TechSpot

Help with backdoor trojan TDSS 565 removal

By ldesim
Jul 11, 2011
  1. Malwarebytes' Anti-Malware 1.51.0.1200
    www.malwarebytes.org

    Database version: 7052

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702

    7/11/2011 6:23:35 PM
    mbam-log-2011-07-11 (18-23-35).txt

    Scan type: Quick scan
    Objects scanned: 172242
    Time elapsed: 11 minute(s), 43 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)


    GMER 1.0.15.15640 - http://www.gmer.net
    Rootkit quick scan 2011-07-11 18:46:14
    Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 Hitachi_HTS543216L9SA00 rev.FB2OC40C
    Running: kjyl3vnd.exe; Driver: C:\DOCUME~1\Laurie\LOCALS~1\Temp\kwkiaaog.sys


    ---- Disk sectors - GMER 1.0.15 ----

    Disk \Device\Harddisk0\DR0 TDL4@MBR code has been found <-- ROOTKIT !!!
    Disk \Device\Harddisk0\DR0 sector 00: rootkit-like behavior

    ---- Devices - GMER 1.0.15 ----

    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort0 8654131B
    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP0T0L0-3 8654131B
    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort1 8654131B

    AttachedDevice \Driver\Tcpip \Device\Tcp fssfltr_tdi.sys (Family Safety Filter Driver (TDI)/Microsoft Corporation)
    AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 wdf01000.sys (WDF Dynamic/Microsoft Corporation)
    AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 wdf01000.sys (WDF Dynamic/Microsoft Corporation)

    ---- EOF - GMER 1.0.15 ----

    .
    DDS (Ver_2011-06-23.01) - NTFSx86
    Internet Explorer: 8.0.6001.18702
    Run by Laurie at 18:31:05 on 2011-07-11
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.447 [GMT -4:00]
    .
    .
    ============== Running Processes ===============
    .
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\rundll32.exe
    svchost.exe
    C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\EeePC\ACPI\AsAcpiSvr.exe
    C:\Program Files\EeePC\ACPI\AsEPCMon.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\Asus\LiveUpdate\LiveUpdate.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\igfxext.exe
    C:\WINDOWS\system32\igfxsrvc.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Realtek\Wireless LAN Utility\RtWLan.exe
    C:\Program Files\Newsbin\newsbinpro.exe
    C:\WINDOWS\System32\svchost.exe -k HTTPFilter
    .
    ============== Pseudo HJT Report ===============
    .
    TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    mRun: [AsusACPIServer] c:\program files\eeepc\acpi\AsAcpiSvr.exe
    mRun: [AsusEPCMonitor] c:\program files\eeepc\acpi\AsEPCMon.exe
    mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
    mRun: [SynAsusAcpi] c:\program files\synaptics\syntp\SynAsusAcpi.exe
    mRun: [LiveUpdate] c:\program files\asus\liveupdate\LiveUpdate.exe auto
    mRun: [EasyMode] "%ProgramFiles%\\ASUS\\Easy Mode\\Easy Mode.exe" --limitedUserImportRegister
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\realte~1.lnk - c:\program files\realtek\wireless lan utility\RtWLan.exe
    TCP: Interfaces\{5E3CFA78-4DC7-4EC5-ADC7-918148CA28C1} : DhcpNameServer = 68.87.71.230 68.87.73.246
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - c:\documents and settings\laurie\application data\mozilla\firefox\profiles\sqwakfbo.default\
    FF - prefs.js: network.proxy.http - 127.0.0.1
    FF - prefs.js: network.proxy.http_port - 60061
    FF - prefs.js: network.proxy.type - 0
    FF - plugin: c:\documents and settings\laurie\local settings\application data\google\update\1.3.21.57\npGoogleUpdate3.dll
    FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
    .
    ---- FIREFOX POLICIES ----
    FF - user.js: network.cookie.cookieBehavior - 0
    FF - user.js: privacy.clearOnShutdown.cookies - false
    FF - user.js: security.warn_viewing_mixed - false
    FF - user.js: security.warn_viewing_mixed.show_once - false
    FF - user.js: security.warn_submit_insecure - false
    FF - user.js: security.warn_submit_insecure.show_once - false
    .
    ============= SERVICES / DRIVERS ===============
    .
    R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [2009-8-17 55152]
    R3 igd;igd;c:\windows\system32\drivers\igxpmp32.sys [2009-8-17 5097632]
    R3 L1c;NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller;c:\windows\system32\drivers\l1c51x86.sys [2009-8-12 38912]
    R3 RTLWUSB;Realtek RTL8187 Wireless 802.11b/g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\drivers\rtl8187.sys [2011-7-8 332928]
    R3 uvclf;uvclf;c:\windows\system32\drivers\uvclf.sys [2009-8-12 39040]
    S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2009-8-17 1684736]
    S3 epmntdrv;epmntdrv;c:\windows\system32\epmntdrv.sys [2011-7-8 13192]
    S3 EuGdiDrv;EuGdiDrv;c:\windows\system32\EuGdiDrv.sys [2011-7-8 8456]
    S3 fsssvc;Windows Live Family Safety;c:\program files\windows live\family safety\fsssvc.exe [2009-2-6 533360]
    .
    =============== Created Last 30 ================
    .
    2011-07-11 02:15:06 -------- d-----w- c:\documents and settings\laurie\DoctorWeb
    2011-07-10 19:13:55 -------- d-----w- c:\windows\pss
    2011-07-10 18:58:17 108 ---h--w- c:\documents and settings\laurie\application data\Plug.bat
    2011-07-10 18:47:19 106 ---h--w- c:\documents and settings\laurie\application data\LocalAccountAuthority.bat
    2011-07-10 18:43:06 16384 ---h--w- c:\windows\sysmgm.exe
    2011-07-10 18:40:38 -------- d-----w- c:\documents and settings\laurie\local settings\application data\Identities
    2011-07-10 18:38:59 -------- d-----w- c:\documents and settings\laurie\local settings\application data\{3CBDFF8D-6575-441D-B948-4AFB3A506953}
    2011-07-10 18:37:44 241 ----a-w- c:\documents and settings\laurie\delme.bat
    2011-07-10 18:36:21 -------- d-----w- c:\documents and settings\all users\application data\WSTB
    2011-07-10 18:35:40 180224 ----a-w- c:\documents and settings\laurie\application data\dwm.exe
    2011-07-10 18:35:39 16636 ---h--w- c:\windows\dxxsetup.exe
    2011-07-10 18:35:34 -------- d-----w- c:\documents and settings\laurie\application data\Qeomb
    2011-07-10 18:35:34 -------- d-----w- c:\documents and settings\laurie\application data\Miugy
    2011-07-10 18:35:10 100252 ---h--w- c:\windows\msmgm.exe
    2011-07-10 18:34:58 106496 --sha-r- c:\windows\system32\proctexet.dll
    2011-07-10 18:17:37 -------- d-----w- c:\program files\common files\Sandlot Shared
    2011-07-10 18:17:20 -------- d-----w- c:\documents and settings\all users\application data\Sandlot Games
    2011-07-10 18:17:19 -------- d-----w- c:\documents and settings\all users\application data\Trymedia
    2011-07-10 01:35:49 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2011-07-09 21:55:37 -------- d-----w- c:\documents and settings\laurie\application data\PeaceCraft2
    2011-07-09 20:19:12 -------- d-----w- c:\documents and settings\laurie\local settings\application data\QuickPar
    2011-07-09 15:45:06 -------- d-----w- c:\documents and settings\laurie\application data\Meridian93
    2011-07-09 04:59:03 -------- d-----w- c:\windows\system32\XPSViewer
    2011-07-09 04:58:33 89088 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\filterpipelineprintproc.dll
    2011-07-09 04:58:22 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
    2011-07-09 04:58:22 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
    2011-07-09 04:58:22 597504 ------w- c:\windows\system32\spool\prtprocs\w32x86\printfilterpipelinesvc.exe
    2011-07-09 04:58:22 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
    2011-07-09 04:58:22 575488 ------w- c:\windows\system32\xpsshhdr.dll
    2011-07-09 04:58:22 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
    2011-07-09 04:58:22 1676288 ------w- c:\windows\system32\xpssvcs.dll
    2011-07-09 04:58:22 117760 ------w- c:\windows\system32\prntvpt.dll
    2011-07-08 11:56:03 602112 -c----w- c:\windows\system32\dllcache\msfeeds.dll
    2011-07-08 11:56:03 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll
    2011-07-08 11:56:02 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll
    2011-07-08 11:56:01 247808 -c----w- c:\windows\system32\dllcache\ieproxy.dll
    2011-07-08 11:56:01 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
    2011-07-08 11:55:59 1991680 -c----w- c:\windows\system32\dllcache\iertutil.dll
    2011-07-08 11:49:41 -------- d-----w- c:\documents and settings\laurie\application data\Malwarebytes
    2011-07-08 11:49:22 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-07-08 11:49:19 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
    2011-07-08 11:49:15 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-07-08 11:49:15 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-07-08 11:46:36 -------- d-----w- c:\windows\system32\PreInstall
    2011-07-08 11:45:23 -------- d-----w- c:\program files\uTorrent
    2011-07-08 11:44:46 -------- d-----w- c:\documents and settings\laurie\local settings\application data\uTorrent
    2011-07-08 11:44:46 -------- d-----w- c:\documents and settings\laurie\application data\uTorrent
    2011-07-08 11:38:01 -------- d-----w- c:\program files\QuickPar
    2011-07-08 11:18:44 -------- d-----w- c:\program files\Newsbin
    2011-07-08 11:18:44 -------- d-----w- c:\documents and settings\laurie\local settings\application data\Newsbin
    2011-07-08 10:56:08 86408 ----a-w- c:\windows\system32\setupempdrv03.exe
    2011-07-08 10:56:08 8456 ----a-w- c:\windows\system32\EuGdiDrv.sys
    2011-07-08 10:56:08 1774720 ----a-w- c:\windows\system32\BootMan.exe
    2011-07-08 10:56:08 14848 ----a-w- c:\windows\system32\EuEpmGdi.dll
    2011-07-08 10:56:08 13192 ----a-w- c:\windows\system32\epmntdrv.sys
    2011-07-08 10:55:47 -------- d-----w- c:\program files\EASEUS
    2011-07-08 10:49:38 -------- d-----w- c:\documents and settings\laurie\local settings\application data\Mozilla
    2011-07-08 10:46:42 -------- d-----w- c:\documents and settings\laurie\local settings\application data\Google
    2011-07-08 10:46:25 -------- d-----w- c:\documents and settings\laurie\local settings\application data\Deployment
    2011-07-08 10:45:48 -------- d-----w- c:\windows\system32\SoftwareDistribution
    2011-07-08 10:45:35 -------- d-sh--w- c:\documents and settings\laurie\IECompatCache
    2011-07-08 10:44:02 21361 ----a-w- c:\windows\system32\drivers\AegisP.sys
    2011-07-08 10:43:59 376832 ----a-w- c:\windows\system32\AegisI5Installer.exe
    2011-07-08 10:43:43 342784 ----a-w- c:\windows\system32\drivers\rtl8187B.sys
    2011-07-08 10:43:43 332928 ----a-w- c:\windows\system32\drivers\rtl8187.sys
    2011-07-08 10:43:43 -------- d-----w- c:\windows\OPTIONS
    2011-07-08 10:43:37 451072 ----a-w- c:\windows\system32\ISSRemoveSP.exe
    2011-07-08 10:43:37 -------- d-----w- c:\windows\system32\RtlGina
    2011-07-06 07:28:33 -------- d-----w- C:\mplayer
    .
    ==================== Find3M ====================
    .
    2011-05-02 15:31:52 692736 ----a-w- c:\windows\system32\inetcomm.dll
    2011-04-29 17:25:27 151552 ----a-w- c:\windows\system32\schannel.dll
    2011-04-29 16:19:43 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
    2011-04-25 16:11:12 916480 ----a-w- c:\windows\system32\wininet.dll
    2011-04-25 16:11:11 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2011-04-25 16:11:11 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
    2011-04-25 12:01:22 385024 ----a-w- c:\windows\system32\html.iec
    2011-04-21 13:37:43 105472 ----a-w- c:\windows\system32\drivers\mup.sys
    .
    =================== ROOTKIT ====================
    .
    Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
    Windows 5.1.2600 Disk: Hitachi_HTS543216L9SA00 rev.FB2OC40C -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
    .
    device: opened successfully
    user: MBR read successfully
    .
    Disk trace:
    called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x865414D0]<<
    _asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x865477d0]; MOV EAX, [0x8654784c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
    1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x86523AB8]
    3 CLASSPNP[0xF7630FD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\00000063[0x865DFAB0]
    5 ACPI[0xF74C7620] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x865D5D98]
    \Driver\atapi[0x865D45A8] -> IRP_MJ_CREATE -> 0x865414D0
    error: Read A device attached to the system is not functioning.
    kernel: MBR read successfully
    _asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
    detected disk devices:
    detected hooks:
    \Driver\atapi DriverStartIo -> 0x8654131B
    user & kernel MBR OK
    Warning: possible TDL3 rootkit infection !
    .
    ============= FINISH: 18:33:16.71 ===============

    .
    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT
    .
    DDS (Ver_2011-06-23.01)
    .
    Microsoft Windows XP Home Edition
    Boot Device: \Device\HarddiskVolume1
    Install Date: 1/1/2002 5:12:20 AM
    System Uptime: 7/11/2011 6:05:27 PM (0 hours ago)
    .
    Motherboard: ASUSTeK Computer INC. | | 1101HA
    Processor: Intel(R) Atom(TM) CPU Z520 @ 1.33GHz | CPU 1 | 1331/133mhz
    .
    ==== Disk Partitions =========================
    .
    C: is FIXED (NTFS) - 46 GiB total, 36.886 GiB free.
    D: is FIXED (NTFS) - 98 GiB total, 88.593 GiB free.
    E: is Removable
    .
    ==== Disabled Device Manager Items =============
    .
    ==== System Restore Points ===================
    .
    No restore point in system.
    .
    ==== Installed Programs ======================
    .
    µTorrent
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 10 Plugin
    Adobe Reader 8.1.1
    Asus ACPI Driver
    ASUS VIBE
    ASUSUpdate for Eee PC
    Atheros Client Installation Program
    Atheros Communications Inc.(R) AR81Family Gigabit/Fast Ethernet Driver
    Azurewave Wireless LAN Card
    Choice Guard
    Compatibility Pack for the 2007 Office system
    Data Sync
    EASEUS Partition Master 6.1.1 Professional
    Easy Mode
    EzMessenger
    FontResizer
    GamePark Console
    Google Chrome
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Hotfix for Windows Media Format 11 SDK (KB929399)
    Hotfix for Windows Media Player 11 (KB939683)
    Hotfix for Windows XP (KB2443685)
    Hotfix for Windows XP (KB952287)
    Hotfix for Windows XP (KB954550-v5)
    Hotfix for Windows XP (KB954708)
    Hotfix for Windows XP (KB961118)
    Intel(R) Graphics Media Accelerator 500
    Junk Mail filter update
    LiveUpdate
    Malwarebytes' Anti-Malware version 1.51.0.1200
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft Application Error Reporting
    Microsoft Compression Client Pack 1.0 for Windows XP
    Microsoft Kernel-Mode Driver Framework Feature Pack 1.7
    Microsoft Office Excel MUI (English) 2007
    Microsoft Office Home and Student 2007
    Microsoft Office OneNote MUI (English) 2007
    Microsoft Office PowerPoint MUI (English) 2007
    Microsoft Office PowerPoint Viewer 2007 (English)
    Microsoft Office Proof (English) 2007
    Microsoft Office Proof (French) 2007
    Microsoft Office Proof (Spanish) 2007
    Microsoft Office Proofing (English) 2007
    Microsoft Office Shared MUI (English) 2007
    Microsoft Office Shared Setup Metadata MUI (English) 2007
    Microsoft Office Suite Activation Assistant
    Microsoft Office Word MUI (English) 2007
    Microsoft Search Enhancement Pack
    Microsoft Software Update for Web Folders (English) 12
    Microsoft SQL Server 2005 Compact Edition [ENU]
    Microsoft Sync Framework Runtime Native v1.0 (x86)
    Microsoft Sync Framework Services Native v1.0 (x86)
    Microsoft User-Mode Driver Framework Feature Pack 1.0
    Microsoft Works
    Mozilla Firefox 5.0 (x86 en-US)
    MSVCRT
    Newsbin Pro
    QuickPar 0.9
    Realtek High Definition Audio Driver
    REALTEK Wireless LAN Driver and Utility
    Sandlot Games Client Services 1.2.2
    Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
    Security Update for Windows Internet Explorer 8 (KB2510531)
    Security Update for Windows Internet Explorer 8 (KB2530548)
    Security Update for Windows Internet Explorer 8 (KB2544521)
    Security Update for Windows Media Player (KB2378111)
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows Media Player (KB954155)
    Security Update for Windows Media Player (KB973540)
    Security Update for Windows Media Player (KB975558)
    Security Update for Windows Media Player (KB978695)
    Security Update for Windows Media Player 11 (KB936782)
    Security Update for Windows Media Player 11 (KB954154)
    Security Update for Windows XP (KB2079403)
    Security Update for Windows XP (KB2115168)
    Security Update for Windows XP (KB2121546)
    Security Update for Windows XP (KB2229593)
    Security Update for Windows XP (KB2296011)
    Security Update for Windows XP (KB2347290)
    Security Update for Windows XP (KB2360937)
    Security Update for Windows XP (KB2387149)
    Security Update for Windows XP (KB2393802)
    Security Update for Windows XP (KB2412687)
    Security Update for Windows XP (KB2419632)
    Security Update for Windows XP (KB2423089)
    Security Update for Windows XP (KB2440591)
    Security Update for Windows XP (KB2443105)
    Security Update for Windows XP (KB2476490)
    Security Update for Windows XP (KB2476687)
    Security Update for Windows XP (KB2478960)
    Security Update for Windows XP (KB2478971)
    Security Update for Windows XP (KB2479943)
    Security Update for Windows XP (KB2481109)
    Security Update for Windows XP (KB2483185)
    Security Update for Windows XP (KB2485663)
    Security Update for Windows XP (KB2503665)
    Security Update for Windows XP (KB2506212)
    Security Update for Windows XP (KB2506223)
    Security Update for Windows XP (KB2507618)
    Security Update for Windows XP (KB2508272)
    Security Update for Windows XP (KB2508429)
    Security Update for Windows XP (KB2509553)
    Security Update for Windows XP (KB2524375)
    Security Update for Windows XP (KB2535512)
    Security Update for Windows XP (KB2536276)
    Security Update for Windows XP (KB2544893)
    Security Update for Windows XP (KB923561)
    Security Update for Windows XP (KB938464-v2)
    Security Update for Windows XP (KB938464)
    Security Update for Windows XP (KB941569)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB950759)
    Security Update for Windows XP (KB950760)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951066)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951376)
    Security Update for Windows XP (KB951698)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952004)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB953155)
    Security Update for Windows XP (KB953838)
    Security Update for Windows XP (KB953839)
    Security Update for Windows XP (KB954211)
    Security Update for Windows XP (KB954459)
    Security Update for Windows XP (KB954600)
    Security Update for Windows XP (KB955069)
    Security Update for Windows XP (KB956390)
    Security Update for Windows XP (KB956391)
    Security Update for Windows XP (KB956572)
    Security Update for Windows XP (KB956744)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB956841)
    Security Update for Windows XP (KB956844)
    Security Update for Windows XP (KB957095)
    Security Update for Windows XP (KB957097)
    Security Update for Windows XP (KB958215)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB958687)
    Security Update for Windows XP (KB958690)
    Security Update for Windows XP (KB959426)
    Security Update for Windows XP (KB960225)
    Security Update for Windows XP (KB960714)
    Security Update for Windows XP (KB960715)
    Security Update for Windows XP (KB960803)
    Security Update for Windows XP (KB960859)
    Security Update for Windows XP (KB961371)
    Security Update for Windows XP (KB961373)
    Security Update for Windows XP (KB961501)
    Security Update for Windows XP (KB963027)
    Security Update for Windows XP (KB968537)
    Security Update for Windows XP (KB969059)
    Security Update for Windows XP (KB970430)
    Security Update for Windows XP (KB971633)
    Security Update for Windows XP (KB971657)
    Security Update for Windows XP (KB972270)
    Security Update for Windows XP (KB973346)
    Security Update for Windows XP (KB973507)
    Security Update for Windows XP (KB973869)
    Security Update for Windows XP (KB973904)
    Security Update for Windows XP (KB974112)
    Security Update for Windows XP (KB974318)
    Security Update for Windows XP (KB974392)
    Security Update for Windows XP (KB974571)
    Security Update for Windows XP (KB975025)
    Security Update for Windows XP (KB975467)
    Security Update for Windows XP (KB975560)
    Security Update for Windows XP (KB975562)
    Security Update for Windows XP (KB975713)
    Security Update for Windows XP (KB977816)
    Security Update for Windows XP (KB977914)
    Security Update for Windows XP (KB978338)
    Security Update for Windows XP (KB978542)
    Security Update for Windows XP (KB978601)
    Security Update for Windows XP (KB978706)
    Security Update for Windows XP (KB979309)
    Security Update for Windows XP (KB979482)
    Security Update for Windows XP (KB979687)
    Security Update for Windows XP (KB980436)
    Security Update for Windows XP (KB981322)
    Security Update for Windows XP (KB981997)
    Security Update for Windows XP (KB982132)
    Security Update for Windows XP (KB982665)
    Segoe UI
    Super Hybrid Engine
    Synaptics Pointing Device Driver
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Office System 2007 Setup (KB929722)
    Update for Windows Internet Explorer 8 (KB971930)
    Update for Windows XP (KB2345886)
    Update for Windows XP (KB2541763)
    Update for Windows XP (KB898461)
    Update for Windows XP (KB942763)
    Update for Windows XP (KB951072-v2)
    Update for Windows XP (KB951618-v2)
    Update for Windows XP (KB951978)
    Update for Windows XP (KB953356)
    Update for Windows XP (KB955759)
    Update for Windows XP (KB955839)
    Update for Windows XP (KB961503)
    Update for Windows XP (KB967715)
    Update for Windows XP (KB968389)
    Update for Windows XP (KB971029)
    Update for Windows XP (KB971737)
    Update for Windows XP (KB973687)
    Update for Windows XP (KB973815)
    USB2.0 UVC Camera Device
    WebFldrs XP
    Windows Internet Explorer 8
    Windows Live Call
    Windows Live Communications Platform
    Windows Live Essentials
    Windows Live Family Safety
    Windows Live Mail
    Windows Live Messenger
    Windows Live Photo Gallery
    Windows Live Sign-in Assistant
    Windows Live Sync
    Windows Live Toolbar
    Windows Live Upload Tool
    Windows Live Writer
    Windows Media Format 11 runtime
    Windows Media Player 11
    WinRAR 4.01 (32-bit)
    .
    ==== Event Viewer Messages From Past Week ========
    .
    7/9/2011 4:49:57 PM, error: SideBySide [59] - Resolve Partial Assembly failed for Microsoft.Windows.Common-Controls. Reference error message: The system cannot find the path specified. .
    7/9/2011 4:49:57 PM, error: SideBySide [59] - Generate Activation Context failed for C:\Program Files\Roads of Rome\RoadsOfRome.exe. Reference error message: The operation completed successfully. .
    7/10/2011 5:31:20 PM, error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Windows Management Instrumentation service, but this action failed with the following error: An instance of the service is already running.
    7/10/2011 4:10:17 PM, error: Service Control Manager [7023] - The System Restore Service service terminated with the following error: The system cannot find the file specified.
    7/10/2011 4:08:46 PM, error: SRService [104] - The System Restore initialization process failed.
    7/10/2011 4:08:43 PM, error: Dhcp [1002] - The IP address lease 192.168.1.102 for the Network Card with network address 00C0CA47A58E has been denied by the DHCP server 0.0.0.0 (The DHCP Server sent a DHCPNACK message).
    7/10/2011 4:01:01 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
    7/10/2011 3:14:12 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD Fips intelppm IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss Tcpip
    7/10/2011 3:14:12 PM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.
    7/10/2011 3:14:12 PM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
    7/10/2011 3:14:12 PM, error: Service Control Manager [7001] - The fssfltr service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
    7/10/2011 3:14:12 PM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
    7/10/2011 3:14:12 PM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
    7/10/2011 3:13:29 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
    7/10/2011 3:13:22 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
    7/10/2011 3:01:22 PM, error: Service Control Manager [7034] - The HTTP SSL service terminated unexpectedly. It has done this 1 time(s).
    7/10/2011 2:21:11 PM, error: Service Control Manager [7023] - The Application Management service terminated with the following error: The specified module could not be found.
    .
    ==== End Of File ===========================

    Thank you!
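The DDS "Created Last 30" section above is where the infection shows itself most plainly: hidden executables written straight into c:\windows, a hidden .dll with the system attribute in system32, and .bat files and an .exe dropped into the root of the user's Application Data folder, all within a few minutes of each other. The following is an added triage example written for this thread; it is not part of the original post and is not output of DDS, GMER or any other tool named here. It parses a copy of those log lines and flags the ones a reviewer would look at first. It assumes the eight-letter attribute field follows the attrib convention ('d' directory, 's' system, 'h' hidden, 'a' archive, 'c' compressed), and its flagging rules are general triage heuristics, not a signature for TDL4 or any other family.

```python
"""Triage the 'Created Last 30' section of a DDS log for suspicious executables.

Added example for this thread; it is not part of the original post and not
output of DDS, GMER or any other tool named there.  Assumptions: the 8-letter
attribute field follows the attrib convention ('d' directory, 's' system,
'h' hidden, 'a' archive, 'c' compressed), and the flagging rules below are a
reviewer's heuristics, not a detection signature for any specific family.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# One DDS 'Created Last 30' line: date time size-or-dashes attrs path
LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2})\s+"
    r"(?P<size>\d+|-+)\s+(?P<attrs>[-a-z]{8})\s+(?P<path>.+?)\s*$"
)

# Extensions Windows will execute or load as code.
EXEC_EXTS = (".exe", ".dll", ".sys", ".cpl", ".bat", ".cmd", ".com", ".scr", ".pif")


@dataclass
class Entry:
    date: str
    time: str
    size: Optional[int]
    attrs: str
    path: str

    @property
    def is_dir(self) -> bool:
        return self.attrs[0] == "d"  # assumption: first letter marks a directory

    @property
    def hidden(self) -> bool:
        return "h" in self.attrs

    @property
    def system(self) -> bool:
        return "s" in self.attrs


def parse_dds_created(text: str) -> List[Entry]:
    """Return the parsed entries; headers, '.' separators and other noise are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        size = int(m["size"]) if m["size"].isdigit() else None
        entries.append(Entry(m["date"], m["time"], size, m["attrs"], m["path"]))
    return entries


def triage(entries: List[Entry]) -> Dict[str, List[str]]:
    """Map each suspicious executable path to the reasons it was flagged."""
    findings: Dict[str, List[str]] = {}
    for e in entries:
        p = e.path.lower()
        if e.is_dir or not p.endswith(EXEC_EXTS):
            continue
        parent, _, name = p.rpartition("\\")
        reasons = []
        if e.hidden or e.system:
            reasons.append("hidden/system attribute on a freshly created executable")
        if parent == "c:\\windows":
            reasons.append("executable dropped directly into the Windows directory")
        if parent.endswith("\\application data"):
            reasons.append("executable placed directly in an Application Data root")
        if name.endswith((".bat", ".cmd")) and "\\documents and settings\\" in p:
            reasons.append("batch script created inside a user profile")
        if reasons:
            findings[e.path] = reasons
    return findings


# Sample input: a subset of the lines from the DDS log posted in this thread,
# with the section header and a '.' separator kept to show they are skipped.
SAMPLE_LOG = r"""
=============== Created Last 30 ================
.
2011-07-10 19:13:55 -------- d-----w- c:\windows\pss
2011-07-10 18:58:17 108 ---h--w- c:\documents and settings\laurie\application data\Plug.bat
2011-07-10 18:47:19 106 ---h--w- c:\documents and settings\laurie\application data\LocalAccountAuthority.bat
2011-07-10 18:43:06 16384 ---h--w- c:\windows\sysmgm.exe
2011-07-10 18:37:44 241 ----a-w- c:\documents and settings\laurie\delme.bat
2011-07-10 18:35:40 180224 ----a-w- c:\documents and settings\laurie\application data\dwm.exe
2011-07-10 18:35:39 16636 ---h--w- c:\windows\dxxsetup.exe
2011-07-10 18:35:10 100252 ---h--w- c:\windows\msmgm.exe
2011-07-10 18:34:58 106496 --sha-r- c:\windows\system32\proctexet.dll
2011-07-10 01:35:49 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-07-08 11:56:03 602112 -c----w- c:\windows\system32\dllcache\msfeeds.dll
2011-07-08 11:49:22 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-07-08 11:49:15 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-07-08 10:56:08 8456 ----a-w- c:\windows\system32\EuGdiDrv.sys
"""

if __name__ == "__main__":
    for path, reasons in triage(parse_dds_created(SAMPLE_LOG)).items():
        print(path)
        for r in reasons:
            print("   -", r)
```

Run against the sample, the eight entries written between 18:34 and 18:58 on 2011-07-10 are flagged while the Malwarebytes drivers, the dllcache copy from Windows Update and the Flash control panel applet are not; the timestamps clustering within a quarter of an hour are the other thing a reviewer would note, and the parsed `date` and `time` fields are there to sort on for that purpose.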
     
  2. Bobbye


    Can you tell me how you came up with the name "Backdoor Trojan TDSS 565"? It surely helps when I have some idea of what's going on. I see you ran Dr. Web. Remove it please.
    =================================================
    My Guidelines: please read and follow:
    • Be patient. Malware cleaning takes time and I am also working with other members while I am helping you.
    • Read my instructions carefully. If you don't understand or have a problem, ask me.
    • If you have questions, or if a program doesn't work, stop and tell me about it. Don't try to get around it yourself.
    • Follow the order of the tasks I give you. Order is crucial in the cleaning process.
    • File sharing programs should be uninstalled or disabled during the cleaning process.
    • Observe these:
      [o] Don't use any other cleaning programs or scans while I'm helping you.
      [o] Don't use a Registry cleaner or make any changes in the Registry.
      [o] Don't download and install new programs- except those I give you.
    • Please let me know if there is any change in the system.
    If I have not replied for 2 days, you can send me a PM reminder. Include the URL of your thread. Please do not send me a PM to tell me your logs are up.
    If I don't get a reply from you in 5 days, the thread will be closed. If your problem persists, you can send a PM to reopen it.
    =====================================
    • Download the file TDSSKiller.zip and save to the desktop.
      (If you are unable to download the file for some reason, then TDSS may be blocking it. You would then need to download it first to a clean computer and then transfer it to the infected one using an external drive or USB flash drive.)
    • Right-click the tdsskiller.zip file> Select Extract All into a folder on the infected (or potentially infected) PC.
    • Double click on TDSSKiller.exe to run the scan.
    • When the scan is over, the utility outputs a list of detected objects with descriptions.
      The utility automatically selects an action (Cure or Delete) for malicious objects.
      The utility prompts the user to select an action to apply to suspicious objects (Skip, by default).
    • Select the action Quarantine to quarantine detected objects.
      The default quarantine folder is in the system disk root folder, e.g.: C:\TDSSKiller_Quarantine\23.07.2010_15.31.43
    • After clicking Next, the utility applies selected actions and outputs the result.
    • A reboot is required after disinfection.
    ====================================================
    Then run ComboFix. Please note: If you have Combofix on the desktop already, please uninstall it. Then download the current version and do the scan. Uninstall directions, if needed:
    • Click START> then RUN
    • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
    --------------------------------------
    Download Combofix from HERE or HERE and save to the desktop
    • Double click combofix.exe & follow the prompts.
    • ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It is recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode if needed.
      **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
    • Click on Yes, to continue scanning for malware
    • If Combofix asks you to update the program, allow
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Close any open browsers.
    • Double click combofix.exe & follow the prompts to run.
    • When the scan completes, a report will be generated; it will open a text window. Please paste the C:\ComboFix.txt in your next reply.
    Re-enable your Antivirus software.

    Note 1: Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    Note 2: ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
    Note 3: Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
    Note 4: CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
    Note 5: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart computer to fix the issue.
    =====================================
    Both logs in your next reply, please.
    ======================================
    P2P or 'file sharing' Warning:
    Note: Even if you are using a "safe" P2P program, it is only the program that is safe. I suggest that you uninstall uTorrent for the following reasons:
    • As long as you are using file sharing networks and programs which are from sources that are not documented, you cannot verify that a download is legitimate.
    • Malware writers use these programs to include malicious content.
    • File sharing is usually unmonitored and there is a danger that your private files might be accessed.
    • The 'sharing' also includes malware that the shared system has on it.
    • Files that are illegal can be spread through file sharing.

    Please read the information on P2P Warning to help you better understand these dangers.

    Do not use any torrent sites or download manager for the downloads I give you.

    It doesn't make any sense to me why you put uTorrent on the system when you already have a rootkit, unless you got the infection from uTorrent!
     
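    The TDSSKiller steps above say the utility lists each detected object, lets the user pick an action (Cure, Delete, Quarantine or Skip) and may defer the action to the next reboot. As an added illustration for helpers who review such logs, here is a small Python parser that pulls exactly those facts out of a TDSSKiller log. This is example code written for this page, not Kaspersky's tool and not anything posted in the thread: the line format it expects ("date time <thread id> <message>") is how TDSSKiller writes its log, but the regular expressions, function names, the sample log lines and the "Suspicious.Example.File" / example.sys entries are all constructed for the example.

```python
"""Triage helper for TDSSKiller log files.

Added example for this page: it is not Kaspersky's code and not part of the
thread. TDSSKiller writes one event per line as
"YYYY/MM/DD HH:MM:SS.mmmm <thread id> <message>"; this script pulls out of
those lines what a helper reviewing the log needs: which objects were
detected, which action the user chose for each (Cure, Delete, Quarantine,
Skip) and whether the chosen action is deferred to the next reboot.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Line framing: timestamp, thread id, free-text message.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+)\s+(?P<pid>\d+)\s+(?P<msg>.*)$"
)
# Message shapes for a detected object, the user's choice, and deferred work
# (assumed from the tool's log layout; adjust if a newer version differs).
DETECTED_RE = re.compile(r"^(?P<obj>.+?) - detected (?P<threat>\S+) \(\d+\)$")
ACTION_RE = re.compile(
    r"^(?P<threat>[^(]+)\((?P<obj>.+)\) - User select action: (?P<action>\w+)$"
)
PENDING_RE = re.compile(
    r"^(?P<obj>.+?) \((?P<threat>[^)]+)\) - will be (?P<verb>\w+) after reboot$"
)
COUNT_RE = re.compile(r"^Detected object count: (?P<n>\d+)$")


@dataclass
class Detection:
    obj: str
    threat: str
    action: Optional[str] = None   # filled from the "User select action" line
    reboot_required: bool = False  # set when the action is deferred to reboot


@dataclass
class Summary:
    detections: List[Detection] = field(default_factory=list)
    reported_count: Optional[int] = None  # the tool's own "Detected object count"
    scan_finished: bool = False


def parse_tdsskiller_log(text: str) -> Summary:
    """Walk the log once and join detection, action and reboot lines by object."""
    summary = Summary()
    by_obj: Dict[str, Detection] = {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # banners, blank lines, the SystemInfo block
        msg = m.group("msg").strip()
        if msg == "Scan finished":
            summary.scan_finished = True
        elif (cm := COUNT_RE.match(msg)):
            summary.reported_count = int(cm.group("n"))
        elif (dm := DETECTED_RE.match(msg)):
            det = Detection(dm.group("obj"), dm.group("threat"))
            by_obj[det.obj] = det
            summary.detections.append(det)
        elif (am := ACTION_RE.match(msg)) and am.group("obj") in by_obj:
            by_obj[am.group("obj")].action = am.group("action")
        elif (pm := PENDING_RE.match(msg)) and pm.group("obj") in by_obj:
            by_obj[pm.group("obj")].reboot_required = True
    return summary


def triage(summary: Summary) -> List[str]:
    """Turn the summary into the points a log reviewer would raise next."""
    notes = []
    if not summary.scan_finished:
        notes.append("scan did not finish: log is incomplete")
    if summary.reported_count is not None and summary.reported_count != len(summary.detections):
        notes.append("detection lines do not match the tool's own count")
    for d in summary.detections:
        if d.action is None:
            notes.append(f"{d.obj}: {d.threat} detected but no action recorded")
        elif d.action == "Skip":
            notes.append(f"{d.obj}: {d.threat} skipped, review manually")
        else:
            tail = " (reboot required)" if d.reboot_required else ""
            notes.append(f"{d.obj}: {d.threat} -> {d.action}{tail}")
    return notes


# Constructed sample log in TDSSKiller's line format (not a real capture).
SAMPLE_LOG = r"""
2011/07/11 21:20:36.0546 2420 TDSS rootkit removing tool 2.5.9.0 Jul 1 2011 18:45:21
2011/07/11 21:20:53.0296 3268 Scan started
2011/07/11 21:21:24.0312 3268 \Device\Harddisk0\DR0 - detected Rootkit.Win32.TDSS.tdl4 (0)
2011/07/11 21:21:24.0400 3268 C:\WINDOWS\system32\drivers\example.sys - detected Suspicious.Example.File (1)
2011/07/11 21:21:25.0000 3268 Scan finished
2011/07/11 21:21:25.0078 2700 Detected object count: 2
2011/07/11 21:21:32.0046 2700 \Device\Harddisk0\DR0 (Rootkit.Win32.TDSS.tdl4) - will be cured after reboot
2011/07/11 21:21:32.0046 2700 Rootkit.Win32.TDSS.tdl4(\Device\Harddisk0\DR0) - User select action: Cure
2011/07/11 21:21:33.0000 2700 Suspicious.Example.File(C:\WINDOWS\system32\drivers\example.sys) - User select action: Skip
"""

if __name__ == "__main__":
    for line in triage(parse_tdsskiller_log(SAMPLE_LOG)):
        print(line)
```

    Run on a saved log, the output makes the two things a helper checks first explicit: which action was actually chosen for each object (Cure versus Quarantine versus Skip) and whether that action is still pending a reboot, so an "- ok" line is not mistaken for a finished clean-up.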
  3. ldesim

    ldesim TS Rookie Topic Starter

    Thank you Bobbye,

    I took your advice and removed uTorrent and ran the 2 scans. I think I messed up with TDSSKiller and cured it; when I read it a 2nd time it seems like I should have quarantined? Sorry if I misunderstood. Here are the logs.

    2011/07/11 21:20:36.0546 2420 TDSS rootkit removing tool 2.5.9.0 Jul 1 2011 18:45:21
    2011/07/11 21:20:37.0484 2420 ================================================================================
    2011/07/11 21:20:37.0484 2420 SystemInfo:
    2011/07/11 21:20:37.0484 2420
    2011/07/11 21:20:37.0484 2420 OS Version: 5.1.2600 ServicePack: 3.0
    2011/07/11 21:20:37.0484 2420 Product type: Workstation
    2011/07/11 21:20:37.0484 2420 ComputerName: YOUR-I9GK72D6EW
    2011/07/11 21:20:37.0531 2420 UserName: Laurie
    2011/07/11 21:20:37.0531 2420 Windows directory: C:\WINDOWS
    2011/07/11 21:20:37.0531 2420 System windows directory: C:\WINDOWS
    2011/07/11 21:20:37.0531 2420 Processor architecture: Intel x86
    2011/07/11 21:20:37.0531 2420 Number of processors: 2
    2011/07/11 21:20:37.0531 2420 Page size: 0x1000
    2011/07/11 21:20:37.0531 2420 Boot type: Normal boot
    2011/07/11 21:20:37.0531 2420 ================================================================================
    2011/07/11 21:20:39.0406 2420 Initialize success
    2011/07/11 21:20:53.0296 3268 ================================================================================
    2011/07/11 21:20:53.0296 3268 Scan started
    2011/07/11 21:20:53.0296 3268 Mode: Manual;
    2011/07/11 21:20:53.0296 3268 ================================================================================
    2011/07/11 21:20:54.0609 3268 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
    2011/07/11 21:20:54.0796 3268 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\DRIVERS\ACPIEC.sys
    2011/07/11 21:20:55.0140 3268 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
    2011/07/11 21:20:55.0343 3268 AegisP (023867b6606fbabcdd52e089c4a507da) C:\WINDOWS\system32\DRIVERS\AegisP.sys
    2011/07/11 21:20:55.0531 3268 AFD (355556d9e580915118cd7ef736653a89) C:\WINDOWS\System32\drivers\afd.sys
    2011/07/11 21:20:56.0281 3268 Ambfilt (f6af59d6eee5e1c304f7f73706ad11d8) C:\WINDOWS\system32\drivers\Ambfilt.sys
    2011/07/11 21:20:56.0703 3268 AR5416 (d3e782ad9dca4d6215222a43345f43b0) C:\WINDOWS\system32\DRIVERS\athw.sys
    2011/07/11 21:20:57.0562 3268 AsusACPI (12415a4b61ded200fe9932b47a35fa42) C:\WINDOWS\system32\DRIVERS\ASUSACPI.sys
    2011/07/11 21:20:57.0718 3268 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
    2011/07/11 21:20:57.0890 3268 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
    2011/07/11 21:20:58.0062 3268 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
    2011/07/11 21:20:58.0203 3268 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
    2011/07/11 21:20:58.0421 3268 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
    2011/07/11 21:20:59.0203 3268 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
    2011/07/11 21:20:59.0375 3268 CCDECODE (0be5aef125be881c4f854c554f2b025c) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
    2011/07/11 21:20:59.0500 3268 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
    2011/07/11 21:20:59.0578 3268 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
    2011/07/11 21:20:59.0703 3268 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
    2011/07/11 21:20:59.0937 3268 CmBatt (0f6c187d38d98f8df904589a5f94d411) C:\WINDOWS\system32\DRIVERS\CmBatt.sys
    2011/07/11 21:21:00.0093 3268 Compbatt (6e4c9f21f0fae8940661144f41b13203) C:\WINDOWS\system32\DRIVERS\compbatt.sys
    2011/07/11 21:21:00.0750 3268 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
    2011/07/11 21:21:00.0953 3268 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
    2011/07/11 21:21:01.0250 3268 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
    2011/07/11 21:21:01.0406 3268 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
    2011/07/11 21:21:01.0593 3268 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
    2011/07/11 21:21:01.0781 3268 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
    2011/07/11 21:21:01.0921 3268 epmntdrv (f07ba56b0235f15eff8f10dc6389c42e) C:\WINDOWS\system32\epmntdrv.sys
    2011/07/11 21:21:02.0109 3268 EuGdiDrv (1f2f4ab15ce03ecc257feb2f6dc5a013) C:\WINDOWS\system32\EuGdiDrv.sys
    2011/07/11 21:21:02.0437 3268 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
    2011/07/11 21:21:02.0656 3268 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\drivers\Fdc.sys
    2011/07/11 21:21:02.0781 3268 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
    2011/07/11 21:21:02.0859 3268 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys
    2011/07/11 21:21:02.0968 3268 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\DRIVERS\fltMgr.sys
    2011/07/11 21:21:03.0187 3268 fssfltr (960f5e5e4e1f720465311ac68a99c2df) C:\WINDOWS\system32\DRIVERS\fssfltr_tdi.sys
    2011/07/11 21:21:03.0328 3268 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
    2011/07/11 21:21:03.0421 3268 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
    2011/07/11 21:21:03.0562 3268 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
    2011/07/11 21:21:03.0687 3268 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
    2011/07/11 21:21:03.0890 3268 hidusb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
    2011/07/11 21:21:04.0156 3268 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
    2011/07/11 21:21:04.0484 3268 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
    2011/07/11 21:21:04.0812 3268 igd (4a1e0f6367ff47f87cbe8a7ecf38b01d) C:\WINDOWS\system32\DRIVERS\igxpmp32.sys
    2011/07/11 21:21:05.0140 3268 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
    2011/07/11 21:21:05.0578 3268 IntcAzAudAddService (afa6853aa949b5e151e4a10f6805b5b2) C:\WINDOWS\system32\drivers\RtkHDAud.sys
    2011/07/11 21:21:06.0421 3268 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
    2011/07/11 21:21:06.0609 3268 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\DRIVERS\Ip6Fw.sys
    2011/07/11 21:21:07.0000 3268 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
    2011/07/11 21:21:07.0125 3268 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
    2011/07/11 21:21:07.0203 3268 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
    2011/07/11 21:21:07.0312 3268 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
    2011/07/11 21:21:07.0562 3268 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
    2011/07/11 21:21:07.0765 3268 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
    2011/07/11 21:21:07.0937 3268 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
    2011/07/11 21:21:08.0031 3268 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
    2011/07/11 21:21:08.0171 3268 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
    2011/07/11 21:21:08.0296 3268 L1c (6c8658587e91ea25b0fd2e71781ad228) C:\WINDOWS\system32\DRIVERS\l1c51x86.sys
    2011/07/11 21:21:08.0593 3268 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
    2011/07/11 21:21:08.0765 3268 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
    2011/07/11 21:21:08.0906 3268 Monfilt (9fa7207d1b1adead88ae8eed9cdbbaa5) C:\WINDOWS\system32\drivers\Monfilt.sys
    2011/07/11 21:21:09.0125 3268 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
    2011/07/11 21:21:09.0218 3268 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
    2011/07/11 21:21:09.0375 3268 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
    2011/07/11 21:21:09.0515 3268 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
    2011/07/11 21:21:09.0640 3268 MRxSmb (0dc719e9b15e902346e87e9dcd5751fa) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
    2011/07/11 21:21:09.0859 3268 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
    2011/07/11 21:21:09.0921 3268 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
    2011/07/11 21:21:09.0953 3268 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
    2011/07/11 21:21:10.0015 3268 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
    2011/07/11 21:21:10.0265 3268 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
    2011/07/11 21:21:10.0468 3268 MSTEE (e53736a9e30c45fa9e7b5eac55056d1d) C:\WINDOWS\system32\drivers\MSTEE.sys
    2011/07/11 21:21:10.0609 3268 Mup (de6a75f5c270e756c5508d94b6cf68f5) C:\WINDOWS\system32\drivers\Mup.sys
    2011/07/11 21:21:10.0734 3268 NABTSFEC (5b50f1b2a2ed47d560577b221da734db) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
    2011/07/11 21:21:10.0859 3268 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
    2011/07/11 21:21:10.0937 3268 NdisIP (7ff1f1fd8609c149aa432f95a8163d97) C:\WINDOWS\system32\DRIVERS\NdisIP.sys
    2011/07/11 21:21:11.0062 3268 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
    2011/07/11 21:21:11.0187 3268 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
    2011/07/11 21:21:11.0359 3268 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
    2011/07/11 21:21:11.0500 3268 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
    2011/07/11 21:21:11.0609 3268 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
    2011/07/11 21:21:11.0734 3268 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
    2011/07/11 21:21:12.0187 3268 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
    2011/07/11 21:21:12.0453 3268 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
    2011/07/11 21:21:12.0640 3268 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
    2011/07/11 21:21:12.0718 3268 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
    2011/07/11 21:21:12.0796 3268 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
    2011/07/11 21:21:12.0968 3268 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\drivers\Parport.sys
    2011/07/11 21:21:13.0046 3268 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
    2011/07/11 21:21:13.0156 3268 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
    2011/07/11 21:21:13.0296 3268 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
    2011/07/11 21:21:13.0468 3268 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
    2011/07/11 21:21:13.0578 3268 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
    2011/07/11 21:21:14.0187 3268 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
    2011/07/11 21:21:14.0281 3268 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
    2011/07/11 21:21:14.0328 3268 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
    2011/07/11 21:21:14.0687 3268 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
    2011/07/11 21:21:14.0781 3268 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
    2011/07/11 21:21:14.0937 3268 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
    2011/07/11 21:21:15.0046 3268 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
    2011/07/11 21:21:15.0281 3268 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
    2011/07/11 21:21:15.0453 3268 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
    2011/07/11 21:21:16.0031 3268 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
    2011/07/11 21:21:16.0406 3268 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
    2011/07/11 21:21:16.0875 3268 RTLWUSB (5a850259b849a899990379a75460a4eb) C:\WINDOWS\system32\DRIVERS\RTL8187.sys
    2011/07/11 21:21:17.0281 3268 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
    2011/07/11 21:21:17.0515 3268 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\drivers\Serial.sys
    2011/07/11 21:21:17.0968 3268 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
    2011/07/11 21:21:18.0468 3268 SLIP (866d538ebe33709a5c9f5c62b73b7d14) C:\WINDOWS\system32\DRIVERS\SLIP.sys
    2011/07/11 21:21:18.0875 3268 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
    2011/07/11 21:21:19.0000 3268 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
    2011/07/11 21:21:19.0234 3268 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys
    2011/07/11 21:21:19.0390 3268 streamip (77813007ba6265c4b6098187e6ed79d2) C:\WINDOWS\system32\DRIVERS\StreamIP.sys
    2011/07/11 21:21:19.0468 3268 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
    2011/07/11 21:21:19.0625 3268 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
    2011/07/11 21:21:20.0078 3268 SynTP (8e25a1dbb8527b2074af9b682f818768) C:\WINDOWS\system32\DRIVERS\SynTP.sys
    2011/07/11 21:21:20.0171 3268 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
    2011/07/11 21:21:20.0390 3268 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
    2011/07/11 21:21:20.0562 3268 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
    2011/07/11 21:21:20.0640 3268 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
    2011/07/11 21:21:20.0718 3268 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
    2011/07/11 21:21:21.0031 3268 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
    2011/07/11 21:21:21.0265 3268 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
    2011/07/11 21:21:21.0421 3268 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
    2011/07/11 21:21:21.0531 3268 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
    2011/07/11 21:21:21.0687 3268 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
    2011/07/11 21:21:21.0765 3268 usbstor (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
    2011/07/11 21:21:21.0859 3268 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
    2011/07/11 21:21:22.0046 3268 usbvideo (63bbfca7f390f4c49ed4b96bfb1633e0) C:\WINDOWS\system32\Drivers\usbvideo.sys
    2011/07/11 21:21:22.0125 3268 uvclf (c019889035cdc1a06f2febc93cbb6897) C:\WINDOWS\system32\DRIVERS\uvclf.sys
    2011/07/11 21:21:22.0234 3268 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
    2011/07/11 21:21:22.0468 3268 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
    2011/07/11 21:21:22.0703 3268 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
    2011/07/11 21:21:22.0828 3268 Wdf01000 (bbcfeab7e871cddac2d397ee7fa91fdc) C:\WINDOWS\system32\Drivers\wdf01000.sys
    2011/07/11 21:21:23.0093 3268 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
    2011/07/11 21:21:23.0406 3268 WmiAcpi (c42584fd66ce9e17403aebca199f7bdb) C:\WINDOWS\system32\DRIVERS\wmiacpi.sys
    2011/07/11 21:21:23.0703 3268 WSTCODEC (c98b39829c2bbd34e454150633c62c78) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
    2011/07/11 21:21:23.0859 3268 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
    2011/07/11 21:21:24.0046 3268 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
    2011/07/11 21:21:24.0265 3268 MBR (0x1B8) (2839639fa37b8353e792a2a30a12ced3) \Device\Harddisk0\DR0
    2011/07/11 21:21:24.0312 3268 \Device\Harddisk0\DR0 - detected Rootkit.Win32.TDSS.tdl4 (0)
    2011/07/11 21:21:24.0375 3268 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk1\DR7
    2011/07/11 21:21:24.0781 3268 Boot (0x1200) (84926bd769e5148c7b355472a17fa8fe) \Device\Harddisk0\DR0\Partition0
    2011/07/11 21:21:24.0890 3268 Boot (0x1200) (ee7cb087a5c2ebfd2391160967141f20) \Device\Harddisk0\DR0\Partition1
    2011/07/11 21:21:24.0953 3268 Boot (0x1200) (4739a056464bba8adc1bac285194f002) \Device\Harddisk1\DR7\Partition0
    2011/07/11 21:21:25.0000 3268 ================================================================================
    2011/07/11 21:21:25.0000 3268 Scan finished
    2011/07/11 21:21:25.0000 3268 ================================================================================
    2011/07/11 21:21:25.0078 2700 Detected object count: 1
    2011/07/11 21:21:25.0093 2700 Actual detected object count: 1
    2011/07/11 21:21:32.0046 2700 \Device\Harddisk0\DR0 (Rootkit.Win32.TDSS.tdl4) - will be cured after reboot
    2011/07/11 21:21:32.0046 2700 \Device\Harddisk0\DR0 - ok
    2011/07/11 21:21:32.0046 2700 Rootkit.Win32.TDSS.tdl4(\Device\Harddisk0\DR0) - User select action: Cure
    2011/07/11 21:22:33.0109 2044 Deinitialize success

    ComboFix 11-07-11.02 - Laurie 07/11/2011 21:34:12.1.2 - x86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.283 [GMT -4:00]
    Running from: c:\documents and settings\Laurie\Desktop\ComboFix.exe
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\documents and settings\Laurie\Application Data\chrtmp
    c:\documents and settings\Laurie\Application Data\dwm.exe
    c:\documents and settings\Laurie\Application Data\LocalAccountAuthority.bat
    c:\documents and settings\Laurie\Application Data\Plug.bat
    c:\documents and settings\Laurie\Cookies\15438875na.t
    c:\documents and settings\Laurie\delme.bat
    c:\documents and settings\Laurie\Local Settings\Application Data\{3CBDFF8D-6575-441D-B948-4AFB3A506953}
    c:\documents and settings\Laurie\Local Settings\Application Data\{3CBDFF8D-6575-441D-B948-4AFB3A506953}\chrome.manifest
    c:\documents and settings\Laurie\Local Settings\Application Data\{3CBDFF8D-6575-441D-B948-4AFB3A506953}\chrome\content\_cfg.js
    c:\documents and settings\Laurie\Local Settings\Application Data\{3CBDFF8D-6575-441D-B948-4AFB3A506953}\chrome\content\overlay.xul
    c:\documents and settings\Laurie\Local Settings\Application Data\{3CBDFF8D-6575-441D-B948-4AFB3A506953}\install.rdf
    c:\windows\system32\Thumbs.db
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    -------\Legacy_MOUSEDRIVER
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-06-12 to 2011-07-12 )))))))))))))))))))))))))))))))
    .
    .
    2011-07-11 02:15 . 2011-07-11 02:15 -------- d-----w- c:\documents and settings\Laurie\DoctorWeb
    2011-07-10 20:19 . 2011-07-10 20:19 -------- d-----w- c:\documents and settings\Administrator
    2011-07-10 18:51 . 2011-07-10 18:51 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
    2011-07-10 18:43 . 2011-07-10 18:43 16384 ---h--w- c:\windows\sysmgm.exe
    2011-07-10 18:40 . 2011-07-10 18:48 -------- d-----w- c:\documents and settings\Laurie\Local Settings\Application Data\Identities
    2011-07-10 18:36 . 2011-07-10 19:59 -------- d-----w- c:\documents and settings\All Users\Application Data\WSTB
    2011-07-10 18:35 . 2011-07-10 18:35 16636 ---h--w- c:\windows\dxxsetup.exe
    2011-07-10 18:35 . 2011-07-10 19:59 -------- d-----w- c:\documents and settings\Laurie\Application Data\Qeomb
    2011-07-10 18:35 . 2011-07-10 19:02 -------- d-----w- c:\documents and settings\Laurie\Application Data\Miugy
    2011-07-10 18:35 . 2011-07-10 18:35 100252 ---h--w- c:\windows\msmgm.exe
    2011-07-10 18:34 . 2011-07-10 18:34 106496 --sha-r- c:\windows\system32\proctexet.dll
    2011-07-10 18:17 . 2011-07-10 18:17 -------- d-----w- c:\documents and settings\All Users\Application Data\TEMP
    2011-07-10 18:17 . 2011-07-10 18:17 -------- d-----w- c:\program files\Common Files\Sandlot Shared
    2011-07-10 18:17 . 2011-07-10 18:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Sandlot Games
    2011-07-10 18:17 . 2011-07-10 18:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Trymedia
    2011-07-10 01:35 . 2011-07-10 01:35 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2011-07-09 21:55 . 2011-07-09 21:57 -------- d-----w- c:\documents and settings\Laurie\Application Data\PeaceCraft2
    2011-07-09 20:19 . 2011-07-09 20:20 -------- d-----w- c:\documents and settings\Laurie\Local Settings\Application Data\QuickPar
    2011-07-09 15:45 . 2011-07-09 15:45 -------- d-----w- c:\documents and settings\Laurie\Application Data\Meridian93
    2011-07-09 04:59 . 2011-07-09 04:59 -------- d-----w- c:\windows\system32\XPSViewer
    2011-07-09 04:58 . 2011-07-09 04:58 -------- d-----w- c:\program files\MSBuild
    2011-07-09 04:58 . 2011-07-09 04:58 -------- d-----w- c:\program files\Reference Assemblies
    2011-07-09 04:58 . 2008-07-06 12:06 89088 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\filterpipelineprintproc.dll
    2011-07-09 04:58 . 2008-07-06 12:06 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
    2011-07-09 04:58 . 2008-07-06 12:06 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
    2011-07-09 04:58 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
    2011-07-09 04:58 . 2008-07-06 12:06 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
    2011-07-09 04:58 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
    2011-07-09 04:58 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
    2011-07-09 04:58 . 2008-07-06 10:50 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
    2011-07-09 04:58 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\Spool\prtprocs\w32x86\printfilterpipelinesvc.exe
    2011-07-09 04:52 . 2011-07-09 04:52 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
    2011-07-08 11:56 . 2011-04-25 16:11 602112 -c----w- c:\windows\system32\dllcache\msfeeds.dll
    2011-07-08 11:56 . 2011-04-25 16:11 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll
    2011-07-08 11:56 . 2011-04-25 16:11 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll
    2011-07-08 11:56 . 2011-04-25 16:11 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
    2011-07-08 11:56 . 2011-04-25 16:11 247808 -c----w- c:\windows\system32\dllcache\ieproxy.dll
    2011-07-08 11:55 . 2011-04-25 16:11 1991680 -c----w- c:\windows\system32\dllcache\iertutil.dll
    2011-07-08 11:49 . 2011-07-08 11:49 -------- d-----w- c:\documents and settings\Laurie\Application Data\Malwarebytes
    2011-07-08 11:49 . 2011-05-29 13:11 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-07-08 11:49 . 2011-07-08 11:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2011-07-08 11:49 . 2011-07-08 11:49 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-07-08 11:49 . 2011-05-29 13:11 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-07-08 11:45 . 2011-07-08 11:45 -------- d-----w- c:\program files\uTorrent
    2011-07-08 11:44 . 2011-07-08 11:46 -------- d-----w- c:\documents and settings\Laurie\Application Data\uTorrent
    2011-07-08 11:44 . 2011-07-08 11:44 -------- d-----w- c:\documents and settings\Laurie\Local Settings\Application Data\uTorrent
    2011-07-08 11:38 . 2011-07-08 11:38 -------- d-----w- c:\program files\QuickPar
    2011-07-08 11:18 . 2011-07-12 01:22 -------- d-----w- c:\documents and settings\Laurie\Local Settings\Application Data\Newsbin
    2011-07-08 11:18 . 2011-07-08 11:19 -------- d-----w- c:\program files\Newsbin
    2011-07-08 10:56 . 2010-07-27 22:42 1774720 ----a-w- c:\windows\system32\BootMan.exe
    2011-07-08 10:56 . 2010-07-15 12:44 86408 ----a-w- c:\windows\system32\setupempdrv03.exe
    2011-07-08 10:56 . 2010-07-15 12:44 8456 ----a-w- c:\windows\system32\EuGdiDrv.sys
    2011-07-08 10:56 . 2010-07-15 12:44 13192 ----a-w- c:\windows\system32\epmntdrv.sys
    2011-07-08 10:56 . 2010-07-15 12:44 14848 ----a-w- c:\windows\system32\EuEpmGdi.dll
    2011-07-08 10:55 . 2011-07-08 10:55 -------- d-----w- c:\program files\EASEUS
    2011-07-08 10:49 . 2011-07-08 10:49 -------- d-----w- c:\documents and settings\Laurie\Local Settings\Application Data\Mozilla
    2011-07-08 10:46 . 2011-07-08 10:48 -------- d-----w- c:\documents and settings\Laurie\Local Settings\Application Data\Google
    2011-07-08 10:46 . 2011-07-08 10:46 -------- d-----w- c:\documents and settings\Laurie\Local Settings\Application Data\Deployment
    2011-07-08 10:45 . 2011-07-08 10:45 -------- d-sh--w- c:\documents and settings\Laurie\IECompatCache
    2011-07-08 10:44 . 2011-07-08 10:44 21361 ----a-w- c:\windows\system32\drivers\AegisP.sys
    2011-07-08 10:43 . 2011-07-08 10:44 376832 ----a-w- c:\windows\system32\AegisI5Installer.exe
    2011-07-08 10:43 . 2011-07-08 10:43 -------- d-----w- c:\windows\OPTIONS
    2011-07-08 10:43 . 2010-03-31 18:58 342784 ----a-w- c:\windows\system32\drivers\rtl8187B.sys
    2011-07-08 10:43 . 2008-06-27 13:39 332928 ----a-w- c:\windows\system32\drivers\rtl8187.sys
    2011-07-08 10:43 . 2011-07-11 22:09 -------- d-----w- c:\windows\system32\RtlGina
    2011-07-08 10:43 . 2010-12-01 13:31 451072 ----a-w- c:\windows\system32\ISSRemoveSP.exe
    2011-07-06 07:28 . 2011-07-08 11:17 -------- d-----w- C:\mplayer
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-05-02 15:31 . 2009-08-17 18:07 692736 ----a-w- c:\windows\system32\inetcomm.dll
    2011-04-29 17:25 . 2009-08-17 17:51 151552 ----a-w- c:\windows\system32\schannel.dll
    2011-04-29 16:19 . 2009-08-17 17:51 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
    2011-04-25 16:11 . 2009-08-17 17:51 916480 ----a-w- c:\windows\system32\wininet.dll
    2011-04-25 16:11 . 2009-08-17 17:51 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2011-04-25 16:11 . 2009-08-17 17:51 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
    2011-04-25 12:01 . 2009-08-17 17:51 385024 ----a-w- c:\windows\system32\html.iec
    2011-04-21 13:37 . 2009-08-17 17:51 105472 ----a-w- c:\windows\system32\drivers\mup.sys
    2011-06-16 04:17 . 2011-07-10 22:29 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "AsusACPIServer"="c:\program files\EeePC\ACPI\AsAcpiSvr.exe" [2009-07-10 700416]
    "AsusEPCMonitor"="c:\program files\EeePC\ACPI\AsEPCMon.exe" [2009-05-08 98304]
    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2009-04-09 1512744]
    "SynAsusAcpi"="c:\program files\Synaptics\SynTP\SynAsusAcpi.exe" [2009-04-09 79144]
    "LiveUpdate"="c:\program files\Asus\LiveUpdate\LiveUpdate.exe" [2009-06-25 712704]
    "EasyMode"="c:\program files\\ASUS\\Easy Mode\\Easy Mode.exe" [2009-03-18 1249280]
    .
    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    REALTEK Wireless LAN Utility.lnk - c:\program files\Realtek\Wireless LAN Utility\RtWLan.exe [2011-7-8 1015808]
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
    @="Driver"
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
    2007-10-10 23:51 39792 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
    2008-04-14 12:00 15360 ----a-w- c:\windows\system32\ctfmon.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
    2009-02-06 22:51 3885408 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
    "c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
    "c:\\Program Files\\Realtek\\Wireless LAN Utility\\RtWLan.exe"=
    "c:\\Program Files\\Newsbin\\newsbinpro.exe"=
    "c:\\Program Files\\uTorrent\\uTorrent.exe"=
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "1542:TCP"= 1542:TCP:Realtek WPS TCP Prot
    "1542:UDP"= 1542:UDP:Realtek WPS UDP Prot
    "53:UDP"= 53:UDP:Realtek AP UDP Prot
    .
    R3 igd;igd;c:\windows\system32\drivers\igxpmp32.sys [8/17/2009 2:24 PM 5097632]
    R3 L1c;NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller;c:\windows\system32\drivers\l1c51x86.sys [8/12/2009 5:35 AM 38912]
    R3 RTLWUSB;Realtek RTL8187 Wireless 802.11b/g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\drivers\rtl8187.sys [7/8/2011 6:43 AM 332928]
    R3 uvclf;uvclf;c:\windows\system32\drivers\uvclf.sys [8/12/2009 5:35 AM 39040]
    S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [8/17/2009 2:25 PM 1684736]
    S3 epmntdrv;epmntdrv;c:\windows\system32\epmntdrv.sys [7/8/2011 6:56 AM 13192]
    S3 EuGdiDrv;EuGdiDrv;c:\windows\system32\EuGdiDrv.sys [7/8/2011 6:56 AM 8456]
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-07-08 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-54177274-1042514724-1164472201-1005Core.job
    - c:\documents and settings\Laurie\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-07-08 10:46]
    .
    2011-07-12 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-54177274-1042514724-1164472201-1005UA.job
    - c:\documents and settings\Laurie\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-07-08 10:46]
    .
    .
    ------- Supplementary Scan -------
    .
    TCP: DhcpNameServer = 68.87.71.230 68.87.73.246
    FF - ProfilePath - c:\documents and settings\Laurie\Application Data\Mozilla\Firefox\Profiles\sqwakfbo.default\
    FF - prefs.js: network.proxy.http - 127.0.0.1
    FF - prefs.js: network.proxy.http_port - 60061
    FF - prefs.js: network.proxy.type - 0
    FF - user.js: network.cookie.cookieBehavior - 0
    FF - user.js: privacy.clearOnShutdown.cookies - false
    FF - user.js: security.warn_viewing_mixed - false
    FF - user.js: security.warn_viewing_mixed.show_once - false
    FF - user.js: security.warn_submit_insecure - false
    FF - user.js: security.warn_submit_insecure.show_once - false
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-07-11 21:46
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'explorer.exe'(3988)
    c:\windows\system32\WININET.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\system32\rundll32.exe
    c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
    c:\windows\system32\igfxext.exe
    c:\windows\system32\igfxsrvc.exe
    .
    **************************************************************************
    .
    Completion time: 2011-07-11 21:49:52 - machine was rebooted
    ComboFix-quarantined-files.txt 2011-07-12 01:49
    .
    Pre-Run: 39,488,720,896 bytes free
    Post-Run: 40,160,452,608 bytes free
    .
    WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    UnsupportedDebug="do not select this" /debug
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
    .
    - - End Of File - - 4DCD8891A90B4DC34C072F60EAD88E51
     
  4. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    It looks good. Did you notice the name> Rootkit.Win32.TDSS.tdl4

    Question: Does Comcast require you to use a proxy in Firefox> > FF - prefs.js: network.proxy.http_port - 60061
    If not, please do this: Reset your browser proxies


    o For Firefox:
    o Open Firefox, click on "Tools" then "Options" and then on "Advanced".
    o Click on the "Network" tab, and then on the "Settings" button.
    o Please make sure that the "No Proxy" option is selected.

    o For Internet Explorer:
    o Open Internet Explorer.
    o Click on "Tools" and then select "Internet Options".
    o Click on the "Connections" tab and click the "Lan Settings" button at the bottom.
    o Uncheck "Use a Proxy server for your LAN".
    o Click Ok to close the Local Area Network (LAN) Settings window.
    o Click Ok to close the Internet Options window.
    =======================================
    Please go ahead and do this scan- I'll check the Combofix log in the morning: I have to write some script for entries to be removed.
    • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
      ESETOnlineScan
    • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
      [o] Click on the link to download the ESET Smart Installer. Save it to your desktop.
      [o] Double click on the icon on your desktop.
    • Check 'Yes I accept terms of use.'
    • Click Start button
    • Accept any security warnings from your browser.
    • Uncheck 'Remove found threats'
    • Check 'Scan archives'
    • Leave remaining settings as is.
    • Press the Start button.
    • ESET will then download updates for itself, install itself, and begin scanning your computer. Please wait for the scan to finish.
    • When the scan completes, press List of found threats
    • Push Export of text file and save the file to your desktop using a unique name, such as ESETScan. Paste this log in your next reply.
    • Push the Back button
    • Push Finish

    NOTE: If no malware is found then no log will be produced. Let me know if this is the case.
     
  5. ldesim

    ldesim TS Rookie Topic Starter

    I went to reset the proxies but no proxy was checked in both Firefox & IE.. weird.

    Unfortunately, the scan did pick up more viruses I'm afraid.. scan below.. a continued thank you:

    C:\Documents and Settings\Laurie\DoctorWeb\Quarantine\7F.exe a variant of Win32/Kryptik.QEE trojan
    C:\Documents and Settings\Laurie\DoctorWeb\Quarantine\8E.exe a variant of Win32/Kryptik.QEE trojan
    C:\Documents and Settings\Laurie\DoctorWeb\Quarantine\A4.exe a variant of Win32/Kryptik.QEE trojan
    C:\Documents and Settings\Laurie\DoctorWeb\Quarantine\gfnl5vop1rvo.exe a variant of Win32/Agent.SDL trojan
    C:\Documents and Settings\Laurie\DoctorWeb\Quarantine\out5sd.exe multiple threats
    C:\Qoobox\Quarantine\C\Documents and Settings\Laurie\Application Data\dwm.exe.vir a variant of Win32/Kryptik.QEE trojan
    C:\WINDOWS\dxxsetup.exe a variant of Win32/Agent.SDL trojan
    C:\WINDOWS\msmgm.exe a variant of Win32/Agent.SDL trojan
    C:\WINDOWS\sysmgm.exe a variant of Win32/Agent.SDL trojan
    D:\Software\Wintools.neT.Ult.v10.7.1.rar probably a variant of Win32/SdBot.IBJMWKD trojan
     
  6. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Apparently you ran Dr. Web before you came here. Several of the Eset entries are those quarantined in Dr. Web.

    The Qoobox entries are for entries quarantined in Combofix.

    The following are the active entries:

    Please download OTMoveIt by Old Timer and save to your desktop.
    • Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
    • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
      Code:
      :Files  
      C:\WINDOWS\dxxsetup.exe 
      C:\WINDOWS\msmgm.exe 
      C:\WINDOWS\sysmgm.exe
      D:\Software\Wintools.neT.Ult.v10.7.1.rar 
      :Commands
      [purity]
      [emptytemp]
      [start explorer]
      [Reboot]
    • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
    • Click the red Moveit! button.
    • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
    • Close OTMoveIt3
    If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
    =====================================
    This program was pirated, which is why it got malware:
    Wintools.neT.Ult.v10.7.1.rar >> The legitimate version costs $40.00

    And the D Drive is infected.
    ===================================
    Download CKScanner and save to your desktop.
    • Double-click CKScanner.exe and click Search For Files.
    • When the cursor hourglass disappears, click Save List To File.
    • A message box will verify that the file is saved.
    • Double-click the CKFiles.txt icon on your desktop and copy/paste the contents
      in your next reply.
     
  7. ldesim

    ldesim TS Rookie Topic Starter

    I thought I had responded to this.. no wonder no reply.. geez... sorry :( I have no idea what the wintoolsnet thing is.. I just got this netbook and it was refurbished...


    Here's the logs...

    All processes killed
    Error: Unable to interpret <[CODE> in the current context!
    ========== FILES ==========
    C:\WINDOWS\dxxsetup.exe moved successfully.
    C:\WINDOWS\msmgm.exe moved successfully.
    C:\WINDOWS\sysmgm.exe moved successfully.
    D:\Software\Wintools.neT.Ult.v10.7.1.rar moved successfully.
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: Administrator
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 67 bytes
    ->Flash cache emptied: 405 bytes

    User: All Users

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 82054 bytes
    ->Flash cache emptied: 405 bytes

    User: Laurie
    ->Temp folder emptied: 40382 bytes
    ->Temporary Internet Files folder emptied: 1220617 bytes
    ->FireFox cache emptied: 152441831 bytes
    ->Google Chrome cache emptied: 58931021 bytes
    ->Flash cache emptied: 5433 bytes

    User: LocalService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 4505734 bytes
    ->Flash cache emptied: 6632 bytes

    User: NetworkService
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 3195014 bytes
    ->Flash cache emptied: 5506 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 2577 bytes
    %systemroot%\System32\dllcache .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
    RecycleBin emptied: 0 bytes

    Total Files Cleaned = 210.00 mb


    OTM by OldTimer - Version 3.1.18.0 log created on 07152011_192950

    Files moved on Reboot...

    Registry entries deleted on Reboot...



    CKScanner - Additional Security Risks - These are not necessarily bad
    scanner sequence 3.RP.11.IICFXA
    ----- EOF -----
     
  8. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    I haven't seen any antivirus program or other security programs in any of the logs. Do you have any at all? Where did you find the Backdoor Trojan TDSS "565" information?

    What is the D Drive? I asked earlier and said it was infected. My thought of 'refurbished' for a computer is cleaning the physical parts and, if it is going to be resold, the system wiped clean and the OS reinstalled. If that is accurate then any pirated software would have been done by the current users. The OS shows installed 2002, but there are no restore points.

    Can you give me any information about the following 2 entries:
    2011-07-10 19:59 >> c:\documents and settings\Laurie\Application Data\Qeomb
    2011-07-10 18:35 >> c:\documents and settings\Laurie\Application Data\Miugy

    Please give me an update on the system.
     
  9. ldesim

    ldesim TS Rookie Topic Starter

    I had installed the freeware version of Malware Bytes.. which initially picked up the viruses, which I'm not sure where they came from... I then ran Dr. Web Cure-it.. which picked up and named the virus as "Backdoor Trojan TDSS 565". I didn't try to cure or delete or anything since it was a boot record as I was afraid I wouldn't be able to reboot.

    The D drive is a partition I created. For some reason, System restore was inactive.. maybe as a result of the trojan/viruses?? I didn't realize this until I had the problems and tried to restore as a first course of action.

    I have no idea what those files are, but I changed settings to show hidden folders & system folders and the MIUGY folder just has a file named evzox.tmp and the QEOMB folder is empty.
     
  10. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Malwarebytes is an antimalware program. Even if you bought the Pro version, it does not have an antivirus program. Using the freeware scan may pick up malware, but it is not the same as having an antivirus program installed on the system, updating and running all the time.

    Before I take you any further, please install one of the free and good AV programs below:
    Avira-AntiVir-Personal-Free-Antivirus
    Avast-Free Antivirus

    Immediately update the program after the install, then run a scan to make sure it's running okay. I don't need that log.
    Reboot the computer when through.

    The most basic security is one antivirus program, one firewall and at least two antimalware programs.
    ===========================================
    Update and run a new Eset online virus scan.> directions given previously
    Then update and run a new Combofix scan> directions given previously

    Both logs in next reply please. I will not continue support without an AV program on the system. Even if you have to disable it to run scans, it needs to be on the system to protect it.
     
  11. ldesim

    ldesim TS Rookie Topic Starter

    I went with the first one, Avira.. nothing turned up in a scan.. here are the logs from Eset & Combofix:

    C:\_OTM\MovedFiles\07152011_192950\D_Software\Wintools.neT.Ult.v10.7.1.rar probably a variant of Win32/SdBot.IBJMWKD trojan

    ComboFix 11-07-24.03 - Laurie 07/24/2011 21:19:05.2.2 - x86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.167 [GMT -4:00]
    Running from: c:\documents and settings\Laurie\Desktop\ComboFix.exe
    AV: AntiVir Desktop *Disabled/Outdated* {AD166499-45F9-482A-A743-FDD3350758C7}
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-06-25 to 2011-07-25 )))))))))))))))))))))))))))))))
    .
    .
    2011-07-24 21:33 . 2011-06-17 16:37 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys
    2011-07-24 21:33 . 2011-06-17 16:37 137656 ----a-w- c:\windows\system32\drivers\avipbb.sys
    2011-07-24 21:33 . 2010-06-17 19:27 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
    2011-07-24 21:33 . 2010-06-17 19:27 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
    2011-07-24 21:33 . 2011-07-24 21:33 -------- d-----w- c:\program files\Avira
    2011-07-24 21:33 . 2011-07-24 21:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
    2011-07-17 18:34 . 2011-07-17 18:34 -------- d-----w- c:\documents and settings\All Users\Application Data\SulusGames
    2011-07-17 18:28 . 2011-07-17 18:30 -------- d-----w- c:\documents and settings\Laurie\Application Data\Peace Craft
    2011-07-15 23:29 . 2011-07-15 23:29 -------- d-----w- C:\_OTM
    2011-07-13 02:42 . 2011-07-13 02:42 -------- d-----w- c:\program files\ESET
    2011-07-11 02:15 . 2011-07-11 02:15 -------- d-----w- c:\documents and settings\Laurie\DoctorWeb
    2011-07-10 20:19 . 2011-07-10 20:19 -------- d-----w- c:\documents and settings\Administrator
    2011-07-10 18:51 . 2011-07-10 18:51 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
    2011-07-10 18:40 . 2011-07-10 18:48 -------- d-----w- c:\documents and settings\Laurie\Local Settings\Application Data\Identities
    2011-07-10 18:36 . 2011-07-10 19:59 -------- d-----w- c:\documents and settings\All Users\Application Data\WSTB
    2011-07-10 18:35 . 2011-07-10 19:59 -------- d-----w- c:\documents and settings\Laurie\Application Data\Qeomb
    2011-07-10 18:35 . 2011-07-10 19:02 -------- d-----w- c:\documents and settings\Laurie\Application Data\Miugy
    2011-07-10 18:34 . 2011-07-10 18:34 106496 --sha-r- c:\windows\system32\proctexet.dll
    2011-07-10 18:17 . 2011-07-10 18:17 -------- d-----w- c:\documents and settings\All Users\Application Data\TEMP
    2011-07-10 18:17 . 2011-07-10 18:17 -------- d-----w- c:\program files\Common Files\Sandlot Shared
    2011-07-10 18:17 . 2011-07-10 18:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Sandlot Games
    2011-07-10 18:17 . 2011-07-10 18:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Trymedia
    2011-07-10 01:35 . 2011-07-10 01:35 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2011-07-09 21:55 . 2011-07-09 21:57 -------- d-----w- c:\documents and settings\Laurie\Application Data\PeaceCraft2
    2011-07-09 20:19 . 2011-07-22 22:56 -------- d-----w- c:\documents and settings\Laurie\Local Settings\Application Data\QuickPar
    2011-07-09 15:45 . 2011-07-09 15:45 -------- d-----w- c:\documents and settings\Laurie\Application Data\Meridian93
    2011-07-09 04:59 . 2011-07-09 04:59 -------- d-----w- c:\windows\system32\XPSViewer
    2011-07-09 04:58 . 2011-07-09 04:58 -------- d-----w- c:\program files\MSBuild
    2011-07-09 04:58 . 2011-07-09 04:58 -------- d-----w- c:\program files\Reference Assemblies
    2011-07-09 04:58 . 2008-07-06 12:06 89088 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\filterpipelineprintproc.dll
    2011-07-09 04:58 . 2008-07-06 12:06 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
    2011-07-09 04:58 . 2008-07-06 12:06 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
    2011-07-09 04:58 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
    2011-07-09 04:58 . 2008-07-06 12:06 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
    2011-07-09 04:58 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
    2011-07-09 04:58 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
    2011-07-09 04:58 . 2008-07-06 10:50 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
    2011-07-09 04:58 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\Spool\prtprocs\w32x86\printfilterpipelinesvc.exe
    2011-07-09 04:52 . 2011-07-09 04:52 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
    2011-07-08 11:56 . 2011-04-25 16:11 602112 -c----w- c:\windows\system32\dllcache\msfeeds.dll
    2011-07-08 11:56 . 2011-04-25 16:11 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll
    2011-07-08 11:56 . 2011-04-25 16:11 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll
    2011-07-08 11:56 . 2011-04-25 16:11 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
    2011-07-08 11:56 . 2011-04-25 16:11 247808 -c----w- c:\windows\system32\dllcache\ieproxy.dll
    2011-07-08 11:55 . 2011-04-25 16:11 1991680 -c----w- c:\windows\system32\dllcache\iertutil.dll
    2011-07-08 11:49 . 2011-07-08 11:49 -------- d-----w- c:\documents and settings\Laurie\Application Data\Malwarebytes
    2011-07-08 11:49 . 2011-05-29 13:11 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-07-08 11:49 . 2011-07-08 11:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2011-07-08 11:49 . 2011-07-08 11:49 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-07-08 11:49 . 2011-05-29 13:11 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-07-08 11:44 . 2011-07-12 01:58 -------- d-----w- c:\documents and settings\Laurie\Application Data\uTorrent
    2011-07-08 11:38 . 2011-07-08 11:38 -------- d-----w- c:\program files\QuickPar
    2011-07-08 11:18 . 2011-07-24 19:48 -------- d-----w- c:\documents and settings\Laurie\Local Settings\Application Data\Newsbin
    2011-07-08 11:18 . 2011-07-08 11:19 -------- d-----w- c:\program files\Newsbin
    2011-07-08 10:56 . 2010-07-15 12:44 86408 ----a-w- c:\windows\system32\setupempdrv03.exe
    2011-07-08 10:56 . 2010-07-15 12:44 8456 ----a-w- c:\windows\system32\EuGdiDrv.sys
    2011-07-08 10:56 . 2010-07-15 12:44 13192 ----a-w- c:\windows\system32\epmntdrv.sys
    2011-07-08 10:56 . 2010-07-15 12:44 14848 ----a-w- c:\windows\system32\EuEpmGdi.dll
    2011-07-08 10:55 . 2011-07-08 10:55 -------- d-----w- c:\program files\EASEUS
    2011-07-08 10:49 . 2011-07-08 10:49 -------- d-----w- c:\documents and settings\Laurie\Local Settings\Application Data\Mozilla
    2011-07-08 10:46 . 2011-07-08 10:48 -------- d-----w- c:\documents and settings\Laurie\Local Settings\Application Data\Google
    2011-07-08 10:46 . 2011-07-08 10:46 -------- d-----w- c:\documents and settings\Laurie\Local Settings\Application Data\Deployment
    2011-07-08 10:45 . 2011-07-08 10:45 -------- d-sh--w- c:\documents and settings\Laurie\IECompatCache
    2011-07-08 10:44 . 2011-07-08 10:44 21361 ----a-w- c:\windows\system32\drivers\AegisP.sys
    2011-07-08 10:43 . 2011-07-08 10:44 376832 ----a-w- c:\windows\system32\AegisI5Installer.exe
    2011-07-08 10:43 . 2011-07-08 10:43 -------- d-----w- c:\windows\OPTIONS
    2011-07-08 10:43 . 2010-03-31 18:58 342784 ----a-w- c:\windows\system32\drivers\rtl8187B.sys
    2011-07-08 10:43 . 2008-06-27 13:39 332928 ----a-w- c:\windows\system32\drivers\rtl8187.sys
    2011-07-08 10:43 . 2011-07-11 22:09 -------- d-----w- c:\windows\system32\RtlGina
    2011-07-08 10:43 . 2010-12-01 13:31 451072 ----a-w- c:\windows\system32\ISSRemoveSP.exe
    2011-07-06 07:28 . 2011-07-08 11:17 -------- d-----w- C:\mplayer
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-05-02 15:31 . 2009-08-17 18:07 692736 ----a-w- c:\windows\system32\inetcomm.dll
    2011-04-29 17:25 . 2009-08-17 17:51 151552 ----a-w- c:\windows\system32\schannel.dll
    2011-04-29 16:19 . 2009-08-17 17:51 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
    2011-06-16 04:17 . 2011-07-10 22:29 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "AsusACPIServer"="c:\program files\EeePC\ACPI\AsAcpiSvr.exe" [2009-07-10 700416]
    "AsusEPCMonitor"="c:\program files\EeePC\ACPI\AsEPCMon.exe" [2009-05-08 98304]
    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2009-04-09 1512744]
    "SynAsusAcpi"="c:\program files\Synaptics\SynTP\SynAsusAcpi.exe" [2009-04-09 79144]
    "LiveUpdate"="c:\program files\Asus\LiveUpdate\LiveUpdate.exe" [2009-06-25 712704]
    "EasyMode"="c:\program files\\ASUS\\Easy Mode\\Easy Mode.exe" [2009-03-18 1249280]
    .
    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    REALTEK Wireless LAN Utility.lnk - c:\program files\Realtek\Wireless LAN Utility\RtWLan.exe [2011-7-8 1015808]
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
    @="Driver"
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
    2007-10-10 23:51 39792 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
    2008-04-14 12:00 15360 ----a-w- c:\windows\system32\ctfmon.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
    2009-02-06 22:51 3885408 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
    "c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
    "c:\\Program Files\\Realtek\\Wireless LAN Utility\\RtWLan.exe"=
    "c:\\Program Files\\Newsbin\\newsbinpro.exe"=
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "1542:TCP"= 1542:TCP:Realtek WPS TCP Prot
    "1542:UDP"= 1542:UDP:Realtek WPS UDP Prot
    "53:UDP"= 53:UDP:Realtek AP UDP Prot
    .
    R3 igd;igd;c:\windows\system32\drivers\igxpmp32.sys [8/17/2009 2:24 PM 5097632]
    R3 L1c;NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller;c:\windows\system32\drivers\l1c51x86.sys [8/12/2009 5:35 AM 38912]
    R3 RTLWUSB;Realtek RTL8187 Wireless 802.11b/g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\drivers\rtl8187.sys [7/8/2011 6:43 AM 332928]
    R3 uvclf;uvclf;c:\windows\system32\drivers\uvclf.sys [8/12/2009 5:35 AM 39040]
    S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [7/24/2011 5:33 PM 136360]
    S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [8/17/2009 2:25 PM 1684736]
    S3 epmntdrv;epmntdrv;c:\windows\system32\epmntdrv.sys [7/8/2011 6:56 AM 13192]
    S3 EuGdiDrv;EuGdiDrv;c:\windows\system32\EuGdiDrv.sys [7/8/2011 6:56 AM 8456]
    S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [7/8/2011 7:49 AM 39984]
    .
    --- Other Services/Drivers In Memory ---
    .
    *NewlyCreated* - SSMDRV
    *Deregistered* - avipbb
    *Deregistered* - ssmdrv
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-07-08 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-54177274-1042514724-1164472201-1005Core.job
    - c:\documents and settings\Laurie\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-07-08 10:46]
    .
    2011-07-25 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-54177274-1042514724-1164472201-1005UA.job
    - c:\documents and settings\Laurie\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-07-08 10:46]
    .
    .
    ------- Supplementary Scan -------
    .
    TCP: DhcpNameServer = 192.168.1.1 192.168.1.1
    FF - ProfilePath - c:\documents and settings\Laurie\Application Data\Mozilla\Firefox\Profiles\sqwakfbo.default\
    FF - prefs.js: network.proxy.http - 127.0.0.1
    FF - prefs.js: network.proxy.http_port - 60061
    FF - prefs.js: network.proxy.type - 0
    FF - user.js: network.cookie.cookieBehavior - 0
    FF - user.js: privacy.clearOnShutdown.cookies - false
    FF - user.js: security.warn_viewing_mixed - false
    FF - user.js: security.warn_viewing_mixed.show_once - false
    FF - user.js: security.warn_submit_insecure - false
    FF - user.js: security.warn_submit_insecure.show_once - false
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-07-24 21:26
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'explorer.exe'(4008)
    c:\windows\system32\WININET.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    Completion time: 2011-07-24 21:29:14
    ComboFix-quarantined-files.txt 2011-07-25 01:29
    ComboFix2.txt 2011-07-12 01:49
    .
    Pre-Run: 37,329,793,024 bytes free
    Post-Run: 37,377,388,544 bytes free
    .
    - - End Of File - - 45BCC011548F0AF0CA9DD82425B12917

    Thanks again for your time.
     
  12. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    You're welcome- glad to help. I'm setting up script for you to run through Combofix and there is a file I can't identify. There are no pages other than this thread on the internet for this process, so it needs to be submitted as follows:

    Please go to VirSCAN.org FREE on-line scan service:

    • [1]. Copy and paste the following file path into the Suspicious files to scan box on the top of the page.

      Code:
      c:\windows\system32\proctexet.dll
      
      [2]. At the upload site, click once inside the window next to Browse.
      [3]. Press Ctrl+V on the keyboard (both at the same time) to paste the file path into the window.
      [4]. Click on the Upload button.
      This will perform a scan across multiple different virus scanning engines.
      Your file will possibly be entered into a queue which normally takes less than a minute to clear.
      Important: Wait for all of the scanning engines to complete.
      [5]. Once the Scan is completed scroll down and click on the Copy to Clipboard button. This will copy the link of the report into the Clipboard.
      [6]. Paste the contents of the Clipboard in your next reply.
    ===============================================
    You also need to update Avira because it's showing this: AV: AntiVir Desktop *Disabled/Outdated
    If you look in my instructions, you can note that I instruct you to update after the install. Even if you have to disable it to run a scan, it still needs to be current for the times the system is up and connected to the internet.
    ==============================================
    If the folders are still unhidden, you can do a right click> Delete on each of them as I am going to remove them in the script.
    Please be sure to go back and check 'don't show hidden files and folders' and check 'hide protected system files (Recommended)'. You won't need to unhide them unless I instruct you to do so.
    =====================================
    Go ahead and run the VirSCAN now and let me see the log.
    =====================================
    As for the D Drive, the partition you created, the infected, pirated program is in it.
     
  13. ldesim

    ldesim TS Rookie Topic Starter

    Hi there,

    I tried uploading and it starts, then I get a message "error, can't find upload file". I looked for the file in explorer.. found it and it's a read only file.. could that be why? I tried using the browse function and uploading the file and I tried taking it off read only, but it wouldn't let me... I got an access is denied message.

    I had updated Avira, at least it told me it did.. regardless, I hated the program and went on to install avast! instead which seems much much better. Scan from that turned up clean as well.
     
  14. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    See if either of these sites will do the ID scan. Are you signed on to the Administrative Account?

    VirusTotal
    Jotti

    • [1]. Copy and paste the following file path into the Suspicious files to scan box on the top of the page.

      Code:
      c:\windows\system32\proctexet.dll
      
      [2]. At the upload site, click once inside the window next to Browse.
      [3]. Press Ctrl+V on the keyboard (both at the same time) to paste the file path into the window.
      [4]. Click on the Upload button.
      This will perform a scan across multiple different virus scanning engines.
      Your file will possibly be entered into a queue which normally takes less than a minute to clear.
      Important: Wait for all of the scanning engines to complete.
      [5]. Once the Scan is completed scroll down and click on the Copy to Clipboard button. This will copy the link of the report into the Clipboard.
      [6]. Paste the contents of the Clipboard in your next reply.
     
  15. ldesim

    ldesim TS Rookie Topic Starter

    This is a bit frustrating. Neither of the sites worked.. the first I got no response and the second said "file is empty (0 bytes)".

    The only way that I know how to log into the "administrator" account is to go in safe mode... if I log out normally, I don't get the option to go in to administrator. So I did the safe mode and that .dll does not show up, (I made sure the hide files feature was off) although the accompanying file of proctexe.ocx did. I logged off and into the normal one still in safe mode and again tried to take the read only feature off, but was unable to.
     
  16. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Don't worry about that file. I am going to 'look' at it:

    Please run this Custom CFScript:

    • [1]. Close any open browsers.
      [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      [3]. Open notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it. Be sure to scroll down to include ALL lines.
    Code:
    File::
    Folder::
    c:\windows\system32\PreInstall
    c:\program files\uTorrent
    c:\documents and settings\laurie\local settings\application data\uTorrent
    c:\documents and settings\Laurie\DoctorWeb
    c:\documents and settings\laurie\application data\uTorrent
    c:\documents and settings\Laurie\Application Data\Qeomb
    c:\documents and settings\Laurie\Application Data\Miugy
    c:\documents and settings\All Users\Application Data\TEMP
    c:\documents and settings\All Users\Application Data\Trymedia
    FileLook::
    c:\windows\system32\setupempdrv03.exe
    c:\windows\system32\proctexet.dll
    Registry::
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\uTorrent\\uTorrent.exe"=-
    
    
    Save this as CFScript.txt, in the same location as ComboFix.exe

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt . Please paste in your next reply.
    =============================================
    Recommend you remove Trymedia. The site is rated low by all 4 indices in the WOT Site Advisor.

    Please update the Adobe Reader (Adobe Reader site). Uninstall any earlier updates, as they are vulnerabilities.
     
  17. ldesim

    ldesim TS Rookie Topic Starter

    Hi Bobbye,

    I updated Adobe and ran Combofix and here is log.. Question, is it ok that Avast! seems to have disabled Windows security center? Thank you.

    ComboFix 11-07-27.03 - Laurie 07/27/2011 20:38:38.3.2 - x86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.462 [GMT -4:00]
    Running from: c:\documents and settings\Laurie\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\Laurie\Desktop\CFScript.txt
    AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\documents and settings\All Users\Application Data\TEMP
    c:\documents and settings\All Users\Application Data\Trymedia
    c:\documents and settings\Laurie\Application Data\Miugy
    c:\documents and settings\Laurie\Application Data\Miugy\evzox.tmp
    c:\documents and settings\Laurie\Application Data\Qeomb
    c:\documents and settings\laurie\application data\uTorrent
    c:\documents and settings\laurie\application data\uTorrent\apps\3609FC884502A1DF0AA5D9D160C827BB1BD51FC9.btapp
    c:\documents and settings\laurie\application data\uTorrent\apps\4585805A0BEAAAA6F570825EB241201C227B5E09.btapp
    c:\documents and settings\laurie\application data\uTorrent\dht.dat
    c:\documents and settings\laurie\application data\uTorrent\dlimagecache\10E6FBE4D921B475FA5FEC6E9A535A540D6FEED1
    c:\documents and settings\laurie\application data\uTorrent\dlimagecache\2D78C93EC367E6C1D9894103FA04B3BE5B20A84E
    c:\documents and settings\laurie\application data\uTorrent\dlimagecache\BBEEC0395D21A2A7F91889D7C7509F3D5D46FC05
    c:\documents and settings\laurie\application data\uTorrent\ie\ie.1310125527.tmp
    c:\documents and settings\laurie\application data\uTorrent\resume.dat
    c:\documents and settings\laurie\application data\uTorrent\rss.dat
    c:\documents and settings\laurie\application data\uTorrent\settings.dat
    c:\documents and settings\laurie\application data\uTorrent\settings.dat.old
    c:\documents and settings\Laurie\DoctorWeb
    c:\documents and settings\Laurie\DoctorWeb\CureIt.log
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-06-28 to 2011-07-28 )))))))))))))))))))))))))))))))
    .
    .
    2011-07-27 22:21 . 2011-07-27 22:21 -------- d-----w- c:\program files\Common Files\Adobe
    2011-07-27 22:11 . 2011-07-27 22:11 -------- d-----w- c:\program files\Common Files\Adobe AIR
    2011-07-25 02:14 . 2011-05-10 12:03 307928 ----a-w- c:\windows\system32\drivers\aswSP.sys
    2011-07-25 02:14 . 2011-05-10 11:59 19544 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
    2011-07-25 02:14 . 2011-05-10 11:59 25432 ----a-w- c:\windows\system32\drivers\aswRdr.sys
    2011-07-25 02:14 . 2011-05-10 12:03 441176 ----a-w- c:\windows\system32\drivers\aswSnx.sys
    2011-07-25 02:14 . 2011-05-10 12:02 49240 ----a-w- c:\windows\system32\drivers\aswTdi.sys
    2011-07-25 02:14 . 2011-05-10 12:02 102616 ----a-w- c:\windows\system32\drivers\aswmon2.sys
    2011-07-25 02:14 . 2011-05-10 12:02 96344 ----a-w- c:\windows\system32\drivers\aswmon.sys
    2011-07-25 02:14 . 2011-05-10 11:59 30808 ----a-w- c:\windows\system32\drivers\aavmker4.sys
    2011-07-25 02:13 . 2011-05-10 12:10 40112 ----a-w- c:\windows\avastSS.scr
    2011-07-25 02:13 . 2011-05-10 12:10 199304 ----a-w- c:\windows\system32\aswBoot.exe
    2011-07-25 02:13 . 2011-07-25 02:13 -------- d-----w- c:\program files\AVAST Software
    2011-07-25 02:13 . 2011-07-25 02:13 -------- d-----w- c:\documents and settings\All Users\Application Data\AVAST Software
    2011-07-17 18:34 . 2011-07-17 18:34 -------- d-----w- c:\documents and settings\All Users\Application Data\SulusGames
    2011-07-17 18:28 . 2011-07-17 18:30 -------- d-----w- c:\documents and settings\Laurie\Application Data\Peace Craft
    2011-07-15 23:29 . 2011-07-15 23:29 -------- d-----w- C:\_OTM
    2011-07-13 02:42 . 2011-07-13 02:42 -------- d-----w- c:\program files\ESET
    2011-07-10 20:19 . 2011-07-10 20:19 -------- d-----w- c:\documents and settings\Administrator
    2011-07-10 18:51 . 2011-07-10 18:51 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
    2011-07-10 18:40 . 2011-07-10 18:48 -------- d-----w- c:\documents and settings\Laurie\Local Settings\Application Data\Identities
    2011-07-10 18:36 . 2011-07-10 19:59 -------- d-----w- c:\documents and settings\All Users\Application Data\WSTB
    2011-07-10 18:34 . 2011-07-10 18:34 106496 --sha-r- c:\windows\system32\proctexet.dll
    2011-07-10 18:17 . 2011-07-10 18:17 -------- d-----w- c:\program files\Common Files\Sandlot Shared
    2011-07-10 18:17 . 2011-07-10 18:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Sandlot Games
    2011-07-10 01:35 . 2011-07-10 01:35 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2011-07-09 21:55 . 2011-07-09 21:57 -------- d-----w- c:\documents and settings\Laurie\Application Data\PeaceCraft2
    2011-07-09 20:19 . 2011-07-22 22:56 -------- d-----w- c:\documents and settings\Laurie\Local Settings\Application Data\QuickPar
    2011-07-09 15:45 . 2011-07-09 15:45 -------- d-----w- c:\documents and settings\Laurie\Application Data\Meridian93
    2011-07-09 04:59 . 2011-07-09 04:59 -------- d-----w- c:\windows\system32\XPSViewer
    2011-07-09 04:58 . 2011-07-09 04:58 -------- d-----w- c:\program files\MSBuild
    2011-07-09 04:58 . 2011-07-09 04:58 -------- d-----w- c:\program files\Reference Assemblies
    2011-07-09 04:58 . 2008-07-06 12:06 89088 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\filterpipelineprintproc.dll
    2011-07-09 04:58 . 2008-07-06 12:06 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
    2011-07-09 04:58 . 2008-07-06 12:06 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
    2011-07-09 04:58 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
    2011-07-09 04:58 . 2008-07-06 12:06 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
    2011-07-09 04:58 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
    2011-07-09 04:58 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
    2011-07-09 04:58 . 2008-07-06 10:50 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
    2011-07-09 04:58 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\Spool\prtprocs\w32x86\printfilterpipelinesvc.exe
    2011-07-09 04:52 . 2011-07-09 04:52 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
    2011-07-08 11:56 . 2011-04-25 16:11 602112 -c----w- c:\windows\system32\dllcache\msfeeds.dll
    2011-07-08 11:56 . 2011-04-25 16:11 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll
    2011-07-08 11:56 . 2011-04-25 16:11 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll
    2011-07-08 11:56 . 2011-04-25 16:11 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
    2011-07-08 11:56 . 2011-04-25 16:11 247808 -c----w- c:\windows\system32\dllcache\ieproxy.dll
    2011-07-08 11:55 . 2011-04-25 16:11 1991680 -c----w- c:\windows\system32\dllcache\iertutil.dll
    2011-07-08 11:49 . 2011-07-08 11:49 -------- d-----w- c:\documents and settings\Laurie\Application Data\Malwarebytes
    2011-07-08 11:49 . 2011-05-29 13:11 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-07-08 11:49 . 2011-07-08 11:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2011-07-08 11:49 . 2011-07-08 11:49 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-07-08 11:49 . 2011-05-29 13:11 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-07-08 11:38 . 2011-07-08 11:38 -------- d-----w- c:\program files\QuickPar
    2011-07-08 11:18 . 2011-07-27 23:39 -------- d-----w- c:\documents and settings\Laurie\Local Settings\Application Data\Newsbin
    2011-07-08 11:18 . 2011-07-08 11:19 -------- d-----w- c:\program files\Newsbin
    2011-07-08 10:56 . 2010-07-15 12:44 86408 ----a-w- c:\windows\system32\setupempdrv03.exe
    2011-07-08 10:56 . 2010-07-15 12:44 8456 ----a-w- c:\windows\system32\EuGdiDrv.sys
    2011-07-08 10:56 . 2010-07-15 12:44 13192 ----a-w- c:\windows\system32\epmntdrv.sys
    2011-07-08 10:56 . 2010-07-15 12:44 14848 ----a-w- c:\windows\system32\EuEpmGdi.dll
    2011-07-08 10:55 . 2011-07-08 10:55 -------- d-----w- c:\program files\EASEUS
    2011-07-08 10:49 . 2011-07-08 10:49 -------- d-----w- c:\documents and settings\Laurie\Local Settings\Application Data\Mozilla
    2011-07-08 10:46 . 2011-07-08 10:48 -------- d-----w- c:\documents and settings\Laurie\Local Settings\Application Data\Google
    2011-07-08 10:46 . 2011-07-08 10:46 -------- d-----w- c:\documents and settings\Laurie\Local Settings\Application Data\Deployment
    2011-07-08 10:45 . 2011-07-08 10:45 -------- d-sh--w- c:\documents and settings\Laurie\IECompatCache
    2011-07-08 10:44 . 2011-07-08 10:44 21361 ----a-w- c:\windows\system32\drivers\AegisP.sys
    2011-07-08 10:43 . 2011-07-08 10:44 376832 ----a-w- c:\windows\system32\AegisI5Installer.exe
    2011-07-08 10:43 . 2011-07-08 10:43 -------- d-----w- c:\windows\OPTIONS
    2011-07-08 10:43 . 2010-03-31 18:58 342784 ----a-w- c:\windows\system32\drivers\rtl8187B.sys
    2011-07-08 10:43 . 2008-06-27 13:39 332928 ----a-w- c:\windows\system32\drivers\rtl8187.sys
    2011-07-08 10:43 . 2011-07-11 22:09 -------- d-----w- c:\windows\system32\RtlGina
    2011-07-08 10:43 . 2010-12-01 13:31 451072 ----a-w- c:\windows\system32\ISSRemoveSP.exe
    2011-07-06 07:28 . 2011-07-08 11:17 -------- d-----w- C:\mplayer
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-05-02 15:31 . 2009-08-17 18:07 692736 ----a-w- c:\windows\system32\inetcomm.dll
    2011-04-29 17:25 . 2009-08-17 17:51 151552 ----a-w- c:\windows\system32\schannel.dll
    2011-04-29 16:19 . 2009-08-17 17:51 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
    2011-06-16 04:17 . 2011-07-10 22:29 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
    .
    .
    (((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    --- c:\windows\system32\proctexet.dll ---
    Company: ------
    File Description: ------
    File Version: ------
    Product Name: ------
    Copyright: ------
    Original Filename: ------
    File size: 106496
    Created time: 2011-07-10 18:34
    Modified time: 2011-07-10 18:34
    MD5: !HASH: COULD NOT OPEN FILE !!!!!
    SHA1: !HASH: COULD NOT OPEN FILE !!!!!
    .
    .
    --- c:\windows\system32\setupempdrv03.exe ---
    Company: ------
    File Description: ------
    File Version: ------
    Product Name: ------
    Copyright: ------
    Original Filename: ------
    File size: 86408
    Created time: 2011-07-08 10:56
    Modified time: 2010-07-15 12:44
    MD5: 780FB595E5E11355A8313F644329E3EB
    SHA1: 2A4714FF389BB2391F9C57CE9DA6064AC2AED8EE
    .
    .
    ((((((((((((((((((((((((((((( SnapShot@2011-07-25_01.26.54 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2009-08-17 17:51 . 2011-07-27 21:16 68062 c:\windows\system32\perfc009.dat
    - 2009-08-17 17:51 . 2011-07-25 01:15 68062 c:\windows\system32\perfc009.dat
    + 2011-07-27 22:11 . 2011-07-27 22:11 28160 c:\windows\Installer\372583.msi
    + 2009-08-17 17:51 . 2011-07-27 21:16 433256 c:\windows\system32\perfh009.dat
    - 2009-08-17 17:51 . 2011-07-25 01:15 433256 c:\windows\system32\perfh009.dat
    + 2011-07-27 22:21 . 2011-07-27 22:21 2295808 c:\windows\Installer\372873.msi
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
    @="{472083B0-C522-11CF-8763-00608CC02F24}"
    [HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
    2011-05-10 12:10 122512 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "AsusACPIServer"="c:\program files\EeePC\ACPI\AsAcpiSvr.exe" [2009-07-10 700416]
    "AsusEPCMonitor"="c:\program files\EeePC\ACPI\AsEPCMon.exe" [2009-05-08 98304]
    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2009-04-09 1512744]
    "SynAsusAcpi"="c:\program files\Synaptics\SynTP\SynAsusAcpi.exe" [2009-04-09 79144]
    "LiveUpdate"="c:\program files\Asus\LiveUpdate\LiveUpdate.exe" [2009-06-25 712704]
    "EasyMode"="c:\program files\\ASUS\\Easy Mode\\Easy Mode.exe" [2009-03-18 1249280]
    "avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2011-05-10 3459712]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]
    .
    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    REALTEK Wireless LAN Utility.lnk - c:\program files\Realtek\Wireless LAN Utility\RtWLan.exe [2011-7-8 1015808]
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
    @="Driver"
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
    2008-04-14 12:00 15360 ----a-w- c:\windows\system32\ctfmon.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
    2009-02-06 22:51 3885408 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
    "c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
    "c:\\Program Files\\Realtek\\Wireless LAN Utility\\RtWLan.exe"=
    "c:\\Program Files\\Newsbin\\newsbinpro.exe"=
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "1542:TCP"= 1542:TCP:Realtek WPS TCP Prot
    "1542:UDP"= 1542:UDP:Realtek WPS UDP Prot
    "53:UDP"= 53:UDP:Realtek AP UDP Prot
    .
    R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [7/24/2011 10:14 PM 441176]
    R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [7/24/2011 10:14 PM 307928]
    R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [7/24/2011 10:14 PM 19544]
    R3 igd;igd;c:\windows\system32\drivers\igxpmp32.sys [8/17/2009 2:24 PM 5097632]
    R3 L1c;NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller;c:\windows\system32\drivers\l1c51x86.sys [8/12/2009 5:35 AM 38912]
    R3 RTLWUSB;Realtek RTL8187 Wireless 802.11b/g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\drivers\rtl8187.sys [7/8/2011 6:43 AM 332928]
    R3 uvclf;uvclf;c:\windows\system32\drivers\uvclf.sys [8/12/2009 5:35 AM 39040]
    S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [8/17/2009 2:25 PM 1684736]
    S3 epmntdrv;epmntdrv;c:\windows\system32\epmntdrv.sys [7/8/2011 6:56 AM 13192]
    S3 EuGdiDrv;EuGdiDrv;c:\windows\system32\EuGdiDrv.sys [7/8/2011 6:56 AM 8456]
    S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [7/8/2011 7:49 AM 39984]
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-07-25 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-54177274-1042514724-1164472201-1005Core.job
    - c:\documents and settings\Laurie\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-07-08 10:46]
    .
    2011-07-27 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-54177274-1042514724-1164472201-1005UA.job
    - c:\documents and settings\Laurie\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-07-08 10:46]
    .
    .
    ------- Supplementary Scan -------
    .
    TCP: DhcpNameServer = 192.168.1.1 192.168.1.1
    FF - ProfilePath - c:\documents and settings\Laurie\Application Data\Mozilla\Firefox\Profiles\sqwakfbo.default\
    FF - prefs.js: network.proxy.http - 127.0.0.1
    FF - prefs.js: network.proxy.http_port - 60061
    FF - prefs.js: network.proxy.type - 0
    FF - user.js: network.cookie.cookieBehavior - 0
    FF - user.js: privacy.clearOnShutdown.cookies - false
    FF - user.js: security.warn_viewing_mixed - false
    FF - user.js: security.warn_viewing_mixed.show_once - false
    FF - user.js: security.warn_submit_insecure - false
    FF - user.js: security.warn_submit_insecure.show_once - false
    .
    - - - - ORPHANS REMOVED - - - -
    .
    MSConfigStartUp-Adobe Reader Speed Launcher - c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe
    .
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-07-27 20:50
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    Completion time: 2011-07-27 20:56:06
    ComboFix-quarantined-files.txt 2011-07-28 00:55
    ComboFix2.txt 2011-07-25 01:40
    ComboFix3.txt 2011-07-12 01:49
    .
    Pre-Run: 37,142,941,696 bytes free
    Post-Run: 37,128,638,464 bytes free
    .
    - - End Of File - - 9820B24607887307D7F03896DCD09F89
     
  18. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    There is no indication in Combofix that the Security Center is disabled. And Avast wouldn't disable it. Please check the settings for the Security Center in the Control Panel. Also check the Avast configuration.

    The system looks good. But it won't stay that way if you go back to using uTorrent or other file sharing programs.
    The WinTools program that was pirated became infected because of using a torrent site. You have the file on the D Drive.
    =======================================
    If you haven't done this, please do so:
    Reset your browser proxies
    o For Firefox:
    o Open Firefox, click on "Tools" then "Options" and then on "Advanced".
    o Click on the "Network" tab, and then on the "Settings" button.
    o Please make sure that the "No Proxy" option is selected.
    ================================================
    I'd like you to update and run a new Eset online virus scan.
    ============================================
    Please run this Custom CFScript:

    • [1]. Close any open browsers.
      [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      [3]. Open notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it. Be sure to scroll down to include ALL lines.
    Code:
    File::
    c:\windows\system32\setupempdrv03.exe
    c:\windows\system32\proctexet.dll
    
    Save this as CFScript.txt, in the same location as ComboFix.exe

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt . Please paste in your next reply.
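One way to triage a ComboFix log for the two things the helper reacted to in the log from post 17 (the hidden, read-only proctexet.dll in system32, and the Firefox proxy and security-warning prefs that the "reset your browser proxies" step addresses), as an added Python example that is not part of this thread and not ComboFix's own code. It parses the "Files Created" lines and the "FF -" lines of a log and reports findings. The line shapes, the attribute-letter layout (d=directory, s=system, h=hidden, a=archive, r=read-only) and the sample lines are taken from the log posted above; the finding names and thresholds are this example's own assumptions.

```python
"""Triage helper for ComboFix log text (added example, not part of ComboFix).

Flags two indicators seen in the thread's log:
  * a non-directory under c:\\windows\\system32 carrying both the system and
    hidden attributes (e.g. "--sha-r-" on proctexet.dll);
  * Firefox proxy settings pointing at the loopback address, plus
    security.warn_* prefs forced to false from user.js (user.js is re-applied
    on every Firefox start, so a reset in the Options dialog alone may not stick).
"""
import re
from dataclasses import dataclass

# Line shapes copied from the ComboFix log posted in this thread:
#   2011-07-10 18:34 . 2011-07-10 18:34 106496 --sha-r- c:\windows\system32\proctexet.dll
#   FF - prefs.js: network.proxy.http - 127.0.0.1
FILE_RE = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d) \. (\d{4}-\d\d-\d\d \d\d:\d\d) (\S+) (\S{8}) (.+)$"
)
FF_RE = re.compile(r"^FF - (prefs\.js|user\.js): (\S+) - (.*)$")
LOOPBACK = ("127.", "localhost", "::1")


@dataclass
class Finding:
    kind: str
    subject: str
    detail: str


def _file_finding(match):
    created, _modified, size, flags, path = match.groups()
    # Attribute column layout inferred from the posted log: d=directory,
    # s=system, h=hidden, a=archive, r=read-only, w=writable, c=compressed.
    is_dir = flags.startswith("d")
    hidden_system = "s" in flags and "h" in flags
    in_system32 = path.lower().startswith("c:\\windows\\system32\\")
    if not is_dir and hidden_system and in_system32:
        return Finding("hidden-system-file", path,
                       f"attributes {flags}, {size} bytes, created {created}")
    return None


def _firefox_findings(prefs):
    """prefs maps pref name -> (source file, value) as ComboFix reported them."""
    out = []
    # network.proxy.type 1 = manual proxy; 0 = direct connection (no proxy).
    proxy_type = prefs.get("network.proxy.type", ("", ""))[1]
    for scheme in ("http", "ssl", "ftp", "socks"):
        entry = prefs.get(f"network.proxy.{scheme}")
        if entry and entry[1].lower().startswith(LOOPBACK):
            port = prefs.get(f"network.proxy.{scheme}_port", ("", "?"))[1]
            state = ("active" if proxy_type == "1"
                     else f"not active (network.proxy.type = {proxy_type!r})")
            out.append(Finding("loopback-proxy",
                               f"{scheme} proxy {entry[1]}:{port}", state))
    for pref, (source, value) in prefs.items():
        if source == "user.js" and pref.startswith("security.warn_") and value == "false":
            out.append(Finding("warning-suppressed", pref,
                               "forced by user.js, re-applied on every Firefox start"))
    return out


def triage(log_text):
    """Return a list of Findings from the text of a ComboFix log."""
    findings = []
    prefs = {}
    for raw in log_text.splitlines():
        line = raw.strip()
        m = FILE_RE.match(line)
        if m:
            f = _file_finding(m)
            if f:
                findings.append(f)
            continue
        m = FF_RE.match(line)
        if m:
            source, pref, value = m.groups()
            prefs[pref] = (source, value.strip())
    findings.extend(_firefox_findings(prefs))
    return findings


# Constructed sample: a handful of lines copied from the log in post 17.
SAMPLE_LOG = r"""2011-07-25 02:14 . 2011-05-10 12:03 307928 ----a-w- c:\windows\system32\drivers\aswSP.sys
2011-07-10 18:51 . 2011-07-10 18:51 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2011-07-10 18:34 . 2011-07-10 18:34 106496 --sha-r- c:\windows\system32\proctexet.dll
2011-07-08 11:56 . 2011-04-25 16:11 602112 -c----w- c:\windows\system32\dllcache\msfeeds.dll
TCP: DhcpNameServer = 192.168.1.1 192.168.1.1
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 60061
FF - prefs.js: network.proxy.type - 0
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.kind}] {f.subject}: {f.detail}")
```

On the sample this reports one hidden system file (proctexet.dll), one loopback proxy (http 127.0.0.1:60061, not active because network.proxy.type is 0) and four suppressed security warnings. The proxy being inactive matches the helper's "check that No Proxy is selected" advice rather than an active hijack, but the user.js overrides are the part worth removing, since they are reloaded at every start.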
     
  19. ldesim

    ldesim TS Rookie Topic Starter

    Hiya,

    Eset turned up something that seems to look bad? Here's the log:

    C:\System Volume Information\_restore{8244A3B9-3806-4325-B0B1-93AAAAE4ABBF}\RP7\A0001287.exe multiple threats
    C:\_OTM\MovedFiles\07152011_192950\D_Software\Wintools.neT.Ult.v10.7.1.rar probably a variant of Win32/SdBot.IBJMWKD trojan

    And here is ComboFix:

    ComboFix 11-08-01.05 - Laurie 08/01/2011 21:26:51.4.2 - x86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.447 [GMT -4:00]
    Running from: c:\documents and settings\Laurie\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\Laurie\Desktop\CFScript.txt
    AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
    .
    FILE ::
    "c:\windows\system32\proctexet.dll"
    "c:\windows\system32\setupempdrv03.exe"
    .
    .
    ((((((((((((((((((((((((( Files Created from 2011-07-02 to 2011-08-02 )))))))))))))))))))))))))))))))
    .
    .
    2011-07-31 22:44 . 2011-07-31 22:44 -------- d-----w- c:\documents and settings\Laurie\Local Settings\Application Data\Temp
    2011-07-27 22:21 . 2011-07-27 22:21 -------- d-----w- c:\program files\Common Files\Adobe
    2011-07-27 22:11 . 2011-07-27 22:11 -------- d-----w- c:\program files\Common Files\Adobe AIR
    2011-07-25 02:14 . 2011-05-10 12:03 307928 ----a-w- c:\windows\system32\drivers\aswSP.sys
    2011-07-25 02:14 . 2011-05-10 11:59 19544 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
    2011-07-25 02:14 . 2011-05-10 11:59 25432 ----a-w- c:\windows\system32\drivers\aswRdr.sys
    2011-07-25 02:14 . 2011-05-10 12:03 441176 ----a-w- c:\windows\system32\drivers\aswSnx.sys
    2011-07-25 02:14 . 2011-05-10 12:02 49240 ----a-w- c:\windows\system32\drivers\aswTdi.sys
    2011-07-25 02:14 . 2011-05-10 12:02 102616 ----a-w- c:\windows\system32\drivers\aswmon2.sys
    2011-07-25 02:14 . 2011-05-10 12:02 96344 ----a-w- c:\windows\system32\drivers\aswmon.sys
    2011-07-25 02:14 . 2011-05-10 11:59 30808 ----a-w- c:\windows\system32\drivers\aavmker4.sys
    2011-07-25 02:13 . 2011-05-10 12:10 40112 ----a-w- c:\windows\avastSS.scr
    2011-07-25 02:13 . 2011-05-10 12:10 199304 ----a-w- c:\windows\system32\aswBoot.exe
    2011-07-25 02:13 . 2011-07-25 02:13 -------- d-----w- c:\program files\AVAST Software
    2011-07-25 02:13 . 2011-07-25 02:13 -------- d-----w- c:\documents and settings\All Users\Application Data\AVAST Software
    2011-07-17 18:34 . 2011-07-17 18:34 -------- d-----w- c:\documents and settings\All Users\Application Data\SulusGames
    2011-07-17 18:28 . 2011-07-17 18:30 -------- d-----w- c:\documents and settings\Laurie\Application Data\Peace Craft
    2011-07-15 23:29 . 2011-07-15 23:29 -------- d-----w- C:\_OTM
    2011-07-13 02:42 . 2011-07-13 02:42 -------- d-----w- c:\program files\ESET
    2011-07-10 20:19 . 2011-07-10 20:19 -------- d-----w- c:\documents and settings\Administrator
    2011-07-10 18:51 . 2011-07-10 18:51 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
    2011-07-10 18:40 . 2011-07-10 18:48 -------- d-----w- c:\documents and settings\Laurie\Local Settings\Application Data\Identities
    2011-07-10 18:36 . 2011-07-10 19:59 -------- d-----w- c:\documents and settings\All Users\Application Data\WSTB
    2011-07-10 18:34 . 2011-07-10 18:34 106496 --sha-r- c:\windows\system32\proctexet.dll
    2011-07-10 18:17 . 2011-07-10 18:17 -------- d-----w- c:\program files\Common Files\Sandlot Shared
    2011-07-10 18:17 . 2011-07-10 18:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Sandlot Games
    2011-07-10 01:35 . 2011-07-10 01:35 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
    2011-07-09 21:55 . 2011-07-09 21:57 -------- d-----w- c:\documents and settings\Laurie\Application Data\PeaceCraft2
    2011-07-09 20:19 . 2011-07-22 22:56 -------- d-----w- c:\documents and settings\Laurie\Local Settings\Application Data\QuickPar
    2011-07-09 15:45 . 2011-07-09 15:45 -------- d-----w- c:\documents and settings\Laurie\Application Data\Meridian93
    2011-07-09 04:59 . 2011-07-09 04:59 -------- d-----w- c:\windows\system32\XPSViewer
    2011-07-09 04:58 . 2011-07-09 04:58 -------- d-----w- c:\program files\MSBuild
    2011-07-09 04:58 . 2011-07-09 04:58 -------- d-----w- c:\program files\Reference Assemblies
    2011-07-09 04:58 . 2008-07-06 12:06 89088 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\filterpipelineprintproc.dll
    2011-07-09 04:58 . 2008-07-06 12:06 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
    2011-07-09 04:58 . 2008-07-06 12:06 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
    2011-07-09 04:58 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
    2011-07-09 04:58 . 2008-07-06 12:06 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
    2011-07-09 04:58 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
    2011-07-09 04:58 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
    2011-07-09 04:58 . 2008-07-06 10:50 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
    2011-07-09 04:58 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\Spool\prtprocs\w32x86\printfilterpipelinesvc.exe
    2011-07-09 04:52 . 2011-07-09 04:52 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
    2011-07-08 11:56 . 2011-04-25 16:11 602112 -c----w- c:\windows\system32\dllcache\msfeeds.dll
    2011-07-08 11:56 . 2011-04-25 16:11 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll
    2011-07-08 11:56 . 2011-04-25 16:11 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll
    2011-07-08 11:56 . 2011-04-25 16:11 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
    2011-07-08 11:56 . 2011-04-25 16:11 247808 -c----w- c:\windows\system32\dllcache\ieproxy.dll
    2011-07-08 11:55 . 2011-04-25 16:11 1991680 -c----w- c:\windows\system32\dllcache\iertutil.dll
    2011-07-08 11:49 . 2011-07-08 11:49 -------- d-----w- c:\documents and settings\Laurie\Application Data\Malwarebytes
    2011-07-08 11:49 . 2011-05-29 13:11 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2011-07-08 11:49 . 2011-07-08 11:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2011-07-08 11:49 . 2011-07-08 11:49 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2011-07-08 11:49 . 2011-05-29 13:11 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
    2011-07-08 11:38 . 2011-07-08 11:38 -------- d-----w- c:\program files\QuickPar
    2011-07-08 11:18 . 2011-08-02 01:19 -------- d-----w- c:\documents and settings\Laurie\Local Settings\Application Data\Newsbin
    2011-07-08 11:18 . 2011-07-08 11:19 -------- d-----w- c:\program files\Newsbin
    2011-07-08 10:56 . 2010-07-15 12:44 86408 ----a-w- c:\windows\system32\setupempdrv03.exe
    2011-07-08 10:56 . 2010-07-15 12:44 8456 ----a-w- c:\windows\system32\EuGdiDrv.sys
    2011-07-08 10:56 . 2010-07-15 12:44 13192 ----a-w- c:\windows\system32\epmntdrv.sys
    2011-07-08 10:56 . 2010-07-15 12:44 14848 ----a-w- c:\windows\system32\EuEpmGdi.dll
    2011-07-08 10:55 . 2011-07-08 10:55 -------- d-----w- c:\program files\EASEUS
    2011-07-08 10:49 . 2011-07-08 10:49 -------- d-----w- c:\documents and settings\Laurie\Local Settings\Application Data\Mozilla
    2011-07-08 10:46 . 2011-07-08 10:48 -------- d-----w- c:\documents and settings\Laurie\Local Settings\Application Data\Google
    2011-07-08 10:46 . 2011-07-08 10:46 -------- d-----w- c:\documents and settings\Laurie\Local Settings\Application Data\Deployment
    2011-07-08 10:45 . 2011-07-08 10:45 -------- d-sh--w- c:\documents and settings\Laurie\IECompatCache
    2011-07-08 10:44 . 2011-07-08 10:44 21361 ----a-w- c:\windows\system32\drivers\AegisP.sys
    2011-07-08 10:43 . 2011-07-08 10:44 376832 ----a-w- c:\windows\system32\AegisI5Installer.exe
    2011-07-08 10:43 . 2011-07-08 10:43 -------- d-----w- c:\windows\OPTIONS
    2011-07-08 10:43 . 2010-03-31 18:58 342784 ----a-w- c:\windows\system32\drivers\rtl8187B.sys
    2011-07-08 10:43 . 2008-06-27 13:39 332928 ----a-w- c:\windows\system32\drivers\rtl8187.sys
    2011-07-08 10:43 . 2011-07-11 22:09 -------- d-----w- c:\windows\system32\RtlGina
    2011-07-08 10:43 . 2010-12-01 13:31 451072 ----a-w- c:\windows\system32\ISSRemoveSP.exe
    2011-07-06 07:28 . 2011-07-08 11:17 -------- d-----w- C:\mplayer
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-06-02 14:02 . 2009-08-17 17:51 1858944 ----a-w- c:\windows\system32\win32k.sys
    2011-06-16 04:17 . 2011-07-10 22:29 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
    .
    .
    ((((((((((((((((((((((((((((( SnapShot@2011-07-25_01.26.54 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2009-08-17 19:19 . 2010-07-05 13:15 17272 c:\windows\system32\spmsg.dll
    - 2009-08-17 19:19 . 2010-02-22 14:23 17272 c:\windows\system32\spmsg.dll
    - 2009-08-17 17:51 . 2011-07-25 01:15 68062 c:\windows\system32\perfc009.dat
    + 2009-08-17 17:51 . 2011-08-01 22:06 68062 c:\windows\system32\perfc009.dat
    + 2009-08-17 17:51 . 2011-04-26 11:07 33280 c:\windows\system32\dllcache\csrsrv.dll
    - 2009-08-17 17:51 . 2010-12-09 14:30 33280 c:\windows\system32\dllcache\csrsrv.dll
    - 2009-08-17 17:51 . 2010-12-09 14:30 33280 c:\windows\system32\csrsrv.dll
    + 2009-08-17 17:51 . 2011-04-26 11:07 33280 c:\windows\system32\csrsrv.dll
    + 2011-07-27 22:11 . 2011-07-27 22:11 28160 c:\windows\Installer\372583.msi
    - 2009-08-17 17:51 . 2010-06-18 17:45 293376 c:\windows\system32\winsrv.dll
    + 2009-08-17 17:51 . 2011-04-26 11:07 293376 c:\windows\system32\winsrv.dll
    + 2009-08-17 17:51 . 2011-08-01 22:06 433256 c:\windows\system32\perfh009.dat
    - 2009-08-17 17:51 . 2011-07-25 01:15 433256 c:\windows\system32\perfh009.dat
    - 2009-08-17 10:59 . 2011-07-09 20:12 248696 c:\windows\system32\FNTCACHE.DAT
    + 2009-08-17 10:59 . 2011-07-29 00:56 248696 c:\windows\system32\FNTCACHE.DAT
    - 2009-08-17 17:51 . 2010-06-18 17:45 293376 c:\windows\system32\dllcache\winsrv.dll
    + 2009-08-17 17:51 . 2011-04-26 11:07 293376 c:\windows\system32\dllcache\winsrv.dll
    + 2009-08-17 17:51 . 2011-06-02 14:02 1858944 c:\windows\system32\dllcache\win32k.sys
    + 2011-07-27 22:21 . 2011-07-27 22:21 2295808 c:\windows\Installer\372873.msi
    + 2011-07-08 12:19 . 2011-07-29 00:49 49089992 c:\windows\system32\MRT.exe
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
    @="{472083B0-C522-11CF-8763-00608CC02F24}"
    [HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
    2011-05-10 12:10 122512 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "AsusACPIServer"="c:\program files\EeePC\ACPI\AsAcpiSvr.exe" [2009-07-10 700416]
    "AsusEPCMonitor"="c:\program files\EeePC\ACPI\AsEPCMon.exe" [2009-05-08 98304]
    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2009-04-09 1512744]
    "SynAsusAcpi"="c:\program files\Synaptics\SynTP\SynAsusAcpi.exe" [2009-04-09 79144]
    "LiveUpdate"="c:\program files\Asus\LiveUpdate\LiveUpdate.exe" [2009-06-25 712704]
    "EasyMode"="c:\program files\\ASUS\\Easy Mode\\Easy Mode.exe" [2009-03-18 1249280]
    "avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2011-05-10 3459712]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]
    .
    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    REALTEK Wireless LAN Utility.lnk - c:\program files\Realtek\Wireless LAN Utility\RtWLan.exe [2011-7-8 1015808]
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
    @="Driver"
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
    2008-04-14 12:00 15360 ----a-w- c:\windows\system32\ctfmon.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
    2009-02-06 22:51 3885408 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
    "c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
    "c:\\Program Files\\Realtek\\Wireless LAN Utility\\RtWLan.exe"=
    "c:\\Program Files\\Newsbin\\newsbinpro.exe"=
    .
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "1542:TCP"= 1542:TCP:Realtek WPS TCP Prot
    "1542:UDP"= 1542:UDP:Realtek WPS UDP Prot
    "53:UDP"= 53:UDP:Realtek AP UDP Prot
    .
    R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [7/24/2011 10:14 PM 441176]
    R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [7/24/2011 10:14 PM 307928]
    R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [7/24/2011 10:14 PM 19544]
    R3 igd;igd;c:\windows\system32\drivers\igxpmp32.sys [8/17/2009 2:24 PM 5097632]
    R3 L1c;NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller;c:\windows\system32\drivers\l1c51x86.sys [8/12/2009 5:35 AM 38912]
    R3 RTLWUSB;Realtek RTL8187 Wireless 802.11b/g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\drivers\rtl8187.sys [7/8/2011 6:43 AM 332928]
    R3 uvclf;uvclf;c:\windows\system32\drivers\uvclf.sys [8/12/2009 5:35 AM 39040]
    S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [8/17/2009 2:25 PM 1684736]
    S3 epmntdrv;epmntdrv;c:\windows\system32\epmntdrv.sys [7/8/2011 6:56 AM 13192]
    S3 EuGdiDrv;EuGdiDrv;c:\windows\system32\EuGdiDrv.sys [7/8/2011 6:56 AM 8456]
    S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [7/8/2011 7:49 AM 39984]
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2011-07-31 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-54177274-1042514724-1164472201-1005Core.job
    - c:\documents and settings\Laurie\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-07-08 10:46]
    .
    2011-08-02 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-54177274-1042514724-1164472201-1005UA.job
    - c:\documents and settings\Laurie\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-07-08 10:46]
    .
    .
    ------- Supplementary Scan -------
    .
    TCP: DhcpNameServer = 192.168.1.1 192.168.1.1
    FF - ProfilePath - c:\documents and settings\Laurie\Application Data\Mozilla\Firefox\Profiles\sqwakfbo.default\
    FF - prefs.js: network.proxy.http - 127.0.0.1
    FF - prefs.js: network.proxy.http_port - 60061
    FF - prefs.js: network.proxy.type - 0
    FF - user.js: network.cookie.cookieBehavior - 0
    FF - user.js: privacy.clearOnShutdown.cookies - false
    FF - user.js: security.warn_viewing_mixed - false
    FF - user.js: security.warn_viewing_mixed.show_once - false
    FF - user.js: security.warn_submit_insecure - false
    FF - user.js: security.warn_submit_insecure.show_once - false
    .
    .
    **************************************************************************
    .
    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-08-01 21:39
    Windows 5.1.2600 Service Pack 3 NTFS
    .
    scanning hidden processes ...
    .
    scanning hidden autostart entries ...
    .
    scanning hidden files ...
    .
    scan completed successfully
    hidden files: 0
    .
    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'explorer.exe'(3300)
    c:\windows\system32\WININET.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    Completion time: 2011-08-01 21:44:09
    ComboFix-quarantined-files.txt 2011-08-02 01:44
    ComboFix2.txt 2011-07-28 00:56
    ComboFix3.txt 2011-07-25 01:40
    ComboFix4.txt 2011-07-12 01:49
    .
    Pre-Run: 36,503,953,408 bytes free
    Post-Run: 36,541,816,832 bytes free
    .
    - - End Of File - - 73531F46C2CD6FBFE25E883F07509FAF
     
  20. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Who is the Administrator in the system? Do you know if there are any policies set that would prevent logging in to this account?
     
  21. ldesim

    ldesim TS Rookie Topic Starter

    Well, nobody uses it but me, and I do not know of any policies that would restrict it. As I stated previously, the only way I seem to be able to log in as administrator is to run in safe mode. If I log off normally from Windows, it only gives me the option to log back on as "laurie"... there is no "log in as administrator" option unless I am in safe mode. Not sure if that is normal or not...
     
Topic Status:
Not open for further replies.
