TechSpot

[Not curable - Ramnit] Google Re-direct-having problems, can't download GMER

By Sixx1402
Apr 23, 2011
  1. I've had a read through some of the other posts on here and seem to have the virus/malware that causes Google to redirect (usually to Lico Search). I started following the 8 step program but got stuck at step 4, as I couldn't get to the GMER link page. I'm also a bit concerned in case I do anything wrong without the professionals' advice on here. Any help would be much appreciated.
     
  2. Broni

    Broni Malware Annihilator Posts: 47,664   +267

    Welcome aboard

    Please, observe following rules:
    • Read all of my instructions very carefully. Your mistakes during cleaning process may have very serious consequences, like unbootable computer.
    • If you're stuck, or you're not sure about certain step, always ask before doing anything else.
    • Please refrain from running tools or applying updates other than those I suggest.
    • Never run more than one scan at a time.
    • Keep updating me regarding your computer behavior, good, or bad.
    • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
    • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in malware removal forum.
    • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

    ====================================================================

    Skip GMER for now.
     
  3. Sixx1402

    Sixx1402 TS Rookie Topic Starter Posts: 60

    Hi Broni, thanks for the quick response. Ok, I can't use either the GMER link or the DDS link - I get the 'Internet Explorer cannot display the webpage' screen on both. Here is the Malwarebytes log:

    Malwarebytes' Anti-Malware 1.50.1.1100
    www.malwarebytes.org

    Database version: 6422

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702

    23/04/2011 16:52:52
    mbam-log-2011-04-23 (16-52-52).txt

    Scan type: Quick scan
    Objects scanned: 143377
    Time elapsed: 2 minute(s), 48 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)
     
  4. Broni

    Broni Malware Annihilator Posts: 47,664   +267

    Download TDSSKiller and save it to your desktop.
    • Extract (unzip) its contents to your desktop.
    • Open the TDSSKiller folder and doubleclick on TDSSKiller.exe to run the application, then on Start Scan.
    • If an infected file is detected, the default action will be Cure, click on Continue.
    • If a suspicious file is detected, the default action will be Skip, click on Continue.
    • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
    • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
    • If a reboot is required, the report can also be found in your root directory (usually C:\ folder) in the form of TDSSKiller_xxxx_log.txt. Please copy and paste the contents of that file here.
     
  5. Sixx1402

    Sixx1402 TS Rookie Topic Starter Posts: 60

    That link won't work either, is it the virus blocking the links? I've had a look in the Internet Options-Connections tab but it looks normal, the 'use a proxy server for your LAN' isn't ticked.
     
  6. Broni

    Broni Malware Annihilator Posts: 47,664   +267

  7. Sixx1402

    Sixx1402 TS Rookie Topic Starter Posts: 60

    That one isn't working either, it just sticks on the screen and doesn't go to the link. I can access anything from my favourites menu including my email (and also sendspace if that helps) but it's hit and miss if I try and access anything else from Google or on this site. I had an issue with my Internet Explorer before this: I often had the browser pause and then say 'the tab has been recovered' when going to pages, I don't know if this makes any difference?
     
  8. Sixx1402

    Sixx1402 TS Rookie Topic Starter Posts: 60

    I've realised I can use my girlfriend's laptop to retrieve things! Ok, I did the TDSSKiller scan, it didn't find anything, here is the report:

    2011/04/23 18:41:30.0953 2120 TDSS rootkit removing tool 2.4.21.0 Mar 10 2011 12:26:28
    2011/04/23 18:41:31.0984 2120 ================================================================================
    2011/04/23 18:41:31.0984 2120 SystemInfo:
    2011/04/23 18:41:31.0984 2120
    2011/04/23 18:41:31.0984 2120 OS Version: 5.1.2600 ServicePack: 3.0
    2011/04/23 18:41:31.0984 2120 Product type: Workstation
    2011/04/23 18:41:31.0984 2120 ComputerName: USER-1EBAC01BAD
    2011/04/23 18:41:31.0984 2120 UserName: User
    2011/04/23 18:41:31.0984 2120 Windows directory: C:\WINDOWS
    2011/04/23 18:41:31.0984 2120 System windows directory: C:\WINDOWS
    2011/04/23 18:41:31.0984 2120 Processor architecture: Intel x86
    2011/04/23 18:41:31.0984 2120 Number of processors: 2
    2011/04/23 18:41:31.0984 2120 Page size: 0x1000
    2011/04/23 18:41:31.0984 2120 Boot type: Normal boot
    2011/04/23 18:41:31.0984 2120 ================================================================================
    2011/04/23 18:41:32.0046 2120 Initialize success
    2011/04/23 18:41:34.0125 0700 ================================================================================
    2011/04/23 18:41:34.0125 0700 Scan started
    2011/04/23 18:41:34.0125 0700 Mode: Manual;
    2011/04/23 18:41:34.0125 0700 ================================================================================
    2011/04/23 18:41:35.0156 0700 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
    2011/04/23 18:41:35.0218 0700 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
    2011/04/23 18:41:35.0265 0700 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
    2011/04/23 18:41:35.0312 0700 AFD (7618d5218f2a614672ec61a80d854a37) C:\WINDOWS\System32\drivers\afd.sys
    2011/04/23 18:41:35.0562 0700 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
    2011/04/23 18:41:35.0578 0700 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
    2011/04/23 18:41:35.0656 0700 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
    2011/04/23 18:41:35.0718 0700 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
    2011/04/23 18:41:36.0046 0700 avgio (0b497c79824f8e1bf22fa6aacd3de3a0) C:\Program Files\Avira\AntiVir Desktop\avgio.sys
    2011/04/23 18:41:36.0109 0700 Avgldx86 (5fe5a2c2330c376a1d8dcff8d2680a2d) C:\WINDOWS\system32\DRIVERS\avgldx86.sys
    2011/04/23 18:41:36.0140 0700 Avgmfx86 (54f1a9b4c9b540c2d8ac4baa171696b1) C:\WINDOWS\system32\DRIVERS\avgmfx86.sys
    2011/04/23 18:41:36.0171 0700 avgntflt (47b879406246ffdced59e18d331a0e7d) C:\WINDOWS\system32\DRIVERS\avgntflt.sys
    2011/04/23 18:41:36.0234 0700 avipbb (5fedef54757b34fb611b9ec8fb399364) C:\WINDOWS\system32\DRIVERS\avipbb.sys
    2011/04/23 18:41:36.0296 0700 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
    2011/04/23 18:41:36.0343 0700 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
    2011/04/23 18:41:36.0375 0700 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
    2011/04/23 18:41:36.0406 0700 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
    2011/04/23 18:41:36.0437 0700 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
    2011/04/23 18:41:36.0609 0700 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
    2011/04/23 18:41:36.0703 0700 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
    2011/04/23 18:41:36.0734 0700 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
    2011/04/23 18:41:36.0750 0700 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
    2011/04/23 18:41:36.0781 0700 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
    2011/04/23 18:41:36.0843 0700 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
    2011/04/23 18:41:36.0890 0700 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
    2011/04/23 18:41:36.0906 0700 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
    2011/04/23 18:41:36.0937 0700 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
    2011/04/23 18:41:36.0953 0700 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
    2011/04/23 18:41:37.0015 0700 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
    2011/04/23 18:41:37.0078 0700 fssfltr (e0087225b137e57239ff40f8ae82059b) C:\WINDOWS\system32\DRIVERS\fssfltr_tdi.sys
    2011/04/23 18:41:37.0125 0700 FsUsbExDisk (790a4ca68f44be35967b3df61f3e4675) C:\WINDOWS\system32\FsUsbExDisk.SYS
    2011/04/23 18:41:37.0140 0700 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
    2011/04/23 18:41:37.0171 0700 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
    2011/04/23 18:41:37.0187 0700 gagp30kx (3a74c423cf6bcca6982715878f450a3b) C:\WINDOWS\system32\DRIVERS\gagp30kx.sys
    2011/04/23 18:41:37.0234 0700 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
    2011/04/23 18:41:37.0281 0700 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
    2011/04/23 18:41:37.0328 0700 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
    2011/04/23 18:41:37.0421 0700 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
    2011/04/23 18:41:37.0500 0700 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
    2011/04/23 18:41:37.0515 0700 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
    2011/04/23 18:41:37.0687 0700 IntcAzAudAddService (001aaca6ed0e6b00fc5b8faf74977e81) C:\WINDOWS\system32\drivers\RtkHDAud.sys
    2011/04/23 18:41:37.0765 0700 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
    2011/04/23 18:41:37.0796 0700 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
    2011/04/23 18:41:37.0828 0700 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
    2011/04/23 18:41:37.0843 0700 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
    2011/04/23 18:41:37.0859 0700 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
    2011/04/23 18:41:37.0890 0700 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
    2011/04/23 18:41:37.0921 0700 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
    2011/04/23 18:41:38.0140 0700 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
    2011/04/23 18:41:38.0171 0700 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
    2011/04/23 18:41:38.0203 0700 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
    2011/04/23 18:41:38.0296 0700 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
    2011/04/23 18:41:38.0343 0700 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
    2011/04/23 18:41:38.0390 0700 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
    2011/04/23 18:41:38.0437 0700 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
    2011/04/23 18:41:38.0453 0700 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
    2011/04/23 18:41:38.0500 0700 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
    2011/04/23 18:41:38.0546 0700 MRxSmb (0ea4d8ed179b75f8afa7998ba22285ca) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
    2011/04/23 18:41:38.0609 0700 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
    2011/04/23 18:41:38.0640 0700 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
    2011/04/23 18:41:38.0656 0700 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
    2011/04/23 18:41:38.0687 0700 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
    2011/04/23 18:41:38.0718 0700 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
    2011/04/23 18:41:38.0765 0700 MTsensor (d48659bb24c48345d926ecb45c1ebdf5) C:\WINDOWS\system32\DRIVERS\ASACPI.sys
    2011/04/23 18:41:38.0781 0700 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
    2011/04/23 18:41:38.0843 0700 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
    2011/04/23 18:41:38.0859 0700 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
    2011/04/23 18:41:38.0890 0700 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
    2011/04/23 18:41:38.0906 0700 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
    2011/04/23 18:41:38.0984 0700 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
    2011/04/23 18:41:39.0000 0700 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
    2011/04/23 18:41:39.0046 0700 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
    2011/04/23 18:41:39.0093 0700 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
    2011/04/23 18:41:39.0140 0700 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
    2011/04/23 18:41:39.0234 0700 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
    2011/04/23 18:41:39.0468 0700 nv (ed9816dbaf6689542ea7d022631906a1) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
    2011/04/23 18:41:39.0640 0700 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
    2011/04/23 18:41:39.0656 0700 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
    2011/04/23 18:41:39.0687 0700 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
    2011/04/23 18:41:39.0734 0700 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
    2011/04/23 18:41:39.0781 0700 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
    2011/04/23 18:41:39.0796 0700 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
    2011/04/23 18:41:39.0843 0700 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
    2011/04/23 18:41:40.0031 0700 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
    2011/04/23 18:41:40.0531 0700 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
    2011/04/23 18:41:40.0578 0700 Processor (a32bebaf723557681bfc6bd93e98bd26) C:\WINDOWS\system32\DRIVERS\processr.sys
    2011/04/23 18:41:40.0593 0700 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
    2011/04/23 18:41:40.0609 0700 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
    2011/04/23 18:41:40.0656 0700 PxHelp20 (e42e3433dbb4cffe8fdd91eab29aea8e) C:\WINDOWS\system32\Drivers\PxHelp20.sys
    2011/04/23 18:41:40.0859 0700 RapportCerberus_25973 (3d80f6fb972cffab9a760892f9ab7232) C:\Documents and Settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportCerberus\25973\RapportCerberus_25973.sys
    2011/04/23 18:41:40.0875 0700 RapportKELL (b64262f33c53d690ed662fde57102b10) C:\WINDOWS\system32\Drivers\RapportKELL.sys
    2011/04/23 18:41:40.0921 0700 RapportPG (c9b8a131aaf77d969cbc3987537b319d) C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys
    2011/04/23 18:41:40.0937 0700 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
    2011/04/23 18:41:40.0953 0700 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
    2011/04/23 18:41:40.0968 0700 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
    2011/04/23 18:41:40.0984 0700 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
    2011/04/23 18:41:41.0015 0700 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
    2011/04/23 18:41:41.0031 0700 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
    2011/04/23 18:41:41.0046 0700 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
    2011/04/23 18:41:41.0125 0700 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
    2011/04/23 18:41:41.0140 0700 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
    2011/04/23 18:41:41.0171 0700 RTL8023xp (3529828ec571fb2f64f6b142f9109993) C:\WINDOWS\system32\DRIVERS\Rtnicxp.sys
    2011/04/23 18:41:41.0234 0700 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
    2011/04/23 18:41:41.0265 0700 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
    2011/04/23 18:41:41.0281 0700 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
    2011/04/23 18:41:41.0296 0700 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
    2011/04/23 18:41:41.0359 0700 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
    2011/04/23 18:41:41.0375 0700 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
    2011/04/23 18:41:41.0453 0700 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys
    2011/04/23 18:41:41.0500 0700 sscdbus (92b69020fc480219683d429dca068d71) C:\WINDOWS\system32\DRIVERS\sscdbus.sys
    2011/04/23 18:41:41.0531 0700 sscdmdfl (77a2869d40cc84af711c321f9b0c7a78) C:\WINDOWS\system32\DRIVERS\sscdmdfl.sys
    2011/04/23 18:41:41.0562 0700 sscdmdm (b4255635195a8413fcde7af5b7c4e382) C:\WINDOWS\system32\DRIVERS\sscdmdm.sys
    2011/04/23 18:41:41.0609 0700 ssmdrv (a36ee93698802cd899f98bfd553d8185) C:\WINDOWS\system32\DRIVERS\ssmdrv.sys
    2011/04/23 18:41:41.0640 0700 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
    2011/04/23 18:41:41.0656 0700 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
    2011/04/23 18:41:41.0734 0700 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
    2011/04/23 18:41:41.0765 0700 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
    2011/04/23 18:41:41.0796 0700 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
    2011/04/23 18:41:41.0812 0700 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
    2011/04/23 18:41:41.0843 0700 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
    2011/04/23 18:41:41.0890 0700 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
    2011/04/23 18:41:41.0953 0700 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
    2011/04/23 18:41:41.0984 0700 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
    2011/04/23 18:41:42.0046 0700 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
    2011/04/23 18:41:42.0093 0700 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
    2011/04/23 18:41:42.0125 0700 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
    2011/04/23 18:41:42.0156 0700 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
    2011/04/23 18:41:42.0156 0700 ViaIde (3b3efcda263b8ac14fdf9cbdd0791b2e) C:\WINDOWS\system32\DRIVERS\viaide.sys
    2011/04/23 18:41:42.0171 0700 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
    2011/04/23 18:41:42.0234 0700 W35UND (f4cfdbf69ec1025e0a62952da0710053) C:\WINDOWS\system32\DRIVERS\W35UND.SYS
    2011/04/23 18:41:42.0281 0700 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
    2011/04/23 18:41:42.0312 0700 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
    2011/04/23 18:41:42.0375 0700 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys
    2011/04/23 18:41:42.0421 0700 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
    2011/04/23 18:41:42.0437 0700 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
    2011/04/23 18:41:42.0546 0700 ================================================================================
    2011/04/23 18:41:42.0546 0700 Scan finished
    2011/04/23 18:41:42.0546 0700 ================================================================================

    Do you want me to try and finish the rest of the 8 step routine by getting the applications off the laptop?
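The TDSSKiller report above lists every loaded kernel driver with its MD5 and image path, and the tool itself flagged nothing. When reading such a log by hand, one useful check is which drivers load from outside the standard Windows system directories. The script below is an added example for this thread, not code from TDSSKiller or from any poster; it parses the log format shown above, using lines copied from that report as its constructed sample, and lists the drivers whose image sits outside `C:\WINDOWS\system32\`. The three it picks out of this sample (Avira's avgio.sys and the two Trusteer Rapport drivers) are legitimate security products, which is the point: the check narrows what a helper needs to look at, it does not deliver a verdict.

```python
"""Triage a TDSSKiller driver listing: parse each driver line and flag drivers
loaded from outside the standard Windows system directory.

Added example for this thread, not part of TDSSKiller or of any post above.
The sample below copies lines from the log posted in this thread, plus the
banner and status lines the parser has to ignore.
"""
import re
from dataclasses import dataclass

# A TDSSKiller driver line looks like:
#   <yyyy/mm/dd> <hh:mm:ss.ms> <thread id> <service name> (<md5>) <image path>
DRIVER_LINE = re.compile(
    r"^(?P<date>\d{4}/\d{2}/\d{2}) (?P<time>[\d:.]+) (?P<tid>\S+) "
    r"(?P<service>\S+) \((?P<md5>[0-9a-fA-F]{32})\) (?P<path>.+)$"
)

# Kernel drivers on Windows XP normally live under this tree (system32\ and
# system32\drivers\). Anything else deserves a look, even though it is
# frequently a legitimate third-party product.
STANDARD_PREFIX = "c:\\windows\\system32\\"


@dataclass
class DriverEntry:
    service: str
    md5: str
    path: str


def parse_tdsskiller(text: str) -> list[DriverEntry]:
    """Return one DriverEntry per driver line; banners and status lines are skipped."""
    entries = []
    for raw in text.splitlines():
        match = DRIVER_LINE.match(raw.strip())
        if match:
            entries.append(DriverEntry(match["service"], match["md5"], match["path"]))
    return entries


def non_standard_paths(entries: list[DriverEntry]) -> list[DriverEntry]:
    """Drivers whose image is not under C:\\WINDOWS\\system32\\ (case-insensitive)."""
    return [e for e in entries if not e.path.lower().startswith(STANDARD_PREFIX)]


def duplicate_hashes(entries: list[DriverEntry]) -> dict[str, list[str]]:
    """MD5 values shared by more than one service name (one binary registered twice)."""
    by_hash: dict[str, list[str]] = {}
    for e in entries:
        by_hash.setdefault(e.md5, []).append(e.service)
    return {h: names for h, names in by_hash.items() if len(names) > 1}


# Constructed sample: lines copied from the TDSSKiller log posted above.
SAMPLE_LOG = r"""
2011/04/23 18:41:30.0953 2120 TDSS rootkit removing tool 2.4.21.0 Mar 10 2011 12:26:28
2011/04/23 18:41:31.0984 2120 ================================================================================
2011/04/23 18:41:31.0984 2120 SystemInfo:
2011/04/23 18:41:31.0984 2120
2011/04/23 18:41:34.0125 0700 Scan started
2011/04/23 18:41:35.0156 0700 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2011/04/23 18:41:36.0046 0700 avgio (0b497c79824f8e1bf22fa6aacd3de3a0) C:\Program Files\Avira\AntiVir Desktop\avgio.sys
2011/04/23 18:41:37.0125 0700 FsUsbExDisk (790a4ca68f44be35967b3df61f3e4675) C:\WINDOWS\system32\FsUsbExDisk.SYS
2011/04/23 18:41:40.0859 0700 RapportCerberus_25973 (3d80f6fb972cffab9a760892f9ab7232) C:\Documents and Settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportCerberus\25973\RapportCerberus_25973.sys
2011/04/23 18:41:40.0921 0700 RapportPG (c9b8a131aaf77d969cbc3987537b319d) C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys
2011/04/23 18:41:42.0546 0700 Scan finished
"""

if __name__ == "__main__":
    drivers = parse_tdsskiller(SAMPLE_LOG)
    print(f"{len(drivers)} drivers parsed")
    for d in non_standard_paths(drivers):
        print(f"review: {d.service:<24} {d.md5}  {d.path}")
    for h, names in duplicate_hashes(drivers).items():
        print(f"shared image {h}: {', '.join(names)}")
```

Run it on a full saved TDSSKiller_xxxx_log.txt by reading the file into `parse_tdsskiller` instead of the embedded sample. The MD5 column is kept on each entry so the flagged hashes can be compared against a vendor's published values by whoever reviews the log.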
     
  9. Broni

    Broni Malware Annihilator Posts: 47,664   +267

    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt"
    **Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall.
    **Note 2 for AVG users: ComboFix will not run until AVG is uninstalled as a protective measure against the anti-virus. This is because AVG "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG first.
    Use AppRemover to uninstall it: http://www.appremover.com/
    We can reinstall it when we're done with CF.
    **Note 3: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart computer to fix the issue.
    Make sure, you re-enable your security programs, when you're done with Combofix.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    NOTE.
    If, for some reason, Combofix refuses to run, try one of the following:

    1. Run Combofix from Safe Mode.

    2. Delete Combofix file, download fresh one, but rename combofix.exe to your_name.exe BEFORE saving it to your desktop.
    Do NOT run it yet.

    Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

    There are 4 different versions. If one of them won't run then download and try to run the other one.

    Vista and Win7 users need to right click Rkill and choose Run as Administrator

    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

    Rkill.com
    Rkill.scr
    Rkill.exe

    • Double-click on the Rkill desktop icon to run the tool.
    • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and use the one provided in Link 2.
    • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
    • Do not reboot until instructed.
    • If the tool does not run from any of the links provided, please let me know.

    Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

    If normal mode still doesn't work, run BOTH tools from safe mode.

    In case #2, please post BOTH logs, rKill and Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     
  10. Sixx1402

    Sixx1402 TS Rookie Topic Starter Posts: 60

    Ok, I did ComboFix, the computer restarted after it had finished, I don't know if this is normal? Here is the report:

    ComboFix 11-04-23.01 - User 23/04/2011 19:22:36.1.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1441 [GMT 1:00]
    Running from: C:\Documents and Settings\User\Desktop\ComboFix.exe
    AV: AntiVir Desktop *Disabled/Outdated* {AD166499-45F9-482A-A743-FDD3350758C7}
    AV: AVG Anti-Virus Free Edition 2011 *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}


    ((((((((((((((((((((((((( Files Created from 2011-03-23 to 2011-04-23 )))))))))))))))))))))))))))))))


    2011-04-23 12:22:34 . 2011-04-23 13:15:05 -------- d---a-w- C:\Documents and Settings\All Users\Application Data\TEMP
    2011-04-23 12:20:57 . 2011-04-23 13:14:53 -------- d-----w- C:\Documents and Settings\All Users\Application Data\PC Tools
    2011-04-23 02:56:20 . 2011-04-23 02:56:20 -------- d-----w- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Google
    2011-04-23 02:53:29 . 2011-04-23 02:54:38 -------- dc-h--w- C:\WINDOWS\ie8
    2011-04-23 02:53:18 . 2011-04-23 02:53:18 -------- d-----w- C:\Documents and Settings\LocalService\Local Settings\Application Data\Google
    2011-04-23 02:53:13 . 2011-04-23 02:57:35 -------- d-----w- C:\Documents and Settings\User\Local Settings\Application Data\Google
    2011-04-23 02:52:47 . 2011-04-23 02:53:13 -------- d-----w- C:\Program Files\Google
    2011-04-23 00:58:53 . 2011-04-23 16:06:34 -------- d-----w- C:\WINDOWS\system32\NtmsData
    2011-04-23 00:57:01 . 2011-04-23 00:57:01 -------- d-----w- C:\Documents and Settings\User\Application Data\Avira
    2011-04-23 00:55:54 . 2011-03-04 15:11:12 137656 ----a-w- C:\WINDOWS\system32\drivers\avipbb.sys
    2011-04-23 00:55:54 . 2011-03-04 13:37:13 61960 ----a-w- C:\WINDOWS\system32\drivers\avgntflt.sys
    2011-04-23 00:55:54 . 2010-06-17 13:27:24 45416 ----a-w- C:\WINDOWS\system32\drivers\avgntdd.sys
    2011-04-23 00:55:54 . 2010-06-17 13:27:24 22360 ----a-w- C:\WINDOWS\system32\drivers\avgntmgr.sys
    2011-04-23 00:55:53 . 2011-04-23 00:55:53 -------- d-----w- C:\Program Files\Avira
    2011-04-23 00:55:53 . 2011-04-23 00:55:53 -------- d-----w- C:\Documents and Settings\All Users\Application Data\Avira
    2011-04-22 21:31:00 . 2011-04-22 21:31:00 -------- d-----w- C:\Program Files\khwsfwle
    2011-04-22 21:30:59 . 2011-04-23 00:48:09 166768 ----a-w- C:\Program Files\Common Files\InstallShield\UpdateService\isuspmmgr.exe
    2011-04-22 21:30:59 . 2011-04-23 00:48:09 166768 ----a-w- C:\Program Files\Common Files\InstallShield\UpdateService\agentmgr.exe
    2011-04-22 21:23:14 . 2011-04-22 21:23:14 -------- d-----w- C:\Program Files\VS Revo Group
    2011-04-22 21:18:02 . 2011-04-22 21:18:15 -------- d-----w- C:\Documents and Settings\All Users\Application Data\AVG Security Toolbar
    2011-04-15 17:17:32 . 2011-04-15 17:17:32 -------- d-----w- C:\Documents and Settings\User\Local Settings\Application Data\Trusteer
    2011-04-14 22:04:15 . 2011-04-14 22:04:16 -------- d-----w- C:\Program Files\Spotify
    2011-04-06 11:23:51 . 2011-04-06 11:23:51 -------- d-----w- C:\found.000
    .


    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

    2011-03-07 05:33:50 . 2010-10-08 10:55:46 692736 ----a-w- C:\WINDOWS\system32\inetcomm.dll
    2011-03-04 06:37:06 . 2006-02-28 12:00:00 420864 ----a-w- C:\WINDOWS\system32\vbscript.dll
    2011-03-03 13:21:11 . 2006-02-28 12:00:00 1857920 ----a-w- C:\WINDOWS\system32\win32k.sys
    2011-02-22 23:06:29 . 2006-02-28 12:00:00 916480 ----a-w- C:\WINDOWS\system32\wininet.dll
    2011-02-22 23:06:29 . 2006-02-28 12:00:00 43520 ----a-w- C:\WINDOWS\system32\licmgr10.dll
    2011-02-22 23:06:29 . 2006-02-28 12:00:00 1469440 ----a-w- C:\WINDOWS\system32\inetcpl.cpl
    2011-02-22 11:41:59 . 2006-02-28 12:00:00 385024 ----a-w- C:\WINDOWS\system32\html.iec
    2011-02-17 13:18:24 . 2006-02-28 12:00:00 455936 ----a-w- C:\WINDOWS\system32\drivers\mrxsmb.sys
    2011-02-17 13:18:03 . 2006-02-28 12:00:00 357888 ----a-w- C:\WINDOWS\system32\drivers\srv.sys
    2011-02-17 12:32:12 . 2010-10-08 11:31:35 5120 ----a-w- C:\WINDOWS\system32\xpsp4res.dll
    2011-02-15 12:56:39 . 2006-02-28 12:00:00 290432 ----a-w- C:\WINDOWS\system32\atmfd.dll
    2011-02-09 13:53:52 . 2006-02-28 12:00:00 270848 ----a-w- C:\WINDOWS\system32\sbe.dll
    2011-02-09 13:53:52 . 2006-02-28 12:00:00 186880 ----a-w- C:\WINDOWS\system32\encdec.dll
    2011-02-08 13:33:55 . 2006-02-28 12:00:00 978944 ----a-w- C:\WINDOWS\system32\mfc42.dll
    2011-02-08 13:33:55 . 2006-02-28 12:00:00 974848 ----a-w- C:\WINDOWS\system32\mfc42u.dll
    2011-02-02 07:58:35 . 2010-10-08 10:52:49 2067456 ----a-w- C:\WINDOWS\system32\mstscax.dll
    2011-01-27 11:57:06 . 2010-10-08 10:52:49 677888 ----a-w- C:\WINDOWS\system32\mstsc.exe


    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Steam"="C:\Program Files\Steam\steam.exe" [2011-01-12 20:46:45 1242448]
    "swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2011-04-23 02:53:11 39408]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2010-07-09 15:24:16 13923432]
    "ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 15:30:30 81920]
    "Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2011-01-30 15:45:14 35736]
    "Adobe ARM"="C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-11-10 12:49:34 932288]
    "DivXUpdate"="C:\Program Files\DivX\DivX Update\DivXUpdate.exe" [2011-03-21 21:10:00 1230704]
    "avgnt"="C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" [2011-03-04 13:36:51 281768]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2008-04-14 04:42:18 15360]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [N/A]

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
    backup=C:\WINDOWS\pss\Windows Search.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^User^Start Menu^Programs^Startup^OpenOffice.org 3.2.lnk]
    path=C:\Documents and Settings\User\Start Menu\Programs\Startup\OpenOffice.org 3.2.lnk
    backup=C:\WINDOWS\pss\OpenOffice.org 3.2.lnkStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
    2005-05-03 17:43:28 69632 ----a-w- C:\WINDOWS\Alcmtr.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
    2008-04-14 04:42:18 15360 ----a-w- C:\WINDOWS\system32\ctfmon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
    2005-12-20 10:27:57 155648 ----a-w- C:\WINDOWS\system32\NeroCheck.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
    2010-07-09 15:24:16 13923432 ----a-w- C:\WINDOWS\system32\nvcpl.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
    2010-07-09 15:24:18 110696 ----a-w- C:\WINDOWS\system32\nvmctray.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
    2010-07-07 22:52:40 1753192 ----a-w- C:\Program Files\NVIDIA Corporation\nView\nwiz.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
    2006-12-19 10:12:24 16062464 ----a-w- C:\WINDOWS\RTHDCPL.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel]
    2006-05-16 17:04:26 2879488 ----a-w- C:\WINDOWS\SkyTel.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    2010-02-18 10:43:18 248040 ----a-w- C:\Program Files\Common Files\Java\Java Update\jusched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "C:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
    "C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "C:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
    "C:\\Program Files\\Steam\\Steam.exe"=
    "C:\\Program Files\\Sports Interactive\\Football Manager 2010\\fm.exe"=
    "C:\\Documents and Settings\\User\\My Documents\\Age Of Empires II\\Age Of Empires II The Conquerors\\age2_x1.exe"=
    "C:\\Program Files\\Steam\\SteamApps\\common\\football manager 2011\\fm.exe"=
    "C:\\Program Files\\Spotify\\spotify.exe"=

    R0 RapportKELL;RapportKELL;C:\WINDOWS\system32\drivers\RapportKELL.sys [03/10/2010 23:43:44 59240]
    R1 Avgldx86;AVG AVI Loader Driver;C:\WINDOWS\system32\drivers\avgldx86.sys [07/09/2010 04:48:54 251728]
    R1 RapportCerberus_25973;RapportCerberus_25973;C:\Documents and Settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportCerberus\25973\RapportCerberus_25973.sys [13/04/2011 12:17:06 57144]
    R1 RapportPG;RapportPG;C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys [03/10/2010 23:43:44 169320]
    R2 AntiVirSchedulerService;Avira AntiVir Scheduler;C:\Program Files\Avira\AntiVir Desktop\sched.exe [23/04/2011 01:55:54 135336]
    R2 FsUsbExService;FsUsbExService;C:\WINDOWS\system32\FsUsbExService.Exe [27/01/2011 19:03:01 233472]
    R3 FsUsbExDisk;FsUsbExDisk;C:\WINDOWS\system32\FsUsbExDisk.Sys [27/01/2011 19:03:01 36608]
    S2 AVGIDSAgent;AVGIDSAgent;"C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe" --> C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe [?]
    S2 avgwd;AVG WatchDog;"C:\Program Files\AVG\AVG10\avgwdsvc.exe" --> C:\Program Files\AVG\AVG10\avgwdsvc.exe [?]
    S2 gupdate;Google Update Service (gupdate);C:\Program Files\Google\Update\GoogleUpdate.exe [23/04/2011 03:53:14 135664]
    S3 AVG Security Toolbar Service;AVG Security Toolbar Service;C:\Program Files\AVG\AVG10\Toolbar\ToolbarBroker.exe --> C:\Program Files\AVG\AVG10\Toolbar\ToolbarBroker.exe [?]
    S3 jatmlano;jatmlano;\??\C:\DOCUME~1\User\LOCALS~1\Temp\jatmlano.sys --> C:\DOCUME~1\User\LOCALS~1\Temp\jatmlano.sys [?]
    S3 W35UND;IS89C35 802.11bg WLAN USB Adapter Driver;C:\WINDOWS\system32\drivers\W35UND.SYS [08/10/2010 12:18:03 117632]
    S4 AVGIDSDriver;AVGIDSDriver;C:\WINDOWS\system32\DRIVERS\AVGIDSDriver.Sys --> C:\WINDOWS\system32\DRIVERS\AVGIDSDriver.Sys [?]
    S4 AVGIDSEH;AVGIDSEH;C:\WINDOWS\system32\DRIVERS\AVGIDSEH.Sys --> C:\WINDOWS\system32\DRIVERS\AVGIDSEH.Sys [?]
    S4 AVGIDSFilter;AVGIDSFilter;C:\WINDOWS\system32\DRIVERS\AVGIDSFilter.Sys --> C:\WINDOWS\system32\DRIVERS\AVGIDSFilter.Sys [?]
    S4 AVGIDSShim;AVGIDSShim;C:\WINDOWS\system32\DRIVERS\AVGIDSShim.Sys --> C:\WINDOWS\system32\DRIVERS\AVGIDSShim.Sys [?]
    S4 Avgrkx86;AVG Anti-Rootkit Driver;C:\WINDOWS\system32\DRIVERS\avgrkx86.sys --> C:\WINDOWS\system32\DRIVERS\avgrkx86.sys [?]
    S4 Avgtdix;AVG TDI Driver;C:\WINDOWS\system32\DRIVERS\avgtdix.sys --> C:\WINDOWS\system32\DRIVERS\avgtdix.sys [?]

    --- Other Services/Drivers In Memory ---

    *NewlyCreated* - KLMD25
    *Deregistered* - klmd25

    Contents of the 'Scheduled Tasks' folder

    2011-04-23 C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job
    - C:\Program Files\Google\Update\GoogleUpdate.exe [2011-04-23 02:53:14 . 2011-04-23 02:53:12]

    2011-04-23 C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job
    - C:\Program Files\Google\Update\GoogleUpdate.exe [2011-04-23 02:53:14 . 2011-04-23 02:53:12]


    ------- Supplementary Scan -------

    uStart Page = hxxp://www.google.co.uk/
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    IE: Google Sidewiki... - C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html

    - - - - ORPHANS REMOVED - - - -

    URLSearchHooks-{A3BC75A2-1F87-4686-AA43-5347D756017C} - (no file)
    Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
    WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
    HKLM-Run-ISUSPM Startup - C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe
    HKLM-Run-NPSStartup - (no file)
    ShellExecuteHooks-{56F9679E-7826-4C84-81F3-532071A8BCC5} - C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll
    AddRemove-Adobe SVG Viewer - C:\Program Files\Common Files\Adobe\SVG Viewer 3.0\Uninstall\Winstall.exe
    AddRemove-Football Manager 2010 - C:\Program Files\Sports Interactive\Football Manager 2010\Uninstall_Football Manager 2010\Uninstall Football Manager 2010.exe
    AddRemove-InstallShield_{8E1CCF20-9E12-4824-BD59-7AD9E0486DD8} - C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\10\INTEL3~1\IDriver.exe
    AddRemove-Nero - Burning Rom!UninstallKey - C:\Program Files\Ahead\nero\uninstall\UNNERO.exe
    AddRemove-Windows Media Format Runtime - C:\Program Files\Windows Media Player\wmsetsdk.exe
    AddRemove-WinRAR archiver - C:\Program Files\WinRAR\uninstall.exe
    AddRemove-{412033BC-44CF-48D9-B813-4B835101F4D3} - C:\Program Files\InstallShield Installation Information\{412033BC-44CF-48D9-B813-4B835101F4D3}\setup.exe
     
  11. Broni

    Broni Malware Annihilator Posts: 47,664   +267

    The log is incomplete.
    Look in C:\combofix.txt
    If it looks the same as what you just posted, re-run Combofix.
    If you find more text there, post it.
     
     
  12. Sixx1402

    Sixx1402 TS Rookie Topic Starter Posts: 60

    Ok, I did it again because there was no more text there, but I think it is incomplete again. When it is compiling the log at the end, it says something on the blue screen very briefly so I can't read it, and then the computer restarts itself?

    Here is the log:

    ComboFix 11-04-23.01 - User 23/04/2011 20:32:59.2.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1451 [GMT 1:00]
    Running from: C:\Documents and Settings\User\Desktop\ComboFix.exe
    AV: AntiVir Desktop *Disabled/Outdated* {AD166499-45F9-482A-A743-FDD3350758C7}
    AV: AVG Anti-Virus Free Edition 2011 *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}


    ((((((((((((((((((((((((( Files Created from 2011-03-23 to 2011-04-23 )))))))))))))))))))))))))))))))


    2011-04-23 12:22:34 . 2011-04-23 13:15:05 -------- d---a-w- C:\Documents and Settings\All Users\Application Data\TEMP
    2011-04-23 12:20:57 . 2011-04-23 13:14:53 -------- d-----w- C:\Documents and Settings\All Users\Application Data\PC Tools
    2011-04-23 02:56:20 . 2011-04-23 02:56:20 -------- d-----w- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Google
    2011-04-23 02:53:29 . 2011-04-23 02:54:38 -------- dc-h--w- C:\WINDOWS\ie8
    2011-04-23 02:53:18 . 2011-04-23 02:53:18 -------- d-----w- C:\Documents and Settings\LocalService\Local Settings\Application Data\Google
    2011-04-23 02:53:13 . 2011-04-23 02:57:35 -------- d-----w- C:\Documents and Settings\User\Local Settings\Application Data\Google
    2011-04-23 02:52:47 . 2011-04-23 02:53:13 -------- d-----w- C:\Program Files\Google
    2011-04-23 00:58:53 . 2011-04-23 18:47:40 -------- d-----w- C:\WINDOWS\system32\NtmsData
    2011-04-23 00:57:01 . 2011-04-23 00:57:01 -------- d-----w- C:\Documents and Settings\User\Application Data\Avira
    2011-04-23 00:55:54 . 2011-03-04 15:11:12 137656 ----a-w- C:\WINDOWS\system32\drivers\avipbb.sys
    2011-04-23 00:55:54 . 2011-03-04 13:37:13 61960 ----a-w- C:\WINDOWS\system32\drivers\avgntflt.sys
    2011-04-23 00:55:54 . 2010-06-17 13:27:24 45416 ----a-w- C:\WINDOWS\system32\drivers\avgntdd.sys
    2011-04-23 00:55:54 . 2010-06-17 13:27:24 22360 ----a-w- C:\WINDOWS\system32\drivers\avgntmgr.sys
    2011-04-23 00:55:53 . 2011-04-23 00:55:53 -------- d-----w- C:\Program Files\Avira
    2011-04-23 00:55:53 . 2011-04-23 00:55:53 -------- d-----w- C:\Documents and Settings\All Users\Application Data\Avira
    2011-04-22 21:31:00 . 2011-04-23 18:28:27 -------- d-----w- C:\Program Files\khwsfwle
    2011-04-22 21:30:59 . 2011-04-23 00:48:09 166768 ----a-w- C:\Program Files\Common Files\InstallShield\UpdateService\isuspmmgr.exe
    2011-04-22 21:30:59 . 2011-04-23 00:48:09 166768 ----a-w- C:\Program Files\Common Files\InstallShield\UpdateService\agentmgr.exe
    2011-04-22 21:23:14 . 2011-04-22 21:23:14 -------- d-----w- C:\Program Files\VS Revo Group
    2011-04-22 21:18:02 . 2011-04-22 21:18:15 -------- d-----w- C:\Documents and Settings\All Users\Application Data\AVG Security Toolbar
    2011-04-15 17:17:32 . 2011-04-15 17:17:32 -------- d-----w- C:\Documents and Settings\User\Local Settings\Application Data\Trusteer
    2011-04-14 22:04:15 . 2011-04-14 22:04:16 -------- d-----w- C:\Program Files\Spotify
    2011-04-06 11:23:51 . 2011-04-06 11:23:51 -------- d-----w- C:\found.000
    .


    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

    2011-03-07 05:33:50 . 2010-10-08 10:55:46 692736 ----a-w- C:\WINDOWS\system32\inetcomm.dll
    2011-03-04 06:37:06 . 2006-02-28 12:00:00 420864 ----a-w- C:\WINDOWS\system32\vbscript.dll
    2011-03-03 13:21:11 . 2006-02-28 12:00:00 1857920 ----a-w- C:\WINDOWS\system32\win32k.sys
    2011-02-22 23:06:29 . 2006-02-28 12:00:00 916480 ----a-w- C:\WINDOWS\system32\wininet.dll
    2011-02-22 23:06:29 . 2006-02-28 12:00:00 43520 ----a-w- C:\WINDOWS\system32\licmgr10.dll
    2011-02-22 23:06:29 . 2006-02-28 12:00:00 1469440 ----a-w- C:\WINDOWS\system32\inetcpl.cpl
    2011-02-22 11:41:59 . 2006-02-28 12:00:00 385024 ----a-w- C:\WINDOWS\system32\html.iec
    2011-02-17 13:18:24 . 2006-02-28 12:00:00 455936 ----a-w- C:\WINDOWS\system32\drivers\mrxsmb.sys
    2011-02-17 13:18:03 . 2006-02-28 12:00:00 357888 ----a-w- C:\WINDOWS\system32\drivers\srv.sys
    2011-02-17 12:32:12 . 2010-10-08 11:31:35 5120 ----a-w- C:\WINDOWS\system32\xpsp4res.dll
    2011-02-15 12:56:39 . 2006-02-28 12:00:00 290432 ----a-w- C:\WINDOWS\system32\atmfd.dll
    2011-02-09 13:53:52 . 2006-02-28 12:00:00 270848 ----a-w- C:\WINDOWS\system32\sbe.dll
    2011-02-09 13:53:52 . 2006-02-28 12:00:00 186880 ----a-w- C:\WINDOWS\system32\encdec.dll
    2011-02-08 13:33:55 . 2006-02-28 12:00:00 978944 ----a-w- C:\WINDOWS\system32\mfc42.dll
    2011-02-08 13:33:55 . 2006-02-28 12:00:00 974848 ----a-w- C:\WINDOWS\system32\mfc42u.dll
    2011-02-02 07:58:35 . 2010-10-08 10:52:49 2067456 ----a-w- C:\WINDOWS\system32\mstscax.dll
    2011-01-27 11:57:06 . 2010-10-08 10:52:49 677888 ----a-w- C:\WINDOWS\system32\mstsc.exe


    ((((((((((((((((((((((((((((( SnapShot@2011-04-23_18.25.46 )))))))))))))))))))))))))))))))))))))))))

    + 2011-04-23 18:27:53 . 2011-04-23 18:27:53 16384 C:\WINDOWS\Temp\Perflib_Perfdata_4e4.dat

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Steam"="C:\Program Files\Steam\steam.exe" [2011-01-12 20:46:45 1242448]
    "swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2011-04-23 02:53:11 39408]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2010-07-09 15:24:16 13923432]
    "ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [BU]
    "ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 15:30:30 81920]
    "Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2011-01-30 15:45:14 35736]
    "Adobe ARM"="C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-11-10 12:49:34 932288]
    "NPSStartup"="" [BU]
    "DivXUpdate"="C:\Program Files\DivX\DivX Update\DivXUpdate.exe" [2011-03-21 21:10:00 1230704]
    "avgnt"="C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" [2011-03-04 13:36:51 281768]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2008-04-14 04:42:18 15360]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [N/A]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll" [BU]

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
    backup=C:\WINDOWS\pss\Windows Search.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^User^Start Menu^Programs^Startup^OpenOffice.org 3.2.lnk]
    path=C:\Documents and Settings\User\Start Menu\Programs\Startup\OpenOffice.org 3.2.lnk
    backup=C:\WINDOWS\pss\OpenOffice.org 3.2.lnkStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
    2005-05-03 17:43:28 69632 ----a-w- C:\WINDOWS\Alcmtr.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
    2008-04-14 04:42:18 15360 ----a-w- C:\WINDOWS\system32\ctfmon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
    2005-12-20 10:27:57 155648 ----a-w- C:\WINDOWS\system32\NeroCheck.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
    2010-07-09 15:24:16 13923432 ----a-w- C:\WINDOWS\system32\nvcpl.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
    2010-07-09 15:24:18 110696 ----a-w- C:\WINDOWS\system32\nvmctray.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
    2010-07-07 22:52:40 1753192 ----a-w- C:\Program Files\NVIDIA Corporation\nView\nwiz.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
    2006-12-19 10:12:24 16062464 ----a-w- C:\WINDOWS\RTHDCPL.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel]
    2006-05-16 17:04:26 2879488 ----a-w- C:\WINDOWS\SkyTel.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    2010-02-18 10:43:18 248040 ----a-w- C:\Program Files\Common Files\Java\Java Update\jusched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "C:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
    "C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "C:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
    "C:\\Program Files\\Steam\\Steam.exe"=
    "C:\\Program Files\\Sports Interactive\\Football Manager 2010\\fm.exe"=
    "C:\\Documents and Settings\\User\\My Documents\\Age Of Empires II\\Age Of Empires II The Conquerors\\age2_x1.exe"=
    "C:\\Program Files\\Steam\\SteamApps\\common\\football manager 2011\\fm.exe"=
    "C:\\Program Files\\Spotify\\spotify.exe"=

    R0 RapportKELL;RapportKELL;C:\WINDOWS\system32\drivers\RapportKELL.sys [03/10/2010 23:43:44 59240]
    R1 Avgldx86;AVG AVI Loader Driver;C:\WINDOWS\system32\drivers\avgldx86.sys [07/09/2010 04:48:54 251728]
    R1 RapportCerberus_25973;RapportCerberus_25973;C:\Documents and Settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportCerberus\25973\RapportCerberus_25973.sys [13/04/2011 12:17:06 57144]
    R1 RapportPG;RapportPG;C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys [03/10/2010 23:43:44 169320]
    R2 AntiVirSchedulerService;Avira AntiVir Scheduler;C:\Program Files\Avira\AntiVir Desktop\sched.exe [23/04/2011 01:55:54 135336]
    R2 FsUsbExService;FsUsbExService;C:\WINDOWS\system32\FsUsbExService.Exe [27/01/2011 19:03:01 233472]
    R3 FsUsbExDisk;FsUsbExDisk;C:\WINDOWS\system32\FsUsbExDisk.Sys [27/01/2011 19:03:01 36608]
    S2 AVGIDSAgent;AVGIDSAgent;"C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe" --> C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe [?]
    S2 avgwd;AVG WatchDog;"C:\Program Files\AVG\AVG10\avgwdsvc.exe" --> C:\Program Files\AVG\AVG10\avgwdsvc.exe [?]
    S2 gupdate;Google Update Service (gupdate);C:\Program Files\Google\Update\GoogleUpdate.exe [23/04/2011 03:53:14 135664]
    S3 AVG Security Toolbar Service;AVG Security Toolbar Service;C:\Program Files\AVG\AVG10\Toolbar\ToolbarBroker.exe --> C:\Program Files\AVG\AVG10\Toolbar\ToolbarBroker.exe [?]
    S3 jatmlano;jatmlano;\??\C:\DOCUME~1\User\LOCALS~1\Temp\jatmlano.sys --> C:\DOCUME~1\User\LOCALS~1\Temp\jatmlano.sys [?]
    S3 W35UND;IS89C35 802.11bg WLAN USB Adapter Driver;C:\WINDOWS\system32\drivers\W35UND.SYS [08/10/2010 12:18:03 117632]
    S4 AVGIDSDriver;AVGIDSDriver;C:\WINDOWS\system32\DRIVERS\AVGIDSDriver.Sys --> C:\WINDOWS\system32\DRIVERS\AVGIDSDriver.Sys [?]
    S4 AVGIDSEH;AVGIDSEH;C:\WINDOWS\system32\DRIVERS\AVGIDSEH.Sys --> C:\WINDOWS\system32\DRIVERS\AVGIDSEH.Sys [?]
    S4 AVGIDSFilter;AVGIDSFilter;C:\WINDOWS\system32\DRIVERS\AVGIDSFilter.Sys --> C:\WINDOWS\system32\DRIVERS\AVGIDSFilter.Sys [?]
    S4 AVGIDSShim;AVGIDSShim;C:\WINDOWS\system32\DRIVERS\AVGIDSShim.Sys --> C:\WINDOWS\system32\DRIVERS\AVGIDSShim.Sys [?]
    S4 Avgrkx86;AVG Anti-Rootkit Driver;C:\WINDOWS\system32\DRIVERS\avgrkx86.sys --> C:\WINDOWS\system32\DRIVERS\avgrkx86.sys [?]
    S4 Avgtdix;AVG TDI Driver;C:\WINDOWS\system32\DRIVERS\avgtdix.sys --> C:\WINDOWS\system32\DRIVERS\avgtdix.sys [?]

    --- Other Services/Drivers In Memory ---

    *NewlyCreated* - FSUSBEXDISK

    Contents of the 'Scheduled Tasks' folder

    2011-04-23 C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job
    - C:\Program Files\Google\Update\GoogleUpdate.exe [2011-04-23 02:53:14 . 2011-04-23 02:53:12]

    2011-04-23 C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job
    - C:\Program Files\Google\Update\GoogleUpdate.exe [2011-04-23 02:53:14 . 2011-04-23 02:53:12]


    ------- Supplementary Scan -------

    uStart Page = hxxp://www.google.co.uk/
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    IE: Google Sidewiki... - C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html

    - - - - ORPHANS REMOVED - - - -

    URLSearchHooks-{A3BC75A2-1F87-4686-AA43-5347D756017C} - (no file)
    Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
    WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
     
  13. Sixx1402

    Sixx1402 TS Rookie Topic Starter Posts: 60

    It says something about 'computer is being shut down to prevent damage'?
     
  14. Broni

    Broni Malware Annihilator Posts: 47,664   +267

    1. Please open Notepad
    • Click Start, then Run
    • Type notepad.exe in the Run box.

    2. Now copy/paste the entire content of the codebox below into the Notepad window:

    Code:
    File::
    C:\DOCUME~1\User\LOCALS~1\Temp\jatmlano.sys
    
    
    Folder::
    C:\Program Files\khwsfwle
    
    
    Driver::
    jatmlano
    
    Registry::
    [-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusOverride"=dword:00000000
    
    
    

    3. Save the above as CFScript.txt

    4. Close/disable all anti virus and anti malware programs again, so they do not interfere with the running of ComboFix.

    5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

    [​IMG]


    6. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
    • Combofix.txt
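As an added example (not part of this thread, and not ComboFix's own code), here is a small Python triage script that reads the "Reg Loading Points" and service lines of a ComboFix log and flags the indicators the CFScript above targets: a driver whose image sits in a Temp directory, a Security Center AntiVirusOverride set to 1, and a Winlogon Userinit value carrying an extra executable (the pattern that appears in the next log in this thread). The sample lines are constructed from the logs pasted in this thread; treating a trailing `[?]` as "image file not found on disk" is an assumption, and the category names are my own.

```python
import re
from dataclasses import dataclass

# Constructed sample: a few lines in the shape of the ComboFix logs in this thread.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="C:\WINDOWS\system32\userinit.exe,,C:\Program Files\khwsfwle\skofparu.exe"

R0 RapportKELL;RapportKELL;C:\WINDOWS\system32\drivers\RapportKELL.sys [03/10/2010 23:43:44 59240]
S3 jatmlano;jatmlano;\??\C:\DOCUME~1\User\LOCALS~1\Temp\jatmlano.sys --> C:\DOCUME~1\User\LOCALS~1\Temp\jatmlano.sys [?]
S4 Avgtdix;AVG TDI Driver;C:\WINDOWS\system32\DRIVERS\avgtdix.sys --> C:\WINDOWS\system32\DRIVERS\avgtdix.sys [?]
"""

SECTION_RE = re.compile(r'^\[(?P<key>[^\]]+)\]$')            # [HKEY_...] registry key header
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.*)$')   # "Name"=data
# Service/driver line: state (R0..S4), name;display;image path [date size] or [?]
SERVICE_RE = re.compile(r'^(?P<state>[RS][0-4])\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.+)$')
TRAILER_RE = re.compile(r'^(?P<path>.*?)\s+\[(?P<meta>[^\]]*)\]$')
TEMP_DIR_RE = re.compile(r'\\(?:temp|tmp)\\', re.IGNORECASE)

SECURITY_CENTER_KEY = r'hkey_local_machine\software\microsoft\security center'
WINLOGON_KEY = r'hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon'


@dataclass
class Finding:
    category: str   # hypothetical category names chosen for this example
    subject: str
    detail: str


def parse_registry(lines):
    """Collect "Name"=data pairs under each [key] header (keys lower-cased)."""
    sections, current = {}, None
    for line in lines:
        m = SECTION_RE.match(line)
        if m:
            current = m.group('key').lower()
            sections.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            sections[current][m.group('name')] = m.group('data')
    return sections


def parse_services(lines):
    """Extract name, resolved image path and trailer ([date size] or [?]) from service lines."""
    services = []
    for line in lines:
        m = SERVICE_RE.match(line)
        if not m:
            continue
        t = TRAILER_RE.match(m.group('rest'))
        if not t:
            continue
        # ComboFix prints "<registered path> --> <resolved path>"; keep the resolved one.
        path = t.group('path').split('-->')[-1].strip().strip('"')
        services.append({'state': m.group('state'), 'name': m.group('name').strip(),
                         'path': path, 'meta': t.group('meta').strip()})
    return services


def triage(log_text):
    """Return the findings a reviewer would want to look at first."""
    lines = [ln.strip() for ln in log_text.splitlines()]
    findings = []

    reg = parse_registry(lines)
    sc = reg.get(SECURITY_CENTER_KEY, {})
    if sc.get('AntiVirusOverride') == 'dword:00000001':
        findings.append(Finding('antivirus_override', 'AntiVirusOverride',
                                'Security Center told to ignore AV state'))

    userinit = reg.get(WINLOGON_KEY, {}).get('Userinit', '').strip('"')
    for part in (p.strip() for p in userinit.split(',') if p.strip()):
        if not part.lower().endswith(r'\system32\userinit.exe'):
            findings.append(Finding('userinit_extra_executable', part,
                                    'extra program launched at every logon'))

    for svc in parse_services(lines):
        if TEMP_DIR_RE.search(svc['path']):
            findings.append(Finding('service_in_temp', svc['name'],
                                    f"{svc['state']} image under a Temp directory: {svc['path']}"))
        if svc['meta'] == '?':   # assumption: [?] means the file could not be found
            findings.append(Finding('service_file_missing', svc['name'],
                                    f"registered image not present: {svc['path']}"))
    return findings


if __name__ == '__main__':
    for f in triage(SAMPLE_LOG):
        print(f"{f.category:28} {f.subject:45} {f.detail}")
```

On the sample the script reports the AntiVirusOverride setting, the skofparu.exe appended to Userinit, and the jatmlano driver both for living in Temp and for having no file on disk; the stale AVG driver is reported only as missing, which is the expected leftover of an uninstall rather than an infection indicator.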
     
  15. Sixx1402

    Sixx1402 TS Rookie Topic Starter Posts: 60

    Ok, here is the latest Combofix Log:

    ComboFix 11-04-23.01 - User 23/04/2011 22:53:01.4.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1435 [GMT 1:00]
    Running from: C:\Documents and Settings\User\Desktop\ComboFix.exe
    Command switches used :: C:\Documents and Settings\User\Desktop\CFScript.txt
    AV: AntiVir Desktop *Disabled/Outdated* {AD166499-45F9-482A-A743-FDD3350758C7}
    AV: AVG Anti-Virus Free Edition 2011 *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}

    FILE ::
    "C:\DOCUME~1\User\LOCALS~1\Temp\jatmlano.sys"


    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


    C:\Program Files\khwsfwle


    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_JATMLANO
    -------\Service_jatmlano


    ((((((((((((((((((((((((( Files Created from 2011-03-23 to 2011-04-23 )))))))))))))))))))))))))))))))


    2011-04-23 12:22:34 . 2011-04-23 13:15:05 -------- d---a-w- C:\Documents and Settings\All Users\Application Data\TEMP
    2011-04-23 12:20:57 . 2011-04-23 13:14:53 -------- d-----w- C:\Documents and Settings\All Users\Application Data\PC Tools
    2011-04-23 02:56:20 . 2011-04-23 02:56:20 -------- d-----w- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Google
    2011-04-23 02:53:29 . 2011-04-23 02:54:38 -------- dc-h--w- C:\WINDOWS\ie8
    2011-04-23 02:53:18 . 2011-04-23 02:53:18 -------- d-----w- C:\Documents and Settings\LocalService\Local Settings\Application Data\Google
    2011-04-23 02:53:13 . 2011-04-23 02:57:35 -------- d-----w- C:\Documents and Settings\User\Local Settings\Application Data\Google
    2011-04-23 02:52:47 . 2011-04-23 02:53:13 -------- d-----w- C:\Program Files\Google
    2011-04-23 00:58:53 . 2011-04-23 20:17:29 -------- d-----w- C:\WINDOWS\system32\NtmsData
    2011-04-23 00:57:01 . 2011-04-23 00:57:01 -------- d-----w- C:\Documents and Settings\User\Application Data\Avira
    2011-04-23 00:55:54 . 2011-03-04 15:11:12 137656 ----a-w- C:\WINDOWS\system32\drivers\avipbb.sys
    2011-04-23 00:55:54 . 2011-03-04 13:37:13 61960 ----a-w- C:\WINDOWS\system32\drivers\avgntflt.sys
    2011-04-23 00:55:54 . 2010-06-17 13:27:24 45416 ----a-w- C:\WINDOWS\system32\drivers\avgntdd.sys
    2011-04-23 00:55:54 . 2010-06-17 13:27:24 22360 ----a-w- C:\WINDOWS\system32\drivers\avgntmgr.sys
    2011-04-23 00:55:53 . 2011-04-23 00:55:53 -------- d-----w- C:\Program Files\Avira
    2011-04-23 00:55:53 . 2011-04-23 00:55:53 -------- d-----w- C:\Documents and Settings\All Users\Application Data\Avira
    2011-04-22 21:30:59 . 2011-04-23 00:48:09 166768 ----a-w- C:\Program Files\Common Files\InstallShield\UpdateService\isuspmmgr.exe
    2011-04-22 21:30:59 . 2011-04-23 00:48:09 166768 ----a-w- C:\Program Files\Common Files\InstallShield\UpdateService\agentmgr.exe
    2011-04-22 21:23:14 . 2011-04-22 21:23:14 -------- d-----w- C:\Program Files\VS Revo Group
    2011-04-22 21:18:02 . 2011-04-22 21:18:15 -------- d-----w- C:\Documents and Settings\All Users\Application Data\AVG Security Toolbar
    2011-04-15 17:17:32 . 2011-04-15 17:17:32 -------- d-----w- C:\Documents and Settings\User\Local Settings\Application Data\Trusteer
    2011-04-14 22:04:15 . 2011-04-14 22:04:16 -------- d-----w- C:\Program Files\Spotify
    2011-04-06 11:23:51 . 2011-04-06 11:23:51 -------- d-----w- C:\found.000
    .


    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

    2011-03-07 05:33:50 . 2010-10-08 10:55:46 692736 ----a-w- C:\WINDOWS\system32\inetcomm.dll
    2011-03-04 06:37:06 . 2006-02-28 12:00:00 420864 ----a-w- C:\WINDOWS\system32\vbscript.dll
    2011-03-03 13:21:11 . 2006-02-28 12:00:00 1857920 ----a-w- C:\WINDOWS\system32\win32k.sys
    2011-02-22 23:06:29 . 2006-02-28 12:00:00 916480 ----a-w- C:\WINDOWS\system32\wininet.dll
    2011-02-22 23:06:29 . 2006-02-28 12:00:00 43520 ----a-w- C:\WINDOWS\system32\licmgr10.dll
    2011-02-22 23:06:29 . 2006-02-28 12:00:00 1469440 ----a-w- C:\WINDOWS\system32\inetcpl.cpl
    2011-02-22 11:41:59 . 2006-02-28 12:00:00 385024 ----a-w- C:\WINDOWS\system32\html.iec
    2011-02-17 13:18:24 . 2006-02-28 12:00:00 455936 ----a-w- C:\WINDOWS\system32\drivers\mrxsmb.sys
    2011-02-17 13:18:03 . 2006-02-28 12:00:00 357888 ----a-w- C:\WINDOWS\system32\drivers\srv.sys
    2011-02-17 12:32:12 . 2010-10-08 11:31:35 5120 ----a-w- C:\WINDOWS\system32\xpsp4res.dll
    2011-02-15 12:56:39 . 2006-02-28 12:00:00 290432 ----a-w- C:\WINDOWS\system32\atmfd.dll
    2011-02-09 13:53:52 . 2006-02-28 12:00:00 270848 ----a-w- C:\WINDOWS\system32\sbe.dll
    2011-02-09 13:53:52 . 2006-02-28 12:00:00 186880 ----a-w- C:\WINDOWS\system32\encdec.dll
    2011-02-08 13:33:55 . 2006-02-28 12:00:00 978944 ----a-w- C:\WINDOWS\system32\mfc42.dll
    2011-02-08 13:33:55 . 2006-02-28 12:00:00 974848 ----a-w- C:\WINDOWS\system32\mfc42u.dll
    2011-02-02 07:58:35 . 2010-10-08 10:52:49 2067456 ----a-w- C:\WINDOWS\system32\mstscax.dll
    2011-01-27 11:57:06 . 2010-10-08 10:52:49 677888 ----a-w- C:\WINDOWS\system32\mstsc.exe


    ((((((((((((((((((((((((((((( SnapShot@2011-04-23_18.25.46 )))))))))))))))))))))))))))))))))))))))))

    + 2011-04-23 21:59:43 . 2011-04-23 21:59:43 16384 C:\WINDOWS\Temp\Perflib_Perfdata_744.dat
    + 2011-04-23 21:19:45 . 2011-04-23 21:19:45 16384 C:\WINDOWS\Temp\Perflib_Perfdata_64c.dat
    + 2010-10-08 10:56:04 . 2010-06-18 13:36:12 3558912 C:\WINDOWS\system32\dllcache\moviemk.exe
    - 2010-10-08 10:56:04 . 2008-04-14 04:42:28 3558912 C:\WINDOWS\system32\dllcache\moviemk.exe

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Steam"="C:\Program Files\Steam\steam.exe" [2011-01-12 20:46:45 1242448]
    "swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2011-04-23 02:53:11 39408]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2010-07-09 15:24:16 13923432]
    "ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [BU]
    "ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 15:30:30 81920]
    "Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2011-01-30 15:45:14 35736]
    "Adobe ARM"="C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-11-10 12:49:34 932288]
    "NPSStartup"="" [BU]
    "DivXUpdate"="C:\Program Files\DivX\DivX Update\DivXUpdate.exe" [2011-03-21 21:10:00 1230704]
    "avgnt"="C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" [2011-03-04 13:36:51 281768]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2008-04-14 04:42:18 15360]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [N/A]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll" [BU]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
    "Userinit"="C:\WINDOWS\system32\userinit.exe,,C:\Program Files\khwsfwle\skofparu.exe"

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
    backup=C:\WINDOWS\pss\Windows Search.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^User^Start Menu^Programs^Startup^OpenOffice.org 3.2.lnk]
    path=C:\Documents and Settings\User\Start Menu\Programs\Startup\OpenOffice.org 3.2.lnk
    backup=C:\WINDOWS\pss\OpenOffice.org 3.2.lnkStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
    2008-04-14 04:42:18 15360 ----a-w- C:\WINDOWS\system32\ctfmon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
    2005-12-20 10:27:57 155648 ----a-w- C:\WINDOWS\system32\NeroCheck.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
    2010-07-09 15:24:16 13923432 ----a-w- C:\WINDOWS\system32\nvcpl.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
    2010-07-09 15:24:18 110696 ----a-w- C:\WINDOWS\system32\nvmctray.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
    2010-07-07 22:52:40 1753192 ----a-w- C:\Program Files\NVIDIA Corporation\nView\nwiz.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
    2006-12-19 10:12:24 16062464 ----a-w- C:\WINDOWS\RTHDCPL.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel]
    2006-05-16 17:04:26 2879488 ----a-w- C:\WINDOWS\SkyTel.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    2010-02-18 10:43:18 248040 ----a-w- C:\Program Files\Common Files\Java\Java Update\jusched.exe

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "C:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
    "C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "C:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
    "C:\\Program Files\\Steam\\Steam.exe"=
    "C:\\Program Files\\Sports Interactive\\Football Manager 2010\\fm.exe"=
    "C:\\Documents and Settings\\User\\My Documents\\Age Of Empires II\\Age Of Empires II The Conquerors\\age2_x1.exe"=
    "C:\\Program Files\\Steam\\SteamApps\\common\\football manager 2011\\fm.exe"=
    "C:\\Program Files\\Spotify\\spotify.exe"=
    "C:\\Program Files\\Internet Explorer\\iexplore.exe"=

    R0 RapportKELL;RapportKELL;C:\WINDOWS\system32\drivers\RapportKELL.sys [03/10/2010 23:43:44 59240]
    R1 Avgldx86;AVG AVI Loader Driver;C:\WINDOWS\system32\drivers\avgldx86.sys [07/09/2010 04:48:54 251728]
    R1 RapportCerberus_25973;RapportCerberus_25973;C:\Documents and Settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportCerberus\25973\RapportCerberus_25973.sys [13/04/2011 12:17:06 57144]
    R1 RapportPG;RapportPG;C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys [03/10/2010 23:43:44 169320]
    R2 AntiVirSchedulerService;Avira AntiVir Scheduler;C:\Program Files\Avira\AntiVir Desktop\sched.exe [23/04/2011 01:55:54 135336]
    R2 FsUsbExService;FsUsbExService;C:\WINDOWS\system32\FsUsbExService.Exe [27/01/2011 19:03:01 233472]
    R3 FsUsbExDisk;FsUsbExDisk;C:\WINDOWS\system32\FsUsbExDisk.Sys [27/01/2011 19:03:01 36608]
    S2 AVGIDSAgent;AVGIDSAgent;"C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe" --> C:\Program Files\AVG\AVG10\Identity Protection\Agent\Bin\AVGIDSAgent.exe [?]
    S2 avgwd;AVG WatchDog;"C:\Program Files\AVG\AVG10\avgwdsvc.exe" --> C:\Program Files\AVG\AVG10\avgwdsvc.exe [?]
    S2 gupdate;Google Update Service (gupdate);C:\Program Files\Google\Update\GoogleUpdate.exe [23/04/2011 03:53:14 135664]
    S3 AVG Security Toolbar Service;AVG Security Toolbar Service;C:\Program Files\AVG\AVG10\Toolbar\ToolbarBroker.exe --> C:\Program Files\AVG\AVG10\Toolbar\ToolbarBroker.exe [?]
    S3 W35UND;IS89C35 802.11bg WLAN USB Adapter Driver;C:\WINDOWS\system32\drivers\W35UND.SYS [08/10/2010 12:18:03 117632]
    S4 AVGIDSDriver;AVGIDSDriver;C:\WINDOWS\system32\DRIVERS\AVGIDSDriver.Sys --> C:\WINDOWS\system32\DRIVERS\AVGIDSDriver.Sys [?]
    S4 AVGIDSEH;AVGIDSEH;C:\WINDOWS\system32\DRIVERS\AVGIDSEH.Sys --> C:\WINDOWS\system32\DRIVERS\AVGIDSEH.Sys [?]
    S4 AVGIDSFilter;AVGIDSFilter;C:\WINDOWS\system32\DRIVERS\AVGIDSFilter.Sys --> C:\WINDOWS\system32\DRIVERS\AVGIDSFilter.Sys [?]
    S4 AVGIDSShim;AVGIDSShim;C:\WINDOWS\system32\DRIVERS\AVGIDSShim.Sys --> C:\WINDOWS\system32\DRIVERS\AVGIDSShim.Sys [?]
    S4 Avgrkx86;AVG Anti-Rootkit Driver;C:\WINDOWS\system32\DRIVERS\avgrkx86.sys --> C:\WINDOWS\system32\DRIVERS\avgrkx86.sys [?]
    S4 Avgtdix;AVG TDI Driver;C:\WINDOWS\system32\DRIVERS\avgtdix.sys --> C:\WINDOWS\system32\DRIVERS\avgtdix.sys [?]

    --- Other Services/Drivers In Memory ---

    *NewlyCreated* - FSUSBEXDISK

    Contents of the 'Scheduled Tasks' folder

    2011-04-23 C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job
    - C:\Program Files\Google\Update\GoogleUpdate.exe [2011-04-23 02:53:14 . 2011-04-23 02:53:12]

    2011-04-23 C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job
    - C:\Program Files\Google\Update\GoogleUpdate.exe [2011-04-23 02:53:14 . 2011-04-23 02:53:12]


    ------- Supplementary Scan -------

    uStart Page = hxxp://www.google.co.uk/
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    IE: Google Sidewiki... - C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html

    - - - - ORPHANS REMOVED - - - -

    URLSearchHooks-{A3BC75A2-1F87-4686-AA43-5347D756017C} - (no file)
    Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
    WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)



    **************************************************************************
     
  16. Broni

    Broni Malware Annihilator Posts: 47,664   +267

    We still can't get a complete log...

    I can see two AV programs listed there, Avira and AVG.
    Did you uninstall AVG before running Combofix?
     
  17. Sixx1402

    Sixx1402 TS Rookie Topic Starter Posts: 60

    I don't have AVG installed anymore. I tried to uninstall it when I put Avira on, but there was a problem with the process and I don't think it got rid of everything. It's not functioning though: it's not on the taskbar at the bottom and doesn't have a folder in Program Files.
     
  18. Broni

    Broni Malware Annihilator Posts: 47,664   +267

  19. Sixx1402

    Sixx1402 TS Rookie Topic Starter Posts: 60

    OK, I did the AVG remover and then re-ran Combofix; it looks like AVG is still there though? The remover seemed to run fine.
    Here is the Combofix log:

    ComboFix 11-04-23.01 - User 23/04/2011 23:39:25.5.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1546 [GMT 1:00]
    Running from: C:\Documents and Settings\User\Desktop\ComboFix.exe
    AV: AntiVir Desktop *Disabled/Outdated* {AD166499-45F9-482A-A743-FDD3350758C7}
    AV: AVG Anti-Virus Free Edition 2011 *Disabled/Updated* {17DDD097-36FF-435F-9E1B-52D74245D6BF}


    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))



    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_JATMLANO
    -------\Service_jatmlano


    ((((((((((((((((((((((((( Files Created from 2011-03-23 to 2011-04-23 )))))))))))))))))))))))))))))))


    2011-04-23 22:00:58 . 2011-04-23 22:00:58 -------- d-----w- C:\Program Files\khwsfwle
    2011-04-23 12:22:34 . 2011-04-23 13:15:05 -------- d---a-w- C:\Documents and Settings\All Users\Application Data\TEMP
    2011-04-23 12:20:57 . 2011-04-23 13:14:53 -------- d-----w- C:\Documents and Settings\All Users\Application Data\PC Tools
    2011-04-23 02:56:20 . 2011-04-23 02:56:20 -------- d-----w- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Google
    2011-04-23 02:53:29 . 2011-04-23 02:54:38 -------- dc-h--w- C:\WINDOWS\ie8
    2011-04-23 02:53:18 . 2011-04-23 02:53:18 -------- d-----w- C:\Documents and Settings\LocalService\Local Settings\Application Data\Google
    2011-04-23 02:53:13 . 2011-04-23 02:57:35 -------- d-----w- C:\Documents and Settings\User\Local Settings\Application Data\Google
    2011-04-23 02:52:47 . 2011-04-23 02:53:13 -------- d-----w- C:\Program Files\Google
    2011-04-23 00:58:53 . 2011-04-23 22:23:55 -------- d-----w- C:\WINDOWS\system32\NtmsData
    2011-04-23 00:57:01 . 2011-04-23 00:57:01 -------- d-----w- C:\Documents and Settings\User\Application Data\Avira
    2011-04-23 00:55:54 . 2011-03-04 15:11:12 137656 ----a-w- C:\WINDOWS\system32\drivers\avipbb.sys
    2011-04-23 00:55:54 . 2011-03-04 13:37:13 61960 ----a-w- C:\WINDOWS\system32\drivers\avgntflt.sys
    2011-04-23 00:55:54 . 2010-06-17 13:27:24 45416 ----a-w- C:\WINDOWS\system32\drivers\avgntdd.sys
    2011-04-23 00:55:54 . 2010-06-17 13:27:24 22360 ----a-w- C:\WINDOWS\system32\drivers\avgntmgr.sys
    2011-04-23 00:55:53 . 2011-04-23 00:55:53 -------- d-----w- C:\Program Files\Avira
    2011-04-23 00:55:53 . 2011-04-23 00:55:53 -------- d-----w- C:\Documents and Settings\All Users\Application Data\Avira
    2011-04-22 21:30:59 . 2011-04-23 00:48:09 166768 ----a-w- C:\Program Files\Common Files\InstallShield\UpdateService\isuspmmgr.exe
    2011-04-22 21:30:59 . 2011-04-23 00:48:09 166768 ----a-w- C:\Program Files\Common Files\InstallShield\UpdateService\agentmgr.exe
    2011-04-22 21:23:14 . 2011-04-22 21:23:14 -------- d-----w- C:\Program Files\VS Revo Group
    2011-04-22 21:18:02 . 2011-04-23 22:37:33 -------- d-----w- C:\Documents and Settings\All Users\Application Data\AVG Security Toolbar
    2011-04-15 17:17:32 . 2011-04-15 17:17:32 -------- d-----w- C:\Documents and Settings\User\Local Settings\Application Data\Trusteer
    2011-04-14 22:04:15 . 2011-04-14 22:04:16 -------- d-----w- C:\Program Files\Spotify
    2011-04-06 11:23:51 . 2011-04-06 11:23:51 -------- d-----w- C:\found.000
    .


    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

    2011-03-07 05:33:50 . 2010-10-08 10:55:46 692736 ----a-w- C:\WINDOWS\system32\inetcomm.dll
    2011-03-04 06:37:06 . 2006-02-28 12:00:00 420864 ----a-w- C:\WINDOWS\system32\vbscript.dll
    2011-03-03 13:21:11 . 2006-02-28 12:00:00 1857920 ----a-w- C:\WINDOWS\system32\win32k.sys
    2011-02-22 23:06:29 . 2006-02-28 12:00:00 916480 ----a-w- C:\WINDOWS\system32\wininet.dll
    2011-02-22 23:06:29 . 2006-02-28 12:00:00 43520 ----a-w- C:\WINDOWS\system32\licmgr10.dll
    2011-02-22 23:06:29 . 2006-02-28 12:00:00 1469440 ----a-w- C:\WINDOWS\system32\inetcpl.cpl
    2011-02-22 11:41:59 . 2006-02-28 12:00:00 385024 ----a-w- C:\WINDOWS\system32\html.iec
    2011-02-17 13:18:24 . 2006-02-28 12:00:00 455936 ----a-w- C:\WINDOWS\system32\drivers\mrxsmb.sys
    2011-02-17 13:18:03 . 2006-02-28 12:00:00 357888 ----a-w- C:\WINDOWS\system32\drivers\srv.sys
    2011-02-17 12:32:12 . 2010-10-08 11:31:35 5120 ----a-w- C:\WINDOWS\system32\xpsp4res.dll
    2011-02-15 12:56:39 . 2006-02-28 12:00:00 290432 ----a-w- C:\WINDOWS\system32\atmfd.dll
    2011-02-09 13:53:52 . 2006-02-28 12:00:00 270848 ----a-w- C:\WINDOWS\system32\sbe.dll
    2011-02-09 13:53:52 . 2006-02-28 12:00:00 186880 ----a-w- C:\WINDOWS\system32\encdec.dll
    2011-02-08 13:33:55 . 2006-02-28 12:00:00 978944 ----a-w- C:\WINDOWS\system32\mfc42.dll
    2011-02-08 13:33:55 . 2006-02-28 12:00:00 974848 ----a-w- C:\WINDOWS\system32\mfc42u.dll
    2011-02-02 07:58:35 . 2010-10-08 10:52:49 2067456 ----a-w- C:\WINDOWS\system32\mstscax.dll
    2011-01-27 11:57:06 . 2010-10-08 10:52:49 677888 ----a-w- C:\WINDOWS\system32\mstsc.exe


    ((((((((((((((((((((((((((((( SnapShot@2011-04-23_18.25.46 )))))))))))))))))))))))))))))))))))))))))

    + 2011-04-23 22:44:50 . 2011-04-23 22:44:50 16384 C:\WINDOWS\Temp\Perflib_Perfdata_72c.dat
    + 2011-04-23 22:04:26 . 2011-04-23 22:04:26 16384 C:\WINDOWS\Temp\Perflib_Perfdata_5a0.dat
    + 2010-10-08 10:56:04 . 2010-06-18 13:36:12 3558912 C:\WINDOWS\system32\dllcache\moviemk.exe
    - 2010-10-08 10:56:04 . 2008-04-14 04:42:28 3558912 C:\WINDOWS\system32\dllcache\moviemk.exe

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Steam"="C:\Program Files\Steam\steam.exe" [2011-01-12 20:46:45 1242448]
    "swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2011-04-23 02:53:11 39408]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2010-07-09 15:24:16 13923432]
    "ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [BU]
    "ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 15:30:30 81920]
    "Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 10.0\Reader\Reader_sl.exe" [2011-01-30 15:45:14 35736]
    "Adobe ARM"="C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-11-10 12:49:34 932288]
    "NPSStartup"="" [BU]
    "DivXUpdate"="C:\Program Files\DivX\DivX Update\DivXUpdate.exe" [2011-03-21 21:10:00 1230704]
    "avgnt"="C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" [2011-03-04 13:36:51 281768]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2008-04-14 04:42:18 15360]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [N/A]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll" [BU]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
    "Userinit"="C:\WINDOWS\system32\userinit.exe,,C:\Program Files\khwsfwle\skofparu.exe"

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Search.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Windows Search.lnk
    backup=C:\WINDOWS\pss\Windows Search.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^User^Start Menu^Programs^Startup^OpenOffice.org 3.2.lnk]
    path=C:\Documents and Settings\User\Start Menu\Programs\Startup\OpenOffice.org 3.2.lnk
    backup=C:\WINDOWS\pss\OpenOffice.org 3.2.lnkStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
    2008-04-14 04:42:18 15360 ----a-w- C:\WINDOWS\system32\ctfmon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
    2005-12-20 10:27:57 155648 ----a-w- C:\WINDOWS\system32\NeroCheck.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
    2010-07-09 15:24:16 13923432 ----a-w- C:\WINDOWS\system32\nvcpl.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
    2010-07-09 15:24:18 110696 ----a-w- C:\WINDOWS\system32\nvmctray.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
    2010-07-07 22:52:40 1753192 ----a-w- C:\Program Files\NVIDIA Corporation\nView\nwiz.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
    2006-12-19 10:12:24 16062464 ----a-w- C:\WINDOWS\RTHDCPL.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel]
    2006-05-16 17:04:26 2879488 ----a-w- C:\WINDOWS\SkyTel.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    2010-02-18 10:43:18 248040 ----a-w- C:\Program Files\Common Files\Java\Java Update\jusched.exe

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "C:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
    "C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "C:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
    "C:\\Program Files\\Steam\\Steam.exe"=
    "C:\\Program Files\\Sports Interactive\\Football Manager 2010\\fm.exe"=
    "C:\\Documents and Settings\\User\\My Documents\\Age Of Empires II\\Age Of Empires II The Conquerors\\age2_x1.exe"=
    "C:\\Program Files\\Steam\\SteamApps\\common\\football manager 2011\\fm.exe"=
    "C:\\Program Files\\Spotify\\spotify.exe"=
    "C:\\Program Files\\Internet Explorer\\iexplore.exe"=

    R0 RapportKELL;RapportKELL;C:\WINDOWS\system32\drivers\RapportKELL.sys [03/10/2010 23:43:44 59240]
    R1 RapportCerberus_25973;RapportCerberus_25973;C:\Documents and Settings\All Users\Application Data\Trusteer\Rapport\store\exts\RapportCerberus\25973\RapportCerberus_25973.sys [13/04/2011 12:17:06 57144]
    R1 RapportPG;RapportPG;C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys [03/10/2010 23:43:44 169320]
    R2 AntiVirSchedulerService;Avira AntiVir Scheduler;C:\Program Files\Avira\AntiVir Desktop\sched.exe [23/04/2011 01:55:54 135336]
    R2 FsUsbExService;FsUsbExService;C:\WINDOWS\system32\FsUsbExService.Exe [27/01/2011 19:03:01 233472]
    R3 FsUsbExDisk;FsUsbExDisk;C:\WINDOWS\system32\FsUsbExDisk.Sys [27/01/2011 19:03:01 36608]
    S2 gupdate;Google Update Service (gupdate);C:\Program Files\Google\Update\GoogleUpdate.exe [23/04/2011 03:53:14 135664]
    S3 W35UND;IS89C35 802.11bg WLAN USB Adapter Driver;C:\WINDOWS\system32\drivers\W35UND.SYS [08/10/2010 12:18:03 117632]
    S4 AVGIDSShim;AVGIDSShim;C:\WINDOWS\system32\DRIVERS\AVGIDSShim.Sys --> C:\WINDOWS\system32\DRIVERS\AVGIDSShim.Sys [?]

    --- Other Services/Drivers In Memory ---

    *NewlyCreated* - FSUSBEXDISK

    Contents of the 'Scheduled Tasks' folder

    2011-04-23 C:\WINDOWS\Tasks\GoogleUpdateTaskMachineCore.job
    - C:\Program Files\Google\Update\GoogleUpdate.exe [2011-04-23 02:53:14 . 2011-04-23 02:53:12]

    2011-04-23 C:\WINDOWS\Tasks\GoogleUpdateTaskMachineUA.job
    - C:\Program Files\Google\Update\GoogleUpdate.exe [2011-04-23 02:53:14 . 2011-04-23 02:53:12]


    ------- Supplementary Scan -------

    uStart Page = hxxp://www.google.co.uk/
    uSearchAssistant = hxxp://www.google.com/ie
    uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
    IE: Google Sidewiki... - C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html


    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-04-23 23:45:35
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...
     
  20. Broni

    Broni Malware Annihilator Posts: 47,664   +267

    1. Please open Notepad
    • Click Start, then Run
    • Type notepad.exe in the Run Box.

    2. Now copy/paste the entire content of the codebox below into the Notepad window:

    Code:
    SecCenter::
    {17DDD097-36FF-435F-9E1B-52D74245D6BF}
    
    File::
    C:\Program Files\khwsfwle\skofparu.exe
    C:\WINDOWS\system32\drivers\avgldx86.sys
    C:\WINDOWS\system32\DRIVERS\avgtdix.sys
    C:\WINDOWS\system32\DRIVERS\avgrkx86.sys
    C:\WINDOWS\system32\DRIVERS\AVGIDSShim.Sys
    C:\WINDOWS\system32\DRIVERS\AVGIDSFilter.Sys
    C:\WINDOWS\system32\DRIVERS\AVGIDSEH.Sys
    C:\WINDOWS\system32\DRIVERS\AVGIDSDriver.Sys
    
    Folder::
    C:\Documents and Settings\All Users\Application Data\PC Tools
    C:\Documents and Settings\All Users\Application Data\AVG Security Toolbar
    C:\Program Files\AVG
    
    
    Driver::
    Avgldx86
    AVGIDSAgent
    avgwd
    AVG Security Toolbar Service
    AVGIDSDriver
    AVGIDSEH
    AVGIDSFilter
    AVGIDSShim
    Avgrkx86
    Avgtdix
    
    Registry::
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
    "Userinit"="C:\WINDOWS\system32\userinit.exe,"
    
    

    3. Save the above as CFScript.txt

    4. Close/disable all anti-virus and anti-malware programs again, so they do not interfere with the running of ComboFix.

    5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

    [​IMG]


    6. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
    • Combofix.txt
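As an added example that is not part of this thread or of ComboFix: a small Python check that reads the winlogon block the way ComboFix prints it under "Reg Loading Points" and reports anything in the Userinit value other than the stock userinit.exe, which is exactly the persistence entry the Registry:: part of the script above resets. The log excerpts inside it are constructed from the entries shown earlier in the thread; the function names are my own.

```python
"""Flag a hijacked Winlogon 'Userinit' value in a ComboFix log excerpt.

Windows runs every comma-separated program in this value at logon, so an
extra path after userinit.exe is a classic persistence point. Added example,
not ComboFix code; the sample excerpts below are constructed.
"""
import re
from typing import List

# Constructed sample mirroring the thread's log: stock userinit.exe followed
# by an unknown executable under Program Files.
HIJACKED_LOG = r'''
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="C:\WINDOWS\system32\userinit.exe,,C:\Program Files\khwsfwle\skofparu.exe"
'''

# Constructed sample of the default value (the trailing comma is normal).
CLEAN_LOG = r'''
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Userinit"="C:\WINDOWS\system32\userinit.exe,"
'''

# Matches the REGEDIT4-style line ComboFix emits: "Userinit"="<value>"
USERINIT_RE = re.compile(r'^\s*"Userinit"="(?P<value>[^"]*)"',
                         re.MULTILINE | re.IGNORECASE)


def userinit_entries(log_text: str) -> List[str]:
    """Split the Userinit value into its program list, dropping empty slots
    (the doubled comma in the hijacked sample yields one)."""
    match = USERINIT_RE.search(log_text)
    if not match:
        return []
    return [p.strip() for p in match.group('value').split(',') if p.strip()]


def _is_stock_userinit(entry: str) -> bool:
    """True only for userinit.exe itself, bare or under a ...\\system32 directory.
    A same-named file anywhere else is treated as suspicious."""
    normalised = entry.replace('/', '\\').lower()
    directory, _, name = normalised.rpartition('\\')
    if name != 'userinit.exe':
        return False
    return directory == '' or directory.endswith('\\system32')


def extra_userinit_entries(log_text: str) -> List[str]:
    """Return every Userinit entry that is not the stock userinit.exe.
    An empty list means the value looks like the Windows default."""
    return [e for e in userinit_entries(log_text) if not _is_stock_userinit(e)]


if __name__ == '__main__':
    for label, text in (('hijacked', HIJACKED_LOG), ('clean', CLEAN_LOG)):
        extras = extra_userinit_entries(text)
        print(f'{label}: {extras or "Userinit looks like the default"}')
```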
     
  21. Sixx1402

    Sixx1402 TS Rookie Topic Starter Posts: 60

    OK, I've tried it 3 times but it won't create a log, and the Combofix folder has now turned into the symbol of the 'monitor and the tower'. As soon as it gets to the 'deleting files' part in Combofix, it restarts?
     
  22. Broni

    Broni Malware Annihilator Posts: 47,664   +267

    Delete your Combofix file, download a fresh one, restart the computer in Safe Mode and try again.
     
  23. Sixx1402

    Sixx1402 TS Rookie Topic Starter Posts: 60

    Do I need to delete the 'Qoobox' folder as well?
     
  24. Broni

    Broni Malware Annihilator Posts: 47,664   +267

    No.............
     
  25. Sixx1402

    Sixx1402 TS Rookie Topic Starter Posts: 60

    It has been stuck on 'Completed Stage 27' for about 10 minutes; should I leave it? Also, I am a freelance designer and could do with using Coreldraw. Is this a bad idea while the computer has a virus on? Thanks for your help.
     
Topic Status:
Not open for further replies.