TechSpot

Redirect rootkit need help

By rubbersoul
Feb 18, 2011
  1. Hello

    I'm having troubles browsing. Every now and then my pages are getting redirected to a bogus site. It's been happening to both IE and Firefox. It seems to have only just started, i.e. it's not happening too frequently yet, though it's definitely noticeable.

    Thanks for the help
     
  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Welcome to Techspot!

    If you would like us to check the system for malware, please follow the steps in the Preliminary Virus and Malware Removal thread HERE.

    When you have finished, leave the logs for review in your next reply.
    NOTE: Logs must be pasted in the replies. Attached logs will not be reviewed.

    Please do not use any other cleaning programs or scans while I'm helping you, unless I direct you to. Do not use a Registry cleaner or make any changes in the Registry.
     
  3. rubbersoul

    rubbersoul TS Rookie Topic Starter Posts: 17

    Hi Bobbye

    Thanks a lot for your reply.

    I have followed your instructions and the requested logs are as follows:



    MALWAREBYTE'S LOG

    ------------------------------------------------------------------------------------


    Malwarebytes' Anti-Malware 1.50.1.1100
    www.malwarebytes.org

    Database version: 5808

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702

    19/02/2011 8:01:58 PM
    mbam-log-2011-02-19 (20-01-58).txt

    Scan type: Quick scan
    Objects scanned: 135352
    Time elapsed: 3 minute(s), 16 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)


    --------------------------------------------------------------------------------------

    GMER LOG

    ---------------

    GMER 1.0.15.15530 - http://www.gmer.net
    Rootkit quick scan 2011-02-19 20:43:36
    Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\iaStor0 TOSHIBA_ rev.LV01
    Running: ng8ji9r5.exe; Driver: C:\DOCUME~1\Bob\LOCALS~1\Temp\afgyyfob.sys


    ---- Disk sectors - GMER 1.0.15 ----

    Disk \Device\Harddisk0\DR0 sector 00 (MBR): rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sector 04: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sector 29: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sector 39: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sector 49: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sector 60: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sector 62: rootkit-like behavior;
    Disk \Device\Harddisk0\DR0 sectors 488396912 (+255): rootkit-like behavior;

    ---- Devices - GMER 1.0.15 ----

    Device Ntfs.sys (NT File System Driver/Microsoft Corporation)
    Device \Device\Ide\IAAStorageDevice-1 -> \??\IDE#DiskTOSHIBA_MK2552GSX_______________________LV010M__#4&4835c41&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found

    ---- EOF - GMER 1.0.15 ----



    -------------------------------------------------------------------------------------------


    DDS LOGS

    ----------------


    DDS.txt

    --------------------


    DDS (Ver_10-12-12.02) - NTFSx86
    Run by Bob at 20:51:40.82 on Sat 19/02/2011
    Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_23
    Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.2940.2435 [GMT 11:00]

    AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
    AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}

    ============== Running Processes ===============

    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\RTHDCPL.EXE
    C:\Program Files\ltmoh\Ltmoh.exe
    C:\WINDOWS\system32\igfxtray.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\Microsoft Security Client\msseces.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\igfxsrvc.exe
    svchost.exe
    C:\WINDOWS\system32\agrsmsvc.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\WINDOWS\System32\svchost.exe -k HPZ12
    C:\WINDOWS\System32\svchost.exe -k HPZ12
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\WINDOWS\system32\wscntfy.exe
    C:\Documents and Settings\Bob\My Documents\Downloads\dds.scr

