviceDetector\DevDtct2.exe [2008-5-13 114688]
    Directrec Configuration Tool.lnk - c:\program files\Olympus\DSSPlayer\DirectrecConfig.exe [2008-5-13 122880]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
    2008-04-14 03:42 15360 ----a-w- c:\windows\system32\ctfmon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
    2004-08-04 05:31 208952 -c--a-w- c:\windows\ime\imjp8_1\imjpmig.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PS2]
    2002-08-01 04:28 81920 ----a-w- c:\windows\system32\ps2.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    "c:\\MMS\\farah\\mms.exe"=
    "c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
    "c:\\WINDOWS\\system32\\dpvsetup.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=

    S3 msCMTSrvc;Content Monitoring Tool;c:\windows\system32\msCMTSrvc.exe --> c:\windows\system32\msCMTSrvc.exe [?]
    .
    .
    ------- Supplementary Scan -------
    .
    uInternet Settings,ProxyOverride = localhost
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
    DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
    .
    - - - - ORPHANS REMOVED - - - -

    Toolbar-Locked - (no file)
    WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)
    Notify-avgrsstarter - avgrsstx.dll



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-12-11 12:34
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
    Windows 5.1.2600 Disk: ST3160815A rev.3.AAD -> Harddisk0\DR0 -> \Device\Ide\IdePort0 P0T0L0-3

    device: opened successfully
    user: MBR read successfully

    Disk trace:
    called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x83352555]<<
    _asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x833587b0]; MOV EAX, [0x8335882c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
    1 nt!IofCallDriver[0x804E37D5] -> \Device\Harddisk0\DR0[0x833E6030]
    3 CLASSPNP[0xF884CFD7] -> nt!IofCallDriver[0x804E37D5] -> [0x833D7C60]
    \Driver\atapi[0x833CDF38] -> IRP_MJ_CREATE -> 0x83352555
    kernel: MBR read successfully
    _asm { XOR SI, SI; MOV DI, SI; MOV SS, SI; MOV SP, 0x7a00; MOV AX, 0x7c0; MOV BX, 0x7a0; MOV CX, 0x200; MOV DS, AX; MOV ES, BX; CLD ; REP MOVSB ; MOV DS, BX; JMP FAR 0x7a0:0x5d; }
    detected disk devices:
    \Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskST3160815A______________________________3.AAD___#5&38fba5ac&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
    detected hooks:
    \Driver\atapi DriverStartIo -> 0x8335239B
    user & kernel MBR OK
    Warning: possible TDL3 rootkit infection !

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_USERS\S-1-5-21-390556010-2503923306-3750189400-1003\Software\Microsoft\SystemCertificates\AddressBook*]
    @Allowed: (Read) (RestrictedCode)
    @Allowed: (Read) (RestrictedCode)
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(668)
    c:\windows\system32\WININET.dll

    - - - - - - - > 'lsass.exe'(728)
    c:\windows\system32\WININET.dll

    - - - - - - - > 'explorer.exe'(3124)
    c:\windows\system32\WININET.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\IEFRAME.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Olympus\DeviceDetector\DM1Service.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
    c:\windows\system32\wscntfy.exe
    .
    **************************************************************************
    .
    Completion time: 2010-12-11 12:40:48 - machine was rebooted
    ComboFix-quarantined-files.txt 2010-12-11 18:40

    Pre-Run: 148,914,925,568 bytes free
    Post-Run: 148,834,017,280 bytes free

    WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    UnsupportedDebug="do not select this" /debug
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect
    multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /noexecute=optin

    - - End Of File - - 15F8ADA60F161D285E0B5938EE5E23CC
     
  12. skifast137

    skifast137 Newcomer, in training Topic Starter

    I have not changed my user name and I'm still trying to post my ComboFix log. For some reason the site is telling me that I am trying to duplicate a post, so I'm going to wait 5 minutes and try to repost the CF log.

  13. skifast137

    skifast137 Newcomer, in training Topic Starter

    FYI - while running ComboFix, the program told me that I needed to uninstall AVG. I tried suspending AVG, however, ComboFix still wouldn't run. Therefore, I uninstalled AVG, ran ComboFix (attached the log for you) then I went out and installed Avast! which I should have gotten in the first place. Just thought that you should know. I have not run any scans with Avast! at this point.
  14. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Download FindAWF.exe and save it to your desktop.
    • Double-click on the FindAWF.exe file to run it.
    • It will open a command prompt and ask you to Press any key to continue.
    • Press 1 and then Enter, and the FindAWF tool will begin scanning your computer for the infected AWF files and the backups the trojan created.
    • It may take a few minutes to complete so be patient.
    • When it is complete, it will open a text file in notepad called AWF.txt which will automatically be saved to your desktop or to the same location as FindAWF.exe.
    • Copy and paste the contents of the AWF.txt file in your next reply.
    ====================================
    Uninstall Java v5u6 and v6u17 in Add/Remove Programs.
    Make sure you have the current v6u22. Check this site: Java Updates
  15. skifast137

    skifast137 Newcomer, in training Topic Starter

    Find AWF report by noahdfear ©2006
    Version 1.40

    The current date is: Sun 12/12/2010
    The current time is: 21:21:18.67


    bak folders found
    ~~~~~~~~~~~


    Directory of C:\HP\KBD\BAK

    07/06/2001 11:56 PM 61,440 KBD.EXE
    1 File(s) 61,440 bytes

    Directory of C:\PROGRA~1\QUICKT~1\BAK

    10/19/2006 01:19 PM 282,624 qttask.exe
    1 File(s) 282,624 bytes

    Directory of C:\WINDOWS\SYSTEM\BAK

    05/07/1998 06:04 PM 52,736 hpsysdrv.exe
    1 File(s) 52,736 bytes

    Directory of C:\WINDOWS\SYSTEM32\BAK

    09/09/2002 09:05 AM 114,688 hkcmd.exe
    09/09/2002 09:18 AM 155,648 igfxtray.exe
    07/31/2002 10:28 PM 81,920 ps2.exe
    3 File(s) 352,256 bytes

    Directory of C:\PROGRA~1\COMMON~1\SYMANT~1\BAK

    12/22/2004 04:45 PM 71,280 ccApp.exe
    1 File(s) 71,280 bytes

    Directory of C:\PROGRA~1\COMPAQ\COLOREAL\BAK

    02/20/2002 09:40 PM 143,360 coloreal.exe
    1 File(s) 143,360 bytes

    Directory of C:\PROGRA~1\MICROS~3\SYSTEM\BAK

    0 File(s) 0 bytes

    Directory of C:\PROGRA~1\NORTON~1\ADVTOOLS\BAK

    11/24/2003 04:46 PM 74,696 ADVCHK.EXE
    1 File(s) 74,696 bytes

    Directory of C:\PROGRA~1\SPYWAR~1\SPYWAR~2\BAK

    10/05/2004 05:02 PM 1,051,648 SKMonitor.exe
    1 File(s) 1,051,648 bytes

    Directory of C:\PROGRA~1\COMMON~1\REAL\UPDATE~1\BAK

    05/05/2005 02:02 PM 180,269 realsched.exe
    1 File(s) 180,269 bytes


    Duplicate files of bak directory contents
    ~~~~~~~~~~~~~~~~~~~~~~~

    61440 Jul 6 2001 "C:\hp\KBD\bak\KBD.EXE"
    413696 Jan 5 2009 "C:\Program Files\QuickTime\QTTask.exe"
    282624 Oct 19 2006 "C:\Program Files\QuickTime\bak\qttask.exe"
    52736 May 7 1998 "C:\WINDOWS\system\bak\hpsysdrv.exe"
    126976 Oct 19 2005 "C:\WINDOWS\system32\hkcmd.exe"
    114688 Sep 9 2002 "C:\WINDOWS\system32\bak\hkcmd.exe"
    114688 Sep 9 2002 "C:\hp\drivers\video\845\hkcmd.exe"
    126976 Nov 2 2004 "C:\WINDOWS\system32\ReinstallBackups\0013\DriverFiles\hkcmd.exe"
    155648 Oct 19 2005 "C:\WINDOWS\system32\igfxtray.exe"
    155648 Sep 9 2002 "C:\WINDOWS\system32\bak\igfxtray.exe"
    155648 Sep 9 2002 "C:\hp\drivers\video\845\igfxtray.exe"
    155648 Nov 2 2004 "C:\WINDOWS\system32\ReinstallBackups\0013\DriverFiles\igfxtray.exe"
    81920 Jul 31 2002 "C:\WINDOWS\system32\ps2.EXE"
    81920 Jul 31 2002 "C:\hp\drivers\keyboard\PS2.EXE"
    81920 Jul 31 2002 "C:\WINDOWS\system32\bak\ps2.exe"
    71280 Dec 22 2004 "C:\Program Files\Common Files\Symantec Shared\bak\ccApp.exe"
    143360 Feb 20 2002 "C:\Program Files\COMPAQ\Coloreal\bak\coloreal.exe"
    74696 Nov 24 2003 "C:\Program Files\Norton AntiVirus\AdvTools\bak\ADVCHK.EXE"
    1051648 Oct 5 2004 "C:\Program Files\Spyware Killer Pro\SpyWare Monitor\bak\SKMonitor.exe"
    180269 May 5 2005 "C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe"


    end of report
  16. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    There was no need for you to send me a PM about this scan. It found what it was supposed to. Please keep support in this thread:

    Fix AWF Infection Step 2
    Copy the file paths in the code box below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    Code:
    "C:\hp\KBD\bak\KBD.EXE"
    "C:\Program Files\QuickTime\bak\qttask.exe"
    "C:\WINDOWS\system\bak\hpsysdrv.exe"
    "C:\WINDOWS\system32\bak\hkcmd.exe"
    "C:\WINDOWS\system32\bak\igfxtray.exe"
    "C:\WINDOWS\system32\bak\ps2.exe"
    "C:\Program Files\Common Files\Symantec Shared\bak\ccApp.exe"
    "C:\Program Files\COMPAQ\Coloreal\bak\coloreal.exe"
    "C:\Program Files\Norton AntiVirus\AdvTools\bak\ADVCHK.EXE"
    "C:\Program Files\Spyware Killer Pro\SpyWare Monitor\bak\SKMonitor.exe"
    "C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe"
    
    • Double-click on the FindAWF.exe file to run it.
    • It will open a command prompt and ask you to "Press any key to continue".
    • Press 2 then Enter
    • Notepad will open a file named FindAWF.txt. It will appear with instructions to click below the line and paste the list of files to be restored.
    • Right click below this line and select Edit, Paste, to paste the list of files copied to the clipboard earlier. Save and close the document.
    • The program will proceed to move the legit files and will perform another scan for bak folders.
    • It may take a few minutes to complete, so please be patient.
    • When it is complete, it will open a text file in Notepad called AWF.txt.
    • Please copy and paste the contents of the AWF.txt file in your next reply.
  17. skifast137

    skifast137 Newcomer, in training Topic Starter

    Find AWF report by noahdfear ©2006
    Version 1.40
    Option 2 run successfully

    The current date is: Mon 12/13/2010
    The current time is: 15:49:48.50


    bak folders found
    ~~~~~~~~~~~


    Directory of C:\HP\KBD\BAK

    07/06/2001 11:56 PM 61,440 KBD.EXE
    1 File(s) 61,440 bytes

    Directory of C:\PROGRA~1\QUICKT~1\BAK

    10/19/2006 01:19 PM 282,624 qttask.exe
    1 File(s) 282,624 bytes

    Directory of C:\WINDOWS\SYSTEM\BAK

    05/07/1998 06:04 PM 52,736 hpsysdrv.exe
    1 File(s) 52,736 bytes

    Directory of C:\WINDOWS\SYSTEM32\BAK

    09/09/2002 09:05 AM 114,688 hkcmd.exe
    09/09/2002 09:18 AM 155,648 igfxtray.exe
    07/31/2002 10:28 PM 81,920 ps2.exe
    3 File(s) 352,256 bytes

    Directory of C:\PROGRA~1\COMMON~1\SYMANT~1\BAK

    12/22/2004 04:45 PM 71,280 ccApp.exe
    1 File(s) 71,280 bytes

    Directory of C:\PROGRA~1\COMPAQ\COLOREAL\BAK

    02/20/2002 09:40 PM 143,360 coloreal.exe
    1 File(s) 143,360 bytes

    Directory of C:\PROGRA~1\MICROS~3\SYSTEM\BAK

    0 File(s) 0 bytes

    Directory of C:\PROGRA~1\NORTON~1\ADVTOOLS\BAK

    11/24/2003 04:46 PM 74,696 ADVCHK.EXE
    1 File(s) 74,696 bytes

    Directory of C:\PROGRA~1\SPYWAR~1\SPYWAR~2\BAK

    10/05/2004 05:02 PM 1,051,648 SKMonitor.exe
    1 File(s) 1,051,648 bytes

    Directory of C:\PROGRA~1\COMMON~1\REAL\UPDATE~1\BAK

    05/05/2005 02:02 PM 180,269 realsched.exe
    1 File(s) 180,269 bytes


    Duplicate files of bak directory contents
    ~~~~~~~~~~~~~~~~~~~~~~~

    61440 Jul 6 2001 "C:\hp\KBD\KBD.EXE"
    61440 Jul 6 2001 "C:\hp\KBD\bak\KBD.EXE"
    282624 Oct 19 2006 "C:\Program Files\QuickTime\qttask.exe"
    282624 Oct 19 2006 "C:\Program Files\QuickTime\bak\qttask.exe"
    52736 May 7 1998 "C:\WINDOWS\system\hpsysdrv.exe"
    52736 May 7 1998 "C:\WINDOWS\system\bak\hpsysdrv.exe"
    114688 Sep 9 2002 "C:\WINDOWS\system32\hkcmd.exe"
    114688 Sep 9 2002 "C:\WINDOWS\system32\bak\hkcmd.exe"
    114688 Sep 9 2002 "C:\hp\drivers\video\845\hkcmd.exe"
    126976 Nov 2 2004 "C:\WINDOWS\system32\ReinstallBackups\0013\DriverFiles\hkcmd.exe"
    155648 Sep 9 2002 "C:\WINDOWS\system32\igfxtray.exe"
    155648 Sep 9 2002 "C:\WINDOWS\system32\bak\igfxtray.exe"
    155648 Sep 9 2002 "C:\hp\drivers\video\845\igfxtray.exe"
    155648 Nov 2 2004 "C:\WINDOWS\system32\ReinstallBackups\0013\DriverFiles\igfxtray.exe"
    81920 Jul 31 2002 "C:\WINDOWS\system32\ps2.exe"
    81920 Jul 31 2002 "C:\hp\drivers\keyboard\PS2.EXE"
    81920 Jul 31 2002 "C:\WINDOWS\system32\bak\ps2.exe"
    71280 Dec 22 2004 "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    71280 Dec 22 2004 "C:\Program Files\Common Files\Symantec Shared\bak\ccApp.exe"
    143360 Feb 20 2002 "C:\Program Files\COMPAQ\Coloreal\coloreal.exe"
    143360 Feb 20 2002 "C:\Program Files\COMPAQ\Coloreal\bak\coloreal.exe"
    74696 Nov 24 2003 "C:\Program Files\Norton AntiVirus\AdvTools\ADVCHK.EXE"
    74696 Nov 24 2003 "C:\Program Files\Norton AntiVirus\AdvTools\bak\ADVCHK.EXE"
    1051648 Oct 5 2004 "C:\Program Files\Spyware Killer Pro\SpyWare Monitor\SKMonitor.exe"
    1051648 Oct 5 2004 "C:\Program Files\Spyware Killer Pro\SpyWare Monitor\bak\SKMonitor.exe"
    180269 May 5 2005 "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"
    180269 May 5 2005 "C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe"


    end of report
  18. skifast137

    skifast137 Newcomer, in training Topic Starter

    Thanks for all your assistance, Bobbye. It seems as though many are having issues with similar rootkit viruses based on the sheer volume of views on this thread. I'm going to take this PC out of service as it does not appear as though this virus will be able to be removed. Sorry to have frustrated you with the PM, happy holidays.
  19. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    With any backdoor malware, it is always safer to reformat/reinstall instead of clean. While we can remove the files that are now on the system, we do not know what other files may have been compromised:

    FYI:
    Agent.AWF replaces legitimate files that are common on most computers with an infected file. Then, it moves the legitimate files to a bak or backup folder. It is known to attempt to terminate security software, and the Trojan downloads a Backdoor onto the computer, allowing the attacker to further compromise the computer. It is also known to modify the Windows registry.

    I'm going to close this thread but please let me know if you have problems in the future.
    Have a Happy and Peaceful Holiday!
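Added example (not part of this thread, and not noahdfear's FindAWF tool): a small Python script that does what the two FindAWF steps above do, against the infection pattern Bobbye describes. Option 1 becomes `scan()`, which finds every `bak` folder, pairs each backup with the live file of the same name one level up, and hashes both; because Agent.AWF keeps the clean original in `bak` and drops its own binary at the live path, a hash mismatch is the signal. Option 2 becomes `restore()`, which moves the listed `bak` files back over the replacements. The quarantine folder name, the `build_sample()` tree and its file contents are constructed for the example and are not the poster's disk.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path

# Assumed name for the folder that keeps the replaced (suspect) files for later
# analysis. FindAWF itself does not quarantine; this is an addition.
QUARANTINE = "_awf_quarantine"


def md5_of(path):
    """MD5 of a file, read in chunks so large binaries are not loaded at once."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_bak_folders(root):
    """FindAWF option 1, first half: every directory named 'bak' (any case)."""
    return sorted(p for p in Path(root).rglob("*")
                  if p.is_dir() and p.name.lower() == "bak")


def find_live(bak, name):
    """The file a bak entry was copied from: same name, one level up.
    Matched case-insensitively, as Windows does (ps2.exe vs ps2.EXE in the log)."""
    for cand in bak.parent.iterdir():
        if cand.is_file() and cand.name.lower() == name.lower():
            return cand
    return None


def scan(root):
    """FindAWF option 1, second half: pair each bak file with its live copy.
    'REPLACED' means the live file differs from the clean backup (the AWF
    signal); 'ok' means identical (already restored or never replaced);
    'MISSING' means the live file is gone and the bak copy is the only one left."""
    findings = []
    for bak in find_bak_folders(root):
        for backup in sorted(bak.iterdir()):
            if not backup.is_file():
                continue
            live = find_live(bak, backup.name)
            if live is None:
                status = "MISSING"
            elif md5_of(live) == md5_of(backup):
                status = "ok"
            else:
                status = "REPLACED"
            findings.append({"backup": backup, "live": live, "status": status})
    return findings


def restore(root, backups):
    """FindAWF option 2: move the listed bak files back over the replaced
    originals. The suspect live file is moved to the quarantine folder first
    rather than deleted, so a sample survives for analysis."""
    quarantine = Path(root) / QUARANTINE
    restored = []
    for backup in map(Path, backups):
        if backup.parent.name.lower() != "bak" or not backup.is_file():
            continue  # only ever move files out of a bak folder
        live = find_live(backup.parent, backup.name)
        if live is not None:
            quarantine.mkdir(exist_ok=True)
            shutil.move(str(live), str(quarantine / f"{live.parent.name}_{live.name}"))
        target = backup.parent.parent / backup.name
        shutil.move(str(backup), str(target))
        restored.append(target)
    return restored


def build_sample(root=None):
    """Constructed directory tree shaped like the thread's FindAWF report.
    Contents are placeholder bytes, not real binaries."""
    root = Path(root or tempfile.mkdtemp())
    files = {
        "WINDOWS/system32/bak/hkcmd.exe": b"MZ clean hkcmd " * 100,
        "WINDOWS/system32/hkcmd.exe": b"MZ dropped replacement " * 100,   # replaced
        "WINDOWS/system32/bak/igfxtray.exe": b"MZ igfxtray " * 100,
        "WINDOWS/system32/igfxtray.exe": b"MZ igfxtray " * 100,            # untouched
        "WINDOWS/system32/bak/ps2.exe": b"MZ ps2 " * 100,
        "WINDOWS/system32/ps2.EXE": b"MZ ps2 patched " * 100,             # replaced, case differs
        "Program Files/COMPAQ/Coloreal/bak/coloreal.exe": b"MZ coloreal " * 100,  # live copy gone
    }
    for rel, data in files.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)
    return root


if __name__ == "__main__":
    root = build_sample()
    for f in scan(root):
        print(f"{f['status']:9} {f['backup'].relative_to(root)}")
    suspect = [f["backup"] for f in scan(root) if f["status"] == "REPLACED"]
    restore(root, suspect)
    print({f["backup"].name: f["status"] for f in scan(root)})
```

Two points worth keeping in mind when using something like this on a real box: a `bak` copy that differs from the live file is not proof by itself, since a vendor update can legitimately change the live file (the QuickTime entry in the report above is exactly that, 282,624 bytes in `bak` against a newer 413,696-byte `QTTask.exe`), so check the live file's signature or hash against a known-good source before restoring; and, as Bobbye says, once a backdoor has been on the machine, restoring the swapped files cleans only what the scan can see.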