TechSpot

Infected with win32/zbot.g & vbs generic virus

By rob3000
Feb 1, 2011
  1. My AVG resident shield picked up around 3000 infected files recently which were described as either win32/zbot.g or VBS generic infections. Most of these were healed although it said that some could not be removed. I then ran Malwarebytes (not an up to date edition) which only picked up 3 problems which it fixed. Resident shield still pops up with detected infections but not as many as before which it is able to heal. I am no longer able to get internet access and AVG is blocked so I can't scan my system but when I do a full system scan with Malwarebytes or Spybot it doesn't find any problems.

    I have read that this type of virus can leave a backdoor Trojan, can my machine be cleaned or am I better off re-formatting and starting again?

    Thanks in advance for any help.

    Rob
     
  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Welcome to TechSpot!

    Win32/Zbot is a family of Trojans designed to steal sensitive information including users' online banking credentials. Depending on the length of time it has been on the system and what types of programs you're running or participating in, such as online banking, you are going to have to decide whether to reformat/reinstall or make an attempt to chase the entries down and try to remove them.
    I will try to help with the malware. If you have a flash drive, you can download the scanning programs to it and then install them on the problem computer. I can't say more than that because I don't have anything to work with.


    If you would like us to check the system for malware, please follow the steps in the Preliminary Virus and Malware Removal thread HERE.

    When you have finished, leave the logs for review in your next reply .
    NOTE: Logs must be pasted in the replies. Attached logs will not be reviewed.

    Please do not use any other cleaning programs or scans while I'm helping you, unless I direct you to. Do not use a Registry cleaner or make any changes in the Registry.
     
  3. rob3000

    rob3000 TS Rookie Topic Starter Posts: 22

    Hi Bobbye

    I think I have had the virus for about 10 days and haven't used it much since, so I am sure I haven't used online banking in that time. If you could help me go for a clean-up to start with, then depending on what you find maybe I will re-format.

    I tried to run TFC but the message I got was C:/Documents and settings/mark's PC /desktop/TFC.exe is not a valid Win32 application, so maybe I downloaded it wrong or something. I carried out the other instructions and have pasted the logs.

    Malwarebytes' Anti-Malware 1.50.1.1100
    www.malwarebytes.org

    Database version: 5363

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702

    03/02/2011 09:35:51
    mbam-log-2011-02-03 (09-35-51).txt

    Scan type: Quick scan
    Objects scanned: 138783
    Time elapsed: 11 minute(s), 0 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 2
    Folders Infected: 0
    Files Infected: 5

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowHelp (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\StartMenuLogoff (PUM.Hijack.StartMenu) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    c:\documents and settings\mark's pc\Desktop\TFC.exe (Trojan.Dropper.PGen) -> Quarantined and deleted successfully.
    c:\documents and settings\mark's pc\application data\02000000dd41df17891c.manifest (Malware.Trace) -> Quarantined and deleted successfully.
    c:\documents and settings\mark's pc\application data\02000000dd41df17891o.manifest (Malware.Trace) -> Quarantined and deleted successfully.
    c:\documents and settings\mark's pc\application data\02000000dd41df17891p.manifest (Malware.Trace) -> Quarantined and deleted successfully.
    c:\documents and settings\mark's pc\application data\02000000dd41df17891s.manifest (Malware.Trace) -> Quarantined and deleted successfully.




    GMER 1.0.15.15530 - http://www.gmer.net
    Rootkit quick scan 2011-02-03 10:06:43
    Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdePort0 Maxtor_6Y120L0 rev.YAR41BW0
    Running: 0nps20bx.exe; Driver: C:\DOCUME~1\MARK'S~1\LOCALS~1\Temp\pgtdqpow.sys


    ---- Disk sectors - GMER 1.0.15 ----

    Disk \Device\Harddisk0\DR0 sector 63: rootkit-like behavior;

    ---- System - GMER 1.0.15 ----

    SSDT sptd.sys ZwEnumerateKey [0xF7582C7E]
    SSDT sptd.sys ZwEnumerateValueKey [0xF7582FF6]

    ---- Devices - GMER 1.0.15 ----

    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort0 83A2939B
    Device \Driver\atapi \Device\Ide\IdePort0 [F74D2B40] atapi.sys[unknown section] {MOV EAX, 0x83b8d008; XCHG [ESP], EAX; PUSH EAX; PUSH 0xf7593442; RET }
    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort1 83A2939B
    Device \Driver\atapi \Device\Ide\IdePort1 [F74D2B40] atapi.sys[unknown section] {MOV EAX, 0x83b8d008; XCHG [ESP], EAX; PUSH EAX; PUSH 0xf7593442; RET }
    Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP1T0L0-e 83A2939B
    Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e [F74D2B40] atapi.sys[unknown section] {MOV EAX, 0x83b8d008; XCHG [ESP], EAX; PUSH EAX; PUSH 0xf7593442; RET }
    Device \Driver\viasraid \Device\Scsi\viasraid1 83B8DEB0
    Device \FileSystem\Ntfs \Ntfs 83B8D940

    AttachedDevice \FileSystem\Ntfs \Ntfs AVGIDSFilter.Sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )

    Device \FileSystem\Fastfat \Fat 8345E0E8

    AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
    AttachedDevice \FileSystem\Fastfat \Fat AVGIDSFilter.Sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )
    AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\Tcpip \Device\Tcp fssfltr_tdi.sys (Family Safety Filter Driver (TDI)/Microsoft Corporation)
    AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\Tcpip \Device\Udp fssfltr_tdi.sys (Family Safety Filter Driver (TDI)/Microsoft Corporation)
    AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\Tcpip \Device\RawIp fssfltr_tdi.sys (Family Safety Filter Driver (TDI)/Microsoft Corporation)

    Device \Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskMaxtor_6Y120L0__________________________YAR41BW0#3359384d58444550202020202020202020202020#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found

    ---- EOF - GMER 1.0.15 ----





    DDS (Ver_10-12-12.02) - NTFSx86
    Run by Mark's Pc at 10:14:39.04 on 03/02/2011
    Internet Explorer: 8.0.6001.18702
    Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.767.147 [GMT 0:00]

    AV: AVG Anti-Virus Free Edition 2011 *Disabled/Outdated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}

    ============== Running Processes ===============

    C:\WINDOWS\system32\svchost -k DcomLaunch
    C:\WINDOWS\system32\svchost -k rpcss
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
    C:\WINDOWS\System32\svchost.exe -k NetworkService
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\svchost.exe -k LocalService
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\svchost.exe -k LocalService
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files\AVG\AVG10\avgwdsvc.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\Common Files\Nokia\MPlatform\NokiaMServer.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\AVG\AVG10\avgtray.exe
    C:\Program Files\Added Programs\Media\iTunes\iTunesHelper.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Nokia\Nokia Ovi Suite\NokiaOviSuite.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
    C:\Program Files\Sony\Sony Picture Utility\PMBCore\SPUVolumeWatcher.exe
    C:\WINDOWS\System32\svchost.exe -k imgsvc
    C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
    C:\Program Files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe
    C:\Program Files\Canon\CAL\CALMAIN.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
    C:\WINDOWS\System32\alg.exe
    C:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe
    C:\Program Files\PC Connectivity Solution\Transports\NclRSSrv.exe
    C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe
    C:\Program Files\AVG\AVG10\avgemcx.exe
    C:\Program Files\AVG\AVG10\avgnsx.exe
    C:\Documents and Settings\Mark's Pc\Desktop\dds.scr
    C:\WINDOWS\system32\wbem\wmiprvse.exe

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://www.google.co.uk/
    uSearch Page = hxxp://www.google.com
    uSearch Bar = hxxp://www.google.com/ie
    uInternet Settings,ProxyOverride = <local>
    uInternet Settings,ProxyServer = http=127.0.0.1:5577
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    mSearchAssistant = hxxp://www.google.com/ie
    mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
    mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\program files\iuborlvs\qbpbcofg.exe,
    BHO: XBTP05231 Class: {031f120a-bbaf-45d8-b306-375f2a6b9398} - c:\progra~1\alcoho~1\alcoho~1\a120_tb.dll
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg10\avgssie.dll
    BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
    BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
    BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SEPsearchhelperie.dll
    BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
    BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
    BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.6.5805.1910\swg.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    TB: Alcohol Soft - Alcohol 120% Toolbar: {1ce4ee89-2d5c-4361-af3b-d902ab545381} - c:\program files\alcohol soft\alcohol 120% toolbar\a120_tb.dll
    TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
    TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
    TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
    TB: {8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - No File
    TB: &Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
    TB: {472734EA-242A-422B-ADF8-83D1E48CC825} - No File
    EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
    uRun: [<NO NAME>]
    uRun: [NokiaOviSuite2] c:\program files\nokia\nokia ovi suite\NokiaOviSuite.exe -tray
    uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
    mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
    mRun: [nwiz] nwiz.exe /install
    mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
    mRun: [SoundMan] SOUNDMAN.EXE
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    mRun: [NokiaMServer] c:\program files\common files\nokia\mplatform\NokiaMServer /watchfiles startup
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    mRun: [AVG_TRAY] c:\program files\avg\avg10\avgtray.exe
    mRun: [QuickTime Task] "c:\program files\added programs\media\quicktime\qttask.exe" -atboottime
    mRun: [iTunesHelper] "c:\program files\added programs\media\itunes\iTunesHelper.exe"
    dRun: [KB3819796.exe] c:\adobe\plugs\KB3819796.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\limewi~1.lnk - d:\new folder\limewire\LimeWire.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\pmbmed~1.lnk - c:\program files\sony\sony picture utility\pmbcore\SPUVolumeWatcher.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\limewi~1.lnk - d:\new folder\limewire\LimeWire.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\pmbmed~1.lnk - c:\program files\sony\sony picture utility\pmbcore\SPUVolumeWatcher.exe
    uPolicies-explorer: MaxRecentDocs = 11 (0xb)
    IE: Google Sidewiki... - c:\program files\google\google toolbar\component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll/cmsidewiki.html
    IE: {08E730A4-FB02-45BD-A900-01E4AD8016F6} - http://www.skybroadband.com
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
    IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
    DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab
    DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
    DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
    DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0018-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_18-windows-i586.cab
    DPF: {D0C0F75C-683A-4390-A791-1ACFD5599AB8} - hxxp://skyonline.oberon-media.com/Gameshell/GameHost/1.0/OberonGameHost.cab
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
    Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg10\avgpp.dll
    Notify: WRNotifier - WRLogonNTF.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    LSA: Authentication Packages = msv1_0 relog_ap
    Hosts: 127.0.0.1 www.spywareinfo.com

    ============= SERVICES / DRIVERS ===============

    R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2010-9-13 25680]
    R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2010-9-7 26064]
    R0 viasraid;viasraid;c:\windows\system32\drivers\viasraid.sys [2006-3-3 77056]
    R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2010-9-7 251728]
    R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2010-9-7 34384]
    R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2010-9-7 299984]
    R2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg10\identity protection\agent\bin\AVGIDSAgent.exe [2010-11-23 6128208]
    R2 avgwd;AVG WatchDog;c:\program files\avg\avg10\avgwdsvc.exe [2010-10-22 265400]
    R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [2009-7-16 55152]
    R2 TomTomHOMEService;TomTomHOMEService;c:\program files\tomtom home 2\TomTomHOMEService.exe [2009-4-8 92008]
    R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2010-8-19 123472]
    R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2010-8-19 30288]
    R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2010-8-19 26192]
    S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-8-15 135664]
    S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\avg\avg10\toolbar\ToolbarBroker.exe [2010-10-17 517448]
    S3 bfturboh;BUFFALO TurboUSB for HD Filter;c:\windows\system32\drivers\bfturboh.sys [2010-12-29 17280]
    S3 fsssvc;Windows Live Family Safety;c:\program files\windows live\family safety\fsssvc.exe [2009-2-6 533360]
    S3 vaxscsi;vaxscsi;c:\windows\system32\drivers\vaxscsi.sys [2006-3-9 223128]

    =============== Created Last 30 ================

    2011-01-23 16:01:49 -------- d-----w- c:\program files\iuborlvs
    2011-01-23 15:40:11 -------- d-----w- C:\Adobe

    ==================== Find3M ====================

    2010-11-18 18:12:44 81920 ----a-w- c:\windows\system32\isign32.dll
    2010-11-09 14:52:35 249856 ----a-w- c:\windows\system32\odbc32.dll
    2010-11-06 00:26:58 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-11-06 00:26:58 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2010-11-06 00:26:58 1469440 ------w- c:\windows\system32\inetcpl.cpl
    2010-04-26 16:03:35 203776 --sh--w- c:\windows\system32\unrar.exe

    =================== ROOTKIT ====================

    Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
    Windows 5.1.2600 Disk: Maxtor_6Y120L0 rev.YAR41BW0 -> Harddisk0\DR0 -> \Device\Ide\IdePort0 P0T0L0-3

    device: opened successfully
    user: MBR read successfully

    Disk trace:
    called modules: ntoskrnl.exe >>UNKNOWN [0x83B8DBF8]<<
    _asm { MOV EAX, 0x83b8db18; XCHG [ESP], EAX; PUSH EAX; PUSH 0x83bdbc94; RET ; ADD [EAX], AL; ADD [EAX], AL; ADD [EAX], AL; ADD [EAX], AL; ADD [EAX], AL; ADD [EAX], AL; ADD [EAX], AL; ADD [EAX], AL; }
    1 nt!IofCallDriver[0x804E37D5] -> \Device\Harddisk0\DR0[0x83BCB030]
    \Driver\Disk[0x83ACE940] -> IRP_MJ_CREATE -> 0x83B8DBF8
    kernel: MBR read successfully
    _asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
    detected disk devices:
    \Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskMaxtor_6Y120L0__________________________YAR41BW0#3359384d58444550202020202020202020202020#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
    detected hooks:
    \Driver\Disk -> 0x83b8dbf8
    \Driver\atapi DriverStartIo -> 0x83A2939B
    user & kernel MBR OK
    Warning: possible TDL3 rootkit infection !

    ============= FINISH: 10:16:49.32 ===============





    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT

    DDS (Ver_10-12-12.02)

    Microsoft Windows XP Professional
    Boot Device: \Device\HarddiskVolume1
    Install Date: 07/05/2005 16:24:05
    System Uptime: 03/02/2011 09:42:10 (1 hours ago)

    Motherboard: | | KT600-8237
    Processor: AMD Athlon(tm) XP 3000+ | Socket A | 2158/166mhz

    ==== Disk Partitions =========================

    A: is Removable
    C: is FIXED (NTFS) - 20 GiB total, 8.349 GiB free.
    D: is FIXED (NTFS) - 78 GiB total, 59.61 GiB free.
    E: is FIXED (NTFS) - 17 GiB total, 14.659 GiB free.
    G: is Removable
    H: is Removable
    I: is Removable
    J: is CDROM (CDFS)
    K: is Removable

    ==== Disabled Device Manager Items =============

    Class GUID: {EEC5AD98-8080-425F-922A-DABF3DE3F69A}
    Description: Nokia 6303 classic
    Device ID: ROOT\WPD\0000
    Manufacturer: Nokia
    Name: Nokia 6303 classic
    PNP Device ID: ROOT\WPD\0000
    Service: WUDFRd

    ==== System Restore Points ===================

    No restore point in system.

    ==== Installed Programs ======================

    Acrobat.com
    Acronis*True*Image
    Adobe AIR
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 10 Plugin
    Adobe Reader 9.2
    Adobe Shockwave Player 11.5
    Alcohol Soft - Alcohol 120% Toolbar
    Apple Application Support
    Apple Mobile Device Support
    Apple Software Update
    ArcSoft PhotoStudio 5.5
    µTorrent
    AVG 2011
    Bonjour
    BUFFALO TurboUSB for FLASH/HDD
    Camera Access Library
    Camera Support Core Library
    Camera Window DS
    Camera Window DVC
    Camera Window MC
    Canon Camera Access Library
    Canon Camera Support Core Library
    Canon Camera Window DC_DV 5 for ZoomBrowser EX
    Canon Camera Window DC_DV 6 for ZoomBrowser EX
    Canon Camera Window DSLR 5 for ZoomBrowser EX
    Canon Camera Window MC 6 for ZoomBrowser EX
    CANON iMAGE GATEWAY Task
    CANON iMAGE GATEWAY Task for ZoomBrowser EX
    Canon Internet Library for ZoomBrowser EX
    Canon MovieEdit Task for ZoomBrowser EX
    Canon MP Drivers 6.0
    Canon MP Navigator 1.1
    Canon PhotoRecord
    Canon RAW Image Task for ZoomBrowser EX
    Canon ScanGear Starter
    Canon Utilities Easy-PhotoPrint
    Canon Utilities PhotoStitch 3.1
    Canon ZoomBrowser EX (E)
    CD-LabelPrint
    Choice Guard
    Convert Image To PDF
    Critical Update for Windows Media Player 11 (KB959772)
    EA SPORTS Gameface Browser Plugin 1.3.0.0
    EA.com Update
    Find Protected 2.0
    Football Manager 2006
    Football Manager 2009
    Google Toolbar for Internet Explorer
    Google Update Helper
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Hotfix for Windows Media Format 11 SDK (KB929399)
    Hotfix for Windows Media Player 11 (KB939683)
    Hotfix for Windows XP (KB2158563)
    Hotfix for Windows XP (KB2443685)
    Hotfix for Windows XP (KB952287)
    Hotfix for Windows XP (KB954550-v5)
    Hotfix for Windows XP (KB954708)
    Hotfix for Windows XP (KB961118)
    Hotfix for Windows XP (KB970653-v3)
    Hotfix for Windows XP (KB976002-v5)
    Hotfix for Windows XP (KB976098-v2)
    Hotfix for Windows XP (KB979306)
    Hotfix for Windows XP (KB981793)
    Internet Library
    IomegaWare
    iTunes
    J2SE Runtime Environment 5.0 Update 6
    Java Auto Updater
    Java(TM) 6 Update 18
    Jetboat Superchamps 2
    Junk Mail filter update
    LimeWire 5.5.8
    Malwarebytes' Anti-Malware
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Security Update (KB2416447)
    Microsoft .NET Framework 1.1 Security Update (KB979906)
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft Application Error Reporting
    Microsoft Compression Client Pack 1.0 for Windows XP
    Microsoft Kernel-Mode Driver Framework Feature Pack 1.7
    Microsoft Office Live Add-in 1.3
    Microsoft Office XP Professional with FrontPage
    Microsoft Search Enhancement Pack
    Microsoft Silverlight
    Microsoft SQL Server 2005 Compact Edition [ENU]
    Microsoft Sync Framework Runtime Native v1.0 (x86)
    Microsoft Sync Framework Services Native v1.0 (x86)
    Microsoft User-Mode Driver Framework Feature Pack 1.7
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    MovieEdit Task
    MSVC80_x86_v2
    MSVC90_x86
    MSVCRT
    MSXML 4.0 SP2 (KB936181)
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    MSXML 6 Service Pack 2 (KB973686)
    Nokia Connectivity Cable Driver
    Nokia Ovi Suite
    Nokia Ovi Suite Software Updater
    OGA Notifier 2.0.0048.0
    Ovi Desktop Sync Engine
    OviMPlatform
    PC Connectivity Solution
    PhotoStitch
    PowerDVD
    Primo
    QuickTime
    RAW Image Task 2.2
    Realtek AC'97 Audio
    Runtime
    Safari
    SAMSUNG CDMA Modem Driver Set
    SAMSUNG Mobile USB Modem 1.0 Software
    SAMSUNG Mobile USB Modem Software
    Samsung PC Studio
    Samsung PC Studio 3 USB Driver Installer
    Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
    Security Update for Windows Internet Explorer 8 (KB2183461)
    Security Update for Windows Internet Explorer 8 (KB2360131)
    Security Update for Windows Internet Explorer 8 (KB2416400)
    Security Update for Windows Internet Explorer 8 (KB971961)
    Security Update for Windows Internet Explorer 8 (KB972260)
    Security Update for Windows Internet Explorer 8 (KB974455)
    Security Update for Windows Internet Explorer 8 (KB976325)
    Security Update for Windows Internet Explorer 8 (KB978207)
    Security Update for Windows Internet Explorer 8 (KB981332)
    Security Update for Windows Internet Explorer 8 (KB982381)
    Security Update for Windows Media Player (KB2378111)
    Security Update for Windows Media Player (KB911564)
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows Media Player (KB954155)
    Security Update for Windows Media Player (KB968816)
    Security Update for Windows Media Player (KB973540)
    Security Update for Windows Media Player (KB975558)
    Security Update for Windows Media Player (KB978695)
    Security Update for Windows Media Player 10 (KB911565)
    Security Update for Windows Media Player 10 (KB917734)
    Security Update for Windows Media Player 10 (KB936782)
    Security Update for Windows Media Player 11 (KB936782)
    Security Update for Windows Media Player 11 (KB954154)
    Security Update for Windows Media Player 6.4 (KB925398)
    Security Update for Windows XP (KB2079403)
    Security Update for Windows XP (KB2115168)
    Security Update for Windows XP (KB2121546)
    Security Update for Windows XP (KB2160329)
    Security Update for Windows XP (KB2229593)
    Security Update for Windows XP (KB2259922)
    Security Update for Windows XP (KB2279986)
    Security Update for Windows XP (KB2286198)
    Security Update for Windows XP (KB2296011)
    Security Update for Windows XP (KB2296199)
    Security Update for Windows XP (KB2347290)
    Security Update for Windows XP (KB2360937)
    Security Update for Windows XP (KB2387149)
    Security Update for Windows XP (KB2419632)
    Security Update for Windows XP (KB2423089)
    Security Update for Windows XP (KB2436673)
    Security Update for Windows XP (KB2440591)
    Security Update for Windows XP (KB2443105)
    Security Update for Windows XP (KB923561)
    Security Update for Windows XP (KB923689)
    Security Update for Windows XP (KB923789)
    Security Update for Windows XP (KB938464)
    Security Update for Windows XP (KB941569)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB950759)
    Security Update for Windows XP (KB950760)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951066)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951376)
    Security Update for Windows XP (KB951698)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952004)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB953838)
    Security Update for Windows XP (KB953839)
    Security Update for Windows XP (KB954211)
    Security Update for Windows XP (KB954600)
    Security Update for Windows XP (KB955069)
    Security Update for Windows XP (KB956390)
    Security Update for Windows XP (KB956391)
    Security Update for Windows XP (KB956572)
    Security Update for Windows XP (KB956744)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB956841)
    Security Update for Windows XP (KB956844)
    Security Update for Windows XP (KB957095)
    Security Update for Windows XP (KB957097)
    Security Update for Windows XP (KB958215)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB958687)
    Security Update for Windows XP (KB958690)
    Security Update for Windows XP (KB958869)
    Security Update for Windows XP (KB959426)
    Security Update for Windows XP (KB960225)
    Security Update for Windows XP (KB960714)
    Security Update for Windows XP (KB960715)
    Security Update for Windows XP (KB960803)
    Security Update for Windows XP (KB960859)
    Security Update for Windows XP (KB961371)
    Security Update for Windows XP (KB961373)
    Security Update for Windows XP (KB961501)
    Security Update for Windows XP (KB963027)
    Security Update for Windows XP (KB968537)
    Security Update for Windows XP (KB969059)
    Security Update for Windows XP (KB969897)
    Security Update for Windows XP (KB969898)
    Security Update for Windows XP (KB969947)
    Security Update for Windows XP (KB970238)
    Security Update for Windows XP (KB970430)
    Security Update for Windows XP (KB971468)
    Security Update for Windows XP (KB971486)
    Security Update for Windows XP (KB971557)
    Security Update for Windows XP (KB971633)
    Security Update for Windows XP (KB971657)
    Security Update for Windows XP (KB972260)
    Security Update for Windows XP (KB972270)
    Security Update for Windows XP (KB973346)
    Security Update for Windows XP (KB973354)
    Security Update for Windows XP (KB973507)
    Security Update for Windows XP (KB973525)
    Security Update for Windows XP (KB973869)
    Security Update for Windows XP (KB973904)
    Security Update for Windows XP (KB974112)
    Security Update for Windows XP (KB974318)
    Security Update for Windows XP (KB974392)
    Security Update for Windows XP (KB974571)
    Security Update for Windows XP (KB975025)
    Security Update for Windows XP (KB975467)
    Security Update for Windows XP (KB975560)
    Security Update for Windows XP (KB975561)
    Security Update for Windows XP (KB975562)
    Security Update for Windows XP (KB975713)
    Security Update for Windows XP (KB977165-v2)
    Security Update for Windows XP (KB977816)
    Security Update for Windows XP (KB977914)
    Security Update for Windows XP (KB978037)
    Security Update for Windows XP (KB978251)
    Security Update for Windows XP (KB978262)
    Security Update for Windows XP (KB978338)
    Security Update for Windows XP (KB978542)
    Security Update for Windows XP (KB978601)
    Security Update for Windows XP (KB978706)
    Security Update for Windows XP (KB979309)
    Security Update for Windows XP (KB979482)
    Security Update for Windows XP (KB979559)
    Security Update for Windows XP (KB979683)
    Security Update for Windows XP (KB979687)
    Security Update for Windows XP (KB980195)
    Security Update for Windows XP (KB980218)
    Security Update for Windows XP (KB980232)
    Security Update for Windows XP (KB980436)
    Security Update for Windows XP (KB981322)
    Security Update for Windows XP (KB981852)
    Security Update for Windows XP (KB981957)
    Security Update for Windows XP (KB981997)
    Security Update for Windows XP (KB982132)
    Security Update for Windows XP (KB982214)
    Security Update for Windows XP (KB982665)
    Security Update for Windows XP (KB982802)
    Segoe UI
    Sky Broadband
    Sony Picture Utility
    Spybot - Search & Destroy
    Steam
    SureAnalysis 2.19
    sureanalysis version 3.15
    sureshotgps USB-UART
    TomTom HOME 2.6.2.1586
    TomTom HOME Visual Studio Merge Modules
    Tweak UI
    Unity Web Player
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Windows Internet Explorer 8 (KB973874)
    Update for Windows Internet Explorer 8 (KB976662)
    Update for Windows Internet Explorer 8 (KB976749)
    Update for Windows Internet Explorer 8 (KB980182)
    Update for Windows XP (KB2141007)
    Update for Windows XP (KB2345886)
    Update for Windows XP (KB2467659)
    Update for Windows XP (KB951072-v2)
    Update for Windows XP (KB951978)
    Update for Windows XP (KB955759)
    Update for Windows XP (KB955839)
    Update for Windows XP (KB961503)
    Update for Windows XP (KB967715)
    Update for Windows XP (KB968389)
    Update for Windows XP (KB971737)
    Update for Windows XP (KB973687)
    Update for Windows XP (KB973815)
    VIA Rhine-Family Fast Ethernet Adapter
    Vodafone 804SS USB driver Software
    WebFldrs XP
    WinAce Archiver
    Windows Driver Package - Nokia pccsmcfd (08/22/2008 7.0.0.0)
    Windows Genuine Advantage Validation Tool (KB892130)
    Windows Imaging Component
    Windows Internet Explorer 8
    Windows Live Call
    Windows Live Communications Platform
    Windows Live Essentials
    Windows Live Family Safety
    Windows Live Mail
    Windows Live Messenger
    Windows Live Photo Gallery
    Windows Live Sign-in Assistant
    Windows Live Sync
    Windows Live Toolbar
    Windows Live Upload Tool
    Windows Live Writer
    Windows Media Format 11 runtime
    Windows Media Player 11
    Windows XP Service Pack 3
    WinFast(R) Display Driver
    WinRAR archiver
    WinZip Self-Extractor

    ==== Event Viewer Messages From Past Week ========

    31/01/2011 06:18:34, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 960 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
    30/01/2011 22:18:28, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 480 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
    30/01/2011 18:18:25, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 240 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
    30/01/2011 16:18:21, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 120 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
    29/01/2011 17:01:42, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 30 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
    29/01/2011 16:46:58, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the ZipToA service to connect.
    29/01/2011 16:46:58, error: Service Control Manager [7000] - The ZipToA service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
    29/01/2011 16:46:42, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 15 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
    29/01/2011 09:51:12, information: Windows File Protection [64002] - File replacement was attempted on the protected system file c:\program files\internet explorer\hmmapi.dll. This file was restored to the original version to maintain system stability. The file version of the system file is 8.0.6001.18702.
    29/01/2011 09:50:13, information: Windows File Protection [64002] - File replacement was attempted on the protected system file c:\program files\common files\system\msadc\msadco.dll. This file was restored to the original version to maintain system stability. The file version of the system file is 2.81.3012.0.
    29/01/2011 09:50:12, information: Windows File Protection [64002] - File replacement was attempted on the protected system file c:\program files\common files\system\msadc\msadce.dll. This file was restored to the original version to maintain system stability. The file version of the system file is 2.81.3002.0.
    29/01/2011 09:50:11, information: Windows File Protection [64002] - File replacement was attempted on the protected system file c:\program files\common files\system\ado\msjro.dll. This file was restored to the original version to maintain system stability. The file version of the system file is 2.81.3012.0.
    29/01/2011 09:50:11, information: Windows File Protection [64002] - File replacement was attempted on the protected system file c:\program files\common files\system\ado\msadox.dll. This file was restored to the original version to maintain system stability. The file version of the system file is 2.81.3012.0.
    29/01/2011 09:50:10, information: Windows File Protection [64002] - File replacement was attempted on the protected system file c:\program files\common files\system\ado\msadomd.dll. This file was restored to the original version to maintain system stability. The file version of the system file is 2.81.3012.0.
    29/01/2011 09:50:09, information: Windows File Protection [64002] - File replacement was attempted on the protected system file c:\program files\common files\system\ado\msado15.dll. This file was restored to the original version to maintain system stability. The file version of the system file is 2.81.3012.0.
    29/01/2011 09:49:49, information: Windows File Protection [64002] - File replacement was attempted on the protected system file c:\program files\common files\microsoft shared\vgx\vgx.dll. This file was restored to the original version to maintain system stability. The file version of the system file is 8.0.6001.18702.
    29/01/2011 09:49:47, information: Windows File Protection [64002] - File replacement was attempted on the protected system file c:\program files\common files\microsoft shared\triedit\triedit.dll. This file was restored to the original version to maintain system stability. The file version of the system file is 6.1.0.9246.
    27/01/2011 18:40:48, information: Windows File Protection [64002] - File replacement was attempted on the protected system file c:\program files\windows nt\accessories\wordpad.exe. This file was restored to the original version to maintain system stability. The file version of the system file is 5.1.2600.6010.
    27/01/2011 18:40:43, information: Windows File Protection [64002] - File replacement was attempted on the protected system file c:\program files\windows media player\wmplayer.exe. This file was restored to the original version to maintain system stability. The file version of the system file is 11.0.5721.5145.
    27/01/2011 18:40:42, information: Windows File Protection [64002] - File replacement was attempted on the protected system file c:\program files\windows media player\wmpband.dll. This file was restored to the original version to maintain system stability. The file version of the system file is 10.0.0.3646.
    27/01/2011 18:40:42, information: Windows File Protection [64002] - File replacement was attempted on the protected system file c:\program files\windows media player\setup_wm.exe. This file was restored to the original version to maintain system stability. The file version of the system file is 11.0.5721.5146.
    27/01/2011 18:40:36, information: Windows File Protection [64002] - File replacement was attempted on the protected system file c:\program files\windows media player\mpvis.dll. This file was restored to the original version to maintain system stability. The file version of the system file is 10.0.0.3646.
    27/01/2011 18:40:35, information: Windows File Protection [64002] - File replacement was attempted on the protected system file c:\program files\windows media player\migrate.exe. This file was restored to the original version to maintain system stability. The file version of the system file is 10.0.0.3646.
    27/01/2011 18:28:25, information: Windows File Protection [64002] - File replacement was attempted on the protected system file c:\program files\outlook express\wab.exe. This file was restored to the original version to maintain system stability. The file version of the system file is 6.0.2900.6040.
    27/01/2011 18:28:23, information: Windows File Protection [64002] - File replacement was attempted on the protected system file c:\program files\outlook express\msoe.dll. This file was restored to the original version to maintain system stability. The file version of the system file is 6.0.2900.5931.
    27/01/2011 18:22:23, information: Windows File Protection [64002] - File replacement was attempted on the protected system file c:\program files\movie maker\moviemk.exe. This file was restored to the original version to maintain system stability. The file version of the system file is 2.1.4028.0.
    27/01/2011 18:15:23, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 60 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
    03/02/2011 10:16:53, information: Windows File Protection [64001] - File replacement was attempted on the protected system file c:\program files\movie maker\moviemk.exe. This file was restored to the original version to maintain system stability. The file version of the bad file is 2.1.4028.0, the version of the system file is 2.1.4028.0.
    03/02/2011 10:12:39, information: Windows File Protection [64001] - File replacement was attempted on the protected system file c:\program files\internet explorer\hmmapi.dll. This file was restored to the original version to maintain system stability. The file version of the bad file is 8.0.6001.18702, the version of the system file is 8.0.6001.18702.
    03/02/2011 10:11:47, information: Windows File Protection [64001] - File replacement was attempted on the protected system file c:\program files\common files\system\msadc\msadco.dll. This file was restored to the original version to maintain system stability. The file version of the bad file is 2.81.3012.0, the version of the system file is 2.81.3012.0.
    03/02/2011 10:11:47, information: Windows File Protection [64001] - File replacement was attempted on the protected system file c:\program files\common files\system\msadc\msadce.dll. This file was restored to the original version to maintain system stability. The file version of the bad file is 2.81.3002.0, the version of the system file is 2.81.3002.0.
    03/02/2011 10:11:46, information: Windows File Protection [64001] - File replacement was attempted on the protected system file c:\program files\common files\system\ado\msjro.dll. This file was restored to the original version to maintain system stability. The file version of the bad file is 2.81.3012.0, the version of the system file is 2.81.3012.0.
    03/02/2011 10:11:46, information: Windows File Protection [64001] - File replacement was attempted on the protected system file c:\program files\common files\system\ado\msadox.dll. This file was restored to the original version to maintain system stability. The file version of the bad file is 2.81.3012.0, the version of the system file is 2.81.3012.0.
    03/02/2011 10:11:45, information: Windows File Protection [64001] - File replacement was attempted on the protected system file c:\program files\common files\system\ado\msadomd.dll. This file was restored to the original version to maintain system stability. The file version of the bad file is 2.81.3012.0, the version of the system file is 2.81.3012.0.
    03/02/2011 10:11:44, information: Windows File Protection [64001] - File replacement was attempted on the protected system file c:\program files\common files\system\ado\msado15.dll. This file was restored to the original version to maintain system stability. The file version of the bad file is 2.81.3012.0, the version of the system file is 2.81.3012.0.
    03/02/2011 10:11:32, information: Windows File Protection [64001] - File replacement was attempted on the protected system file c:\program files\common files\microsoft shared\vgx\vgx.dll. This file was restored to the original version to maintain system stability. The file version of the bad file is 8.0.6001.18702, the version of the system file is 8.0.6001.18702.
    03/02/2011 10:11:32, information: Windows File Protection [64001] - File replacement was attempted on the protected system file c:\program files\common files\microsoft shared\triedit\triedit.dll. This file was restored to the original version to maintain system stability. The file version of the bad file is 6.1.0.9246, the version of the system file is 6.1.0.9246.

    ==== End Of File ===========================
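The Event Viewer lines above are what a helper reads first, so here is triage logic, added as an example and not part of this thread, that parses that exact line format and counts the Windows File Protection restore events (IDs 64001/64002), the W32Time NtpClient DNS failures (ID 17) and the Service Control Manager start failures (IDs 7000/7009). The sample lines are constructed in the same format as the log; a file that WFP restores on more than one day is flagged as a repeated target, since the same replacement being retried after a cleanup is worth a second look.

```python
import re
from collections import defaultdict
from datetime import datetime

# Format of the Event Viewer lines quoted in the thread:
#   DD/MM/YYYY HH:MM:SS, level: Source [EventID] - message
EVENT_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}), (?P<level>\w+): "
    r"(?P<source>.+?) \[(?P<eid>\d+)\] - (?P<msg>.*)$"
)
# WFP 64001/64002 messages name the protected file; paths contain spaces,
# so stop at the sentence boundary rather than at the first space.
WFP_FILE_RE = re.compile(r"protected system file (?P<path>.+?)\. This file")
SERVICE_RE = re.compile(r"[Tt]he (?P<svc>\S+) service")

# Constructed sample, modelled on the lines posted above (not the full log).
SAMPLE_LOG = r"""
31/01/2011 06:18:34, error: W32Time [17] - Time Provider NtpClient: An error occurred during DNS lookup of the manually configured peer 'time.windows.com,0x1'. NtpClient will try the DNS lookup again in 960 minutes. The error was: A socket operation was attempted to an unreachable host. (0x80072751)
29/01/2011 16:46:58, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the ZipToA service to connect.
29/01/2011 09:51:12, information: Windows File Protection [64002] - File replacement was attempted on the protected system file c:\program files\internet explorer\hmmapi.dll. This file was restored to the original version to maintain system stability. The file version of the system file is 8.0.6001.18702.
27/01/2011 18:40:48, information: Windows File Protection [64002] - File replacement was attempted on the protected system file c:\program files\windows nt\accessories\wordpad.exe. This file was restored to the original version to maintain system stability. The file version of the system file is 5.1.2600.6010.
03/02/2011 10:12:39, information: Windows File Protection [64001] - File replacement was attempted on the protected system file c:\program files\internet explorer\hmmapi.dll. This file was restored to the original version to maintain system stability. The file version of the bad file is 8.0.6001.18702, the version of the system file is 8.0.6001.18702.
"""


def parse_event(line):
    """Return a dict for one Event Viewer line, or None if it does not match."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%d/%m/%Y %H:%M:%S")
    ev["eid"] = int(ev["eid"])
    return ev


def triage(lines):
    """Summarise the indicators a helper looks for in this kind of log."""
    wfp_hits = defaultdict(list)   # lower-cased path -> timestamps of restores
    ntp_dns_failures = 0
    service_failures = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        if ev["source"] == "Windows File Protection" and ev["eid"] in (64001, 64002):
            fm = WFP_FILE_RE.search(ev["msg"])
            if fm:
                wfp_hits[fm.group("path").lower()].append(ev["ts"])
        elif ev["source"] == "W32Time" and ev["eid"] == 17:
            ntp_dns_failures += 1
        elif ev["source"] == "Service Control Manager" and ev["eid"] in (7000, 7009):
            sm = SERVICE_RE.search(ev["msg"])
            if sm:
                service_failures.append(sm.group("svc"))
    # A file restored on more than one distinct day was re-targeted after a restore.
    repeated = sorted(p for p, ts in wfp_hits.items()
                      if len({t.date() for t in ts}) > 1)
    return {
        "wfp_restores": {p: len(ts) for p, ts in wfp_hits.items()},
        "repeated_targets": repeated,
        "ntp_dns_failures": ntp_dns_failures,
        "service_failures": service_failures,
    }


if __name__ == "__main__":
    report = triage(SAMPLE_LOG.strip().splitlines())
    for path, n in sorted(report["wfp_restores"].items()):
        print(f"WFP restored {n}x: {path}")
    print("repeated targets:", report["repeated_targets"])
    print("NtpClient DNS failures:", report["ntp_dns_failures"])
    print("services that failed to start:", report["service_failures"])
```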
     
  4. Bobbye


    Thanks for your patience. My internet has been down for almost 2 days!

    You have a rootkit, so we start with that:
    • Download the file TDSSKiller.zip and save to the desktop.
      (If you are unable to download the file for some reason, then TDSS may be blocking it. You would then need to download it first to a clean computer and then transfer it to the infected one using an external drive or USB flash drive.)
    • Right-click the tdsskiller.zip file> Select Extract All into a folder on the infected (or potentially infected) PC.
    • Double click on TDSSKiller.exe to run the scan.
    • When the scan is over, the utility outputs a list of detected objects with description.
      The utility automatically selects an action (Cure or Delete) for malicious objects.
      The utility prompts the user to select an action to apply to suspicious objects (Skip, by default).
    • Select the action Quarantine to quarantine detected objects.
      The default quarantine folder is in the system disk root folder, e.g.: C:\TDSSKiller_Quarantine\23.07.2010_15.31.43
    • After clicking Next, the utility applies selected actions and outputs the result.
    • A reboot is required after disinfection.
    ==========================================
    P2P or 'file sharing' Warning:
    I note that you have both uTorrent and LimeWire, the latter being on Startup:
    Note: Even if you are using a "safe" P2P program, it is only the program that is safe. I suggest that you uninstall both uTorrent and LimeWire for the following reasons:
    • As long as you are using file sharing networks and programs which are from sources that are not documented, you cannot verify that a download is legitimate.
    • Malware writers use these programs to include malicious content.
    • File sharing is usually unmonitored and there is a danger that your private files might be accessed.
    • The 'sharing' also includes malware that the shared system has on it.
    • Files that are illegal can be spread through file sharing.

    Please read the information on P2P Warning to help you better understand these dangers.

    File sharing is one of the biggest contributors of malware.
     
  5. rob3000


    Thanks for your help.

    I have removed both LimeWire and uTorrent.

    I ran TDSSKiller.zip; it found and cured one infection and quarantined one suspicious object. I have pasted the before and after disinfection logs.


    Initial log:


    2011/02/04 09:52:08.0265 4872 TDSS rootkit removing tool 2.4.16.0 Feb 1 2011 10:34:03
    2011/02/04 09:52:09.0234 4872 ================================================================================
    2011/02/04 09:52:09.0234 4872 SystemInfo:
    2011/02/04 09:52:09.0234 4872
    2011/02/04 09:52:09.0234 4872 OS Version: 5.1.2600 ServicePack: 3.0
    2011/02/04 09:52:09.0234 4872 Product type: Workstation
    2011/02/04 09:52:09.0234 4872 ComputerName: NOVA
    2011/02/04 09:52:09.0265 4872 UserName: Mark's Pc
    2011/02/04 09:52:09.0265 4872 Windows directory: C:\WINDOWS
    2011/02/04 09:52:09.0265 4872 System windows directory: C:\WINDOWS
    2011/02/04 09:52:09.0265 4872 Processor architecture: Intel x86
    2011/02/04 09:52:09.0265 4872 Number of processors: 1
    2011/02/04 09:52:09.0265 4872 Page size: 0x1000
    2011/02/04 09:52:09.0265 4872 Boot type: Normal boot
    2011/02/04 09:52:09.0265 4872 ================================================================================
    2011/02/04 09:52:09.0984 4872 Initialize success
    2011/02/04 09:52:12.0343 4012 ================================================================================
    2011/02/04 09:52:12.0343 4012 Scan started
    2011/02/04 09:52:12.0343 4012 Mode: Manual;
    2011/02/04 09:52:12.0343 4012 ================================================================================
    2011/02/04 09:52:14.0250 4012 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
    2011/02/04 09:52:14.0328 4012 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
    2011/02/04 09:52:14.0718 4012 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
    2011/02/04 09:52:14.0828 4012 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys
    2011/02/04 09:52:15.0140 4012 ALCXSENS (1db5287e953772a6565f15689fcd575b) C:\WINDOWS\system32\drivers\ALCXSENS.SYS
    2011/02/04 09:52:15.0265 4012 ALCXWDM (956ebf830520263ca2d4137817ac5ef1) C:\WINDOWS\system32\drivers\ALCXWDM.SYS
    2011/02/04 09:52:15.0484 4012 AmdK7 (8fce268cdbdd83b23419d1f35f42c7b1) C:\WINDOWS\system32\DRIVERS\amdk7.sys
    2011/02/04 09:52:15.0906 4012 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
    2011/02/04 09:52:16.0000 4012 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
    2011/02/04 09:52:16.0156 4012 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
    2011/02/04 09:52:16.0281 4012 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
    2011/02/04 09:52:16.0406 4012 AVGIDSDriver (0c61f066f4d94bd67063dc6691935143) C:\WINDOWS\system32\DRIVERS\AVGIDSDriver.Sys
    2011/02/04 09:52:16.0500 4012 AVGIDSEH (84853f800cd69252c3c764fe50d0346f) C:\WINDOWS\system32\DRIVERS\AVGIDSEH.Sys
    2011/02/04 09:52:16.0609 4012 AVGIDSFilter (28d6adcd03e10f3838488b9b5d407dd4) C:\WINDOWS\system32\DRIVERS\AVGIDSFilter.Sys
    2011/02/04 09:52:16.0718 4012 AVGIDSShim (0eb16f4dbbb946360af30d2b13a52d1d) C:\WINDOWS\system32\DRIVERS\AVGIDSShim.Sys
    2011/02/04 09:52:16.0828 4012 Avgldx86 (5fe5a2c2330c376a1d8dcff8d2680a2d) C:\WINDOWS\system32\DRIVERS\avgldx86.sys
    2011/02/04 09:52:16.0906 4012 Avgmfx86 (54f1a9b4c9b540c2d8ac4baa171696b1) C:\WINDOWS\system32\DRIVERS\avgmfx86.sys
    2011/02/04 09:52:17.0000 4012 Avgrkx86 (8da3b77993c5f354cc2977b7ea06d03a) C:\WINDOWS\system32\DRIVERS\avgrkx86.sys
    2011/02/04 09:52:17.0109 4012 Avgtdix (660788ec46f10ece80274d564fa8b4aa) C:\WINDOWS\system32\DRIVERS\avgtdix.sys
    2011/02/04 09:52:17.0250 4012 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
    2011/02/04 09:52:17.0359 4012 bfturboh (fd4427b3538997b8333723fd500b4f8c) C:\WINDOWS\system32\drivers\bfturboh.sys
    2011/02/04 09:52:17.0531 4012 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
    2011/02/04 09:52:17.0687 4012 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
    2011/02/04 09:52:17.0781 4012 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
    2011/02/04 09:52:17.0890 4012 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
    2011/02/04 09:52:18.0421 4012 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
    2011/02/04 09:52:18.0578 4012 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
    2011/02/04 09:52:18.0703 4012 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
    2011/02/04 09:52:18.0781 4012 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
    2011/02/04 09:52:18.0875 4012 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
    2011/02/04 09:52:19.0062 4012 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
    2011/02/04 09:52:19.0218 4012 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
    2011/02/04 09:52:19.0343 4012 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
    2011/02/04 09:52:19.0468 4012 FETND5BV (cfc4cc73c903152a23e1db28eaba1f03) C:\WINDOWS\system32\DRIVERS\fetnd5bv.sys
    2011/02/04 09:52:19.0562 4012 FETNDIS (e9648254056bce81a85380c0c3647dc4) C:\WINDOWS\system32\DRIVERS\fetnd5.sys
    2011/02/04 09:52:19.0671 4012 FETNDISB (cc6b6df3c35c20531492e1b700f700fa) C:\WINDOWS\system32\DRIVERS\fetnd5b.sys
    2011/02/04 09:52:19.0781 4012 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
    2011/02/04 09:52:19.0859 4012 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
    2011/02/04 09:52:19.0968 4012 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
    2011/02/04 09:52:20.0125 4012 fssfltr (960f5e5e4e1f720465311ac68a99c2df) C:\WINDOWS\system32\DRIVERS\fssfltr_tdi.sys
    2011/02/04 09:52:20.0218 4012 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
    2011/02/04 09:52:20.0312 4012 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
    2011/02/04 09:52:20.0437 4012 GEARAspiWDM (8182ff89c65e4d38b2de4bb0fb18564e) C:\WINDOWS\system32\Drivers\GEARAspiWDM.sys
    2011/02/04 09:52:20.0515 4012 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
    2011/02/04 09:52:20.0671 4012 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
    2011/02/04 09:52:20.0953 4012 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
    2011/02/04 09:52:21.0203 4012 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
    2011/02/04 09:52:21.0328 4012 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
    2011/02/04 09:52:21.0593 4012 Intels51 (cb5c2935491f0f998f1b62bffa258464) C:\WINDOWS\system32\DRIVERS\Intels51.sys
    2011/02/04 09:52:21.0750 4012 ip6fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
    2011/02/04 09:52:21.0984 4012 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
    2011/02/04 09:52:22.0171 4012 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
    2011/02/04 09:52:22.0390 4012 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
    2011/02/04 09:52:22.0484 4012 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
    2011/02/04 09:52:22.0562 4012 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
    2011/02/04 09:52:22.0687 4012 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
    2011/02/04 09:52:22.0796 4012 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
    2011/02/04 09:52:22.0890 4012 kbdhid (9ef487a186dea361aa06913a75b3fa99) C:\WINDOWS\system32\DRIVERS\kbdhid.sys
    2011/02/04 09:52:23.0000 4012 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
    2011/02/04 09:52:23.0125 4012 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
    2011/02/04 09:52:23.0500 4012 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
    2011/02/04 09:52:23.0578 4012 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
    2011/02/04 09:52:23.0671 4012 MODEMCSA (1992e0d143b09653ab0f9c5e04b0fd65) C:\WINDOWS\system32\drivers\MODEMCSA.sys
    2011/02/04 09:52:23.0765 4012 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
    2011/02/04 09:52:23.0875 4012 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
    2011/02/04 09:52:23.0953 4012 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
    2011/02/04 09:52:24.0109 4012 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
    2011/02/04 09:52:24.0218 4012 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
    2011/02/04 09:52:24.0359 4012 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
    2011/02/04 09:52:24.0453 4012 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
    2011/02/04 09:52:24.0546 4012 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
    2011/02/04 09:52:24.0625 4012 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
    2011/02/04 09:52:24.0718 4012 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
    2011/02/04 09:52:24.0796 4012 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
    2011/02/04 09:52:24.0921 4012 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
    2011/02/04 09:52:25.0015 4012 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
    2011/02/04 09:52:25.0125 4012 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
    2011/02/04 09:52:25.0218 4012 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
    2011/02/04 09:52:25.0312 4012 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
    2011/02/04 09:52:25.0421 4012 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
    2011/02/04 09:52:25.0531 4012 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
    2011/02/04 09:52:25.0718 4012 nmwcd (28e36e677849174c910faaead3e60e9e) C:\WINDOWS\system32\drivers\ccdcmb.sys
    2011/02/04 09:52:25.0843 4012 nmwcdc (3823deb17f9f6775de0187a98fa0536d) C:\WINDOWS\system32\drivers\ccdcmbo.sys
    2011/02/04 09:52:25.0937 4012 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
    2011/02/04 09:52:26.0046 4012 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
    2011/02/04 09:52:26.0187 4012 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
    2011/02/04 09:52:26.0390 4012 nv (c823d5e609762c075f26f7fc56690f34) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
    2011/02/04 09:52:26.0593 4012 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
    2011/02/04 09:52:26.0765 4012 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
    2011/02/04 09:52:26.0875 4012 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
    2011/02/04 09:52:30.0859 4012 sptd (fee12822523f7230a79a8953b1530a7e) C:\WINDOWS\system32\Drivers\sptd.sys
    2011/02/04 09:52:30.0859 4012 Suspicious file (NoAccess): C:\WINDOWS\system32\Drivers\sptd.sys. md5: fee12822523f7230a79a8953b1530a7e
    2011/02/04 09:52:30.0890 4012 sptd - detected Locked file (1)
    2011/02/04 09:52:36.0000 4012 \HardDisk0 - detected Rootkit.Win32.TDSS.tdl4 (0)
    2011/02/04 09:52:36.0015 4012 ================================================================================
    2011/02/04 09:52:36.0015 4012 Scan finished
    2011/02/04 09:52:36.0015 4012 ================================================================================
    2011/02/04 09:52:36.0062 4084 Detected object count: 2
    2011/02/04 09:54:46.0046 4084 sptd (fee12822523f7230a79a8953b1530a7e) C:\WINDOWS\system32\Drivers\sptd.sys
    2011/02/04 09:54:46.0046 4084 Suspicious file (NoAccess): C:\WINDOWS\system32\Drivers\sptd.sys. md5: fee12822523f7230a79a8953b1530a7e
    2011/02/04 09:54:46.0062 4084 C:\WINDOWS\system32\Drivers\sptd.sys - copied to quarantine
    2011/02/04 09:54:46.0062 4084 Locked file(sptd) - User select action: Quarantine
    2011/02/04 09:54:46.0109 4084 \HardDisk0 - will be cured after reboot
    2011/02/04 09:54:46.0109 4084 Rootkit.Win32.TDSS.tdl4(\HardDisk0) - User select action: Cure
    2011/02/04 09:54:52.0140 5208 Deinitialize success





    After disinfection log:

    2011/02/04 09:58:37.0593 3928 TDSS rootkit removing tool 2.4.16.0 Feb 1 2011 10:34:03
    2011/02/04 09:58:38.0578 3928 ================================================================================
    2011/02/04 09:58:38.0578 3928 SystemInfo:
    2011/02/04 09:58:38.0578 3928
    2011/02/04 09:58:38.0578 3928 OS Version: 5.1.2600 ServicePack: 3.0
    2011/02/04 09:58:38.0578 3928 Product type: Workstation
    2011/02/04 09:58:38.0578 3928 ComputerName: NOVA
    2011/02/04 09:58:38.0578 3928 UserName: Mark's Pc
    2011/02/04 09:58:38.0578 3928 Windows directory: C:\WINDOWS
    2011/02/04 09:58:38.0578 3928 System windows directory: C:\WINDOWS
    2011/02/04 09:58:38.0578 3928 Processor architecture: Intel x86
    2011/02/04 09:58:38.0578 3928 Number of processors: 1
    2011/02/04 09:58:38.0578 3928 Page size: 0x1000
    2011/02/04 09:58:38.0578 3928 Boot type: Normal boot
    2011/02/04 09:58:38.0578 3928 ================================================================================
    2011/02/04 09:58:39.0000 3928 Initialize success
    2011/02/04 09:58:47.0750 4284 ================================================================================
    2011/02/04 09:58:47.0750 4284 Scan started
    2011/02/04 09:58:47.0750 4284 Mode: Manual;
    2011/02/04 09:58:47.0750 4284 ================================================================================
    2011/02/04 09:59:04.0046 4284 sptd (fee12822523f7230a79a8953b1530a7e) C:\WINDOWS\system32\Drivers\sptd.sys
    2011/02/04 09:59:04.0046 4284 Suspicious file (NoAccess): C:\WINDOWS\system32\Drivers\sptd.sys. md5: fee12822523f7230a79a8953b1530a7e
    2011/02/04 09:59:04.0078 4284 sptd - detected Locked file (1)
    2011/02/04 09:59:09.0218 4284 ================================================================================
    2011/02/04 09:59:09.0218 4284 Scan finished
    2011/02/04 09:59:09.0218 4284 ================================================================================
    2011/02/04 09:59:09.0265 4276 Detected object count: 1
    2011/02/04 09:59:26.0671 4276 sptd (fee12822523f7230a79a8953b1530a7e) C:\WINDOWS\system32\Drivers\sptd.sys
    2011/02/04 09:59:26.0671 4276 Suspicious file (NoAccess): C:\WINDOWS\system32\Drivers\sptd.sys. md5: fee12822523f7230a79a8953b1530a7e
    2011/02/04 09:59:26.0687 4276 C:\WINDOWS\system32\Drivers\sptd.sys - copied to quarantine
    2011/02/04 09:59:26.0687 4276 Locked file(sptd) - User select action: Quarantine
    2011/02/04 10:00:00.0281 3944 Deinitialize success
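As an added example (not code from this thread and not part of Kaspersky's tool), a small Python triage script for TDSSKiller logs of the shape pasted above: it parses the timestamp / thread-id / message line layout, pulls out the "detected" findings and the "User select action" lines, checks them against the tool's own "Detected object count", flags objects that are only cured after a reboot, and diffs the first run against the after-disinfection run, which is what the helper is doing when she says "one down". The sample log text is constructed from the line shapes in this thread; the md5 values in it are placeholders.

```python
import re
from collections import namedtuple

# Line shape used throughout the pasted logs: "<date time.ms> <thread id> <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+)\s+(?P<tid>\d+)\s*(?P<msg>.*)$")
# Enumerated driver/service: "<name> (<md5>) <path>" (the bulk of every scan)
DRIVER_RE = re.compile(r"^\S+ \([0-9a-f]{32}\) \S.*$")
# "<object> - detected <verdict> (<n>)"
DETECT_RE = re.compile(r"^(?P<obj>.+?) - detected (?P<verdict>.+?) \(\d+\)$")
# "Suspicious file (<reason>): <path>. md5: <hash>"
SUSP_RE = re.compile(r"^Suspicious file \((?P<why>\w+)\): (?P<path>.+?)\. md5: [0-9a-f]{32}$")
# "<verdict>(<object>) - User select action: <action>"
ACTION_RE = re.compile(
    r"^(?P<verdict>[^(]+)\((?P<obj>[^)]+)\) - User select action: (?P<action>\w+)$")
REBOOT_RE = re.compile(r"^(?P<obj>.+?) - will be cured after reboot$")
COUNT_RE = re.compile(r"^Detected object count: (?P<n>\d+)$")

Finding = namedtuple("Finding", "obj verdict")


def parse(text):
    """Yield (timestamp, thread id, message) for each well-formed log line."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            yield m["ts"], m["tid"], m["msg"].strip()


def triage(text):
    """Summarise one TDSSKiller run: findings, user actions and consistency checks."""
    s = {"drivers": 0, "findings": [], "suspicious": [], "actions": {},
         "reboot_required": [], "declared_count": None}
    for _ts, _tid, msg in parse(text):
        if DRIVER_RE.match(msg):
            s["drivers"] += 1
        elif (m := DETECT_RE.match(msg)):
            s["findings"].append(Finding(m["obj"], m["verdict"]))
        elif (m := SUSP_RE.match(msg)):
            s["suspicious"].append((m["path"], m["why"]))
        elif (m := ACTION_RE.match(msg)):
            s["actions"][m["obj"]] = m["action"]
        elif (m := REBOOT_RE.match(msg)):
            s["reboot_required"].append(m["obj"])
        elif (m := COUNT_RE.match(msg)):
            s["declared_count"] = int(m["n"])
    # The tool's own count should equal the "detected" lines we saw; a mismatch
    # usually means the paste is truncated or the log format has changed.
    declared = s["declared_count"]
    s["count_matches"] = declared is None or declared == len(s["findings"])
    # Every finding should carry a recorded user action (Quarantine, Cure, Skip ...).
    s["unhandled"] = [f for f in s["findings"] if f.obj not in s["actions"]]
    return s


def diff_runs(before_text, after_text):
    """Compare a scan with its post-disinfection rerun: cleared, remaining, new findings."""
    before = triage(before_text)["findings"]
    after = triage(after_text)["findings"]
    return {"cleared": [f for f in before if f not in after],
            "remaining": [f for f in after if f in before],
            "new": [f for f in after if f not in before]}


# Constructed sample logs in the shape of the thread's paste (placeholder md5s,
# not real driver hashes).
BEFORE = r"""
2011/02/04 09:52:26.0984 4012 PartMgr (0123456789abcdef0123456789abcdef) C:\WINDOWS\system32\drivers\PartMgr.sys
2011/02/04 09:52:30.0859 4012 sptd (0123456789abcdef0123456789abcdef) C:\WINDOWS\system32\Drivers\sptd.sys
2011/02/04 09:52:30.0859 4012 Suspicious file (NoAccess): C:\WINDOWS\system32\Drivers\sptd.sys. md5: 0123456789abcdef0123456789abcdef
2011/02/04 09:52:30.0890 4012 sptd - detected Locked file (1)
2011/02/04 09:52:36.0000 4012 \HardDisk0 - detected Rootkit.Win32.TDSS.tdl4 (0)
2011/02/04 09:52:36.0015 4012 Scan finished
2011/02/04 09:52:36.0062 4084 Detected object count: 2
2011/02/04 09:54:46.0062 4084 Locked file(sptd) - User select action: Quarantine
2011/02/04 09:54:46.0109 4084 \HardDisk0 - will be cured after reboot
2011/02/04 09:54:46.0109 4084 Rootkit.Win32.TDSS.tdl4(\HardDisk0) - User select action: Cure
"""
AFTER = r"""
2011/02/04 09:59:04.0046 4284 sptd (0123456789abcdef0123456789abcdef) C:\WINDOWS\system32\Drivers\sptd.sys
2011/02/04 09:59:04.0078 4284 sptd - detected Locked file (1)
2011/02/04 09:59:09.0265 4276 Detected object count: 1
2011/02/04 09:59:26.0687 4276 Locked file(sptd) - User select action: Quarantine
"""

if __name__ == "__main__":
    for name, log in (("before", BEFORE), ("after", AFTER)):
        s = triage(log)
        print(name, "declared:", s["declared_count"], "findings:", s["findings"],
              "actions:", s["actions"], "reboot:", s["reboot_required"])
    print("diff:", diff_runs(BEFORE, AFTER))
```

Note that a locked, unreadable driver such as sptd.sys (SCSI pass-through used by disc-emulation software) is reported as "Suspicious file (NoAccess)" rather than as malware; the script keeps those separate from "detected" findings so the two are not conflated.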
     
  6. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Okay- one down! And I think you made a wise decision in removing uTorrent and LimeWire. Now we'll check a bit further:

    Run Eset NOD32 Online AntiVirus scan HERE
    1. Tick the box next to YES, I accept the Terms of Use.
    2. Click Start
    3. When asked, allow the Active X control to install
    4. Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
    5. Click Start
    6. Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
    7. Click Scan
    8. Wait for the scan to finish
    9. Re-enable your Antivirus software.
    10. A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
    ===============================
    NOTE: You will need to uninstall AVG to run Combofix. That's a nuisance, I know, but this scan is worth the extra step. Be sure to get the AV back on when through.
    Download Combofix to your desktop from one of these locations:
    Link 1
    Link 2
    • Double click combofix.exe & follow the prompts.
    • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It is strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode if needed.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    • Query- Recovery Console image
    • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
    • Click on Yes, to continue scanning for malware
    • If Combofix asks you to update the program, allow
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Close any open browsers.
    • Double click combofix.exe & follow the prompts to run.
    • When the scan completes it will open a text window. Please paste that log in your next reply.
    Notes:
    1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
    3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
    4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
     
  7. rob3000

    rob3000 TS Rookie Topic Starter Posts: 22

    You say to run Eset NOD32 Online AntiVirus scan, do you know if it's possible to download this onto a flash drive? The reason I ask is that I don't think that my PC will let me connect to the internet yet, I could be wrong but will need to check when I get home.

    If I can't connect is it ok to run ComboFix anyway because I can download this to flash?
     
  8. rob3000

    rob3000 TS Rookie Topic Starter Posts: 22

    Ok I have a couple of problems. I haven't been able to connect to the internet since I got this virus and that is still the same so I couldn't run Eset NOD32. I downloaded Combofix to flash and installed it on my infected PC (at this time the PC also put a Trojan onto the flash drive) but it asked for AVG to be uninstalled which was expected. I used add/remove programs to do this but nothing happened when I selected remove. I then tried to use an AVG remover tool but I think you need to be online to use this, and I was not able to download to a flash drive. Maybe I need to re-install AVG first to be able to uninstall it but I have to be online for that which again I can't do?

    Do you think that it's going to be possible to cure this problem? If I can back up my D: drive which has my documents etc on it then it may be just as easy to re-format and start again. I am a bit nervous about backing up to a portable hard drive seeing as it put a Trojan onto a brand new flash drive. Do you have any thoughts?
     
  9. rob3000

    rob3000 TS Rookie Topic Starter Posts: 22

    You still with me?
     
  10. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    I'm back Rob. Wasn't on the system much for past couple of days.
    Let's do these steps:
    1. Uninstall ComboFix and all Backups of the files it deleted
      • Click START> then RUN
      • Now type Combofix /Uninstall in the Run box and click OK. Note the space between the X and the U, it needs to be there.
    2. Disinfect the Flash drive:
      Threat Removal Procedure:

      • [1]. Download Flash_Disinfector and save it to your Desktop.
        [2]. After downloading, double-click on Flash_Disinfector to run it.
        [3]. Just follow the prompts and continue until it begins scanning.
        [4]. If asked to insert your flash drive or any removable device including USB Pen Drive and Memory Stick, please do so.
        [5]. It will scan removable drives, wait for the scan to finish. Done.

      What Flash Disinfector will do:
      - Cleans up junk created by flash-drive malware
      - Deletes autorun.inf from every root folder
      - Fixes damage done to your system
      - Creates an autorun.inf folder in the root of your system drives
      The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone.

      Please do so and allow the utility to clean up those drives as well.
      Wait until it has finished scanning and then exit the program.
      Reboot your computer when done.

      Note: Flash_Disinfector will create a hidden file named autorun.inf in each partition and every USB drive plugged in when you ran it. Don't delete this folder. It will help protect your drives from future infection.
      ================================================
    3. Then download Combofix again on the clean flash drive. Don't start it yet.
    4. Uninstall AVG:
      Download AppRemover and save to the desktop.
      How to Use AppRemover to Remove a Complete Security Application
      1. Double click the setup on the desktop> click Next
      2. Select “Remove Security Application”
      3. Let scan finish to determine security apps
      4. A screen like below will appear:
        (image: http://www.appremover.com/about/chooseuninstall.gif/image_preview)
      5. Click on Next after choice has been made
      6. Check the AVG program you want to uninstall
      7. After uninstall shows complete, follow online prompts to Exit the program.

      How to Use AppRemover to Clean Up a Failed Uninstall
      1. Return to Step 1 above
      2. Check Clean Up Failed Uninstall> Click Next
      3. Allow program to rescan for the security program that failed the uninstall
      4. Carefully choose which application to uninstall> Next
      5. Follow prompts to close and Exit.
      =========================================
    5. Now install the new Combofix onto the problem computer and run the scan.
    I see at least one malware entry in the DDS log:
    mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\program files\iuborlvs\qbpbcofg.exe,
    But I can't remove it until you have run Combofix and I can set up some script.

    It would help if you could describe what is preventing access to the internet. Do you get a message? What? What happens when you try? I suspect it is the infected logon but the more info I have, the better I can help.
     
  11. rob3000

    rob3000 TS Rookie Topic Starter Posts: 22

    Ok, thanks for that, I probably won't get a chance to do it until tomorrow but I will let you know how I get on.

    Off the top of my head when I try to connect to the internet it comes up with a message saying that the address can't be found and to check the spelling. I will have to check this. I did try to un-install the internet provider software but then couldn't re-install it because I couldn't connect with the internet. I will double check what messages I get.
     
  12. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Post when able.
     
  13. rob3000

    rob3000 TS Rookie Topic Starter Posts: 22

    Ok so I have run Combofix, during the scan it came up with a message saying 'Machine does not have Microsoft console Installed, alternatively an existing installation of the recovery console may be present but requires updating'. It said that I could download it but I needed an active internet connection, which I don't have at the moment. It continued with the rest of the scan ok and I have pasted the log.

    As for my internet connection, my router appears to be as it should and is indicating that it has a signal. When I look at Network connections in Control Panel the Status says 'connected.' When I try to connect it comes up with a message saying www.skybroadband not found, check spelling etc etc. If I try to connect through internet explorer there is no message it just doesn't do anything.

    Combofix log

    ComboFix 11-02-08.05 - Mark's Pc 11/02/2011 11:25:14.1.1 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.767.355 [GMT 0:00]
    Running from: c:\documents and settings\Mark's Pc\Desktop\ComboFix.exe

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\Mark's Pc\Application Data\Mozilla\Firefox\Profiles\u7u54s3s.default\extensions\{5fd6afe3-d2e0-4cfd-ac33-60885246ce04}
    c:\documents and settings\Mark's Pc\Application Data\Mozilla\Firefox\Profiles\u7u54s3s.default\extensions\{5fd6afe3-d2e0-4cfd-ac33-60885246ce04}\chrome.manifest
    c:\documents and settings\Mark's Pc\Application Data\Mozilla\Firefox\Profiles\u7u54s3s.default\extensions\{5fd6afe3-d2e0-4cfd-ac33-60885246ce04}\chrome\xulcache.jar
    c:\documents and settings\Mark's Pc\Application Data\Mozilla\Firefox\Profiles\u7u54s3s.default\extensions\{5fd6afe3-d2e0-4cfd-ac33-60885246ce04}\defaults\preferences\xulcache.js
    c:\documents and settings\Mark's Pc\Application Data\Mozilla\Firefox\Profiles\u7u54s3s.default\extensions\{5fd6afe3-d2e0-4cfd-ac33-60885246ce04}\install.rdf
    c:\documents and settings\Mark's Pc\Application Data\Wigi
    c:\documents and settings\Mark's Pc\Application Data\Wigi\xohoo.ere
    c:\documents and settings\Mark's Pc\Application Data\Wigi\xohoo.tmp
    c:\documents and settings\Mark's Pc\Favorites\Thumbs.db
    c:\documents and settings\Mark's Pc\GoToAssistDownloadHelper.exe
    c:\program files\Internet Explorer\dmlconf.dat
    c:\windows\system32\315435436
    c:\windows\system32\Thumbs.db
    c:\windows\system32\u2g.f
    c:\windows\system32\winiconmon.ico
    c:\windows\system32\winiconmon.ico.bak0
    c:\windows\Tasks\At1.job
    c:\windows\Tasks\At10.job
    c:\windows\Tasks\At11.job
    c:\windows\Tasks\At12.job
    c:\windows\Tasks\At13.job
    c:\windows\Tasks\At14.job
    c:\windows\Tasks\At15.job
    c:\windows\Tasks\At16.job
    c:\windows\Tasks\At17.job
    c:\windows\Tasks\At18.job
    c:\windows\Tasks\At19.job
    c:\windows\Tasks\At2.job
    c:\windows\Tasks\At20.job
    c:\windows\Tasks\At21.job
    c:\windows\Tasks\At22.job
    c:\windows\Tasks\At23.job
    c:\windows\Tasks\At24.job
    c:\windows\Tasks\At3.job
    c:\windows\Tasks\At4.job
    c:\windows\Tasks\At5.job
    c:\windows\Tasks\At6.job
    c:\windows\Tasks\At7.job
    c:\windows\Tasks\At8.job
    c:\windows\Tasks\At9.job

    .
    ((((((((((((((((((((((((( Files Created from 2011-01-11 to 2011-02-11 )))))))))))))))))))))))))))))))
    .

    2011-02-04 08:55 . 2011-02-04 09:59 -------- d-----w- C:\TDSSKiller_Quarantine
    2011-01-23 16:01 . 2011-02-05 09:53 -------- d-----w- c:\program files\iuborlvs
    2011-01-23 16:01 . 2011-01-23 16:06 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
    2011-01-23 15:40 . 2011-01-23 15:40 -------- d-----w- C:\Adobe
    2011-01-23 15:40 . 2011-01-23 15:40 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-12-20 18:09 . 2010-08-15 13:36 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-12-20 18:08 . 2010-08-15 13:36 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-11-18 18:12 . 2006-02-28 23:40 81920 ----a-w- c:\windows\system32\isign32.dll
    2010-04-26 16:03 203776 --sh--w- c:\windows\system32\unrar.exe
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NokiaOviSuite2"="c:\program files\Nokia\Nokia Ovi Suite\NokiaOviSuite.exe" [2010-02-24 385928]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-08-15 39408]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NokiaMServer"="c:\program files\Common Files\Nokia\MPlatform\NokiaMServer" [X]
    "NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2004-10-29 4620288]
    "nwiz"="nwiz.exe" [2004-10-29 921600]
    "NvMediaCenter"="c:\windows\System32\NvMcTray.dll" [2004-10-29 86016]
    "SoundMan"="SOUNDMAN.EXE" [2003-10-08 57344]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-01-11 246504]
    "iTunesHelper"="c:\program files\Added Programs\Media\iTunes\iTunesHelper.exe" [2010-11-17 421160]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-20 932288]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    PMB Media Check Tool.lnk - c:\program files\Sony\Sony Picture Utility\PMBCore\SPUVolumeWatcher.exe [2009-6-14 333088]

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
    BootExecute REG_MULTI_SZ CC?\0??\0c:\progra~1\AVG\AVG10\avgchsvx.exe /sync\0c:\progra~1\AVG\AVG10\avgrsx.exe /sync /restart

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
    @="Driver"

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "d:\\Games\\SteamApps\\common\\football manager 2009\\fm.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
    "c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\Nokia\\Nokia Ovi Suite\\NokiaOviSuite.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\Added Programs\\Media\\iTunes\\iTunes.exe"=

    R0 viasraid;viasraid;c:\windows\system32\drivers\viasraid.sys [03/03/2006 21:25 77056]
    R2 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [08/04/2009 10:38 92008]
    S0 sptd;sptd;c:\windows\system32\Drivers\sptd.sys --> c:\windows\system32\Drivers\sptd.sys [?]
    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [15/08/2010 13:26 135664]
    S3 bfturboh;BUFFALO TurboUSB for HD Filter;c:\windows\system32\drivers\bfturboh.sys [29/12/2010 08:57 17280]
    S3 vaxscsi;vaxscsi;c:\windows\system32\drivers\vaxscsi.sys [09/03/2006 17:38 223128]
    .
    Contents of the 'Scheduled Tasks' folder

    2010-10-22 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 11:34]

    2011-02-11 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-08-15 13:25]

    2011-02-11 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-08-15 13:25]

    2011-02-11 c:\windows\Tasks\OGALogon.job
    - c:\windows\system32\OGAEXEC.exe [2009-08-03 14:07]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.skybroadband.com
    uInternet Settings,ProxyOverride = <local>
    uInternet Settings,ProxyServer = http=127.0.0.1:5577
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll/cmsidewiki.html
    .
    - - - - ORPHANS REMOVED - - - -

    Toolbar-Locked - (no file)
    WebBrowser-{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - (no file)
    WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
    HKLM-Run-QuickTime Task - c:\program files\Added Programs\Media\Quicktime\qttask.exe
    HKU-Default-Run-KB3819796.exe - c:\adobe\plugs\KB3819796.exe
    Notify-WgaLogon - (no file)
    SafeBoot-mcmscsvc
    SafeBoot-MCODS
    AddRemove-Easy-PhotoPrint - c:\program files\Canon\Easy-PhotoPrint\uninst.exe
    AddRemove-InstallShield_{0A146245-DB79-4197-BF5D-FE1A699A2CC7} - c:\program files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe
    AddRemove-InstallShield_{33711828-7194-4446-8C05-0DC0E59A0C1B} - c:\program files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe
    AddRemove-InstallShield_{4DBBF091-FACD-422C-B43C-786335BD5398} - c:\program files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe
    AddRemove-InstallShield_{50E25180-3BDC-4B6D-80A2-3F1F0C9CF39D} - c:\program files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe
    AddRemove-InstallShield_{6C3A75A6-9A90-44A3-A703-82AC1EA6A85D} - c:\program files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe
    AddRemove-InstallShield_{874E44F3-B9A7-4AA1-B4BA-83E5684ED9C6} - c:\program files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe
    AddRemove-InstallShield_{901F8ED7-13E8-43EF-B738-2FE89B0588EB} - c:\program files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe
    AddRemove-InstallShield_{A1D0D14A-B776-4907-BC00-5149F2298086} - c:\program files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe
    AddRemove-InstallShield_{A2EB8F2E-6D9B-4F8B-96EB-F976D33F416F} - c:\program files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe
    AddRemove-InstallShield_{BAA43DA2-B6C5-46EC-B163-0E8EEAF975A4} - c:\program files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe
    AddRemove-InstallShield_{D0E8C34D-19D2-49FD-A900-88DEB788FF86} - c:\program files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe
    AddRemove-IomegaNT - c:\program files\Iomega\DeIsL1.isu
    AddRemove-Windows Media Format Runtime - c:\program files\Windows Media Player\wmsetsdk.exe
    AddRemove-WinRAR archiver - c:\program files\Added Programs\Pc Tools\WinRaR\uninstall.exe
    AddRemove-UnityWebPlayer - c:\documents and settings\Mark's Pc\Local Settings\Application Data\Unity\WebPlayer\Uninstall.exe



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-02-11 11:32
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe,-101"

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe"

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @DACL=(02 0010)
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @DACL=(02 0010)
    @="{00020424-0000-0000-C000-000000000046}"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @DACL=(02 0010)
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'explorer.exe'(2072)
    c:\windows\system32\WININET.dll
    c:\windows\system32\nview.dll
    c:\windows\system32\NVWRSENG.DLL
    c:\windows\system32\nvwddi.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\windows\System32\nvsvc32.exe
    c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
    c:\windows\system32\RUNDLL32.EXE
    c:\windows\SOUNDMAN.EXE
    c:\program files\Common Files\Nokia\MPlatform\NokiaMServer.exe
    c:\windows\system32\rundll32.exe
    c:\program files\Common Files\Nokia\NoA\nokiaaserver.exe
    c:\program files\Canon\CAL\CALMAIN.exe
    c:\program files\iPod\bin\iPodService.exe
    c:\windows\system32\wscntfy.exe
    c:\program files\PC Connectivity Solution\ServiceLayer.exe
    c:\program files\PC Connectivity Solution\Transports\NclUSBSrv.exe
    c:\program files\PC Connectivity Solution\Transports\NclRSSrv.exe
    .
    **************************************************************************
    .
    Completion time: 2011-02-11 11:37:37 - machine was rebooted
    ComboFix-quarantined-files.txt 2011-02-11 11:37

    Pre-Run: 9,215,787,008 bytes free
    Post-Run: 9,204,768,768 bytes free

    - - End Of File - - D843CC31545B4BB3030CB5EAFA86E245
     
  14. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Do you know what this program is? I can't identify it: c:\program files\iuborlvs. Shows date of 2/5/2011.

    Does your ISP require you to set this port: uInternet Settings,ProxyServer = http=127.0.0.1:5577
    and then use override: uInternet Settings,ProxyOverride = <local>
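The two indicators this thread turns on, the extra program in the Winlogon Userinit value (post 10) and the ProxyServer entry pointing at 127.0.0.1 (the line asked about just above, later flagged by Malwarebytes as PUM.BAD.PROXY), are both easy to check for mechanically. The script below is an added example, not code from this thread, from ComboFix or from DDS: it runs over DDS/ComboFix-style report lines and reports a Userinit value that loads anything besides the default userinit.exe, and a proxy setting whose host is the local machine. The sample log text is constructed from the values quoted in the thread, and the function names are my own.

```python
import re
from ipaddress import ip_address

# The only program Windows itself lists in the Winlogon Userinit value.
DEFAULT_USERINIT = r"c:\windows\system32\userinit.exe"

# Constructed sample: the two indicators quoted in this thread, plus clean lines.
SAMPLE_LOG = r"""
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\program files\iuborlvs\qbpbcofg.exe,
uStart Page = hxxp://www.skybroadband.com
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:5577
uSearchAssistant = hxxp://www.google.com/ie
"""

# Constructed sample of what a clean machine would show for the same keys
# (proxy.example.net is a placeholder for a real corporate proxy).
CLEAN_LOG = r"""
mWinlogon: Userinit=C:\WINDOWS\system32\userinit.exe,
uStart Page = hxxp://www.skybroadband.com
uInternet Settings,ProxyServer = http=proxy.example.net:8080
"""


def userinit_extras(value):
    """Return every program in a Userinit value other than the Windows default."""
    parts = [p.strip().strip('"') for p in value.split(",")]
    return [p for p in parts if p and p.lower() != DEFAULT_USERINIT]


def proxy_is_loopback(value):
    """True if any host in a ProxyServer value ('http=127.0.0.1:5577',
    '[::1]:8080', 'localhost:3128', several separated by ';') is the local machine."""
    for entry in value.split(";"):
        entry = entry.strip()
        if not entry:
            continue
        hostport = entry.split("=", 1)[-1]        # drop a 'http=' / 'https=' prefix
        host = hostport.rsplit(":", 1)[0].strip("[]")
        if host.lower() == "localhost":
            return True
        try:
            if ip_address(host).is_loopback:
                return True
        except ValueError:
            pass                                  # a hostname, not an IP literal
    return False


# 'm' prefix = HKLM, 'u' prefix = HKCU in DDS output; accept either.
USERINIT_RE = re.compile(r"\s*[mu]?Winlogon:\s*Userinit=(.*)$", re.I)
PROXY_RE = re.compile(r"\s*[mu]?Internet Settings,ProxyServer\s*=\s*(.*)$", re.I)


def triage(log_text):
    """Scan DDS/ComboFix-style lines and return a list of (indicator, value)."""
    findings = []
    for line in log_text.splitlines():
        m = USERINIT_RE.match(line)
        if m:
            for extra in userinit_extras(m.group(1)):
                findings.append(("userinit_extra", extra))
            continue
        m = PROXY_RE.match(line)
        if m and proxy_is_loopback(m.group(1)):
            findings.append(("loopback_proxy", m.group(1).strip()))
    return findings


if __name__ == "__main__":
    for indicator, value in triage(SAMPLE_LOG):
        print(f"{indicator}: {value}")
```

A Userinit value with a second executable runs that program at every interactive logon, which is why the helper treats it as the persistence point. A loopback proxy is worth flagging on its own: once the process that was listening on that local port is gone, the browser still sends every request to 127.0.0.1:5577 and fails, while the network adapter and router keep reporting "connected", so clearing the proxy setting is part of the cleanup rather than something to leave for later.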
     
  15. rob3000

    rob3000 TS Rookie Topic Starter Posts: 22

    Do you know what this program is? I can't identify it: c:\program files\iuborlvs. Shows date of 2/5/2011.

    No I don't recognise that program at all, should I delete it?

    I will check my internet settings and get back to you.

    Thanks for all your help
     
  16. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Please run this Custom CFScript:

    • [1]. Close any open browsers.
      [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      [3]. Open notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it. Be sure to scroll down to include ALL lines.
    Code:
    File::
    c:\windows\system32\Drivers\sptd.sys
    
    Folder::
    C:\TDSSKiller_Quarantine
    c:\program files\iuborlvs
    Registry::
    
    Driver::
    sptd    
    
    Save this as CFScript.txt, in the same location as ComboFix.exe

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt . Please paste in your next reply.
    ====================
    Uninstall the outdated Java v6u7.
    Check this site: Java Updates. Uninstall any earlier versions in Add/Remove Programs as they are vulnerabilities for the system.
     
  17. rob3000

    rob3000 TS Rookie Topic Starter Posts: 22

    I tried to uninstall Java but it kept showing a Fatal error during installation message.

    I entered the script as instructed, Combofix ran a scan and during the procedure it said that Recovery Console wasn't installed and that it was connecting to Microsoft.com, so I thought my internet connection problem was sorted. It then said that the Recovery Console was successfully installed. I tried the internet after this but there was still no connection, I checked the settings as you suggested but it all looked ok.

    The log produced is below.



    ComboFix 11-02-08.05 - Mark's Pc 14/02/2011 17:01:05.2.1 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.767.341 [GMT 0:00]
    Running from: c:\documents and settings\Mark's Pc\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\Mark's Pc\Desktop\CFScript.txt
    * Created a new restore point

    FILE ::
    "c:\windows\system32\Drivers\sptd.sys"
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_SPTD
    -------\Service_sptd


    ((((((((((((((((((((((((( Files Created from 2011-01-14 to 2011-02-14 )))))))))))))))))))))))))))))))
    .

    2011-02-11 12:22 . 2011-02-11 12:22 -------- d-----w- c:\program files\Sky Broadband
    2011-02-04 08:55 . 2011-02-04 09:59 -------- d-----w- C:\TDSSKiller_Quarantine
    2011-01-23 16:01 . 2011-02-05 09:53 -------- d-----w- c:\program files\iuborlvs
    2011-01-23 16:01 . 2011-01-23 16:06 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
    2011-01-23 15:40 . 2011-01-23 15:40 -------- d-----w- C:\Adobe
    2011-01-23 15:40 . 2011-01-23 15:40 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-12-20 18:09 . 2010-08-15 13:36 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-12-20 18:08 . 2010-08-15 13:36 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-11-18 18:12 . 2006-02-28 23:40 81920 ----a-w- c:\windows\system32\isign32.dll
    2010-04-26 16:03 203776 --sh--w- c:\windows\system32\unrar.exe
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NokiaOviSuite2"="c:\program files\Nokia\Nokia Ovi Suite\NokiaOviSuite.exe" [2010-02-24 385928]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-08-15 39408]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NokiaMServer"="c:\program files\Common Files\Nokia\MPlatform\NokiaMServer" [X]
    "NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2004-10-29 4620288]
    "nwiz"="nwiz.exe" [2004-10-29 921600]
    "NvMediaCenter"="c:\windows\System32\NvMcTray.dll" [2004-10-29 86016]
    "SoundMan"="SOUNDMAN.EXE" [2003-10-08 57344]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-01-11 246504]
    "iTunesHelper"="c:\program files\Added Programs\Media\iTunes\iTunesHelper.exe" [2010-11-17 421160]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-20 932288]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    PMB Media Check Tool.lnk - c:\program files\Sony\Sony Picture Utility\PMBCore\SPUVolumeWatcher.exe [2009-6-14 333088]

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
    BootExecute REG_MULTI_SZ CC?\0??\0c:\progra~1\AVG\AVG10\avgchsvx.exe /sync\0c:\progra~1\AVG\AVG10\avgrsx.exe /sync /restart

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
    @="Driver"

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "d:\\Games\\SteamApps\\common\\football manager 2009\\fm.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
    "c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\Nokia\\Nokia Ovi Suite\\NokiaOviSuite.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\Added Programs\\Media\\iTunes\\iTunes.exe"=

    R0 viasraid;viasraid;c:\windows\system32\drivers\viasraid.sys [03/03/2006 21:25 77056]
    R2 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [08/04/2009 10:38 92008]
    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [15/08/2010 13:26 135664]
    S3 bfturboh;BUFFALO TurboUSB for HD Filter;c:\windows\system32\drivers\bfturboh.sys [29/12/2010 08:57 17280]
    S3 vaxscsi;vaxscsi;c:\windows\system32\drivers\vaxscsi.sys [09/03/2006 17:38 223128]
    .
    Contents of the 'Scheduled Tasks' folder

    2010-10-22 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 11:34]

    2011-02-14 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-08-15 13:25]

    2011-02-14 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-08-15 13:25]

    2011-02-14 c:\windows\Tasks\OGALogon.job
    - c:\windows\system32\OGAEXEC.exe [2009-08-03 14:07]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.skybroadband.com
    uInternet Settings,ProxyOverride = <local>
    uInternet Settings,ProxyServer = http=127.0.0.1:5577
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll/cmsidewiki.html
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-02-14 17:07
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe,-101"

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe"

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @DACL=(02 0010)
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @DACL=(02 0010)
    @="{00020424-0000-0000-C000-000000000046}"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @DACL=(02 0010)
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'explorer.exe'(3680)
    c:\windows\system32\WININET.dll
    c:\windows\system32\nview.dll
    c:\windows\system32\NVWRSENG.DLL
    c:\windows\system32\nvwddi.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\windows\system32\RUNDLL32.EXE
    c:\windows\SOUNDMAN.EXE
    c:\program files\Common Files\Nokia\MPlatform\NokiaMServer.exe
    c:\windows\System32\nvsvc32.exe
    c:\windows\system32\rundll32.exe
    c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
    c:\program files\Canon\CAL\CALMAIN.exe
    c:\program files\iPod\bin\iPodService.exe
    c:\program files\PC Connectivity Solution\ServiceLayer.exe
    c:\windows\system32\wscntfy.exe
    c:\program files\PC Connectivity Solution\Transports\NclUSBSrv.exe
    c:\program files\PC Connectivity Solution\Transports\NclRSSrv.exe
    .
    **************************************************************************
    .
    Completion time: 2011-02-14 17:12:46 - machine was rebooted
    ComboFix-quarantined-files.txt 2011-02-14 17:12
    ComboFix2.txt 2011-02-11 11:37

    Pre-Run: 9,131,233,280 bytes free
    Post-Run: 9,103,147,008 bytes free

    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    UnsupportedDebug="do not select this" /debug
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

    - - End Of File - - C99FC4EF9F4E13235A8C14F7F496C470
     
  18. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Please run this Custom CFScript:

    • [1]. Close any open browsers.
      [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      [3]. Open notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it:
    Code:
    File::
    Folder::
    C:\TDSSKiller_Quarantine
    c:\program files\iuborlvs
    
    Save this as CFScript.txt, in the same location as ComboFix.exe

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt . Please paste it into your next reply.
    ====================
    What problems remain?
     
  19. rob3000

    rob3000 TS Rookie Topic Starter Posts: 22

    I have entered the script as directed and ran ComboFix, when I did this it said that there was a new version available but as I didn't think my internet connection was working yet I ran the scan with the version I had. After the scan I ran it again just to see if it would update to the latest version, which it did. I then ran another scan with this latest version.

    I then tried to update Malwarebytes which again it did. I ran a quick scan with this (I know I am not supposed to!) and it came up with a PUM.BAD.PROXY infection.

    I have pasted both ComboFix logs and the Malwarebytes log.

    Although these programs updated successfully I don't seem to be able to access the internet through the normal channels, i.e. Explorer or Sky Broadband.

    First ComboFix log


    ComboFix 11-02-08.05 - Mark's Pc 19/02/2011 12:47:52.3.1 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.767.381 [GMT 0:00]
    Running from: c:\documents and settings\Mark's Pc\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\Mark's Pc\Desktop\CFScript.txt
    .
    - REDUCED FUNCTIONALITY MODE -
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\program files\iuborlvs

    .
    ((((((((((((((((((((((((( Files Created from 2011-01-19 to 2011-02-19 )))))))))))))))))))))))))))))))
    .

    2011-02-11 12:22 . 2011-02-11 12:22 -------- d-----w- c:\program files\Sky Broadband
    2011-02-04 08:55 . 2011-02-04 09:59 -------- d-----w- C:\TDSSKiller_Quarantine
    2011-01-23 16:01 . 2011-01-23 16:06 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
    2011-01-23 15:40 . 2011-01-23 15:40 -------- d-----w- C:\Adobe
    2011-01-23 15:40 . 2011-01-23 15:40 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-12-20 18:09 . 2010-08-15 13:36 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-12-20 18:08 . 2010-08-15 13:36 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-04-26 16:03 203776 --sh--w- c:\windows\system32\unrar.exe
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NokiaOviSuite2"="c:\program files\Nokia\Nokia Ovi Suite\NokiaOviSuite.exe" [2010-02-24 385928]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-08-15 39408]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NokiaMServer"="c:\program files\Common Files\Nokia\MPlatform\NokiaMServer" [X]
    "NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2004-10-29 4620288]
    "nwiz"="nwiz.exe" [2004-10-29 921600]
    "NvMediaCenter"="c:\windows\System32\NvMcTray.dll" [2004-10-29 86016]
    "SoundMan"="SOUNDMAN.EXE" [2003-10-08 57344]
    "iTunesHelper"="c:\program files\Added Programs\Media\iTunes\iTunesHelper.exe" [2010-11-17 421160]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-20 932288]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    PMB Media Check Tool.lnk - c:\program files\Sony\Sony Picture Utility\PMBCore\SPUVolumeWatcher.exe [2009-6-14 333088]

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
    BootExecute REG_MULTI_SZ CC?\0??\0c:\progra~1\AVG\AVG10\avgchsvx.exe /sync\0c:\progra~1\AVG\AVG10\avgrsx.exe /sync /restart

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
    @="Driver"

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "d:\\Games\\SteamApps\\common\\football manager 2009\\fm.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
    "c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\Nokia\\Nokia Ovi Suite\\NokiaOviSuite.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\Added Programs\\Media\\iTunes\\iTunes.exe"=

    R0 viasraid;viasraid;c:\windows\system32\drivers\viasraid.sys [03/03/2006 21:25 77056]
    R2 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [08/04/2009 10:38 92008]
    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [15/08/2010 13:26 135664]
    S3 bfturboh;BUFFALO TurboUSB for HD Filter;c:\windows\system32\drivers\bfturboh.sys [29/12/2010 08:57 17280]
    S3 vaxscsi;vaxscsi;c:\windows\system32\drivers\vaxscsi.sys [09/03/2006 17:38 223128]
    .
    Contents of the 'Scheduled Tasks' folder

    2010-10-22 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 11:34]

    2011-02-19 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-08-15 13:25]

    2011-02-16 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-08-15 13:25]

    2011-02-19 c:\windows\Tasks\OGALogon.job
    - c:\windows\system32\OGAEXEC.exe [2009-08-03 14:07]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.skybroadband.com
    uInternet Settings,ProxyOverride = <local>
    uInternet Settings,ProxyServer = http=127.0.0.1:5577
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll/cmsidewiki.html
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-02-19 12:49
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe,-101"

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe"

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @DACL=(02 0010)
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @DACL=(02 0010)
    @="{00020424-0000-0000-C000-000000000046}"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @DACL=(02 0010)
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'explorer.exe'(1640)
    c:\windows\system32\WININET.dll
    c:\windows\system32\nview.dll
    c:\windows\system32\NVWRSENG.DLL
    c:\windows\system32\nvwddi.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    Completion time: 2011-02-19 12:53:19
    ComboFix-quarantined-files.txt 2011-02-19 12:53
    ComboFix2.txt 2011-02-14 17:12
    ComboFix3.txt 2011-02-11 11:37

    Pre-Run: 9,127,665,664 bytes free
    Post-Run: 9,111,252,992 bytes free

    - - End Of File - - F4F8C9281D9E6493E93E8E09D4E87983





    Updated ComboFix version log

    ComboFix 11-02-18.05 - Mark's Pc 19/02/2011 13:19:23.4.1 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.767.412 [GMT 0:00]
    Running from: c:\documents and settings\Mark's Pc\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\Mark's Pc\Desktop\CFScript.txt
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\TDSSKiller_Quarantine
    c:\tdsskiller_quarantine\04.02.2011_09.52.09\susp0000\object.ini
    c:\tdsskiller_quarantine\04.02.2011_09.52.09\susp0000\svc0000\object.ini
    c:\tdsskiller_quarantine\04.02.2011_09.52.09\susp0000\svc0000\tsk0000.dta
    c:\tdsskiller_quarantine\04.02.2011_09.52.09\susp0000\svc0000\tsk0000.ini
    c:\tdsskiller_quarantine\04.02.2011_09.58.38\susp0000\object.ini
    c:\tdsskiller_quarantine\04.02.2011_09.58.38\susp0000\svc0000\object.ini
    c:\tdsskiller_quarantine\04.02.2011_09.58.38\susp0000\svc0000\tsk0000.dta
    c:\tdsskiller_quarantine\04.02.2011_09.58.38\susp0000\svc0000\tsk0000.ini

    .
    ((((((((((((((((((((((((( Files Created from 2011-01-19 to 2011-02-19 )))))))))))))))))))))))))))))))
    .

    2011-02-11 12:22 . 2011-02-11 12:22 -------- d-----w- c:\program files\Sky Broadband
    2011-02-10 08:29 . 2011-02-10 08:29 15205 ----a-w- c:\documents and settings\Mark's Pc\Application Data\sr8Mi6GZ.js
    2011-02-06 15:29 . 2011-02-06 15:29 15205 ----a-w- c:\documents and settings\NetworkService\Application Data\yIDmxJFVnQ.js
    2011-01-23 16:01 . 2011-01-23 16:06 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Adobe
    2011-01-23 15:40 . 2011-01-23 15:40 -------- d-----w- C:\Adobe
    2011-01-23 15:40 . 2011-01-23 15:40 -------- d-----w- c:\documents and settings\NetworkService\Local Settings\Application Data\Adobe
    2011-01-23 15:29 . 2011-01-24 17:29 11034 ----a-w- c:\windows\system32\345.js

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-12-20 18:09 . 2010-08-15 13:36 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-12-20 18:08 . 2010-08-15 13:36 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-04-26 16:03 203776 --sh--w- c:\windows\system32\unrar.exe
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NokiaOviSuite2"="c:\program files\Nokia\Nokia Ovi Suite\NokiaOviSuite.exe" [2010-02-24 385928]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2010-08-15 39408]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NokiaMServer"="c:\program files\Common Files\Nokia\MPlatform\NokiaMServer" [X]
    "NvCplDaemon"="c:\windows\System32\NvCpl.dll" [2004-10-29 4620288]
    "nwiz"="nwiz.exe" [2004-10-29 921600]
    "NvMediaCenter"="c:\windows\System32\NvMcTray.dll" [2004-10-29 86016]
    "SoundMan"="SOUNDMAN.EXE" [2003-10-08 57344]
    "iTunesHelper"="c:\program files\Added Programs\Media\iTunes\iTunesHelper.exe" [2010-11-17 421160]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-20 932288]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    PMB Media Check Tool.lnk - c:\program files\Sony\Sony Picture Utility\PMBCore\SPUVolumeWatcher.exe [2009-6-14 333088]

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
    BootExecute REG_MULTI_SZ CC?\0??\0c:\progra~1\AVG\AVG10\avgchsvx.exe /sync\0c:\progra~1\AVG\AVG10\avgrsx.exe /sync /restart

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
    @="Driver"

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "d:\\Games\\SteamApps\\common\\football manager 2009\\fm.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
    "c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\Nokia\\Nokia Ovi Suite\\NokiaOviSuite.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\Added Programs\\Media\\iTunes\\iTunes.exe"=

    R0 viasraid;viasraid;c:\windows\system32\drivers\viasraid.sys [03/03/2006 21:25 77056]
    R2 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [08/04/2009 10:38 92008]
    S2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [15/08/2010 13:26 135664]
    S3 bfturboh;BUFFALO TurboUSB for HD Filter;c:\windows\system32\drivers\bfturboh.sys [29/12/2010 08:57 17280]
    S3 vaxscsi;vaxscsi;c:\windows\system32\drivers\vaxscsi.sys [09/03/2006 17:38 223128]
    .
    Contents of the 'Scheduled Tasks' folder

    2010-10-22 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 11:34]

    2011-02-19 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-08-15 13:25]

    2011-02-19 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2010-08-15 13:25]

    2011-02-19 c:\windows\Tasks\OGALogon.job
    - c:\windows\system32\OGAEXEC.exe [2009-08-03 14:07]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.skybroadband.com
    uInternet Settings,ProxyOverride = <local>
    uInternet Settings,ProxyServer = http=127.0.0.1:5577
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_E11712C84EA7E12B.dll/cmsidewiki.html
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-02-19 13:23
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    @Denied: (A 2) (Everyone)
    @="FlashBroker"
    "LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe,-101"

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    "Enabled"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    @="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe"

    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    @DACL=(02 0010)
    @Denied: (A 2) (Everyone)
    @="IFlashBroker4"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    @DACL=(02 0010)
    @="{00020424-0000-0000-C000-000000000046}"

    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
    @DACL=(02 0010)
    @="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
    "Version"="1.0"
    .
    Completion time: 2011-02-19 13:26:28
    ComboFix-quarantined-files.txt 2011-02-19 13:26
    ComboFix2.txt 2011-02-19 12:53
    ComboFix3.txt 2011-02-14 17:12
    ComboFix4.txt 2011-02-11 11:37

    Pre-Run: 9,106,186,240 bytes free
    Post-Run: 9,086,259,200 bytes free

    - - End Of File - - 174E372311471423C07019E2DE8F0DAC



    Malwarebytes log

    Malwarebytes' Anti-Malware 1.50.1.1100
    www.malwarebytes.org

    Database version: 5808

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702

    19/02/2011 13:38:04
    mbam-log-2011-02-19 (13-38-04).txt

    Scan type: Quick scan
    Objects scanned: 142137
    Time elapsed: 3 minute(s), 49 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 1
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer (PUM.Bad.Proxy) -> Value: ProxyServer -> Quarantined and deleted successfully.

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)
     
  20. rob3000

    rob3000 TS Rookie Topic Starter Posts: 22

    I tried to access my router to check the settings there by entering 192.168.0.1 into the address bar but it showed a message 'windows cannot find (null)'. Does this mean anything, do you know?
     
  21. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Why are you trying to access the router settings?

    Please contact the ISP for this information.
     
  22. rob3000

    rob3000 TS Rookie Topic Starter Posts: 22

    When I first got the router I saved the settings, I tried to access it just to double check that nothing had changed, I don't know enough about it to start changing things.

    Did you see anything wrong with the latest logs I pasted?
     
  23. rob3000

    rob3000 TS Rookie Topic Starter Posts: 22

    When I first got the router I saved the settings, I tried to access it just to double check that nothing had changed, I don't know enough about it to start changing things.

    Does your ISP require you to set this port: uInternet Settings,ProxyServer = http=127.0.0.1:5577? I have checked this and it appears to be ok.

    Did you see anything wrong with the latest logs I pasted?
     
  24. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Yes:
    I was trying to determine if this was a False Positive.

    I cannot identify these JavaScript entries:
    Do you have any idea what they are from?
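    The two questions raised in this thread, whether the loopback ProxyServer setting flagged by Malwarebytes is a false positive and what the unexplained .js files in the "Files Created" section are, can be answered faster with a small log triage script. The following is an added example written for this page; it is not code from ComboFix, Malwarebytes or the helpers here, and the sample log lines inside it are constructed to mirror the logs quoted above. It parses the ComboFix "Supplementary Scan" and "Files Created" sections and the Malwarebytes "Registry Values Infected" lines, and reports (a) every configured proxy, calling out any that point at the local machine, and (b) script files created under profile or system directories. Whether a loopback proxy is malicious is a judgement call, since some filtering products install one deliberately; the script labels it for follow-up rather than deciding.

```python
"""Triage helpers for ComboFix / Malwarebytes log lines.

Added example for this thread; it is not part of ComboFix, Malwarebytes or
TechSpot.  Two checks it automates:
  1. Is Internet Explorer's ProxyServer pointed at the local machine?  When the
     program that listened on that loopback port has been removed, the browser
     still hands every request to it and nothing loads.
  2. Which newly created files are scripts dropped into profile or system
     directories, where a normal installer would not leave them?
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample lines, modelled on the logs quoted in this thread.
SAMPLE_COMBOFIX = r"""
((((((((((((((((((((((((( Files Created from 2011-01-19 to 2011-02-19 )))))))))))))))))))))))))))))))
.
2011-02-11 12:22 . 2011-02-11 12:22 -------- d-----w- c:\program files\Sky Broadband
2011-02-10 08:29 . 2011-02-10 08:29 15205 ----a-w- c:\documents and settings\Mark's Pc\Application Data\sr8Mi6GZ.js
2011-01-23 15:29 . 2011-01-24 17:29 11034 ----a-w- c:\windows\system32\345.js
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:5577
uSearchAssistant = hxxp://www.google.com/ie
"""

SAMPLE_MBAM = r"""
Registry Values Infected:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyServer (PUM.Bad.Proxy) -> Value: ProxyServer -> Quarantined and deleted successfully.
"""

# "uInternet Settings,ProxyServer = http=127.0.0.1:5577"
PROXY_LINE = re.compile(r"^u?Internet Settings,ProxyServer\s*=\s*(.+)$", re.MULTILINE)
# "<created> . <modified> <size or dashes> <attributes> <path>"
CREATED_LINE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. (\d{4}-\d{2}-\d{2} \d{2}:\d{2}) (\d+|-+) (\S+) (.+)$",
    re.MULTILINE,
)
# "<registry path> (<detection name>) -> Value: <value name> -> <action>"
MBAM_LINE = re.compile(r"^(HKEY_[^()\n]+?) \(([^)\n]+)\) -> Value: (\S+) ->", re.MULTILINE)


@dataclass(frozen=True)
class ProxyEntry:
    scheme: str            # "http", "https", "ftp", "socks", or "*" when no prefix was given
    host: str
    port: Optional[int]


def parse_proxy_server(value: str) -> list[ProxyEntry]:
    """Parse the ProxyServer registry syntax: "host:port" or "scheme=host:port;scheme=host:port"."""
    entries = []
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        scheme, _, hostport = part.rpartition("=")   # scheme is "" when no "scheme=" prefix
        host, sep, port = hostport.rpartition(":")
        if not sep:                                  # no port given at all
            host, port = hostport, ""
        entries.append(ProxyEntry(scheme or "*", host.strip("[]"), int(port) if port.isdigit() else None))
    return entries


def is_loopback(host: str) -> bool:
    """True for addresses that resolve to the machine itself."""
    h = host.lower()
    return h in ("localhost", "::1") or h.startswith("127.")


def proxy_findings(combofix_log: str) -> list[str]:
    """One finding per configured proxy; loopback proxies are called out for follow-up."""
    findings = []
    for m in PROXY_LINE.finditer(combofix_log):
        for e in parse_proxy_server(m.group(1).strip()):
            label = f"{e.scheme} proxy {e.host}:{e.port}"
            if is_loopback(e.host):
                findings.append(label + ": LOOPBACK - confirm a legitimate local filter owns this "
                                "port; if nothing does, clear the setting, it is blocking browsing")
            else:
                findings.append(label + ": external - confirm the user or ISP configured it")
    return findings


def dropped_scripts(combofix_log: str) -> list[str]:
    """Created .js/.vbs files under Application Data or system32, the locations seen in this thread."""
    hits = []
    for _created, _modified, size, _attrs, path in CREATED_LINE.findall(combofix_log):
        if size.startswith("-"):                     # directory entry, no size recorded
            continue
        p = path.strip().lower()
        if p.endswith((".js", ".vbs")) and ("\\application data\\" in p or "\\system32\\" in p):
            hits.append(path.strip())
    return hits


def mbam_detections(mbam_log: str) -> list[tuple[str, str]]:
    """(detection name, registry path) for each Malwarebytes 'Registry Values Infected' line."""
    return [(name, key) for key, name, _value in MBAM_LINE.findall(mbam_log)]


if __name__ == "__main__":
    for line in proxy_findings(SAMPLE_COMBOFIX):
        print(line)
    for path in dropped_scripts(SAMPLE_COMBOFIX):
        print("script dropped:", path)
    for name, key in mbam_detections(SAMPLE_MBAM):
        print(f"MBAM {name} at {key}")
```

    Run against the sample it reports the single http proxy at 127.0.0.1:5577 as a loopback entry needing follow-up, lists the two .js files as dropped scripts, and pairs the PUM.Bad.Proxy detection with the ProxyServer value it was found in. Pasting a real ComboFix log in place of the sample needs no other change, since the regexes key on the section line formats rather than on the sample values.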
     
  25. rob3000

    rob3000 TS Rookie Topic Starter Posts: 22

    No, sorry, I have no idea where the JavaScript entries come from. I have been trying to delete Java but when I select REMOVE it comes up with a 'Fatal error during installation' message, so I haven't been able to do this. I doubt this has anything to do with it but it might.
     
Topic Status:
Not open for further replies.