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://www.scroogle.org/cgi-bin/scraper.htm
    uInternet Settings,ProxyOverride = *.local
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
    uRun: [Steam] "c:\program files\steam\steam.exe" -silent
    mRun: [LClock] c:\program files\lclock\LClock.exe
    mRun: [RTHDCPL] RTHDCPL.EXE
    mRun: [Alcmtr] ALCMTR.EXE
    mRun: [LtMoh] c:\program files\ltmoh\Ltmoh.exe
    mRun: [Camera Assistant Software] "c:\program files\camera assistant software for toshiba\traybar.exe" /start
    mRun: [TPSMain] TPSMain.exe
    mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
    mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
    mRun: [Persistence] c:\windows\system32\igfxpers.exe
    mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
    mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
    mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
    mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
    dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
    dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
    dRunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N
    StartupFolder: c:\docume~1\bob\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\bitmet~1.lnk - c:\program files\codebox\bitmeter\BitMeter2.exe
    dPolicies-explorer: ForceClassicControlPanel = 1 (0x1)
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} - hxxp://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection2.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
    DPF: {CF84DAC5-A4F5-419E-A0BA-C01FFD71112F} - hxxp://content.systemrequirementslab.com.s3.amazonaws.com/global/bin/srldetect_intel_4.3.16.0.cab
    DPF: {E6F480FC-BD44-4CBA-B74A-89AF7842937D} - hxxp://content.systemrequirementslab.com.s3.amazonaws.com/global/bin/srldetect_cyri_4.3.1.0.cab
    Notify: igfxcui - igfxdev.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    SecurityProviders: schannel.dll, digest.dll

    ================= FIREFOX ===================

    FF - ProfilePath - c:\docume~1\bob\applic~1\mozilla\firefox\profiles\ysxhsgrc.default\
    FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: foof: foof@foofme.com - %profile%\extensions\foof@foofme.com
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    FF - Ext: Boost for Facebook: {47624dda-b77e-4feb-820a-e4f077d5d4ca} - %profile%\extensions\{47624dda-b77e-4feb-820a-e4f077d5d4ca}
    FF - Ext: FEBE: {4BBDD651-70CF-4821-84F8-2B918CF89CA3} - %profile%\extensions\{4BBDD651-70CF-4821-84F8-2B918CF89CA3}
    FF - Ext: Update Notifier: {95f24680-9e31-11da-a746-0800200c9a66} - %profile%\extensions\{95f24680-9e31-11da-a746-0800200c9a66}
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - %profile%\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: ImTranslator: {9AA46F4F-4DC7-4c06-97AF-5035170634FE} - %profile%\extensions\{9AA46F4F-4DC7-4c06-97AF-5035170634FE}
    FF - Ext: Fasterfox: {c36177c0-224a-11da-8cd6-0800200c9a91} - %profile%\extensions\{c36177c0-224a-11da-8cd6-0800200c9a91}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - %profile%\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}
    FF - Ext: Greasemonkey: {e4a8a97b-f2ed-450b-b12d-ee082ba24781} - %profile%\extensions\{e4a8a97b-f2ed-450b-b12d-ee082ba24781}
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
    FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff

    ============= SERVICES / DRIVERS ===============

    R0 iastor86;iastor86;c:\windows\system32\drivers\iastor86.sys [2010-4-4 327192]
    R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-3-25 165264]
    R1 MpKsl43f042e4;MpKsl43f042e4;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{49316f14-479b-4abb-9e3e-f79c07eac0c1}\mpksl43f042e4.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{49316f14-479b-4abb-9e3e-f79c07eac0c1}\MpKsl43f042e4.sys [?]
    R1 MpKsl872891a4;MpKsl872891a4;c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{fc8f4265-4f68-4380-8cc0-7394b6cc0db7}\MpKsl872891a4.sys [2011-2-19 28752]
    R1 SAVRKBootTasks;Boot Tasks Driver;c:\windows\system32\SAVRKBootTasks.sys [2011-2-19 18816]
    S1 MpKsl4d9aa61d;MpKsl4d9aa61d;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{d4df6549-b41a-4cd7-adba-e8ba4d215354}\mpksl4d9aa61d.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{d4df6549-b41a-4cd7-adba-e8ba4d215354}\MpKsl4d9aa61d.sys [?]
    S1 MpKsl7d192544;MpKsl7d192544;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{7081df1e-4dba-486b-834b-a6ad0f3367da}\mpksl7d192544.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{7081df1e-4dba-486b-834b-a6ad0f3367da}\MpKsl7d192544.sys [?]
    S1 MpKsl85a0f85d;MpKsl85a0f85d;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{d4df6549-b41a-4cd7-adba-e8ba4d215354}\mpksl85a0f85d.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{d4df6549-b41a-4cd7-adba-e8ba4d215354}\MpKsl85a0f85d.sys [?]
    S1 MpKsl88c7a7ac;MpKsl88c7a7ac;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{d4df6549-b41a-4cd7-adba-e8ba4d215354}\mpksl88c7a7ac.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{d4df6549-b41a-4cd7-adba-e8ba4d215354}\MpKsl88c7a7ac.sys [?]
    S3 cpudrv;cpudrv;c:\program files\systemrequirementslab\cpudrv.sys [2009-12-18 11336]
    S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\6f.tmp --> c:\windows\system32\6F.tmp [?]

