I Have the Browser Redirect Problem

Solved
By heavystrato
Aug 15, 2010
  1. It looks like now I'm in the same boat as other people. This problem is really annoying. I would really appreciate any help on how to remove these redirections.

    I have posted the Malwarebytes log, the GMER log and the two DDS logs.

    Thanks in advance for the help, guys.


    MALWAREBYTES
    Malwarebytes' Anti-Malware 1.46
    www.malwarebytes.org

    Database version: 4432

    Windows 5.1.2600 Service Pack 2
    Internet Explorer 7.0.5730.13

    8/15/2010 12:01:43 PM
    mbam-log-2010-08-15 (12-01-43).txt

    Scan type: Quick scan
    Objects scanned: 140909
    Time elapsed: 6 minute(s), 26 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)



    GMER
    GMER 1.0.15.15281 - http://www.gmer.net
    Rootkit quick scan 2010-08-15 15:50:43
    Windows 5.1.2600 Service Pack 2
    Running: v35jg8yr.exe; Driver: C:\DOCUME~1\Eduardo\LOCALS~1\Temp\ugrdifod.sys


    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

    ---- EOF - GMER 1.0.15 ----
  2. heavystrato

    heavystrato Newcomer, in training Topic Starter Posts: 56

    DDS

    DDS (Ver_10-03-17.01) - NTFSx86
    Run by Eduardo at 15:14:34.09 on Sun 08/15/2010
    Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_21
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3070.2402 [GMT -4:00]

    AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

    ============== Running Processes ===============

    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Avira\AntiVir Desktop\sched.exe
    svchost.exe
    C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    C:\xampp\apache\bin\apache.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\xampp\mysql\bin\mysqld.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\OPHGLDCS.EXE
    C:\Program Files\Winsim\ConnectionManager\SimplyConnectionManager.exe
    C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\xampp\apache\bin\apache.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\ehome\ehtray.exe
    C:\WINDOWS\eHome\ehmsas.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
    C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe
    C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe
    C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatchTray.exe
    C:\WINDOWS\System32\DLA\DLACTRLW.EXE
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\Winsim\ConnectionManager\Simply.SystemTrayIcon.exe
    C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatch.exe
    C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
    C:\Program Files\Windows Live\Messenger\msnmsgr.exe
    C:\Program Files\Common Files\Roxio Shared\SharedCOM8\CPSHelpRunner.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Logitech\SetPoint\SetPoint.exe
    C:\Program Files\PayPal Payment Request Wizard\Outlook Wizard\OEHook.exe
    C:\xampp\mysql\bin\winmysqladmin.exe
    C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
    C:\WINDOWS\system32\wscntfy.exe
    C:\Documents and Settings\Eduardo\Desktop\dds.scr

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://google.com/
    uInternet Settings,ProxyOverride = *.local
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
    BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
    BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\DLASHX_W.DLL
    BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
    BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
    BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
    TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
    EB: GP Bar: {c3538050-face-11de-8a39-0800200c9a66} - %SystemRoot%\system32\shdocvw.dll
    uRun: [DAEMON Tools Pro Agent] "c:\program files\daemon tools pro\DTProAgent.exe"
    uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    mRun: [ehTray] c:\windows\ehome\ehtray.exe
    mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
    mRun: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
    mRun: [RTHDCPL] RTHDCPL.EXE
    mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
    mRun: [AdobeCS4ServiceManager] "c:\program files\common files\adobe\cs4servicemanager\CS4ServiceManager.exe" -launchedbylogin
    mRun: [Adobe Acrobat Speed Launcher] "c:\program files\adobe\acrobat 9.0\acrobat\Acrobat_sl.exe"
    mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 9.0\acrobat\Acrotray.exe"
    mRun: [RoxWatchTray] "c:\program files\common files\roxio shared\sharedcom8\RoxWatchTray.exe"
    mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE
    mRun: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
    mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
    mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
    mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
    mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    mRun: [ConnectionManager] c:\program files\winsim\connectionmanager\Simply.SystemTrayIcon.exe
    mRun: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
    mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
    StartupFolder: c:\docume~1\eduardo\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
    StartupFolder: c:\docume~1\eduardo\startm~1\programs\startup\winmys~1.lnk - c:\xampp\mysql\bin\winmysqladmin.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logite~1.lnk - c:\program files\logitech\setpoint\SetPoint.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\outloo~1.lnk - c:\program files\paypal payment request wizard\outlook wizard\OEHook.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\paloal~1.lnk - c:\program files\common files\palo alto software\9.0\PAS9_Update.exe
    IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    IE: Append to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert Link Target to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    IE: Convert to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
    IE: Sothink SWF Catcher - c:\program files\common files\sourcetec\swf catcher\InternetExplorer.htm
    IE: {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - c:\program files\common files\sourcetec\swf catcher\InternetExplorer.htm
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
    DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
    DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
    Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
    Notify: LBTWlgn - c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
    SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
    SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

    ================= FIREFOX ===================

    FF - ProfilePath - c:\docume~1\eduardo\applic~1\mozilla\firefox\profiles\b7rhrs75.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://search.live.com/results.aspx?FORM=IEFM1&q=
    FF - prefs.js: browser.search.selectedEngine - Live Search
    FF - prefs.js: browser.startup.homepage - hxxp://google.com/
    FF - prefs.js: keyword.URL - hxxp://search.live.com/results.aspx?FORM=IEFM1&q=
    FF - component: c:\documents and settings\eduardo\application data\mozilla\firefox\profiles\b7rhrs75.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\winnt_x86-msvc\components\ipc.dll
    FF - component: c:\program files\real\realplayer\browserrecord\components\nprpbrowserrecordplugin.dll
    FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npdjvu.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0021-ABCDEFFEDCBA}

    ============= SERVICES / DRIVERS ===============

    R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2010-8-15 11608]
    R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-2-17 8944]
    R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-2-17 55024]
    R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2010-8-15 135336]
    R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2010-8-15 267432]
    R2 Apache2.2;Apache2.2;c:\xampp\apache\bin\apache.exe [2008-12-9 24636]
    R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2010-8-15 60936]
    R2 OKI OPHG DCS Loader;OKI OPHG DCS Loader;c:\windows\system32\spool\drivers\w32x86\3\OPHGLDCS.EXE [2009-5-29 24576]
    R2 Simply Accounting Database Connection Manager;Simply Accounting Database Connection Manager;c:\program files\winsim\connectionmanager\SimplyConnectionManager.exe [2009-8-23 29992]
    S3 block_reader;MPR DRV;c:\documents and settings\eduardo\desktop\portablesoftware\mpr_1.1.9\multi_password_recovery_1.1.9_portable\multi password recovery 1.1.9 portable\block_reader.sys [2010-1-10 1920]
    S3 PD1030VID;Creative WebCam Pro;c:\windows\system32\drivers\p1030vid.sys [2009-10-3 167673]
    S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-2-17 7408]
    S3 Simply Accounting Transaction Manager 2010 - CDN;Simply Accounting Transaction Manager 2010 - CDN;c:\program files\winsim\transactionmanager2010 - cdn\Sage_SA.TransactionManager.exe [2009-12-10 42280]

    =============== Created Last 30 ================

    2010-08-15 14:37:52 0 d-----w- c:\windows\system32\NtmsData
    2010-08-15 14:36:29 0 d-----w- c:\docume~1\eduardo\applic~1\Avira
    2010-08-15 14:33:53 60936 ----a-w- c:\windows\system32\drivers\avgntflt.sys
    2010-08-15 14:33:20 0 d-----w- c:\program files\Avira
    2010-08-15 14:33:20 0 d-----w- c:\docume~1\alluse~1\applic~1\Avira
    2010-08-15 14:27:14 423656 ----a-w- c:\windows\system32\deployJava1.dll
    2010-08-15 05:28:08 0 d-sha-r- C:\cmdcons
    2010-08-15 05:24:25 98816 ----a-w- c:\windows\sed.exe
    2010-08-15 05:24:25 77312 ----a-w- c:\windows\MBR.exe
    2010-08-15 05:24:25 256512 ----a-w- c:\windows\PEV.exe
    2010-08-15 05:24:25 161792 ----a-w- c:\windows\SWREG.exe
    2010-08-15 04:47:49 77312 ----a-w- c:\windows\system32\ztvunace26.dll
    2010-08-15 04:47:49 75264 ----a-w- c:\windows\system32\unacev2.dll
    2010-08-15 04:47:49 69632 ----a-w- c:\windows\system32\ztvcabinet.dll
    2010-08-15 04:47:49 162304 ----a-w- c:\windows\system32\ztvunrar36.dll
    2010-08-15 04:47:49 153088 ----a-w- c:\windows\system32\UNRAR3.dll

    ==================== Find3M ====================


    ============= FINISH: 15:15:03.87 ===============
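The DDS "Pseudo HJT Report", services/drivers and Firefox sections above are line-oriented, so a helper reading them usually does the same first pass by eye: orphaned hook registrations, autostart entries that load from user-writable folders or give only a bare file name, drivers sitting outside Program Files or System32, and search/homepage preferences the user did not set. The script below is an added example by the editor, not part of DDS, GMER or Malwarebytes and not posted by the thread starter; it encodes that first pass as a small set of rules. The rule set, the list of user-writable path fragments and the EXPECTED_HOSTS allowlist are editorial assumptions, and the sample log is constructed from lines in the post above with some paths shortened. Every hit is a prompt for a human to look, not a verdict.

```python
"""Triage helper for DDS-style log lines (added example, not a DDS/GMER/MBAM tool).

Reads the line shapes DDS prints (BHO:, mRun:, uRun:, StartupFolder:, R1/S3
services, FF - prefs.js:, DPF:) and returns the entries a helper would look at
first. All rules below are assumptions chosen for this example.
"""
import re
from typing import List, Optional, Tuple

# Assumed rule set: path fragments an autostart or driver should not normally
# live under, the Firefox prefs redirect malware commonly rewrites, and the
# hosts this user is known to have set (the log shows uStart Page = google.com).
USER_WRITABLE = ("\\temp\\", "\\desktop\\", "\\application data\\",
                 "\\local settings\\", "\\documents and settings\\")
REDIRECT_PREFS = ("keyword.url", "browser.search.defaulturl",
                  "browser.startup.homepage")
EXPECTED_HOSTS = {"google.com", "www.google.com"}

RE_HOOK = re.compile(r"^(BHO|TB|EB|SEH|Notify|Handler):\s*(.*)$")
RE_RUN = re.compile(r"^(uRun|mRun|StartupFolder):\s*(?:\[[^\]]*\]\s*)?(.*)$")
RE_SVC = re.compile(r"^(R\d|S\d)\s+([^;]+);([^;]*);(.*?)\s*\[")
RE_FF = re.compile(r"^FF - prefs\.js:\s*(\S+)\s*-\s*(.*)$")
RE_DPF = re.compile(r"^DPF:\s*(\{[0-9A-Fa-f-]+\})\s*-\s*(\S+)")
RE_HOST = re.compile(r"h(?:xx|tt)ps?://([^/\s]+)", re.I)  # DDS defangs http as hxxp

Finding = Tuple[str, str, str]  # (category, reason, original line)


def _exe_from_command(cmd: str) -> str:
    """Pull the executable out of a Run-key command line (quoted or not)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end].lower() if end > 0 else cmd.lower()
    return cmd.split()[0].lower() if cmd else ""


def _in_user_writable(path: str) -> bool:
    return any(token in path for token in USER_WRITABLE)


def triage_line(line: str) -> Optional[Finding]:
    """Return (category, reason, line) when the line deserves a look, else None."""
    line = line.strip()
    m = RE_HOOK.match(line)
    if m:
        if line.endswith("- No File"):
            return ("orphan", "hook registered for a file that no longer exists", line)
        return None
    m = RE_RUN.match(line)
    if m:
        kind, value = m.groups()
        if kind == "StartupFolder":  # "<shortcut> - <target>": judge the target
            path = value.split(" - ", 1)[-1].strip().lower()
        else:
            path = _exe_from_command(value)
        if _in_user_writable(path):
            return ("persistence", "autostart loads from a user-writable location", line)
        if "\\" not in path:
            return ("unqualified", "bare file name resolved through PATH; verify which binary runs", line)
        return None
    m = RE_SVC.match(line)
    if m:
        if _in_user_writable(m.group(4).lower()):
            return ("persistence", "service/driver image sits in a user-writable location", line)
        return None
    m = RE_FF.match(line)
    if m:
        pref, value = m.group(1).lower(), m.group(2)
        host = RE_HOST.search(value)
        target = host.group(1).lower() if host else value
        if pref in REDIRECT_PREFS and target not in EXPECTED_HOSTS:
            return ("browser-pref", f"{pref} -> {target}; confirm the user chose it", line)
        return None
    if RE_DPF.match(line):
        return ("review", "ActiveX control downloaded from the web; check publisher and version", line)
    return None


def triage(log_text: str) -> List[Finding]:
    """Run triage_line over every line and return findings in log order."""
    return [hit for hit in map(triage_line, log_text.splitlines()) if hit]


# Constructed sample in DDS line shapes, taken from the log above (some paths shortened).
SAMPLE_LOG = r"""
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
mRun: [RTHDCPL] RTHDCPL.EXE
StartupFolder: c:\docume~1\eduardo\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
FF - prefs.js: keyword.URL - hxxp://search.live.com/results.aspx?FORM=IEFM1&q=
FF - prefs.js: browser.startup.homepage - hxxp://google.com/
S3 block_reader;MPR DRV;c:\documents and settings\eduardo\desktop\portablesoftware\block_reader.sys [2010-1-10 1920]
R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2010-8-15 11608]
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_21-windows-i586.cab
"""

if __name__ == "__main__":
    for category, reason, line in triage(SAMPLE_LOG):
        print(f"[{category:12}] {reason}\n    {line}")
```

Run against the sample, the rules surface the orphaned BHO CLSID, the bare-name RTHDCPL.EXE Run entry, the Live Search keyword.URL preference, the block_reader.sys driver registered from a Desktop folder, and the Java ActiveX download; the Avira driver, the quoted Messenger path and the google.com homepage pass. On the full log posted above the same rules would also flag nwiz.exe and KHALMNPR.EXE (bare names) and the Facebook and Shockwave DPF entries, all of which a helper would then check by hand.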
  3. heavystrato


    DDS ATTACH
    DDS (Ver_10-03-17.01)

    Microsoft Windows XP Professional
    Boot Device: \Device\HarddiskVolume1
    Install Date: 5/7/2005 11:24:05 AM
    System Uptime: 8/15/2010 2:02:56 PM (1 hours ago)

    Motherboard: ASUSTek Computer INC. | | Buckeye
    Processor: Intel(R) Core(TM)2 CPU 6300 @ 1.86GHz | Socket 775 | 1866/266mhz
    Processor: Intel(R) Core(TM)2 CPU 6300 @ 1.86GHz | Socket 775 | 1866/266mhz

    ==== Disk Partitions =========================

    C: is FIXED (NTFS) - 233 GiB total, 43.729 GiB free.
    D: is CDROM ()
    E: is Removable
    F: is Removable
    G: is Removable
    H: is Removable
    K: is FIXED (NTFS) - 466 GiB total, 216.619 GiB free.

    ==== Disabled Device Manager Items =============

    ==== System Restore Points ===================

    RP1: 8/14/2010 12:52:01 PM - System Checkpoint
    RP2: 8/15/2010 10:22:23 AM - Avira AntiVir Personal - 8/15/2010 10:22
    RP3: 8/15/2010 10:26:51 AM - Installed Java(TM) 6 Update 21

    ==== Installed Programs ======================

    Video4Web Converter version 1.2.0.1
    Acrobat.com
    Adobe Acrobat 9 Pro - English, Français, Deutsch
    Adobe After Effects CS4 Third Party Content
    Adobe AIR
    Adobe Anchor Service CS4
    Adobe Bridge 1.0
    Adobe Bridge CS4
    Adobe CMaps CS4
    Adobe Color - Photoshop Specific CS4
    Adobe Color EU Recommended Settings CS4
    Adobe Color JA Extra Settings CS4
    Adobe Color NA Extra Settings CS4
    Adobe Color Video Profiles CS CS4
    Adobe Common File Installer
    Adobe Creative Suite 4 Master Collection
    Adobe CSI CS4
    Adobe Default Language CS4
    Adobe Device Central CS4
    Adobe Dreamweaver CS4
    Adobe Drive CS4
    Adobe Dynamiclink Support
    Adobe Encore CS4 Codecs
    Adobe Encore CS4 Library
    Adobe ExtendScript Toolkit CS4
    Adobe Extension Manager CS4
    Adobe Flash CS4
    Adobe Flash CS4 Extension - Flash Lite STI en
    Adobe Flash CS4 STI-en
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 10 Plugin
    Adobe Fonts All
    Adobe Help Center 1.0
    Adobe Illustrator CS4
    Adobe InDesign CS4
    Adobe InDesign CS4 Application Feature Set Files (Roman)
    Adobe InDesign CS4 Common Base Files
    Adobe InDesign CS4 Icon Handler
    Adobe Linguistics CS4
    Adobe Media Encoder CS4
    Adobe Media Encoder CS4 Exporter
    Adobe Media Encoder CS4 Importer
    Adobe Media Player
    Adobe Output Module
    Adobe PDF Library Files CS4
    Adobe Photoshop CS2
    Adobe Photoshop CS4
    Adobe Photoshop CS4 Support
    Adobe Premiere Pro CS4 Third Party Content
    Adobe Search for Help
    Adobe Service Manager Extension
    Adobe Setup
    Adobe SGM CS4
    Adobe Shockwave Player 11.5
    Adobe SING CS4
    Adobe Soundbooth CS4 Codecs
    Adobe Stock Photos 1.0
    Adobe Type Support CS4
    Adobe Update Manager CS4
    Adobe WinSoft Linguistics Plugin
    Adobe XMP Panels CS4
    AdobeColorCommonSetCMYK
    AdobeColorCommonSetRGB
    Advanced DHTML Popup Pro
    AV Bros. Page Curl Pro 2.2 (Remove Only)
    Avira AntiVir Personal - Free Antivirus
    AVS Update Manager 1.0
    AVS Video Converter 6
    AVS4YOU Software Navigator 1.3
    BitLord 1.1
    Business Plan Pro 2007 (CAN)
    C3400 UserGuide
    CamStudio
    CCleaner (remove only)
    CDDRV_Installer
    CDisplay 1.8
    Classic Menu 3.9x for Office 2007
    CoffeeCup Flash Form Builder - Registered
    Color Efex Pro 3.0 Complete
    Connect
    CTI 2009
    CuteFTP 8 Professional
    Data Fax SoftModem with SmartCP
    Demo Builder 7.2 ( 15-day Trial )
    DigiDelivery
    EZ Mask v1.5 for Adobe Photoshop & Photoshop Elements
    Facebook FriendAdder Pro
    FBP - Facebook Blaster Pro
    FFB - Facebook Friend Bomber
    Flash Decompiler Trillix
    Flash Optimizer 2
    FoldUP!3D v. 1.5
    FontExpert 2007
    Free Video to Flash Converter version 4.1
    GDR 4053 for SQL Server Database Services 2005 ENU (KB970892)
    GDR 4053 for SQL Server Tools and Workstation Components 2005 ENU (KB970892)
    Genuine Fractals 5.0
    GPL Ghostscript 8.71
    GraphixCALC Pro 2.0
    GSview 4.9
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Hotfix for Windows XP (KB914440)
    Hotfix for Windows XP (KB915865)
    Hotfix for Windows XP (KB935448)
    Hotfix for Windows XP (KB952287)
    Hotfix for Windows XP (KB954550-v5)
    Hotfix for Windows XP (KB961118)
    Hotfix for Windows XP (KB970653-v3)
    Hotfix for Windows XP (KB976098-v2)
    Hotfix for Windows XP (KB979306)
    Hotfix for Windows XP (KB981793)
    I-Faker Desktop Pro
    IBP 10.0.3
    IBP 11.5
    Intel(R) PRO Network Connections Drivers
    InterLok Driver Kit
    Java Auto Updater
    Java(TM) 6 Update 21
    JoomlaPack Native Tools 2009.4
    KhalInstallWrapper
    Kodak DIGITAL GEM Airbrush Professional Plug-In
    Kodak DIGITAL GEM Professional Plug-In
    Kodak DIGITAL ROC Professional Plug-In
    Kodak DIGITAL SHO Professional Plug-In
    kuler
    LizardTech DjVu Control
    Logitech Registration
    Logitech SetPoint
    LucisArt 3 ED/SE
    M2007 Ink Mixing System
    Malwarebytes' Anti-Malware
    Media Lab SiteGrinder 2 (Basic & Pro)
    Microsoft .NET Framework 1.0 Hotfix (KB930494)
    Microsoft .NET Framework 1.0 Hotfix (KB953295)
    Microsoft .NET Framework 1.0 Hotfix (KB979904)
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Security Update (KB979906)
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft Application Error Reporting
    Microsoft Choice Guard
    Microsoft Internationalized Domain Names Mitigation APIs
    Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
    Microsoft National Language Support Downlevel APIs
    Microsoft Office 2007 Service Pack 2 (SP2)
    Microsoft Office Access MUI (English) 2007
    Microsoft Office Access Runtime (English) 2007
    Microsoft Office Access Setup Metadata MUI (English) 2007
    Microsoft Office Enterprise 2007
    Microsoft Office Excel MUI (English) 2007
    Microsoft Office Groove MUI (English) 2007
    Microsoft Office Groove Setup Metadata MUI (English) 2007
    Microsoft Office InfoPath MUI (English) 2007
    Microsoft Office OneNote MUI (English) 2007
    Microsoft Office Outlook MUI (English) 2007
    Microsoft Office PowerPoint MUI (English) 2007
    Microsoft Office Proof (English) 2007
    Microsoft Office Proof (French) 2007
    Microsoft Office Proof (Spanish) 2007
    Microsoft Office Proofing (English) 2007
    Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
    Microsoft Office Publisher MUI (English) 2007
    Microsoft Office Shared MUI (English) 2007
    Microsoft Office Shared Setup Metadata MUI (English) 2007
    Microsoft Office Word MUI (English) 2007
    Microsoft Save as PDF or XPS Add-in for 2007 Microsoft Office programs
    Microsoft Silverlight
    Microsoft Software Update for Web Folders (English) 12
    Microsoft SQL Server 2005
    Microsoft SQL Server 2005 Express Edition (SQLEXPRESS)
    Microsoft SQL Server 2005 Tools Express Edition
    Microsoft SQL Server Native Client
    Microsoft SQL Server Setup Support Files (English)
    Microsoft SQL Server VSS Writer
    Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    Mozilla Firefox (3.0.19)
    MSVCRT
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    MSXML 4.0 SP2 Parser and SDK
    MSXML 6 Service Pack 2 (KB954459)
    MSXML 6 Service Pack 2 (KB973686)
    MySQL Connector/ODBC 3.51
    NVIDIA Drivers
    OKI C3300_3400 Status Monitor
    PayPal Payment Request Wizard For Outlook
    PDF Settings CS4
    Photoshop Camera Raw
    Pixel Bender Toolkit
    Poser 8 (8.0.0.10157)
    Price Perfect
    QuickTime
    RankEnhancer
    RealPlayer
    Realtek High Definition Audio Driver
    Roland SP-300V
    Roland VersaWorks
    Roxio RecordNow Premier
    Sage Invoicing and Start-up
    Security Update for 2007 Microsoft Office System (KB2277947)
    Security Update for 2007 Microsoft Office System (KB969559)
    Security Update for 2007 Microsoft Office System (KB976321)
    Security Update for 2007 Microsoft Office System (KB982312)
    Security Update for 2007 Microsoft Office System (KB982331)
    Security Update for Microsoft Office Access 2007 (KB979440)
    Security Update for Microsoft Office Excel 2007 (KB982308)
    Security Update for Microsoft Office InfoPath 2007 (KB979441)
    Security Update for Microsoft Office Outlook 2007 (KB980376)
    Security Update for Microsoft Office PowerPoint 2007 (KB982158)
    Security Update for Microsoft Office Publisher 2007 (KB982124)
    Security Update for Microsoft Office system 2007 (972581)
    Security Update for Microsoft Office system 2007 (KB974234)
  4. heavystrato


    Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
    Security Update for Microsoft Office Word 2007 (KB2251419)
    Security Update for Windows Internet Explorer 7 (KB938127-v2)
    Security Update for Windows Internet Explorer 7 (KB956390)
    Security Update for Windows Internet Explorer 7 (KB961260)
    Security Update for Windows Internet Explorer 7 (KB963027)
    Security Update for Windows Internet Explorer 7 (KB969897)
    Security Update for Windows Internet Explorer 7 (KB972260)
    Security Update for Windows Internet Explorer 7 (KB974455)
    Security Update for Windows Internet Explorer 7 (KB976325)
    Security Update for Windows Internet Explorer 7 (KB978207)
    Security Update for Windows Internet Explorer 7 (KB982381)
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows Media Player (KB954155)
    Security Update for Windows Media Player (KB968816)
    Security Update for Windows Media Player (KB973540)
    Security Update for Windows Media Player (KB978695)
    Security Update for Windows Media Player 10 (KB936782)
    Security Update for Windows Media Player 6.4 (KB925398)
    Security Update for Windows XP (KB2229593)
    Security Update for Windows XP (KB890046)
    Security Update for Windows XP (KB893756)
    Security Update for Windows XP (KB896358)
    Security Update for Windows XP (KB896423)
    Security Update for Windows XP (KB896428)
    Security Update for Windows XP (KB899587)
    Security Update for Windows XP (KB899591)
    Security Update for Windows XP (KB900725)
    Security Update for Windows XP (KB901017)
    Security Update for Windows XP (KB901214)
    Security Update for Windows XP (KB902400)
    Security Update for Windows XP (KB905414)
    Security Update for Windows XP (KB905749)
    Security Update for Windows XP (KB908519)
    Security Update for Windows XP (KB911562)
    Security Update for Windows XP (KB911927)
    Security Update for Windows XP (KB913580)
    Security Update for Windows XP (KB914388)
    Security Update for Windows XP (KB914389)
    Security Update for Windows XP (KB918118)
    Security Update for Windows XP (KB918439)
    Security Update for Windows XP (KB920213)
    Security Update for Windows XP (KB920670)
    Security Update for Windows XP (KB920683)
    Security Update for Windows XP (KB920685)
    Security Update for Windows XP (KB923191)
    Security Update for Windows XP (KB923561)
    Security Update for Windows XP (KB923689)
    Security Update for Windows XP (KB923789)
    Security Update for Windows XP (KB923980)
    Security Update for Windows XP (KB924270)
    Security Update for Windows XP (KB924667)
    Security Update for Windows XP (KB925902)
    Security Update for Windows XP (KB926255)
    Security Update for Windows XP (KB926436)
    Security Update for Windows XP (KB927779)
    Security Update for Windows XP (KB927802)
    Security Update for Windows XP (KB928255)
    Security Update for Windows XP (KB929123)
    Security Update for Windows XP (KB930178)
    Security Update for Windows XP (KB931261)
    Security Update for Windows XP (KB932168)
    Security Update for Windows XP (KB933729)
    Security Update for Windows XP (KB937894)
    Security Update for Windows XP (KB938464)
    Security Update for Windows XP (KB941569)
    Security Update for Windows XP (KB943055)
    Security Update for Windows XP (KB944338-v2)
    Security Update for Windows XP (KB944653)
    Security Update for Windows XP (KB945553)
    Security Update for Windows XP (KB946026)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB950749)
    Security Update for Windows XP (KB950760)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951066)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951698)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952004)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB954211)
    Security Update for Windows XP (KB954600)
    Security Update for Windows XP (KB955069)
    Security Update for Windows XP (KB956572)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB956841)
    Security Update for Windows XP (KB956844)
    Security Update for Windows XP (KB957097)
    Security Update for Windows XP (KB958215)
    Security Update for Windows XP (KB958470)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB958687)
    Security Update for Windows XP (KB958690)
    Security Update for Windows XP (KB958869)
    Security Update for Windows XP (KB959426)
    Security Update for Windows XP (KB960225)
    Security Update for Windows XP (KB960714)
    Security Update for Windows XP (KB960715)
    Security Update for Windows XP (KB960803)
    Security Update for Windows XP (KB960859)
    Security Update for Windows XP (KB961371)
    Security Update for Windows XP (KB961373)
    Security Update for Windows XP (KB961501)
    Security Update for Windows XP (KB968537)
    Security Update for Windows XP (KB969059)
    Security Update for Windows XP (KB969898)
    Security Update for Windows XP (KB969947)
    Security Update for Windows XP (KB970238)
    Security Update for Windows XP (KB970430)
    Security Update for Windows XP (KB971032)
    Security Update for Windows XP (KB971468)
    Security Update for Windows XP (KB971486)
    Security Update for Windows XP (KB971557)
    Security Update for Windows XP (KB971633)
    Security Update for Windows XP (KB971657)
    Security Update for Windows XP (KB971961)
    Security Update for Windows XP (KB972270)
    Security Update for Windows XP (KB973346)
    Security Update for Windows XP (KB973354)
    Security Update for Windows XP (KB973507)
    Security Update for Windows XP (KB973525)
    Security Update for Windows XP (KB973869)
    Security Update for Windows XP (KB973904)
    Security Update for Windows XP (KB974112)
    Security Update for Windows XP (KB974318)
    Security Update for Windows XP (KB974392)
    Security Update for Windows XP (KB974571)
    Security Update for Windows XP (KB975025)
    Security Update for Windows XP (KB975467)
    Security Update for Windows XP (KB975560)
    Security Update for Windows XP (KB975561)
    Security Update for Windows XP (KB975562)
    Security Update for Windows XP (KB975713)
    Security Update for Windows XP (KB977165)
    Security Update for Windows XP (KB977816)
    Security Update for Windows XP (KB977914)
    Security Update for Windows XP (KB978037)
    Security Update for Windows XP (KB978251)
    Security Update for Windows XP (KB978262)
    Security Update for Windows XP (KB978338)
    Security Update for Windows XP (KB978542)
    Security Update for Windows XP (KB978601)
    Security Update for Windows XP (KB978706)
    Security Update for Windows XP (KB979309)
    Security Update for Windows XP (KB979482)
    Security Update for Windows XP (KB979559)
    Security Update for Windows XP (KB979683)
    Security Update for Windows XP (KB980195)
    Security Update for Windows XP (KB980218)
    Security Update for Windows XP (KB980232)
    Security Update for Windows XP (KB981349)
    Segoe UI
    SENuke
    Silver Efex Pro
    Simply Accounting by Sage 2009
    Simply Accounting by Sage 2010
    Sothink SWF Decompiler
    Spybot - Search & Destroy
    SpywareBlaster 4.2
    Suite Shared Configuration CS4
    Super-AlexaBooster v1.10
    SUPERAntiSpyware Free Edition
    SWF to MP3 Converter 2.3 build 171
    Swift 3D v5.00
    Template Manager
    TransType Pro
    TwitterBlasterPro
    Uninstall 1.0.0.1
    Update for 2007 Microsoft Office System (KB967642)
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Microsoft Office 2007 Help for Common Features (KB957244)
    Update for Microsoft Office Access 2007 Help (KB957241)
    Update for Microsoft Office Excel 2007 Help (KB957242)
    Update for Microsoft Office InfoPath 2007 Help (KB957243)
    Update for Microsoft Office OneNote 2007 (KB980729)
    Update for Microsoft Office OneNote 2007 Help (KB957245)
    Update for Microsoft Office Outlook 2007 Help (KB957246)
    Update for Microsoft Office PowerPoint 2007 Help (KB957247)
    Update for Microsoft Office Publisher 2007 Help (KB957249)
    Update for Microsoft Office Word 2007 Help (KB957252)
    Update for Microsoft Script Editor Help (KB957253)
    Update for Outlook 2007 Junk Email Filter (kb2279264)
    Update for Windows Internet Explorer 7 (KB976749)
    Update for Windows Internet Explorer 7 (KB980182)
    Update for Windows XP (KB894391)
    Update for Windows XP (KB898461)
    Update for Windows XP (KB900485)
    Update for Windows XP (KB904942)
    Update for Windows XP (KB908531)
    Update for Windows XP (KB910437)
    Update for Windows XP (KB911280)
    Update for Windows XP (KB916595)
    Update for Windows XP (KB920872)
    Update for Windows XP (KB922582)
    Update for Windows XP (KB925720)
    Update for Windows XP (KB927891)
    Update for Windows XP (KB930916)
    Update for Windows XP (KB932823-v3)
    Update for Windows XP (KB936357)
    Update for Windows XP (KB938828)
    Update for Windows XP (KB955759)
    Update for Windows XP (KB955839)
    Update for Windows XP (KB961503)
    Update for Windows XP (KB967715)
    Update for Windows XP (KB968389)
    Update for Windows XP (KB971737)
    Update for Windows XP (KB973687)
    Update for Windows XP (KB973815)
    Vertus Fluid Mask 3 3.0.10
    Victoria 4.2 Base
    Viveza
    VLC media player 1.0.2
    VueRite
    WebFldrs XP
    Windows Driver Package - AMD System (04/06/2006 1.0.1.0)
    Windows Genuine Advantage Validation Tool (KB892130)
    Windows Imaging Component
    Windows Installer 3.1 (KB893803)
    Windows Internet Explorer 7
    Windows Live Call
    Windows Live Communications Platform
    Windows Live Essentials
    Windows Live Messenger
    Windows Live OneCare safety scanner
    Windows Live Sign-in Assistant
    Windows Live Upload Tool
    Windows Media Format Runtime
    Windows XP Hotfix - KB873339
    Windows XP Hotfix - KB885835
    Windows XP Hotfix - KB885836
    Windows XP Hotfix - KB886185
    Windows XP Hotfix - KB887472
    Windows XP Hotfix - KB888302
    Windows XP Hotfix - KB890859
    Windows XP Hotfix - KB891781
    Windows XP Media Center Edition 2005 KB973768
    WinRAR archiver
    WriteExpress 4,001 Business, Sales & Personal Letters
    XAMPP 1.7.0

    ==== Event Viewer Messages From Past Week ========

    8/15/2010 3:13:50 PM, error: System Error [1003] - Error code 0000004e, parameter1 00000007, parameter2 0002532e, parameter3 00000001, parameter4 00000000.
    8/15/2010 11:16:49 AM, error: Service Control Manager [7034] - The SQL Server VSS Writer service terminated unexpectedly. It has done this 1 time(s).
    8/15/2010 11:16:49 AM, error: Service Control Manager [7034] - The Simply Accounting Database Connection Manager service terminated unexpectedly. It has done this 1 time(s).
    8/15/2010 11:16:49 AM, error: Service Control Manager [7034] - The Roxio Hard Drive Watcher service terminated unexpectedly. It has done this 1 time(s).
    8/15/2010 11:16:49 AM, error: Service Control Manager [7034] - The OKI OPHG DCS Loader service terminated unexpectedly. It has done this 1 time(s).
    8/15/2010 11:16:49 AM, error: Service Control Manager [7034] - The NVIDIA Display Driver Service service terminated unexpectedly. It has done this 1 time(s).
    8/15/2010 11:16:49 AM, error: Service Control Manager [7034] - The mysql service terminated unexpectedly. It has done this 1 time(s).
    8/15/2010 11:16:49 AM, error: Service Control Manager [7034] - The Java Quick Starter service terminated unexpectedly. It has done this 1 time(s).
    8/15/2010 11:16:49 AM, error: Service Control Manager [7034] - The Apache2.2 service terminated unexpectedly. It has done this 1 time(s).
    8/15/2010 10:21:03 AM, error: SideBySide [59] - Resolve Partial Assembly failed for Microsoft.VC90.CRT. Reference error message: The referenced assembly is not installed on your system. .
    8/15/2010 10:21:03 AM, error: SideBySide [59] - Generate Activation Context failed for C:\DOCUME~1\Eduardo\LOCALS~1\Temp\RarSFX0\redist.dll. Reference error message: The operation completed successfully. .
    8/15/2010 10:21:03 AM, error: SideBySide [32] - Dependent Assembly Microsoft.VC90.CRT could not be found and Last Error was The referenced assembly is not installed on your system.
    8/15/2010 1:50:09 AM, error: Service Control Manager [7023] - The HID Input Service service terminated with the following error: The specified module could not be found.
    8/15/2010 1:35:24 PM, error: System Error [1003] - Error code 0000004e, parameter1 00000007, parameter2 00006844, parameter3 00000002, parameter4 00000000.
    8/14/2010 12:42:05 PM, error: Service Control Manager [7034] - The ResultDns Service service terminated unexpectedly. It has done this 1 time(s).

    ==== End Of File ===========================
  5. heavystrato

    heavystrato Newcomer, in training Topic Starter Posts: 56

    I should also add that these redirections are happening with both Internet Explorer and Firefox.
  6. heavystrato

    heavystrato Newcomer, in training Topic Starter Posts: 56

    Any help, please? This problem is driving me insane.
  7. Broni

    Broni Malware Annihilator Posts: 46,164   +251

    Welcome aboard

    Be patient. We're just volunteers and we're not here 24/7.

    =======================================================================

    Download MBRCheck to your desktop

    Double click MBRCheck.exe to run (Vista and Windows 7 users, right click and select Run as Administrator).
    It will show a black screen with some data on it.
    A report called MBRcheckxxxx.txt will be on your desktop
    Open this report and post its content in your next reply.

    =====================================================================

    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt"
    **Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

    Make sure, you re-enable your security programs, when you're done with Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
  8. heavystrato

    heavystrato Newcomer, in training Topic Starter Posts: 56

    Hi Broni, thank you so much for helping out. I am sorry if I seemed a bit impatient; it's just that this thing is driving me nuts.
    Anyway, I will run these two things and post them ASAP.
  9. Broni

    Broni Malware Annihilator Posts: 46,164   +251

    I understand your frustration, but you're not the only one who got bitten by bad guys :)
    ....and we need to eat, sleep, work and go for a walk too...
  10. heavystrato

    heavystrato Newcomer, in training Topic Starter Posts: 56

    I know, Broni. :eek:
    Here are the two logs. When I ran Combofix it found something and it restarted my computer.

    MBRCheck, version 1.2.3
    (c) 2010, AD

    Command-line:
    Windows Version: Windows XP Professional
    Windows Information: Service Pack 2 (build 2600)
    Logical Drives Mask: 0x000004fc

    Kernel Drivers (total 141):
    0x804D7000 \WINDOWS\system32\ntkrnlpa.exe
    0x806E2000 \WINDOWS\system32\hal.dll
    0xBA5A8000 \WINDOWS\system32\KDCOM.DLL
    0xBA4B8000 \WINDOWS\system32\BOOTVID.dll
    0xB9F79000 ACPI.sys
    0xBA5AA000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
    0xB9F68000 pci.sys
    0xBA0A8000 ohci1394.sys
    0xBA0B8000 \WINDOWS\system32\DRIVERS\1394BUS.SYS
    0xBA0C8000 isapnp.sys
    0xBA670000 pciide.sys
    0xBA328000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
    0xBA0D8000 MountMgr.sys
    0xB9F49000 ftdisk.sys
    0xBA5AC000 dmload.sys
    0xB9F23000 dmio.sys
    0xBA330000 PartMgr.sys
    0xBA0E8000 VolSnap.sys
    0xB9F0B000 atapi.sys
    0xBA0F8000 disk.sys
    0xBA108000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
    0xB9EEB000 fltMgr.sys
    0xB9ED9000 sr.sys
    0xB9EC3000 DRVMCDB.SYS
    0xBA118000 PxHelp20.sys
    0xB9EB2000 TPkd.sys
    0xB9E9B000 KSecDD.sys
    0xB9E0E000 Ntfs.sys
    0xB9DE1000 NDIS.sys
    0xB9DC6000 Mup.sys
    0xBA198000 \SystemRoot\system32\DRIVERS\intelppm.sys
    0xB90DD000 \SystemRoot\system32\DRIVERS\nv4_mini.sys
    0xB90C9000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
    0xB9091000 \SystemRoot\system32\DRIVERS\e1e5132.sys
    0xBA478000 \SystemRoot\system32\DRIVERS\usbuhci.sys
    0xB906E000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
    0xBA480000 \SystemRoot\system32\DRIVERS\usbehci.sys
    0xB9049000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
    0xB9004000 \SystemRoot\system32\DRIVERS\HSXHWBS2.sys
    0xB8FE1000 \SystemRoot\system32\DRIVERS\ks.sys
    0xB8EEA000 \SystemRoot\system32\DRIVERS\HSX_DP.sys
    0xB8E34000 \SystemRoot\system32\DRIVERS\HSX_CNXT.sys
    0xBA488000 \SystemRoot\System32\Drivers\Modem.SYS
    0xBA1A8000 \SystemRoot\system32\DRIVERS\nic1394.sys
    0xBA1B8000 \SystemRoot\system32\DRIVERS\imapi.sys
    0xBA5EA000 \SystemRoot\System32\Drivers\DLACDBHM.SYS
    0xBA1C8000 \SystemRoot\system32\DRIVERS\cdrom.sys
    0xBA1D8000 \SystemRoot\system32\DRIVERS\redbook.sys
    0xBA74B000 \SystemRoot\system32\DRIVERS\audstub.sys
    0xBA1E8000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
    0xB9D92000 \SystemRoot\system32\DRIVERS\ndistapi.sys
    0xB8E1D000 \SystemRoot\system32\DRIVERS\ndiswan.sys
    0xBA1F8000 \SystemRoot\system32\DRIVERS\raspppoe.sys
    0xBA208000 \SystemRoot\system32\DRIVERS\raspptp.sys
    0xBA490000 \SystemRoot\system32\DRIVERS\TDI.SYS
    0xB8E0C000 \SystemRoot\system32\DRIVERS\psched.sys
    0xBA218000 \SystemRoot\system32\DRIVERS\msgpc.sys
    0xBA498000 \SystemRoot\system32\DRIVERS\ptilink.sys
    0xBA4A0000 \SystemRoot\system32\DRIVERS\raspti.sys
    0xB8DDB000 \SystemRoot\system32\DRIVERS\rdpdr.sys
    0xBA238000 \SystemRoot\system32\DRIVERS\termdd.sys
    0xBA4A8000 \SystemRoot\system32\DRIVERS\kbdclass.sys
    0xBA4B0000 \SystemRoot\system32\DRIVERS\mouclass.sys
    0xBA5F0000 \SystemRoot\system32\DRIVERS\swenum.sys
    0xB8D5A000 \SystemRoot\system32\DRIVERS\update.sys
    0xBA548000 \SystemRoot\system32\DRIVERS\mssmbios.sys
    0xBA258000 \SystemRoot\System32\Drivers\NDProxy.SYS
    0xBA268000 \SystemRoot\system32\DRIVERS\usbhub.sys
    0xBA5F2000 \SystemRoot\system32\DRIVERS\USBD.SYS
    0xB6324000 \SystemRoot\system32\drivers\RtkHDAud.sys
    0xB6302000 \SystemRoot\system32\drivers\portcls.sys
    0xBA278000 \SystemRoot\system32\drivers\drmk.sys
    0xBA5F6000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
    0xBA7C7000 \SystemRoot\System32\Drivers\Null.SYS
    0xBA5F8000 \SystemRoot\System32\Drivers\Beep.SYS
    0xBA390000 \SystemRoot\System32\Drivers\DLARTL_N.SYS
    0xBA398000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
    0xBA3A0000 \SystemRoot\System32\drivers\vga.sys
    0xBA5FA000 \SystemRoot\System32\Drivers\mnmdd.SYS
    0xBA5FC000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
    0xBA3A8000 \SystemRoot\System32\Drivers\Msfs.SYS
    0xBA3B0000 \SystemRoot\System32\Drivers\Npfs.SYS
    0xB8DD7000 \SystemRoot\system32\DRIVERS\rasacd.sys
    0xB62A7000 \SystemRoot\system32\DRIVERS\ipsec.sys
    0xB624F000 \SystemRoot\system32\DRIVERS\tcpip.sys
    0xB6206000 \SystemRoot\system32\DRIVERS\ipnat.sys
    0xB61DE000 \SystemRoot\system32\DRIVERS\netbt.sys
    0xBA298000 \SystemRoot\system32\DRIVERS\wanarp.sys
    0xB61BC000 \SystemRoot\System32\drivers\afd.sys
    0xBA2A8000 \SystemRoot\system32\DRIVERS\arp1394.sys
    0xBA2B8000 \SystemRoot\system32\DRIVERS\netbios.sys
    0xBA3B8000 \SystemRoot\system32\DRIVERS\ssmdrv.sys
    0xB619B000 \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys
    0xBA3C0000 \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
    0xB6170000 \SystemRoot\system32\DRIVERS\rdbss.sys
    0xB6101000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
    0xBA2C8000 \SystemRoot\System32\Drivers\Fips.SYS
    0xB60DF000 \SystemRoot\system32\DRIVERS\avipbb.sys
    0xBA606000 \??\C:\Program Files\Avira\AntiVir Desktop\avgio.sys
    0xBA318000 \SystemRoot\System32\Drivers\Cdfs.SYS
    0xBA3D0000 \SystemRoot\system32\DRIVERS\usbprint.sys
    0xBA3D8000 \SystemRoot\system32\DRIVERS\USBSTOR.SYS
    0xBA3E8000 \SystemRoot\system32\DRIVERS\usbccgp.sys
    0xB62FE000 \SystemRoot\system32\DRIVERS\hidusb.sys
    0xB9535000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
    0xBA3F8000 \SystemRoot\system32\DRIVERS\LHidFilt.Sys
    0xB9525000 \SystemRoot\system32\DRIVERS\WDFLDR.SYS
    0xB5FC4000 \SystemRoot\system32\DRIVERS\Wdf01000.sys
    0xB62FA000 \SystemRoot\system32\DRIVERS\kbdhid.sys
    0xB62F6000 \SystemRoot\system32\DRIVERS\mouhid.sys
    0xBA400000 \SystemRoot\system32\DRIVERS\LMouFilt.Sys
    0xB5F84000 \SystemRoot\System32\Drivers\dump_atapi.sys
    0xBA664000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
    0xBF800000 \SystemRoot\System32\win32k.sys
    0xB6237000 \SystemRoot\System32\drivers\Dxapi.sys
    0xBA430000 \SystemRoot\System32\watchdog.sys
    0xBF000000 \SystemRoot\System32\drivers\dxg.sys
    0xBA6C1000 \SystemRoot\System32\drivers\dxgthk.sys
    0xBF012000 \SystemRoot\System32\nv4_disp.dll
    0xB514E000 \SystemRoot\system32\DRIVERS\avgntflt.sys
    0xBA2F8000 \SystemRoot\System32\Drivers\DRVNDDM.SYS
    0xBFFA0000 \SystemRoot\System32\ATMFD.DLL
    0xBA747000 \SystemRoot\System32\DLA\DLADResN.SYS
    0xB5110000 \SystemRoot\System32\DLA\DLAIFS_M.SYS
    0xB5267000 \SystemRoot\System32\DLA\DLAOPIOM.SYS
    0xBA5C6000 \SystemRoot\System32\DLA\DLAPoolM.SYS
    0xBA438000 \SystemRoot\System32\DLA\DLABOIOM.SYS
    0xB50A8000 \SystemRoot\System32\DLA\DLAUDFAM.SYS
    0xB5092000 \SystemRoot\System32\DLA\DLAUDF_M.SYS
    0xB5146000 \SystemRoot\system32\DRIVERS\ndisuio.sys
    0xB4636000 \SystemRoot\system32\DRIVERS\mrxdav.sys
    0xB45FD000 \SystemRoot\System32\Drivers\adfs.SYS
    0xB3CF8000 \SystemRoot\system32\drivers\wdmaud.sys
    0xB4712000 \SystemRoot\system32\drivers\sysaudio.sys
    0xB3A4A000 \??\C:\WINDOWS\system32\drivers\hardlock.sys
    0xB3A27000 \SystemRoot\System32\Drivers\Fastfat.SYS
    0xB4555000 \SystemRoot\system32\DRIVERS\mdmxsdk.sys
    0xB39A8000 \SystemRoot\system32\DRIVERS\srv.sys
    0xB2060000 \SystemRoot\System32\Drivers\HTTP.sys
    0xAEEEF000 \SystemRoot\system32\drivers\kmixer.sys
    0x7C900000 \WINDOWS\system32\ntdll.dll

    Processes (total 58):
    0 System Idle Process
    4 System
    668 C:\WINDOWS\system32\smss.exe
    724 csrss.exe
    748 C:\WINDOWS\system32\winlogon.exe
    796 C:\WINDOWS\system32\services.exe
    808 C:\WINDOWS\system32\lsass.exe
    1024 C:\WINDOWS\system32\svchost.exe
    1128 svchost.exe
    1224 C:\WINDOWS\system32\svchost.exe
    1292 svchost.exe
    1468 svchost.exe
    1624 C:\WINDOWS\system32\spoolsv.exe
    1668 C:\Program Files\Avira\AntiVir Desktop\sched.exe
    1744 svchost.exe
    1836 C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    1860 C:\xampp\apache\bin\apache.exe
    1960 C:\WINDOWS\ehome\ehRecvr.exe
    164 C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
    204 C:\WINDOWS\ehome\ehSched.exe
    288 C:\Program Files\Java\jre6\bin\jqs.exe
    412 sqlservr.exe
    480 C:\xampp\mysql\bin\mysqld.exe
    504 C:\WINDOWS\system32\nvsvc32.exe
    536 C:\WINDOWS\system32\spool\drivers\w32x86\3\OPHGLDCS.EXE
    1188 SP-300MC.EXE
    632 C:\Program Files\winsim\ConnectionManager\SimplyConnectionManager.exe
    1912 C:\WINDOWS\explorer.exe
    1996 sqlbrowser.exe
    1888 C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
    2068 C:\WINDOWS\system32\svchost.exe
    2204 C:\xampp\apache\bin\apache.exe
    3652 C:\WINDOWS\system32\dllhost.exe
    3932 C:\WINDOWS\ehome\ehtray.exe
    4040 alg.exe
    148 C:\WINDOWS\ehome\ehmsas.exe
    176 C:\WINDOWS\system32\rundll32.exe
    532 C:\WINDOWS\RTHDCPL.exe
    1572 C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
    2064 C:\Program Files\Adobe\Acrobat 9.0\Acrobat\acrotray.exe
    2400 C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatchTray.exe
    2280 C:\WINDOWS\system32\DLA\DLACTRLW.EXE
    1256 C:\Program Files\QuickTime\qttask.exe
    1052 C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    596 C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    1120 C:\Program Files\Common Files\Java\Java Update\jusched.exe
    3824 C:\Program Files\winsim\ConnectionManager\Simply.SystemTrayIcon.exe
    3944 C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
    512 C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatch.exe
    2404 C:\Program Files\Windows Live\Messenger\msnmsgr.exe
    3832 C:\WINDOWS\system32\ctfmon.exe
    1056 C:\Program Files\Messenger\msmsgs.exe
    1952 C:\Program Files\Common Files\Roxio Shared\SharedCOM8\CPSHelpRunner.exe
    4352 C:\Program Files\Logitech\SetPoint\SetPoint.exe
    4376 C:\Program Files\PayPal Payment Request Wizard\Outlook Wizard\OEHook.exe
    4432 C:\xampp\mysql\bin\winmysqladmin.exe
    4536 C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.exe
    5564 C:\Documents and Settings\Eduardo\Desktop\MBRCheck.exe

    \\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)
    \\.\K: --> \\.\PhysicalDrive5 at offset 0x00000000`00007e00 (NTFS)

    PhysicalDrive0 Model Number: ST3250824AS, Rev: 3.AHH
    PhysicalDrive5 Model Number: SeagateFreeAgent Pro, Rev: 400A

    Size Device Name MBR Status
    --------------------------------------------
    232 GB \\.\PhysicalDrive0 Windows XP MBR code detected
    SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A
    465 GB \\.\PhysicalDrive5 RE: Unknown MBR code
    SHA1: 639AC5CDF8A5CF3245975932C6A4215450A7B98F


    Found non-standard or infected MBR.
    Enter 'Y' and hit ENTER for more options, or 'N' to exit:

    Done!
  11. heavystrato

    heavystrato Newcomer, in training Topic Starter Posts: 56

    ComboFix 10-08-15.01 - Eduardo 08/16/2010 0:14.3.2 - x86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3070.2332 [GMT -4:00]
    Running from: c:\documents and settings\Eduardo\Desktop\ComboFix.exe
    AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\windows\system32\winlogon.exe . . . is infected!!

    Infected copy of c:\windows\explorer.exe was found and disinfected
    Restored copy from - c:\windows\$hf_mig$\KB938828\SP2QFE\explorer.exe

    .
    ((((((((((((((((((((((((( Files Created from 2010-07-16 to 2010-08-16 )))))))))))))))))))))))))))))))
    .

    2010-08-15 14:37 . 2010-08-15 23:23 -------- d-----w- c:\windows\system32\NtmsData
    2010-08-15 14:36 . 2010-08-15 14:36 -------- d-----w- c:\documents and settings\Eduardo\Application Data\Avira
    2010-08-15 14:33 . 2010-03-01 14:05 124784 ----a-w- c:\windows\system32\drivers\avipbb.sys
    2010-08-15 14:33 . 2010-02-16 18:24 60936 ----a-w- c:\windows\system32\drivers\avgntflt.sys
    2010-08-15 14:33 . 2009-05-11 16:49 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
    2010-08-15 14:33 . 2009-05-11 16:49 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
    2010-08-15 14:33 . 2010-08-15 14:33 -------- d-----w- c:\program files\Avira
    2010-08-15 14:33 . 2010-08-15 14:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
    2010-08-15 14:27 . 2010-08-15 14:27 -------- d-----w- c:\program files\Common Files\Java
    2010-08-15 14:27 . 2010-07-17 09:00 423656 ----a-w- c:\windows\system32\deployJava1.dll
    2010-08-15 04:47 . 2006-06-19 17:01 69632 ----a-w- c:\windows\system32\ztvcabinet.dll
    2010-08-15 04:47 . 2006-05-25 19:52 162304 ----a-w- c:\windows\system32\ztvunrar36.dll
    2010-08-15 04:47 . 2005-08-26 05:50 77312 ----a-w- c:\windows\system32\ztvunace26.dll
    2010-08-15 04:47 . 2003-02-03 00:06 153088 ----a-w- c:\windows\system32\UNRAR3.dll
    2010-08-15 04:47 . 2002-03-06 05:00 75264 ----a-w- c:\windows\system32\unacev2.dll

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-08-16 03:31 . 2009-03-08 16:57 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
    2010-08-15 14:31 . 2009-04-20 18:03 664 ----a-w- c:\windows\system32\d3d9caps.dat
    2010-08-15 14:27 . 2010-08-15 14:27 503808 ----a-w- c:\documents and settings\Eduardo\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-36f87ce3-n\msvcp71.dll
    2010-08-15 14:27 . 2010-08-15 14:27 499712 ----a-w- c:\documents and settings\Eduardo\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-36f87ce3-n\jmc.dll
    2010-08-15 14:27 . 2010-08-15 14:27 348160 ----a-w- c:\documents and settings\Eduardo\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-36f87ce3-n\msvcr71.dll
    2010-08-15 14:27 . 2010-08-15 14:27 61440 ----a-w- c:\documents and settings\Eduardo\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-6227762b-n\decora-sse.dll
    2010-08-15 14:27 . 2010-08-15 14:27 12800 ----a-w- c:\documents and settings\Eduardo\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-6227762b-n\decora-d3d.dll
    2010-08-15 14:27 . 2009-03-26 22:14 -------- d-----w- c:\program files\Java
    2010-08-15 05:46 . 2009-10-26 14:17 -------- d-----w- c:\documents and settings\Eduardo\Application Data\vlc
    2010-08-15 05:08 . 2009-09-16 00:46 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    2010-08-14 17:12 . 2010-08-14 17:11 52224 ----a-w- c:\documents and settings\Eduardo\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
    2010-08-14 17:12 . 2009-09-15 16:59 117760 ----a-w- c:\documents and settings\Eduardo\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
    2010-08-12 10:04 . 2009-03-08 16:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
    2010-08-07 11:59 . 2010-07-09 21:04 452104 ----a-w- c:\documents and settings\Eduardo\Application Data\Real\Update\setup3.12\setup.exe
    2010-08-02 23:14 . 2009-03-09 01:20 189000 ----a-w- c:\documents and settings\Eduardo\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2010-07-28 16:03 . 2010-05-27 23:40 -------- d-----w- c:\program files\Facebook FriendAdder Pro
    2010-07-21 12:08 . 2009-03-08 11:42 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-07-11 00:21 . 2010-07-10 23:55 -------- d-----w- c:\program files\Super_DVD_Creator_9.8
    2010-07-02 21:03 . 2010-04-13 20:59 439816 ----a-w- c:\documents and settings\Eduardo\Application Data\Real\Update\setup3.10\setup.exe
    2010-06-14 14:30 . 2009-03-08 11:12 743936 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe
    .

    ------- Sigcheck -------

    [-] 2008-04-14 . ED0EF0A136DEC83DF69F04118870003E . 507904 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\winlogon.exe
    [-] 2004-12-02 . 91FDA1B9369FCA7100532DBF82E138B4 . 502272 . . [5.1.2600.2180] . . c:\windows\system32\winlogon.exe

    [-] 2008-04-14 . 12896823FB95BFB3DC9B46BCAEDC9923 . 1033728 . . [6.00.2900.5512] . . c:\windows\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\explorer.exe
    [-] 2007-06-13 . 7EA18D33626880BD22CFEF224451871F . 1033216 . . [6.00.2900.3156] . . c:\windows\explorer.exe
    [7] 2007-06-13 . 7712DF0CDDE3A5AC89843E61CD5B3658 . 1033216 . . [6.00.2900.3156] . . c:\windows\$hf_mig$\KB938828\SP2QFE\explorer.exe
    [7] 2004-12-02 . A0732187050030AE399B241436565E64 . 1032192 . . [6.00.2900.2180] . . c:\windows\$NtUninstallKB938828$\explorer.exe
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "DAEMON Tools Pro Agent"="c:\program files\DAEMON Tools Pro\DTProAgent.exe" [2007-06-22 133576]
    "msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
    "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-12-02 15360]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ehTray"="c:\windows\ehome\ehtray.exe" [2004-08-10 59392]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-31 7634944]
    "nwiz"="nwiz.exe" [2006-10-31 1622016]
    "RTHDCPL"="RTHDCPL.EXE" [2006-07-21 16261632]
    "GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
    "AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
    "Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2008-06-12 37232]
    "Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2008-06-12 640376]
    "RoxWatchTray"="c:\program files\Common Files\Roxio Shared\SharedCOM8\RoxWatchTray.exe" [2006-01-20 163840]
    "DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2006-01-03 122940]
    "Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2009-06-17 55824]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-03-21 155648]
    "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-04-19 198160]
    "ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
    "ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
    "ConnectionManager"="c:\program files\Winsim\ConnectionManager\Simply.SystemTrayIcon.exe" [2009-08-23 91432]
    "Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2009-06-17 55824]
    "avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-03-02 282792]

    c:\documents and settings\Eduardo\Start Menu\Programs\Startup\
    Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]
    WinMySQLadmin.lnk - c:\xampp\mysql\bin\winmysqladmin.exe [2007-12-20 936448]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2009-6-2 813584]
    Outlook Plugin.lnk - c:\program files\PayPal Payment Request Wizard\Outlook Wizard\OEHook.exe [2010-5-17 888987]
    Palo Alto Software Update Manager 9.0.lnk - c:\program files\Common Files\Palo Alto Software\9.0\PAS9_Update.exe [2006-9-5 122880]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
    2009-07-20 16:28 72208 ----a-w- c:\program files\Common Files\Logitech\Bluetooth\LBTWLgn.dll

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
    @=""

    [HKLM\~\startupfolder\C:^Documents and Settings^Eduardo^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
    path=c:\documents and settings\Eduardo\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
    backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Pro Agent]
    2007-06-22 12:45 133576 ----a-w- c:\program files\DAEMON Tools Pro\DTProAgent.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    2009-03-21 17:36 155648 ----a-w- c:\program files\QuickTime\qttask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
    2009-04-19 21:37 198160 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
    "c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
    "c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
    "c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
    "c:\\Program Files\\BitLord\\BitLord.exe"=
    "c:\\xampp\\apache\\bin\\apache.exe"=
    "c:\\Program Files\\Electric Rain\\Swift 3D\\Version 5.00\\Program\\Swift3D.exe"=
    "c:\\xampp\\mysql\\bin\\mysqld.exe"=
    "c:\\Program Files\\IBP 10\\IBP.exe"=
    "c:\\Program Files\\Adobe\\Adobe Illustrator CS4\\Support Files\\Contents\\Windows\\Illustrator.exe"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    "c:\\Program Files\\Adobe\\Adobe Flash CS4\\Flash.exe"=
    "c:\\Program Files\\Smith Micro\\Poser 8\\Poser.exe"=
    "c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\winsim\\ConnectionManager\\MySqlBinary\\5.0.38\\mysql\\mysqld-nt.exe"=
    "c:\\Program Files\\winsim\\ConnectionManager\\SimplyConnectionManager.exe"=
    "c:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpCtr.exe"=
    "c:\\Program Files\\GlobalSCAPE\\CuteFTP 8 Professional\\ftpte.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "5353:TCP"= 5353:TCP:Adobe CSI CS4

    R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2009 11:43 AM 8944]
    R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2/17/2009 11:43 AM 55024]
    R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [8/15/2010 10:33 AM 135336]
    R2 Apache2.2;Apache2.2;c:\xampp\apache\bin\apache.exe [12/9/2008 7:10 PM 24636]
    R2 OKI OPHG DCS Loader;OKI OPHG DCS Loader;c:\windows\system32\spool\drivers\w32x86\3\OPHGLDCS.EXE [5/29/2009 10:30 PM 24576]
    R2 Simply Accounting Database Connection Manager;Simply Accounting Database Connection Manager;c:\program files\winsim\ConnectionManager\SimplyConnectionManager.exe [8/23/2009 1:00 AM 29992]
    S3 block_reader;MPR DRV;c:\documents and settings\Eduardo\Desktop\PORTABLESOFTWARE\MPR_1.1.9\Multi_Password_Recovery_1.1.9_Portable\Multi Password Recovery 1.1.9 Portable\block_reader.sys [1/10/2010 11:00 PM 1920]
    S3 PD1030VID;Creative WebCam Pro;c:\windows\system32\drivers\p1030vid.sys [10/3/2009 11:31 AM 167673]
    S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2/17/2009 11:43 AM 7408]
    S3 Simply Accounting Transaction Manager 2010 - CDN;Simply Accounting Transaction Manager 2010 - CDN;c:\program files\winsim\TransactionManager2010 - CDN\Sage_SA.TransactionManager.exe [12/10/2009 4:00 AM 42280]
    S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [3/8/2009 12:26 PM 685816]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://google.com/
    uInternet Settings,ProxyOverride = *.local
    IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
    IE: Sothink SWF Catcher - c:\program files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
    FF - ProfilePath - c:\documents and settings\Eduardo\Application Data\Mozilla\Firefox\Profiles\b7rhrs75.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://search.live.com/results.aspx?FORM=IEFM1&q=
    FF - prefs.js: browser.search.selectedEngine - Live Search
    FF - prefs.js: browser.startup.homepage - hxxp://google.com/
    FF - prefs.js: keyword.URL - hxxp://search.live.com/results.aspx?FORM=IEFM1&q=
    FF - component: c:\documents and settings\Eduardo\Application Data\Mozilla\Firefox\Profiles\b7rhrs75.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\WINNT_x86-msvc\components\ipc.dll
    FF - component: c:\program files\Real\RealPlayer\browserrecord\components\nprpbrowserrecordplugin.dll
    FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npdjvu.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-08-16 00:27
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...


    c:\docume~1\Eduardo\LOCALS~1\Temp\Acrobat Distiller 9\00000BF0
    c:\docume~1\Eduardo\LOCALS~1\Temp\Acrobat Distiller 9\00000BF0\dirlock.tmp 0 bytes
    c:\docume~1\Eduardo\LOCALS~1\Temp\Acrobat Distiller 9\00000BF0\Temp.msg

    scan completed successfully
    hidden files: 3

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_LOCAL_MACHINE\software\Sagekey Software\ *{9756-3768}]
    "D-Code"="0000000000"
    "U-Code"="Demo"
    "S-Code"="0000000000"
    "C-Code"="4353753922274815"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(748)
    c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
    c:\program files\common files\logitech\bluetooth\LBTServ.dll
    c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll

    - - - - - - - > 'explorer.exe'(4044)
    c:\windows\system32\WININET.dll
    c:\windows\system32\nview.dll
    c:\program files\Logitech\SetPoint\lgscroll.dll
    c:\windows\system32\nvwddi.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\mshtml.dll
    c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Avira\AntiVir Desktop\avguard.exe
    c:\windows\eHome\ehRecvr.exe
    c:\program files\Avira\AntiVir Desktop\avshadow.exe
    c:\windows\eHome\ehSched.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
    c:\xampp\mysql\bin\mysqld.exe
    c:\windows\system32\nvsvc32.exe
    c:\windows\System32\spool\DRIVERS\W32X86\3\SP-300MC.EXE
    c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
    c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
    c:\windows\system32\dllhost.exe
    c:\windows\system32\rundll32.exe
    c:\windows\eHome\ehmsas.exe
    c:\windows\RTHDCPL.EXE
    c:\program files\Common Files\Roxio Shared\SharedCOM8\RoxWatch.exe
    c:\program files\Common Files\Roxio Shared\SharedCOM8\CPSHelpRunner.exe
    c:\program files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
    .
    **************************************************************************
    .
    Completion time: 2010-08-16 00:39:04 - machine was rebooted
    ComboFix-quarantined-files.txt 2010-08-16 04:38
    ComboFix2.txt 2010-08-15 13:57
    ComboFix3.txt 2010-08-15 06:02

    Pre-Run: 47,856,824,320 bytes free
    Post-Run: 47,849,684,992 bytes free

    - - End Of File - - CD1B6A9693DC9E94D2134C80B8E2C233
     
  12. Broni

    Broni Malware Annihilator Posts: 46,164   +251

    What is drive K?

    I see, you ran Combofix TWICE already.
    You shouldn't be doing it on your own. It's a very powerful tool.

    Please, go to C:\Qoobox and attach ComboFix2.txt and ComboFix3.txt files to your next reply
  13. heavystrato

    heavystrato Newcomer, in training Topic Starter Posts: 56

    Broni,
    Yeah, I tried running it before, trying to solve this problem on my own, and then I realized I should just ask for some help. Drive K is an external drive I have attached to my computer via USB. I have attached the logs.


  14. Broni

    Broni Malware Annihilator Posts: 46,164   +251

    Just never run Combofix on your own.

    Run MBRCheck again.

    When it's done you'll see the following line:
    Enter 'Y' and hit ENTER for more options, or 'N' to exit:
    Press the Y key and then press Enter.

    When the program asks you to Enter your choice, enter 2 and press the Enter key.

    Next the program will ask you to Enter the physical disk number to fix (0-99, -1 to cancel):
    Enter 5 and press the Enter key.

    Next the program will show Available MBR codes:, followed by a list of operating systems.
    Please enter 1 for Windows XP, and then press Enter.

    Next the program will prompt for confirmation.
    Type YES and hit Enter.

    When it's done there should be a text file with the results on your desktop.
    Please copy and paste it back here.

    Then reboot, run MBRCheck again and post new log.
  15. heavystrato

    heavystrato Newcomer, in training Topic Starter Posts: 56

    Broni,
    here is the log
    MBRCheck, version 1.2.3
    (c) 2010, AD

    Command-line:
    Windows Version: Windows XP Professional
    Windows Information: Service Pack 2 (build 2600)
    Logical Drives Mask: 0x000004fc

    Kernel Drivers (total 144):
    0x804D7000 \WINDOWS\system32\ntkrnlpa.exe
    0x806E2000 \WINDOWS\system32\hal.dll
    0xBA5A8000 \WINDOWS\system32\KDCOM.DLL
    0xBA4B8000 \WINDOWS\system32\BOOTVID.dll
    0xB9F79000 ACPI.sys
    0xBA5AA000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
    0xB9F68000 pci.sys
    0xBA0A8000 ohci1394.sys
    0xBA0B8000 \WINDOWS\system32\DRIVERS\1394BUS.SYS
    0xBA0C8000 isapnp.sys
    0xBA670000 pciide.sys
    0xBA328000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
    0xBA0D8000 MountMgr.sys
    0xB9F49000 ftdisk.sys
    0xBA5AC000 dmload.sys
    0xB9F23000 dmio.sys
    0xBA330000 PartMgr.sys
    0xBA0E8000 VolSnap.sys
    0xB9F0B000 atapi.sys
    0xBA0F8000 disk.sys
    0xBA108000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
    0xB9EEB000 fltMgr.sys
    0xB9ED9000 sr.sys
    0xB9EC3000 DRVMCDB.SYS
    0xBA118000 PxHelp20.sys
    0xB9EB2000 TPkd.sys
    0xB9E9B000 KSecDD.sys
    0xB9E0E000 Ntfs.sys
    0xB9DE1000 NDIS.sys
    0xB9DC6000 Mup.sys
    0xBA198000 \SystemRoot\system32\DRIVERS\intelppm.sys
    0xB90D9000 \SystemRoot\system32\DRIVERS\nv4_mini.sys
    0xB90C5000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
    0xB908D000 \SystemRoot\system32\DRIVERS\e1e5132.sys
    0xBA488000 \SystemRoot\system32\DRIVERS\usbuhci.sys
    0xB906A000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
    0xBA490000 \SystemRoot\system32\DRIVERS\usbehci.sys
    0xB9045000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
    0xB9000000 \SystemRoot\system32\DRIVERS\HSXHWBS2.sys
    0xB8FDD000 \SystemRoot\system32\DRIVERS\ks.sys
    0xB8EE6000 \SystemRoot\system32\DRIVERS\HSX_DP.sys
    0xB8E30000 \SystemRoot\system32\DRIVERS\HSX_CNXT.sys
    0xBA498000 \SystemRoot\System32\Drivers\Modem.SYS
    0xBA1A8000 \SystemRoot\system32\DRIVERS\nic1394.sys
    0xBA1B8000 \SystemRoot\system32\DRIVERS\imapi.sys
    0xBA5E8000 \SystemRoot\System32\Drivers\DLACDBHM.SYS
    0xBA1C8000 \SystemRoot\system32\DRIVERS\cdrom.sys
    0xBA1D8000 \SystemRoot\system32\DRIVERS\redbook.sys
    0xBA759000 \SystemRoot\system32\DRIVERS\audstub.sys
    0xBA1E8000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
    0xB9D96000 \SystemRoot\system32\DRIVERS\ndistapi.sys
    0xB8E19000 \SystemRoot\system32\DRIVERS\ndiswan.sys
    0xBA1F8000 \SystemRoot\system32\DRIVERS\raspppoe.sys
    0xBA208000 \SystemRoot\system32\DRIVERS\raspptp.sys
    0xBA4A0000 \SystemRoot\system32\DRIVERS\TDI.SYS
    0xB8E08000 \SystemRoot\system32\DRIVERS\psched.sys
    0xBA218000 \SystemRoot\system32\DRIVERS\msgpc.sys
    0xBA4B0000 \SystemRoot\system32\DRIVERS\ptilink.sys
    0xBA340000 \SystemRoot\system32\DRIVERS\raspti.sys
    0xB8DD7000 \SystemRoot\system32\DRIVERS\rdpdr.sys
    0xBA228000 \SystemRoot\system32\DRIVERS\termdd.sys
    0xBA370000 \SystemRoot\system32\DRIVERS\kbdclass.sys
    0xBA378000 \SystemRoot\system32\DRIVERS\mouclass.sys
    0xBA5EA000 \SystemRoot\system32\DRIVERS\swenum.sys
    0xB8D56000 \SystemRoot\system32\DRIVERS\update.sys
    0xBA544000 \SystemRoot\system32\DRIVERS\mssmbios.sys
    0xBA248000 \SystemRoot\System32\Drivers\NDProxy.SYS
    0xBA258000 \SystemRoot\system32\DRIVERS\usbhub.sys
    0xBA5EC000 \SystemRoot\system32\DRIVERS\USBD.SYS
    0xB6320000 \SystemRoot\system32\drivers\RtkHDAud.sys
    0xB62FE000 \SystemRoot\system32\drivers\portcls.sys
    0xBA268000 \SystemRoot\system32\drivers\drmk.sys
    0xBA5F0000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
    0xBA7DA000 \SystemRoot\System32\Drivers\Null.SYS
    0xBA5F2000 \SystemRoot\System32\Drivers\Beep.SYS
    0xBA3A0000 \SystemRoot\System32\Drivers\DLARTL_N.SYS
    0xBA3A8000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
    0xBA3B0000 \SystemRoot\System32\drivers\vga.sys
    0xBA5F4000 \SystemRoot\System32\Drivers\mnmdd.SYS
    0xBA5F6000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
    0xBA3B8000 \SystemRoot\System32\Drivers\Msfs.SYS
    0xBA3C0000 \SystemRoot\System32\Drivers\Npfs.SYS
    0xB8DD3000 \SystemRoot\system32\DRIVERS\rasacd.sys
    0xB62A3000 \SystemRoot\system32\DRIVERS\ipsec.sys
    0xB624B000 \SystemRoot\system32\DRIVERS\tcpip.sys
    0xB6202000 \SystemRoot\system32\DRIVERS\ipnat.sys
    0xB61DA000 \SystemRoot\system32\DRIVERS\netbt.sys
    0xBA288000 \SystemRoot\system32\DRIVERS\wanarp.sys
    0xB61B8000 \SystemRoot\System32\drivers\afd.sys
    0xBA298000 \SystemRoot\system32\DRIVERS\arp1394.sys
    0xBA2A8000 \SystemRoot\system32\DRIVERS\netbios.sys
    0xBA3C8000 \SystemRoot\system32\DRIVERS\ssmdrv.sys
    0xB6197000 \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys
    0xBA3D0000 \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
    0xB616C000 \SystemRoot\system32\DRIVERS\rdbss.sys
    0xB60FD000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
    0xBA2B8000 \SystemRoot\System32\Drivers\Fips.SYS
    0xB60DB000 \SystemRoot\system32\DRIVERS\avipbb.sys
    0xBA5FA000 \??\C:\Program Files\Avira\AntiVir Desktop\avgio.sys
    0xBA2D8000 \SystemRoot\System32\Drivers\Cdfs.SYS
    0xBA3E0000 \SystemRoot\system32\DRIVERS\usbprint.sys
    0xBA3E8000 \SystemRoot\system32\DRIVERS\USBSTOR.SYS
    0xBA3F0000 \SystemRoot\system32\DRIVERS\usbccgp.sys
    0xB677E000 \SystemRoot\system32\DRIVERS\hidusb.sys
    0xBA2E8000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
    0xBA3F8000 \SystemRoot\system32\DRIVERS\LHidFilt.Sys
    0xBA2F8000 \SystemRoot\system32\DRIVERS\WDFLDR.SYS
    0xB5FC0000 \SystemRoot\system32\DRIVERS\Wdf01000.sys
    0xB677A000 \SystemRoot\system32\DRIVERS\kbdhid.sys
    0xB6776000 \SystemRoot\system32\DRIVERS\mouhid.sys
    0xBA400000 \SystemRoot\system32\DRIVERS\LMouFilt.Sys
    0xB5F80000 \SystemRoot\System32\Drivers\dump_atapi.sys
    0xBA61C000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
    0xBF800000 \SystemRoot\System32\win32k.sys
    0xB62EA000 \SystemRoot\System32\drivers\Dxapi.sys
    0xBA428000 \SystemRoot\System32\watchdog.sys
    0xBF000000 \SystemRoot\System32\drivers\dxg.sys
    0xBA750000 \SystemRoot\System32\drivers\dxgthk.sys
    0xBF012000 \SystemRoot\System32\nv4_disp.dll
    0xBFFA0000 \SystemRoot\System32\ATMFD.DLL
    0xB514A000 \SystemRoot\system32\DRIVERS\avgntflt.sys
    0xBA178000 \SystemRoot\System32\Drivers\DRVNDDM.SYS
    0xBA6DD000 \SystemRoot\System32\DLA\DLADResN.SYS
    0xB510C000 \SystemRoot\System32\DLA\DLAIFS_M.SYS
    0xB5263000 \SystemRoot\System32\DLA\DLAOPIOM.SYS
    0xBA62C000 \SystemRoot\System32\DLA\DLAPoolM.SYS
    0xBA430000 \SystemRoot\System32\DLA\DLABOIOM.SYS
    0xB50A4000 \SystemRoot\System32\DLA\DLAUDFAM.SYS
    0xB508E000 \SystemRoot\System32\DLA\DLAUDF_M.SYS
    0xB5082000 \SystemRoot\system32\DRIVERS\ndisuio.sys
    0xB4632000 \SystemRoot\system32\DRIVERS\mrxdav.sys
    0xB45F9000 \SystemRoot\System32\Drivers\adfs.SYS
    0xB4463000 \??\C:\WINDOWS\system32\drivers\hardlock.sys
    0xB4440000 \SystemRoot\System32\Drivers\Fastfat.SYS
    0xB4616000 \SystemRoot\system32\DRIVERS\mdmxsdk.sys
    0xB43E9000 \SystemRoot\system32\DRIVERS\srv.sys
    0xB3094000 \SystemRoot\system32\drivers\wdmaud.sys
    0xBA168000 \SystemRoot\system32\drivers\sysaudio.sys
    0xBA408000 \??\C:\DOCUME~1\Eduardo\LOCALS~1\Temp\mbr.sys
    0xB2C51000 \SystemRoot\System32\Drivers\HTTP.sys
    0xBA438000 \??\C:\ComboFix\catchme.sys
    0xBA666000 \??\C:\WINDOWS\system32\Drivers\PROCEXP113.SYS
    0xAEC0A000 \SystemRoot\system32\drivers\kmixer.sys
    0x7C900000 \WINDOWS\system32\ntdll.dll

    Processes (total 58):
    0 System Idle Process
    4 System
    660 C:\WINDOWS\system32\smss.exe
    724 csrss.exe
    748 C:\WINDOWS\system32\winlogon.exe
    796 C:\WINDOWS\system32\services.exe
    808 C:\WINDOWS\system32\lsass.exe
    1032 C:\WINDOWS\system32\svchost.exe
    1136 svchost.exe
    1232 C:\WINDOWS\system32\svchost.exe
    1320 svchost.exe
    1488 svchost.exe
    1616 C:\WINDOWS\system32\spoolsv.exe
    1656 C:\Program Files\Avira\AntiVir Desktop\sched.exe
    1728 svchost.exe
    1816 C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    1832 C:\xampp\apache\bin\apache.exe
    1864 C:\WINDOWS\ehome\ehRecvr.exe
    1904 C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
    1920 C:\WINDOWS\ehome\ehSched.exe
    1968 C:\Program Files\Java\jre6\bin\jqs.exe
    2024 sqlservr.exe
    120 C:\xampp\mysql\bin\mysqld.exe
    156 C:\WINDOWS\system32\nvsvc32.exe
    200 C:\WINDOWS\system32\spool\drivers\w32x86\3\OPHGLDCS.EXE
    1288 C:\xampp\apache\bin\apache.exe
    2856 C:\Program Files\winsim\ConnectionManager\SimplyConnectionManager.exe
    2868 SP-300MC.EXE
    2980 sqlbrowser.exe
    3000 C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
    3060 C:\WINDOWS\system32\svchost.exe
    3420 C:\WINDOWS\system32\dllhost.exe
    3548 alg.exe
    3824 C:\WINDOWS\ehome\ehtray.exe
    4064 C:\WINDOWS\system32\rundll32.exe
    584 C:\WINDOWS\ehome\ehmsas.exe
    3676 C:\WINDOWS\RTHDCPL.exe
    3744 C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
    3240 C:\WINDOWS\system32\ctfmon.exe
    672 C:\Program Files\Adobe\Acrobat 9.0\Acrobat\acrotray.exe
    708 C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatchTray.exe
    700 C:\WINDOWS\system32\DLA\DLACTRLW.EXE
    3260 C:\Program Files\QuickTime\qttask.exe
    3104 C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    964 C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    3948 C:\Program Files\Common Files\Java\Java Update\jusched.exe
    3652 C:\Program Files\winsim\ConnectionManager\Simply.SystemTrayIcon.exe
    3788 C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
    3856 C:\Program Files\Windows Live\Messenger\msnmsgr.exe
    4200 C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatch.exe
    4308 C:\Program Files\Logitech\SetPoint\SetPoint.exe
    4404 C:\Program Files\PayPal Payment Request Wizard\Outlook Wizard\OEHook.exe
    4492 C:\xampp\mysql\bin\winmysqladmin.exe
    4520 C:\Program Files\Common Files\Roxio Shared\SharedCOM8\CPSHelpRunner.exe
    4744 C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.exe
    124 C:\Program Files\Mozilla Firefox\firefox.exe
    5176 C:\WINDOWS\explorer.exe
    5304 C:\Documents and Settings\Eduardo\Desktop\MBRCheck.exe

    \\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)
    \\.\K: --> \\.\PhysicalDrive5 at offset 0x00000000`00007e00 (NTFS)

    PhysicalDrive0 Model Number: ST3250824AS, Rev: 3.AHH
    PhysicalDrive5 Model Number: SeagateFreeAgent Pro, Rev: 400A

    Size     Device Name           MBR Status
    --------------------------------------------
    232 GB   \\.\PhysicalDrive0    Windows XP MBR code detected
             SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A
    465 GB   \\.\PhysicalDrive5    RE: Unknown MBR code
             SHA1: 639AC5CDF8A5CF3245975932C6A4215450A7B98F


    Found non-standard or infected MBR.
    Enter 'Y' and hit ENTER for more options, or 'N' to exit:
    Options:
    [1] Dump the MBR of a physical disk to file.
    [2] Restore the MBR of a physical disk with a standard boot code.
    [3] Exit.

    Enter your choice: Enter the physical disk number to fix (0-99, -1 to cancel): 5Available MBR codes:
    [ 0] Default (Windows XP)
    [ 1] Windows XP
    [ 2] Windows Server 2003
    [ 3] Windows Vista
    [ 4] Windows 2008
    [ 5] Windows 7
    [-1] Cancel

    Please select the MBR code to write to this drive: 1
    Do you want to fix the MBR code? Type 'YES' and hit ENTER to continue: yes
    RE: Successfully wrote new MBR code!
    Please reboot your computer to complete the fix.


    Done!
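    MBRCheck's log above hashes each drive's boot code, compares it with the codes it knows, and offers to dump the MBR to a file (option [1]). As an added example that is not part of the thread and not MBRCheck's own code, the Python script below does the same triage on a 512-byte MBR image: it verifies the 0x55AA boot signature, hashes the boot-code region against a caller-supplied allowlist, and decodes the partition table so a partition's start offset can be checked against the `at offset 0x...7e00` lines in the log. The MBR bytes, the allowlist entry and the choice of hashing the first 440 bytes are all assumptions made here; MBRCheck's exact hashed region is not stated in the thread.

```python
import hashlib
import struct

SECTOR = 512
BOOT_CODE_LEN = 440   # boot code precedes the 4-byte disk signature at 0x1B8 (hashed region is an assumption)
PART_TABLE_OFF = 446  # four 16-byte partition entries at 0x1BE
BOOT_SIG_OFF = 510    # 0x55 0xAA marks a valid MBR


def parse_mbr(mbr: bytes) -> dict:
    """Decode a 512-byte MBR image into boot-code hash, disk signature and partition entries."""
    if len(mbr) != SECTOR:
        raise ValueError(f"expected {SECTOR} bytes, got {len(mbr)}")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sector-count(4), little-endian
        status, ptype, lba_start, lba_count = struct.unpack_from("<B3xB3xII", mbr, off)
        if ptype == 0:
            continue  # unused slot
        partitions.append({
            "index": i,
            "bootable": status == 0x80,
            "type": ptype,
            "lba_start": lba_start,
            "byte_offset": lba_start * SECTOR,  # compare with MBRCheck's "at offset" line
            "lba_count": lba_count,
        })
    return {
        "boot_signature_ok": mbr[BOOT_SIG_OFF:BOOT_SIG_OFF + 2] == b"\x55\xAA",
        "boot_code_sha1": hashlib.sha1(mbr[:BOOT_CODE_LEN]).hexdigest().upper(),
        "disk_signature": struct.unpack_from("<I", mbr, BOOT_CODE_LEN)[0],
        "partitions": partitions,
    }


def classify_mbr(mbr: bytes, known_good: dict) -> tuple:
    """Return (verdict, details); verdict wording mirrors MBRCheck's log lines."""
    info = parse_mbr(mbr)
    if not info["boot_signature_ok"]:
        return "Invalid MBR: boot signature 0x55AA missing", info
    label = known_good.get(info["boot_code_sha1"])
    if label is None:
        # Boot code not in the allowlist: inspect the dump before deciding it is malicious
        return "Unknown MBR code", info
    return f"{label} MBR code detected", info


def load_mbr(path: str) -> bytes:
    """Read the first sector of a raw disk image or an MBRCheck dump file."""
    with open(path, "rb") as fh:
        return fh.read(SECTOR)


def build_sample_mbr(boot_code: bytes, lba_start: int = 63, lba_count: int = 488392002) -> bytes:
    """Assemble a constructed MBR image with one bootable NTFS partition (sample data, not a real disk)."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    disk_sig = struct.pack("<I", 0xDEADBEEF) + b"\x00\x00"  # constructed disk signature + reserved bytes
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07, b"\xFE\xFF\xFF", lba_start, lba_count)
    return code + disk_sig + entry + b"\x00" * 48 + b"\x55\xAA"


# Constructed samples: a stub standing in for clean boot code, a one-byte tamper, and a broken signature.
SAMPLE_GOOD = build_sample_mbr(b"\x33\xC0\x8E\xD0\xBC\x00\x7C\xFB")
SAMPLE_TAMPERED = bytes([SAMPLE_GOOD[0] ^ 0xFF]) + SAMPLE_GOOD[1:]
SAMPLE_BAD_SIG = SAMPLE_GOOD[:BOOT_SIG_OFF] + b"\x00\x00"

# Allowlist keyed by boot-code SHA-1; in practice populate it from a known-clean install of each OS.
KNOWN_GOOD = {hashlib.sha1(SAMPLE_GOOD[:BOOT_CODE_LEN]).hexdigest().upper(): "Windows XP"}


if __name__ == "__main__":
    for name, image in (("good", SAMPLE_GOOD), ("tampered", SAMPLE_TAMPERED), ("bad-sig", SAMPLE_BAD_SIG)):
        verdict, info = classify_mbr(image, KNOWN_GOOD)
        print(f"{name:9} {verdict}  SHA1: {info['boot_code_sha1']}")
        for p in info["partitions"]:
            print(f"          part {p['index']}: type 0x{p['type']:02X} bootable={p['bootable']} "
                  f"start LBA {p['lba_start']} (offset 0x{p['byte_offset']:08x})")
```

    Point `load_mbr()` at a dump written by MBRCheck's option [1] to run the same checks on a real sector; the 0x7e00 offset printed for the sample partition is 63 sectors of 512 bytes, the same start the log reports for C: and K:.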
  16. Broni

    Broni Malware Annihilator Posts: 46,164   +251

    It's my bed time though, so I'll check on you tomorrow after work :)
  17. heavystrato

    heavystrato Newcomer, in training Topic Starter Posts: 56

    I really appreciate you helping me, Broni.
    Also, I notice that now sometimes I'm getting a WINDOWS EXPLORER ERROR. When I click to see what this is, it gives me this:

    AppName: explorer.exe AppVer: 6.0.2900.3156 ModName: dtproapi.dll
    ModVer: 4.10.215.0 Offset: 00003698

    Any idea what this could be?
    -----------------------------------
    Here is the new MBR Log

    MBRCheck, version 1.2.3
    (c) 2010, AD

    Command-line:
    Windows Version: Windows XP Professional
    Windows Information: Service Pack 2 (build 2600)
    Logical Drives Mask: 0x000004fc

    Kernel Drivers (total 146):
    0x804D7000 \WINDOWS\system32\ntkrnlpa.exe
    0x806E2000 \WINDOWS\system32\hal.dll
    0xBA5A8000 \WINDOWS\system32\KDCOM.DLL
    0xBA4B8000 \WINDOWS\system32\BOOTVID.dll
    0xB9F79000 ACPI.sys
    0xBA5AA000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
    0xB9F68000 pci.sys
    0xBA0A8000 ohci1394.sys
    0xBA0B8000 \WINDOWS\system32\DRIVERS\1394BUS.SYS
    0xBA0C8000 isapnp.sys
    0xBA670000 pciide.sys
    0xBA328000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
    0xBA0D8000 MountMgr.sys
    0xB9F49000 ftdisk.sys
    0xBA5AC000 dmload.sys
    0xB9F23000 dmio.sys
    0xBA330000 PartMgr.sys
    0xBA0E8000 VolSnap.sys
    0xB9F0B000 atapi.sys
    0xBA0F8000 disk.sys
    0xBA108000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
    0xB9EEB000 fltMgr.sys
    0xB9ED9000 sr.sys
    0xB9EC3000 DRVMCDB.SYS
    0xBA118000 PxHelp20.sys
    0xB9EB2000 TPkd.sys
    0xB9E9B000 KSecDD.sys
    0xB9E0E000 Ntfs.sys
    0xB9DE1000 NDIS.sys
    0xB9DC6000 Mup.sys
    0xBA188000 \SystemRoot\system32\DRIVERS\intelppm.sys
    0xB918A000 \SystemRoot\system32\DRIVERS\nv4_mini.sys
    0xB9176000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
    0xB913E000 \SystemRoot\system32\DRIVERS\e1e5132.sys
    0xBA470000 \SystemRoot\system32\DRIVERS\usbuhci.sys
    0xB911B000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
    0xBA478000 \SystemRoot\system32\DRIVERS\usbehci.sys
    0xB90F6000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
    0xB90B1000 \SystemRoot\system32\DRIVERS\HSXHWBS2.sys
    0xB908E000 \SystemRoot\system32\DRIVERS\ks.sys
    0xB8F97000 \SystemRoot\system32\DRIVERS\HSX_DP.sys
    0xB8EE1000 \SystemRoot\system32\DRIVERS\HSX_CNXT.sys
    0xBA480000 \SystemRoot\System32\Drivers\Modem.SYS
    0xBA198000 \SystemRoot\system32\DRIVERS\nic1394.sys
    0xBA1A8000 \SystemRoot\system32\DRIVERS\imapi.sys
    0xBA5E4000 \SystemRoot\System32\Drivers\DLACDBHM.SYS
    0xBA1B8000 \SystemRoot\system32\DRIVERS\cdrom.sys
    0xBA1C8000 \SystemRoot\system32\DRIVERS\redbook.sys
    0xBA74C000 \SystemRoot\system32\DRIVERS\audstub.sys
    0xBA1D8000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
    0xB9D92000 \SystemRoot\system32\DRIVERS\ndistapi.sys
    0xB8ECA000 \SystemRoot\system32\DRIVERS\ndiswan.sys
    0xBA1E8000 \SystemRoot\system32\DRIVERS\raspppoe.sys
    0xBA1F8000 \SystemRoot\system32\DRIVERS\raspptp.sys
    0xBA488000 \SystemRoot\system32\DRIVERS\TDI.SYS
    0xB8EB9000 \SystemRoot\system32\DRIVERS\psched.sys
    0xBA208000 \SystemRoot\system32\DRIVERS\msgpc.sys
    0xBA498000 \SystemRoot\system32\DRIVERS\ptilink.sys
    0xBA4A0000 \SystemRoot\system32\DRIVERS\raspti.sys
    0xB8E88000 \SystemRoot\system32\DRIVERS\rdpdr.sys
    0xBA218000 \SystemRoot\system32\DRIVERS\termdd.sys
    0xBA4A8000 \SystemRoot\system32\DRIVERS\kbdclass.sys
    0xBA4B0000 \SystemRoot\system32\DRIVERS\mouclass.sys
    0xBA5E6000 \SystemRoot\system32\DRIVERS\swenum.sys
    0xB8E07000 \SystemRoot\system32\DRIVERS\update.sys
    0xBA548000 \SystemRoot\system32\DRIVERS\mssmbios.sys
    0xBA238000 \SystemRoot\System32\Drivers\NDProxy.SYS
    0xBA248000 \SystemRoot\system32\DRIVERS\usbhub.sys
    0xBA5E8000 \SystemRoot\system32\DRIVERS\USBD.SYS
    0xB63D1000 \SystemRoot\system32\drivers\RtkHDAud.sys
    0xB63AF000 \SystemRoot\system32\drivers\portcls.sys
    0xBA258000 \SystemRoot\system32\drivers\drmk.sys
    0xBA5EC000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
    0xBA7C2000 \SystemRoot\System32\Drivers\Null.SYS
    0xBA5EE000 \SystemRoot\System32\Drivers\Beep.SYS
    0xBA388000 \SystemRoot\System32\Drivers\DLARTL_N.SYS
    0xBA390000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
    0xBA398000 \SystemRoot\System32\drivers\vga.sys
    0xBA5F0000 \SystemRoot\System32\Drivers\mnmdd.SYS
    0xBA5F2000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
    0xBA3A0000 \SystemRoot\System32\Drivers\Msfs.SYS
    0xBA3A8000 \SystemRoot\System32\Drivers\Npfs.SYS
    0xB8E80000 \SystemRoot\system32\DRIVERS\rasacd.sys
    0xB6354000 \SystemRoot\system32\DRIVERS\ipsec.sys
    0xB62FC000 \SystemRoot\system32\DRIVERS\tcpip.sys
    0xB62AC000 \SystemRoot\system32\DRIVERS\netbt.sys
    0xB628B000 \SystemRoot\system32\DRIVERS\ipnat.sys
    0xBA278000 \SystemRoot\system32\DRIVERS\wanarp.sys
    0xB6269000 \SystemRoot\System32\drivers\afd.sys
    0xBA288000 \SystemRoot\system32\DRIVERS\netbios.sys
    0xBA3B0000 \SystemRoot\system32\DRIVERS\ssmdrv.sys
    0xB6248000 \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys
    0xBA298000 \SystemRoot\system32\DRIVERS\arp1394.sys
    0xBA3B8000 \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
    0xB621D000 \SystemRoot\system32\DRIVERS\rdbss.sys
    0xB61AE000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
    0xBA2A8000 \SystemRoot\System32\Drivers\Fips.SYS
    0xB618C000 \SystemRoot\system32\DRIVERS\avipbb.sys
    0xBA5F8000 \??\C:\Program Files\Avira\AntiVir Desktop\avgio.sys
    0xBA2C8000 \SystemRoot\System32\Drivers\Cdfs.SYS
    0xBA3C8000 \SystemRoot\system32\DRIVERS\usbprint.sys
    0xBA3D0000 \SystemRoot\system32\DRIVERS\USBSTOR.SYS
    0xBA3D8000 \SystemRoot\system32\DRIVERS\usbccgp.sys
    0xB683B000 \SystemRoot\system32\DRIVERS\hidusb.sys
    0xBA2E8000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
    0xBA3E0000 \SystemRoot\system32\DRIVERS\LHidFilt.Sys
    0xBA2F8000 \SystemRoot\system32\DRIVERS\WDFLDR.SYS
    0xB6071000 \SystemRoot\system32\DRIVERS\Wdf01000.sys
    0xB6837000 \SystemRoot\system32\DRIVERS\kbdhid.sys
    0xB6833000 \SystemRoot\system32\DRIVERS\mouhid.sys
    0xBA3E8000 \SystemRoot\system32\DRIVERS\LMouFilt.Sys
    0xB6031000 \SystemRoot\System32\Drivers\dump_atapi.sys
    0xBA606000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
    0xBF800000 \SystemRoot\System32\win32k.sys
    0xB681F000 \SystemRoot\System32\drivers\Dxapi.sys
    0xBA3F0000 \SystemRoot\System32\watchdog.sys
    0xBF000000 \SystemRoot\System32\drivers\dxg.sys
    0xBA72C000 \SystemRoot\System32\drivers\dxgthk.sys
    0xBF012000 \SystemRoot\System32\nv4_disp.dll
    0xB51FB000 \SystemRoot\system32\DRIVERS\avgntflt.sys
    0xBA178000 \SystemRoot\System32\Drivers\DRVNDDM.SYS
    0xBA78F000 \SystemRoot\System32\DLA\DLADResN.SYS
    0xB51BD000 \SystemRoot\System32\DLA\DLAIFS_M.SYS
    0xB531C000 \SystemRoot\System32\DLA\DLAOPIOM.SYS
    0xBA614000 \SystemRoot\System32\DLA\DLAPoolM.SYS
    0xBA3F8000 \SystemRoot\System32\DLA\DLABOIOM.SYS
    0xBFFA0000 \SystemRoot\System32\ATMFD.DLL
    0xB5155000 \SystemRoot\System32\DLA\DLAUDFAM.SYS
    0xB513F000 \SystemRoot\System32\DLA\DLAUDF_M.SYS
    0xB51F3000 \SystemRoot\system32\DRIVERS\ndisuio.sys
    0xB46E3000 \SystemRoot\system32\DRIVERS\mrxdav.sys
    0xB46AA000 \SystemRoot\System32\Drivers\adfs.SYS
    0xB453C000 \??\C:\WINDOWS\system32\drivers\hardlock.sys
    0xB4519000 \SystemRoot\System32\Drivers\Fastfat.SYS
    0xB46BF000 \SystemRoot\system32\DRIVERS\mdmxsdk.sys
    0xB449A000 \SystemRoot\system32\DRIVERS\srv.sys
    0xB320D000 \SystemRoot\system32\drivers\wdmaud.sys
    0xB3AC2000 \SystemRoot\system32\drivers\sysaudio.sys
    0xBA62A000 \SystemRoot\system32\drivers\splitter.sys
    0xB31EA000 \SystemRoot\system32\drivers\aec.sys
    0xB3D1A000 \SystemRoot\system32\drivers\swmidi.sys
    0xB3BCA000 \SystemRoot\system32\drivers\DMusic.sys
    0xB31BF000 \SystemRoot\system32\drivers\kmixer.sys
    0xBA785000 \SystemRoot\system32\drivers\drmkaud.sys
    0xB2D30000 \SystemRoot\System32\Drivers\HTTP.sys
    0x7C900000 \WINDOWS\system32\ntdll.dll

    Processes (total 59):
    0 System Idle Process
    4 System
    660 C:\WINDOWS\system32\smss.exe
    724 csrss.exe
    748 C:\WINDOWS\system32\winlogon.exe
    796 C:\WINDOWS\system32\services.exe
    808 C:\WINDOWS\system32\lsass.exe
    1020 C:\WINDOWS\system32\svchost.exe
    1140 svchost.exe
    1236 C:\WINDOWS\system32\svchost.exe
    1400 svchost.exe
    1480 svchost.exe
    1612 C:\WINDOWS\system32\spoolsv.exe
    1660 C:\Program Files\Avira\AntiVir Desktop\sched.exe
    1728 svchost.exe
    1812 C:\Program Files\Avira\AntiVir Desktop\avguard.exe
    1828 C:\xampp\apache\bin\apache.exe
    1860 C:\WINDOWS\ehome\ehRecvr.exe
    1904 C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
    1928 C:\WINDOWS\ehome\ehSched.exe
    1960 C:\Program Files\Java\jre6\bin\jqs.exe
    160 sqlservr.exe
    208 C:\xampp\mysql\bin\mysqld.exe
    256 C:\WINDOWS\system32\nvsvc32.exe
    596 C:\xampp\apache\bin\apache.exe
    2588 C:\WINDOWS\system32\spool\drivers\w32x86\3\OPHGLDCS.EXE
    2604 SP-300MC.EXE
    2932 C:\Program Files\winsim\ConnectionManager\SimplyConnectionManager.exe
    3020 sqlbrowser.exe
    3048 C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
    3088 C:\WINDOWS\system32\svchost.exe
    3384 C:\WINDOWS\system32\dllhost.exe
    3548 alg.exe
    3268 C:\WINDOWS\ehome\ehtray.exe
    184 C:\WINDOWS\ehome\ehmsas.exe
    3824 C:\WINDOWS\system32\rundll32.exe
    3792 C:\WINDOWS\RTHDCPL.exe
    1168 C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
    3764 C:\Program Files\Adobe\Acrobat 9.0\Acrobat\acrobat_sl.exe
    4088 C:\Program Files\Adobe\Acrobat 9.0\Acrobat\acrotray.exe
    284 C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatchTray.exe
    544 C:\WINDOWS\system32\DLA\DLACTRLW.EXE
    2668 C:\Program Files\QuickTime\qttask.exe
    2788 C:\WINDOWS\system32\ctfmon.exe
    3192 C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    3640 C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    152 C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatch.exe
    3888 C:\Program Files\Common Files\Java\Java Update\jusched.exe
    3416 C:\Program Files\winsim\ConnectionManager\Simply.SystemTrayIcon.exe
    4144 C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
    4216 C:\Program Files\Windows Live\Messenger\msnmsgr.exe
    4292 C:\Program Files\Common Files\Roxio Shared\SharedCOM8\CPSHelpRunner.exe
    4344 C:\Program Files\Logitech\SetPoint\SetPoint.exe
    4364 C:\Program Files\PayPal Payment Request Wizard\Outlook Wizard\OEHook.exe
    4444 C:\xampp\mysql\bin\winmysqladmin.exe
    4528 C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.exe
    4932 C:\WINDOWS\system32\notepad.exe
    5200 C:\WINDOWS\explorer.exe
    5400 C:\Documents and Settings\Eduardo\Desktop\MBRCheck.exe

    \\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`00007e00 (NTFS)
    \\.\K: --> \\.\PhysicalDrive5 at offset 0x00000000`00007e00 (NTFS)

    PhysicalDrive0 Model Number: ST3250824AS, Rev: 3.AHH
    PhysicalDrive5 Model Number: SeagateFreeAgent Pro, Rev: 400A

    Size     Device Name           MBR Status
    --------------------------------------------
    232 GB   \\.\PhysicalDrive0    Windows XP MBR code detected
             SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A
    465 GB   \\.\PhysicalDrive5    RE: Unknown MBR code
             SHA1: 639AC5CDF8A5CF3245975932C6A4215450A7B98F


    Found non-standard or infected MBR.
    Enter 'Y' and hit ENTER for more options, or 'N' to exit:

    Done!
  18. Broni

    Broni Malware Annihilator Posts: 46,164   +251

    dtproapi.dll is a process belonging to DAEMON Tools Pro.
    You may need to uninstall/reinstall.

    Open Windows Explorer. Go to Tools > Folder Options > View tab and put a checkmark next to Show hidden files and folders.
    Upload the following files to http://www.virustotal.com/ for a security check:
    - c:\windows\explorer.exe
    - c:\windows\system32\winlogon.exe
    If the file is listed as already analyzed, click on Reanalyse file now button.
    Post scan results.
     
  19. heavystrato

    heavystrato Newcomer, in training Topic Starter Posts: 56

    Hi Broni, Thanks again for your help!
    here is the scan of the explorer.exe file


    Antivirus Version Last update Result
    AhnLab-V3 2010.08.17.00 2010.08.16 -
    AntiVir 8.2.4.34 2010.08.16 -
    Antiy-AVL 2.0.3.7 2010.08.16 -
    Authentium 5.2.0.5 2010.08.17 -
    Avast 4.8.1351.0 2010.08.16 -
    Avast5 5.0.332.0 2010.08.16 -
    AVG 9.0.0.851 2010.08.16 -
    BitDefender 7.2 2010.08.17 Gen:Trojan.Heur.TP.@q0@bq1fXSb
    CAT-QuickHeal 11.00 2010.08.16 -
    ClamAV 0.96.0.3-git 2010.08.17 -
    Comodo 5765 2010.08.17 -
    DrWeb 5.0.2.03300 2010.08.17 -
    Emsisoft 5.0.0.37 2010.08.16 -
    eSafe 7.0.17.0 2010.08.16 -
    eTrust-Vet 36.1.7794 2010.08.16 Win32/Patcher.F
    F-Prot 4.6.1.107 2010.08.17 -
    F-Secure 9.0.15370.0 2010.08.17 Gen:Trojan.Heur.TP.@q0@bq1fXSb
    Fortinet 4.1.143.0 2010.08.16 -
    GData 21 2010.08.17 Gen:Trojan.Heur.TP.@q0@bq1fXSb
    Ikarus T3.1.1.88.0 2010.08.16 -
    Jiangmin 13.0.900 2010.08.16 -
    Kaspersky 7.0.0.125 2010.08.16 -
    McAfee 5.400.0.1158 2010.08.17 -
    McAfee-GW-Edition 2010.1 2010.08.16 -
    NOD32 5371 2010.08.16 -
    Norman 6.05.11 2010.08.16 -
    nProtect 2010-08-16.02 2010.08.16 -
    Panda 10.0.2.7 2010.08.16 -
    PCTools 7.0.3.5 2010.08.17 -
    Prevx 3.0 2010.08.17 -
    Rising 22.61.00.04 2010.08.16 -
    Sophos 4.56.0 2010.08.17 Troj/Patched-O
    Sunbelt 6743 2010.08.17 -
    SUPERAntiSpyware 4.40.0.1006 2010.08.17 -
    Symantec 20101.1.1.7 2010.08.17 Suspicious.Mystic
    TheHacker 6.5.2.1.349 2010.08.16 -
    TrendMicro 9.120.0.1004 2010.08.16 -
    TrendMicro-HouseCall 9.120.0.1004 2010.08.17 -
    VBA32 3.12.14.0 2010.08.13 -
    ViRobot 2010.8.16.3990 2010.08.16 Win32.Patched.AF
    VirusBuster 5.0.27.0 2010.08.16 -

    MD5: 7ea18d33626880bd22cfef224451871f
    SHA1: 6e2998d9ca91843e4b008c1cf628c3e94ebf705c
    SHA256: 136dcd676b33b51baba4ecc80cef25284931d56758c33d7676b6243b2181e900
    File size: 1033216 bytes
    Scan date: 2010-08-17 00:11:01 (UTC)


    and this is the scan for winlogon.exe



    Antivirus Version Last update Result
    AhnLab-V3 2010.08.17.00 2010.08.16 -
    AntiVir 8.2.4.34 2010.08.16 -
    Antiy-AVL 2.0.3.7 2010.08.16 -
    Authentium 5.2.0.5 2010.08.17 -
    Avast 4.8.1351.0 2010.08.16 -
    Avast5 5.0.332.0 2010.08.16 -
    AVG 9.0.0.851 2010.08.16 -
    BitDefender 7.2 2010.08.17 Gen:Trojan.Heur.TP.Em0@bmZ1Zpb
    CAT-QuickHeal 11.00 2010.08.16 -
    ClamAV 0.96.0.3-git 2010.08.17 -
    Comodo 5765 2010.08.17 -
    DrWeb 5.0.2.03300 2010.08.17 -
    Emsisoft 5.0.0.37 2010.08.16 -
    eSafe 7.0.17.0 2010.08.16 -
    eTrust-Vet 36.1.7794 2010.08.16 Win32/Patcher.F
    F-Prot 4.6.1.107 2010.08.17 -
    F-Secure 9.0.15370.0 2010.08.17 Gen:Trojan.Heur.TP.Em0@bmZ1Zpb
    Fortinet 4.1.143.0 2010.08.16 -
    GData 21 2010.08.17 Gen:Trojan.Heur.TP.Em0@bmZ1Zpb
    Ikarus T3.1.1.88.0 2010.08.16 -
    Jiangmin 13.0.900 2010.08.16 TrojanDownloader.Small.aswj
    Kaspersky 7.0.0.125 2010.08.16 -
    McAfee 5.400.0.1158 2010.08.17 -
    McAfee-GW-Edition 2010.1 2010.08.16 -
    Microsoft 1.6004 2010.08.16 Virus:Win32/Bamital.C
    NOD32 5371 2010.08.16 -
    Norman 6.05.11 2010.08.16 -
    nProtect 2010-08-16.02 2010.08.16 Trojan-Downloader/W32.Small.502272.B
    Panda 10.0.2.7 2010.08.16 -
    PCTools 7.0.3.5 2010.08.17 -
    Prevx 3.0 2010.08.17 -
    Rising 22.61.00.04 2010.08.16 -
    Sophos 4.56.0 2010.08.17 Troj/Patched-O
    Sunbelt 6743 2010.08.17 -
    SUPERAntiSpyware 4.40.0.1006 2010.08.17 -
    Symantec 20101.1.1.7 2010.08.17 -
    TheHacker 6.5.2.1.349 2010.08.16 Trojan/Downloader.Small.atqr
    TrendMicro 9.120.0.1004 2010.08.16 -
    TrendMicro-HouseCall 9.120.0.1004 2010.08.17 -
    VBA32 3.12.14.0 2010.08.13 -
    ViRobot 2010.8.16.3990 2010.08.16 Win32.Patched.AF
    VirusBuster 5.0.27.0 2010.08.16 -

    MD5: 91fda1b9369fca7100532dbf82e138b4
    SHA1: 136228c05ac0a75087f26200c6eeb128d6589631
    SHA256: 31031226e3c0acc8b6d5b303a600867b46b0232ce3c7177aec51f6cd7a88be33
    File size: 502272 bytes
    Scan date: 2010-08-17 00:21:28 (UTC)

    Also, I wanted to note that my antivirus, Avira, has given me 2 warnings today of a trojan. Twice I have hit delete. I'm not sure if it will keep popping up.
  20. Broni

    Broni Malware Annihilator Posts: 46,164   +251

    Well, no wonder.
    As you can see from the scan, you have two crucial Windows files, winlogon.exe and explorer.exe, infected.

    ======================================================================

    Please download SystemLook from one of the links below and save it to your Desktop.
    Download Mirror #1
    Download Mirror #2

    • Double-click SystemLook.exe to run it.
    • Vista users: Right click on SystemLook.exe, click Run As Administrator
    • Copy the content of the following box into the main textfield:
      Code:
      :filefind
      winlogon.exe
      explorer.exe
      
    • Click the Look button to start the scan.
    • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
    Note: The log can also be found on your Desktop entitled SystemLook.txt

    =======================================================================

    1. Please open Notepad
    • Click Start , then Run
    • Type notepad.exe in the Run box.

    2. Now copy/paste the entire content of the codebox below into the Notepad window:

    Code:
    Folder::
    c:\docume~1\Eduardo\LOCALS~1\Temp\Acrobat Distiller 9\00000BF0
    

    3. Save the above as CFScript.txt

    4. Close/disable all anti virus and anti malware programs again, so they do not interfere with the running of ComboFix.

    5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.



    6. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
    • Combofix.txt
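The SystemLook step above locates every copy of winlogon.exe and explorer.exe on the box and prints each one's size, timestamps and MD5, so that the live copy in system32 can be compared with the backups Windows keeps under $hf_mig$, $NtUninstall…$ and SoftwareDistribution. As an added example, not part of this thread and not SystemLook's or ComboFix's own code, the script below does the same search and comparison in Python: it walks the given roots for the wanted file names, streams MD5/SHA1/SHA256 of each hit, and judges the live file against the reference copies by hash rather than by size or timestamp. The directory tree and file contents it runs on are constructed inline as stand-ins for real PE files; the function and variable names are this example's own.

```python
import hashlib
import os
import tempfile
from pathlib import Path

CHUNK = 64 * 1024


def file_hashes(path):
    """MD5, SHA1, SHA256 and size of a file, streamed so a 1 MB explorer.exe
    or a multi-GB file is never loaded whole."""
    md5, sha1, sha256 = hashlib.md5(), hashlib.sha1(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            md5.update(chunk)
            sha1.update(chunk)
            sha256.update(chunk)
    return {"md5": md5.hexdigest().upper(), "sha1": sha1.hexdigest().upper(),
            "sha256": sha256.hexdigest().upper(), "size": os.path.getsize(path)}


def filefind(roots, names):
    """Every file below the given roots whose base name matches (case-insensitive,
    as on NTFS), in the spirit of SystemLook's :filefind directive."""
    wanted = {n.lower() for n in names}
    hits = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            hits.extend(Path(dirpath) / f for f in files if f.lower() in wanted)
    return hits


def compare_to_references(live, refs):
    """Compare the live system file with the backup copies found on the box.
    verdict: MATCHES_REFERENCE, MISMATCH or NO_REFERENCE. same_size_refs lists
    references whose size equals the live file's, to show that size alone
    (or the preserved timestamp) says nothing about integrity."""
    live_h = file_hashes(live)
    ref_h = {str(r): file_hashes(r) for r in refs}
    matches = [r for r, h in ref_h.items() if h["sha256"] == live_h["sha256"]]
    same_size = [r for r, h in ref_h.items() if h["size"] == live_h["size"]]
    if not ref_h:
        verdict = "NO_REFERENCE"
    elif matches:
        verdict = "MATCHES_REFERENCE"
    else:
        verdict = "MISMATCH"
    return {"live": live_h, "matches": matches,
            "same_size_refs": same_size, "verdict": verdict}


# Constructed stand-ins for PE files (not real Windows binaries).
SAMPLE_GOOD = b"MZ" + b"\x00" * 120 + b"clean system file body"
SAMPLE_PATCHED = SAMPLE_GOOD[:-4] + b"evil"   # same length, four bytes changed in place


def demo():
    """Build a throwaway tree shaped like a Windows folder and run the check on it."""
    results = {}
    with tempfile.TemporaryDirectory() as td:
        root = Path(td)
        live_dir, backup_dir = root / "system32", root / "backup"
        live_dir.mkdir()
        backup_dir.mkdir()
        (live_dir / "winlogon.exe").write_bytes(SAMPLE_PATCHED)   # modified in place
        (backup_dir / "winlogon.exe").write_bytes(SAMPLE_GOOD)
        (live_dir / "explorer.exe").write_bytes(SAMPLE_GOOD)      # untouched
        (backup_dir / "explorer.exe").write_bytes(SAMPLE_GOOD)
        for name in ("winlogon.exe", "explorer.exe"):
            live = live_dir / name
            refs = [p for p in filefind([root], [name]) if p != live]
            results[name] = compare_to_references(live, refs)
    return results


if __name__ == "__main__":
    for name, r in demo().items():
        print(f"{name}: {r['verdict']}  md5={r['live']['md5']}  size={r['live']['size']}")
```

Two caveats when running this against a real machine. Only a reference of the same file version is meaningful: in the log below, the SoftwareDistribution copy of winlogon.exe is build 5512 while the system32 copy is build 2180, so a hash difference between those two proves nothing, whereas the $hf_mig$ explorer.exe is the same 6.00.2900.3156 build as the live file and is a valid reference. And a local hash comparison only tells you the file differs from a backup; Broni's VirusTotal step is what tells you what the difference is, since the engines above flagged both files as patched (Troj/Patched-O, Win32.Patched.AF, Win32/Bamital.C).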
  21. heavystrato

    heavystrato Newcomer, in training Topic Starter Posts: 56

    Alright, done.
    Here is the SystemLook log:
    SystemLook v1.0 by jpshortstuff (11.01.10)
    Log created at 20:37 on 16/08/2010 by Eduardo (Administrator - Elevation successful)

    ========== filefind ==========

    Searching for "winlogon.exe"
    C:\WINDOWS\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\winlogon.exe --a--- 507904 bytes [12:15 08/03/2009] [00:12 14/04/2008] ED0EF0A136DEC83DF69F04118870003E
    C:\WINDOWS\system32\winlogon.exe --a--- 502272 bytes [10:00 02/12/2004] [10:00 02/12/2004] 91FDA1B9369FCA7100532DBF82E138B4

    Searching for "explorer.exe"
    C:\WINDOWS\$hf_mig$\KB938828\SP2QFE\explorer.exe --a--- 1033216 bytes [11:26 13/06/2007] [11:26 13/06/2007] 7712DF0CDDE3A5AC89843E61CD5B3658
    C:\WINDOWS\$NtUninstallKB938828$\explorer.exe -----c 1032192 bytes [11:06 21/04/2009] [10:00 02/12/2004] A0732187050030AE399B241436565E64
    C:\WINDOWS\explorer.exe --a--- 1033216 bytes [10:00 02/12/2004] [11:26 13/06/2007] 7EA18D33626880BD22CFEF224451871F
    C:\WINDOWS\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\explorer.exe --a--- 1033728 bytes [12:13 08/03/2009] [00:12 14/04/2008] 12896823FB95BFB3DC9B46BCAEDC9923

    -=End Of File=-
  22. heavystrato

    heavystrato Newcomer, in training Topic Starter Posts: 56

    Here is the new ComboFix log. It restarted the computer.
    ComboFix 10-08-16.03 - Eduardo 08/16/2010 20:53:13.4.2 - x86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3070.2320 [GMT -4:00]
    Running from: c:\documents and settings\Eduardo\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\Eduardo\Desktop\CFScript.txt
    AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\Eduardo\.exe

    c:\windows\system32\winlogon.exe . . . is infected!!

    Infected copy of c:\windows\explorer.exe was found and disinfected
    Restored copy from - c:\windows\$hf_mig$\KB938828\SP2QFE\explorer.exe

    .
    ((((((((((((((((((((((((( Files Created from 2010-07-17 to 2010-08-17 )))))))))))))))))))))))))))))))
    .

    2010-08-15 14:37 . 2010-08-15 23:23 -------- d-----w- c:\windows\system32\NtmsData
    2010-08-15 14:36 . 2010-08-15 14:36 -------- d-----w- c:\documents and settings\Eduardo\Application Data\Avira
    2010-08-15 14:33 . 2010-03-01 14:05 124784 ----a-w- c:\windows\system32\drivers\avipbb.sys
    2010-08-15 14:33 . 2010-02-16 18:24 60936 ----a-w- c:\windows\system32\drivers\avgntflt.sys
    2010-08-15 14:33 . 2009-05-11 16:49 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
    2010-08-15 14:33 . 2009-05-11 16:49 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
    2010-08-15 14:33 . 2010-08-15 14:33 -------- d-----w- c:\program files\Avira
    2010-08-15 14:33 . 2010-08-15 14:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
    2010-08-15 14:27 . 2010-08-15 14:27 -------- d-----w- c:\program files\Common Files\Java
    2010-08-15 14:27 . 2010-08-15 14:27 503808 ----a-w- c:\documents and settings\Eduardo\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-36f87ce3-n\msvcp71.dll
    2010-08-15 14:27 . 2010-08-15 14:27 499712 ----a-w- c:\documents and settings\Eduardo\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-36f87ce3-n\jmc.dll
    2010-08-15 14:27 . 2010-08-15 14:27 348160 ----a-w- c:\documents and settings\Eduardo\Application Data\Sun\Java\Deployment\SystemCache\6.0\4\7ec4bf04-36f87ce3-n\msvcr71.dll
    2010-08-15 14:27 . 2010-08-15 14:27 61440 ----a-w- c:\documents and settings\Eduardo\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-6227762b-n\decora-sse.dll
    2010-08-15 14:27 . 2010-08-15 14:27 12800 ----a-w- c:\documents and settings\Eduardo\Application Data\Sun\Java\Deployment\SystemCache\6.0\42\4488892a-6227762b-n\decora-d3d.dll
    2010-08-15 14:27 . 2010-07-17 09:00 423656 ----a-w- c:\windows\system32\deployJava1.dll
    2010-08-15 04:47 . 2006-06-19 17:01 69632 ----a-w- c:\windows\system32\ztvcabinet.dll
    2010-08-15 04:47 . 2006-05-25 19:52 162304 ----a-w- c:\windows\system32\ztvunrar36.dll
    2010-08-15 04:47 . 2005-08-26 05:50 77312 ----a-w- c:\windows\system32\ztvunace26.dll
    2010-08-15 04:47 . 2003-02-03 00:06 153088 ----a-w- c:\windows\system32\UNRAR3.dll
    2010-08-15 04:47 . 2002-03-06 05:00 75264 ----a-w- c:\windows\system32\unacev2.dll
    2010-08-14 17:11 . 2010-08-14 17:12 52224 ----a-w- c:\documents and settings\Eduardo\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-08-16 13:03 . 2009-04-20 18:03 664 ----a-w- c:\windows\system32\d3d9caps.dat
    2010-08-16 03:31 . 2009-03-08 16:57 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
    2010-08-15 14:27 . 2009-03-26 22:14 -------- d-----w- c:\program files\Java
    2010-08-15 05:46 . 2009-10-26 14:17 -------- d-----w- c:\documents and settings\Eduardo\Application Data\vlc
    2010-08-15 05:08 . 2009-09-16 00:46 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    2010-08-14 17:12 . 2009-09-15 16:59 117760 ----a-w- c:\documents and settings\Eduardo\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
    2010-08-12 10:04 . 2009-03-08 16:39 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
    2010-08-07 11:59 . 2010-07-09 21:04 452104 ----a-w- c:\documents and settings\Eduardo\Application Data\Real\Update\setup3.12\setup.exe
    2010-08-02 23:14 . 2009-03-09 01:20 189000 ----a-w- c:\documents and settings\Eduardo\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2010-07-28 16:03 . 2010-05-27 23:40 -------- d-----w- c:\program files\Facebook FriendAdder Pro
    2010-07-21 12:08 . 2009-03-08 11:42 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-07-11 00:21 . 2010-07-10 23:55 -------- d-----w- c:\program files\Super_DVD_Creator_9.8
    2010-07-02 21:03 . 2010-04-13 20:59 439816 ----a-w- c:\documents and settings\Eduardo\Application Data\Real\Update\setup3.10\setup.exe
    2010-06-14 14:30 . 2009-03-08 11:12 743936 ----a-w- c:\windows\pchealth\helpctr\binaries\helpsvc.exe
    .

    ------- Sigcheck -------

    [-] 2008-04-14 . ED0EF0A136DEC83DF69F04118870003E . 507904 . . [5.1.2600.5512] . . c:\windows\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\winlogon.exe
    [-] 2004-12-02 . 91FDA1B9369FCA7100532DBF82E138B4 . 502272 . . [5.1.2600.2180] . . c:\windows\system32\winlogon.exe

    [-] 2008-04-14 . 12896823FB95BFB3DC9B46BCAEDC9923 . 1033728 . . [6.00.2900.5512] . . c:\windows\SoftwareDistribution\Download\e9500597a78495f397efb821e37bf356\explorer.exe
    [-] 2007-06-13 . 7EA18D33626880BD22CFEF224451871F . 1033216 . . [6.00.2900.3156] . . c:\windows\explorer.exe
    [7] 2007-06-13 . 7712DF0CDDE3A5AC89843E61CD5B3658 . 1033216 . . [6.00.2900.3156] . . c:\windows\$hf_mig$\KB938828\SP2QFE\explorer.exe
    [7] 2004-12-02 . A0732187050030AE399B241436565E64 . 1032192 . . [6.00.2900.2180] . . c:\windows\$NtUninstallKB938828$\explorer.exe
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "DAEMON Tools Pro Agent"="c:\program files\DAEMON Tools Pro\DTProAgent.exe" [2007-06-22 133576]
    "msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-07-26 3883856]
    "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-12-02 15360]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ehTray"="c:\windows\ehome\ehtray.exe" [2004-08-10 59392]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-10-31 7634944]
    "nwiz"="nwiz.exe" [2006-10-31 1622016]
    "RTHDCPL"="RTHDCPL.EXE" [2006-07-21 16261632]
    "GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2008-10-25 31072]
    "AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
    "Adobe Acrobat Speed Launcher"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrobat_sl.exe" [2008-06-12 37232]
    "Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe" [2008-06-12 640376]
    "RoxWatchTray"="c:\program files\Common Files\Roxio Shared\SharedCOM8\RoxWatchTray.exe" [2006-01-20 163840]
    "DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2006-01-03 122940]
    "Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2009-06-17 55824]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-03-21 155648]
    "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-04-19 198160]
    "ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
    "ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
    "ConnectionManager"="c:\program files\Winsim\ConnectionManager\Simply.SystemTrayIcon.exe" [2009-08-23 91432]
    "Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" [2009-06-17 55824]
    "avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-03-02 282792]

    c:\documents and settings\Eduardo\Start Menu\Programs\Startup\
    Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]
    WinMySQLadmin.lnk - c:\xampp\mysql\bin\winmysqladmin.exe [2007-12-20 936448]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Logitech SetPoint.lnk - c:\program files\Logitech\SetPoint\SetPoint.exe [2009-6-2 813584]
    Outlook Plugin.lnk - c:\program files\PayPal Payment Request Wizard\Outlook Wizard\OEHook.exe [2010-5-17 888987]
    Palo Alto Software Update Manager 9.0.lnk - c:\program files\Common Files\Palo Alto Software\9.0\PAS9_Update.exe [2006-9-5 122880]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
    2009-07-20 16:28 72208 ----a-w- c:\program files\Common Files\Logitech\Bluetooth\LBTWLgn.dll

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
    @=""

    [HKLM\~\startupfolder\C:^Documents and Settings^Eduardo^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
    path=c:\documents and settings\Eduardo\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
    backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Pro Agent]
    2007-06-22 12:45 133576 ----a-w- c:\program files\DAEMON Tools Pro\DTProAgent.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    2009-03-21 17:36 155648 ----a-w- c:\program files\QuickTime\qttask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
    2009-04-19 21:37 198160 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
    "c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
    "c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
    "c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
    "c:\\Program Files\\BitLord\\BitLord.exe"=
    "c:\\xampp\\apache\\bin\\apache.exe"=
    "c:\\Program Files\\Electric Rain\\Swift 3D\\Version 5.00\\Program\\Swift3D.exe"=
    "c:\\xampp\\mysql\\bin\\mysqld.exe"=
    "c:\\Program Files\\IBP 10\\IBP.exe"=
    "c:\\Program Files\\Adobe\\Adobe Illustrator CS4\\Support Files\\Contents\\Windows\\Illustrator.exe"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    "c:\\Program Files\\Adobe\\Adobe Flash CS4\\Flash.exe"=
    "c:\\Program Files\\Smith Micro\\Poser 8\\Poser.exe"=
    "c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\winsim\\ConnectionManager\\MySqlBinary\\5.0.38\\mysql\\mysqld-nt.exe"=
    "c:\\Program Files\\winsim\\ConnectionManager\\SimplyConnectionManager.exe"=
    "c:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpCtr.exe"=
    "c:\\Program Files\\GlobalSCAPE\\CuteFTP 8 Professional\\ftpte.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "5353:TCP"= 5353:TCP:Adobe CSI CS4

    R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2009 11:43 AM 8944]
    R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2/17/2009 11:43 AM 55024]
    R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [8/15/2010 10:33 AM 135336]
    R2 Apache2.2;Apache2.2;c:\xampp\apache\bin\apache.exe [12/9/2008 7:10 PM 24636]
    R2 OKI OPHG DCS Loader;OKI OPHG DCS Loader;c:\windows\system32\spool\drivers\w32x86\3\OPHGLDCS.EXE [5/29/2009 10:30 PM 24576]
    R2 Simply Accounting Database Connection Manager;Simply Accounting Database Connection Manager;c:\program files\winsim\ConnectionManager\SimplyConnectionManager.exe [8/23/2009 1:00 AM 29992]
    S3 block_reader;MPR DRV;c:\documents and settings\Eduardo\Desktop\PORTABLESOFTWARE\MPR_1.1.9\Multi_Password_Recovery_1.1.9_Portable\Multi Password Recovery 1.1.9 Portable\block_reader.sys [1/10/2010 11:00 PM 1920]
    S3 PD1030VID;Creative WebCam Pro;c:\windows\system32\drivers\p1030vid.sys [10/3/2009 11:31 AM 167673]
    S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2/17/2009 11:43 AM 7408]
    S3 Simply Accounting Transaction Manager 2010 - CDN;Simply Accounting Transaction Manager 2010 - CDN;c:\program files\winsim\TransactionManager2010 - CDN\Sage_SA.TransactionManager.exe [12/10/2009 4:00 AM 42280]
    S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [3/8/2009 12:26 PM 685816]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://google.com/
    uInternet Settings,ProxyOverride = *.local
    IE: Append Link Target to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    IE: Append to Existing PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert Link Target to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    IE: Convert to Adobe PDF - c:\program files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.html
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
    IE: Sothink SWF Catcher - c:\program files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
    FF - ProfilePath - c:\documents and settings\Eduardo\Application Data\Mozilla\Firefox\Profiles\b7rhrs75.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://search.live.com/results.aspx?FORM=IEFM1&q=
    FF - prefs.js: browser.search.selectedEngine - Live Search
    FF - prefs.js: browser.startup.homepage - hxxp://google.com/
    FF - prefs.js: keyword.URL - hxxp://search.live.com/results.aspx?FORM=IEFM1&q=
    FF - component: c:\documents and settings\Eduardo\Application Data\Mozilla\Firefox\Profiles\b7rhrs75.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\WINNT_x86-msvc\components\ipc.dll
    FF - component: c:\program files\Real\RealPlayer\browserrecord\components\nprpbrowserrecordplugin.dll
    FF - plugin: c:\program files\Java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npdeployJava1.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npdjvu.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-08-16 21:16
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_LOCAL_MACHINE\software\Sagekey Software\ *{9756-3768}]
    "D-Code"="0000000000"
    "U-Code"="Demo"
    "S-Code"="0000000000"
    "C-Code"="4353753922274815"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(748)
    c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
    c:\program files\common files\logitech\bluetooth\LBTServ.dll
    c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll

    - - - - - - - > 'explorer.exe'(6028)
    c:\windows\system32\WININET.dll
    c:\windows\system32\nview.dll
    c:\program files\Logitech\SetPoint\lgscroll.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\nvwddi.dll
    c:\windows\system32\mshtml.dll
    c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Avira\AntiVir Desktop\avguard.exe
    c:\windows\eHome\ehRecvr.exe
    c:\program files\Avira\AntiVir Desktop\avshadow.exe
    c:\windows\eHome\ehSched.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
    c:\xampp\mysql\bin\mysqld.exe
    c:\windows\system32\nvsvc32.exe
    c:\windows\System32\spool\DRIVERS\W32X86\3\SP-300MC.EXE
    c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
    c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
    c:\windows\system32\dllhost.exe
    c:\windows\RTHDCPL.EXE
    c:\windows\eHome\ehmsas.exe
    c:\windows\system32\rundll32.exe
    c:\program files\Common Files\Roxio Shared\SharedCOM8\RoxWatch.exe
    c:\program files\Common Files\Roxio Shared\SharedCOM8\CPSHelpRunner.exe
    c:\program files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
    c:\windows\system32\wscntfy.exe
    .
    **************************************************************************
    .
    Completion time: 2010-08-16 21:26:07 - machine was rebooted
    ComboFix-quarantined-files.txt 2010-08-17 01:26
    ComboFix2.txt 2010-08-16 04:39
    ComboFix3.txt 2010-08-15 13:57
    ComboFix4.txt 2010-08-15 06:02

    Pre-Run: 47,294,402,560 bytes free
    Post-Run: 47,283,855,360 bytes free

    - - End Of File - - D074C846316BC256A4765B6DFC5098F8
  23. Broni

    Broni Malware Annihilator Posts: 46,164   +251

    Now...you'll have to be extremely careful while performing the following.
    Disregard Windows warning(s), if any.

    1. Create new restore point (important!)
    2. Download zipped winlogon.exe from here: http://www.smartestcomputing.us.com/index.php?app=core&module=attach&section=attach&attach_id=61856
    3. Unzip the file and paste winlogon.exe into your C:\ folder

    Then....

    1. Please open Notepad
    • Click Start , then Run
    • Type notepad.exe in the Run box.

    2. Now copy/paste the entire content of the codebox below into the Notepad window:

    Code:
    FCopy::
    c:\winlogon.exe | c:\windows\system32\winlogon.exe
    c:\windows\$NtUninstallKB938828$\explorer.exe | c:\windows\explorer.exe
    
    

    3. Save the above as CFScript.txt

    4. Close/disable all anti virus and anti malware programs again, so they do not interfere with the running of ComboFix.

    5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.



    6. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
    • Combofix.txt
  24. heavystrato

    heavystrato Newcomer, in training Topic Starter Posts: 56

    OK, now again ComboFix rebooted, and now Windows is not starting. :(

    It gives me this error:

    A problem is preventing Windows from accurately checking the license of this computer. Error code 0x80004005
  25. Broni

    Broni Malware Annihilator Posts: 46,164   +251

    Restart computer and keep tapping F8 key until menu appears.
    Using keyboard keys, select "Last Known Good Configuration".
    See, if it'll help.

    Do you have Windows CD?