    =============== Created Last 30 ================

    2011-02-19 09:44:06 28752 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\microsoft antimalware\definition updates\{fc8f4265-4f68-4380-8cc0-7394b6cc0db7}\MpKsl872891a4.sys
    2011-02-19 09:43:58 5890896 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\microsoft antimalware\definition updates\{fc8f4265-4f68-4380-8cc0-7394b6cc0db7}\mpengine.dll
    2011-02-19 08:33:47 18816 ------w- c:\windows\system32\SAVRKBootTasks.sys
    2011-02-19 00:29:09 -------- d-----w- c:\program files\Sophos
    2011-02-18 13:07:01 553696 ----a-w- c:\program files\mozilla firefox\uninstall\helper.exe
    2011-02-18 03:00:36 -------- d-----w- c:\windows\system32\appmgmt
    2011-02-13 02:21:11 -------- d-----w- c:\program files\WarZone
    2011-02-13 02:18:42 -------- d-----w- c:\program files\Microprose
    2011-02-04 10:32:37 -------- d-----w- c:\docume~1\bob\applic~1\Rovio
    2011-02-04 10:31:04 761152 ----a-w- c:\windows\system32\msvcr100.dll
    2011-01-30 11:12:37 5890896 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\microsoft antimalware\definition updates\updates\mpengine.dll
    2011-01-30 11:12:30 -------- d-----w- c:\program files\Microsoft Security Client
    2011-01-30 03:57:00 103864 ----a-w- c:\program files\internet explorer\plugins\nppdf32.dll

    ==================== Find3M ====================

    2011-01-21 14:44:37 439296 ----a-w- c:\windows\system32\shimgvw.dll
    2011-01-07 14:09:02 290048 ----a-w- c:\windows\system32\atmfd.dll
    2010-12-31 13:10:33 1854976 ----a-w- c:\windows\system32\win32k.sys
    2010-12-22 12:34:28 301568 ----a-w- c:\windows\system32\kerberos.dll
    2010-12-20 23:59:20 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-12-20 23:59:19 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2010-12-20 23:59:19 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
    2010-12-20 17:26:00 730112 ----a-w- c:\windows\system32\lsasrv.dll
    2010-12-20 12:55:26 385024 ----a-w- c:\windows\system32\html.iec
    2010-12-14 13:34:30 315392 ----a-w- c:\windows\HideWin.exe
    2010-12-09 15:15:09 718336 ----a-w- c:\windows\system32\ntdll.dll
    2010-12-09 14:30:22 33280 ----a-w- c:\windows\system32\csrsrv.dll
    2010-12-09 13:42:26 2148864 ----a-w- c:\windows\system32\ntoskrnl.exe
    2010-12-09 13:07:07 2027008 ----a-w- c:\windows\system32\ntkrnlpa.exe
    2010-11-29 06:38:30 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
    2010-11-29 06:38:30 69632 ----a-w- c:\windows\system32\QuickTime.qts

    =================== ROOTKIT ====================

    Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
    Windows 5.1.2600 Disk: TOSHIBA_ rev.LV01 -> Harddisk0\DR0 -> \Device\Ide\iaStor0

    device: opened successfully
    user: MBR read successfully

    Disk trace:
    called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x89A235DC]<<
    _asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x89a297b8]; MOV EAX, [0x89a29834]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
    1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x8A3D9030]
    3 CLASSPNP[0xBA0E8FD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x8A3EF428]
    \Driver\iaStor[0x8A3F5338] -> IRP_MJ_CREATE -> 0x89A235DC
    kernel: MBR read successfully
    _asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; MOV ES, AX; MOV DS, AX; MOV SI, 0x7c00; MOV DI, 0x600; MOV CX, 0x200; CLD ; REP MOVSB ; PUSH AX; PUSH 0x61c; RETF ; STI ; PUSHA ; MOV CX, 0x132; MOV BP, 0x62a; ROR BYTE [BP+0x0], CL; INC BP; }
    detected disk devices:
    \Device\Ide\IAAStorageDevice-1 -> \??\IDE#DiskTOSHIBA_MK2552GSX_______________________LV010M__#4&4835c41&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
    detected hooks:
    user != kernel MBR !!!
    sectors 488397166 (+255): user != kernel
    Warning: possible TDL4 rootkit infection !
    TDL4 rootkit infection detected ! Use: "mbr.exe -f" to fix.

    ============= FINISH: 20:53:22.50 ===============


    ---------------------------------------------------------------


    ATTACH.txt


    --------------------------------------


    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT

    DDS (Ver_10-12-12.02)

    Microsoft Windows XP Professional
    Boot Device: \Device\HarddiskVolume1
    Install Date: 14/12/2010 7:49:42 AM
    System Uptime: 19/02/2011 7:53:48 PM (1 hours ago)

    Motherboard: TOSHIBA | | Portable PC
    Processor: Intel(R) Pentium(R) Dual CPU T3200 @ 2.00GHz | CPU | 1995/667mhz

    ==== Disk Partitions =========================

    C: is FIXED (NTFS) - 216 GiB total, 90.11 GiB free.
    D: is Removable
    F: is FIXED (NTFS) - 8 GiB total, 3.508 GiB free.

    ==== Disabled Device Manager Items =============

    Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
    Description:
    Device ID: ACPI\TOS1901\2&DABA3FF&0
    Manufacturer:
    Name:
    PNP Device ID: ACPI\TOS1901\2&DABA3FF&0
    Service:

    ==== System Restore Points ===================

    RP72: 30/01/2011 2:12:46 AM - System Checkpoint
    RP73: 30/01/2011 1:34:24 PM - Software Distribution Service 3.0
    RP74: 30/01/2011 10:12:16 PM - Software Distribution Service 3.0
    RP75: 31/01/2011 9:58:33 PM - Software Distribution Service 3.0
    RP76: 2/02/2011 2:10:51 PM - Software Distribution Service 3.0
    RP77: 3/02/2011 2:25:53 PM - Software Distribution Service 3.0
    RP78: 4/02/2011 4:55:14 PM - Software Distribution Service 3.0
    RP79: 5/02/2011 10:03:55 PM - Software Distribution Service 3.0
    RP80: 7/02/2011 4:21:46 AM - Software Distribution Service 3.0
    RP81: 8/02/2011 9:59:55 AM - Software Distribution Service 3.0
    RP82: 9/02/2011 11:50:29 AM - Software Distribution Service 3.0
    RP83: 10/02/2011 3:00:13 AM - Software Distribution Service 3.0
    RP84: 10/02/2011 4:14:41 PM - Software Distribution Service 3.0
    RP85: 11/02/2011 4:39:34 PM - System Checkpoint
    RP86: 12/02/2011 8:03:34 PM - System Checkpoint
    RP87: 13/02/2011 3:25:11 AM - Software Distribution Service 3.0
    RP88: 14/02/2011 12:28:35 PM - System Checkpoint
    RP89: 14/02/2011 1:17:08 PM - Software Distribution Service 3.0
    RP90: 15/02/2011 10:28:46 PM - Software Distribution Service 3.0
    RP91: 16/02/2011 11:26:41 PM - Software Distribution Service 3.0
    RP92: 17/02/2011 3:00:13 AM - Software Distribution Service 3.0
    RP93: 17/02/2011 3:24:43 AM - Software Distribution Service 3.0
    RP94: 18/02/2011 1:37:12 PM - System Checkpoint
    RP95: 18/02/2011 2:00:26 PM - Removed Apple Mobile Device Support
    RP96: 18/02/2011 2:02:41 PM - Removed iTunes
    RP97: 19/02/2011 8:22:38 PM - System Checkpoint

    ==== Installed Programs ======================

    32 Bit HP CIO Components Installer
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 10 Plugin
    Adobe Reader 9.4.2
    Adobe Shockwave Player 11.5
    Apple Application Support
    Apple Software Update
    Atheros Driver Installation Program
    µTorrent
    BitMeter
    Bonjour
    Camera Assistant Software for Toshiba
    Counter-Strike: Source
    Counter-Strike: Source Beta
    DJ_SF_06_D1600_SW_Min
    GoldenEye: Source - HalfLife 2 Mod
    Half-Life 2: Deathmatch
    Hotfix for Windows XP (KB2158563)
    Hotfix for Windows XP (KB2443685)
    Hotfix for Windows XP (KB971276-v3)
    Hotfix for Windows XP (KB976002-v5)
    Hotfix for Windows XP (KB979306)
    HP Deskjet D1600 Printer Driver 14.0 Rel. 6
    HP Product Detection
    Intel(R) Graphics Media Accelerator Driver
    Java Auto Updater
    Java(TM) 6 Update 20
    Java(TM) 6 Update 23
    Malwarebytes' Anti-Malware
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Security Update (KB2416447)
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft Antimalware
    Microsoft Application Error Reporting
    Microsoft Security Client
    Microsoft Security Essentials
    Microsoft Silverlight
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
    mIRC
    Mozilla Firefox (3.6.13)
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    OpenOffice.org 3.2
    QuickTime
    Realtek AC'97 Audio
    REALTEK GbE & FE Ethernet PCI-E NIC Driver
    Realtek High Definition Audio Driver
    REALTEK RTL8187B Wireless LAN Driver
    Realtek WLAN Driver
    Risk WarZone Client
    Royal AIO Theme
    Security Update for Windows Internet Explorer 8 (KB2360131)
    Security Update for Windows Internet Explorer 8 (KB2416400)
    Security Update for Windows Internet Explorer 8 (KB2482017)
    Security Update for Windows Internet Explorer 8 (KB981332)
    Security Update for Windows Media Player (KB2378111)
    Security Update for Windows Media Player (KB975558)
    Security Update for Windows Media Player (KB978695)
    Security Update for Windows XP (KB2079403)
    Security Update for Windows XP (KB2115168)
    Security Update for Windows XP (KB2121546)
    Security Update for Windows XP (KB2229593)
    Security Update for Windows XP (KB2259922)
    Security Update for Windows XP (KB2279986)
    Security Update for Windows XP (KB2286198)
    Security Update for Windows XP (KB2296011)
    Security Update for Windows XP (KB2296199)
    Security Update for Windows XP (KB2347290)
    Security Update for Windows XP (KB2360937)
    Security Update for Windows XP (KB2387149)
    Security Update for Windows XP (KB2393802)
    Security Update for Windows XP (KB2419632)
    Security Update for Windows XP (KB2423089)
    Security Update for Windows XP (KB2436673)
    Security Update for Windows XP (KB2440591)
    Security Update for Windows XP (KB2443105)
    Security Update for Windows XP (KB2476687)
    Security Update for Windows XP (KB2478960)
    Security Update for Windows XP (KB2478971)
    Security Update for Windows XP (KB2479628)
    Security Update for Windows XP (KB2483185)
    Security Update for Windows XP (KB2485376)
    Security Update for Windows XP (KB975562)
    Security Update for Windows XP (KB977816)
    Security Update for Windows XP (KB978338)
    Security Update for Windows XP (KB978542)
    Security Update for Windows XP (KB978601)
    Security Update for Windows XP (KB979309)
    Security Update for Windows XP (KB979482)
    Security Update for Windows XP (KB979687)
    Security Update for Windows XP (KB980195)
    Security Update for Windows XP (KB980232)
    Security Update for Windows XP (KB980436)
    Security Update for Windows XP (KB981852)
    Security Update for Windows XP (KB981957)
    Security Update for Windows XP (KB981997)
    Security Update for Windows XP (KB982132)
    Security Update for Windows XP (KB982214)
    Security Update for Windows XP (KB982665)
    Sophos Anti-Rootkit 1.5.4
    Source SDK Base 2007
    Steam
    System Requirements Lab CYRI
    System Requirements Lab for Intel
    Toolbox
    TOSHIBA PC Diagnostic Tool
    TOSHIBA Power Saver
    TOSHIBA Software Modem
    Update for Windows XP (KB2141007)
    Update for Windows XP (KB2345886)
    Update for Windows XP (KB2467659)
    VLC media player 1.0.5
    WebFldrs XP
    Windows Genuine Advantage Notifications (KB905474)
    Windows Genuine Advantage Validation Tool (KB892130)
    WinRAR archiver
    Xvid 1.2.2 final uninstall
    YouTube Downloader 2.6.5

    ==== Event Viewer Messages From Past Week ========

    19/02/2011 7:45:14 PM, error: Service Control Manager [7034] - The Java Quick Starter service terminated unexpectedly. It has done this 1 time(s).
    19/02/2011 7:45:14 PM, error: Service Control Manager [7034] - The Bonjour Service service terminated unexpectedly. It has done this 1 time(s).
    19/02/2011 7:45:14 PM, error: Service Control Manager [7031] - The Microsoft Antimalware Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 15000 milliseconds: Restart the service.
    19/02/2011 11:24:53 AM, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.97.1877.0 Update Source: Microsoft Update Server Update Stage: Search Source Path: http://www.microsoft.com Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.6502.0 Error code: 0x80072efe Error description: The connection with the server was terminated abnormally
    19/02/2011 11:17:33 AM, error: Service Control Manager [7034] - The Agere Modem Call Progress Audio service terminated unexpectedly. It has done this 1 time(s).
    18/02/2011 9:37:56 AM, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.97.1877.0 Update Source: Microsoft Update Server Update Stage: Search Source Path: http://www.microsoft.com Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.6502.0 Error code: 0x80072efe Error description: The connection with the server was terminated abnormally
    18/02/2011 1:58:19 PM, error: Service Control Manager [7031] - The Print Spooler service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
    17/02/2011 5:45:23 PM, error: Service Control Manager [7034] - The iPod Service service terminated unexpectedly. It has done this 1 time(s).
    15/02/2011 10:12:33 PM, error: Dhcp [1002] - The IP address lease 192.168.2.3 for the Network Card with network address 002163868050 has been denied by the DHCP server 192.168.0.1 (The DHCP Server sent a DHCPNACK message).
    13/02/2011 12:37:39 PM, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.97.1582.0 Update Source: Microsoft Update Server Update Stage: Search Source Path: http://www.microsoft.com Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.6502.0 Error code: 0x80072efe Error description: The connection with the server was terminated abnormally
    12/02/2011 7:50:29 PM, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.97.1355.0 Update Source: Microsoft Update Server Update Stage: Search Source Path: http://www.microsoft.com Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.6502.0 Error code: 0x80072efe Error description: The connection with the server was terminated abnormally
    12/02/2011 7:46:28 PM, error: PlugPlayManager [12] - The device 'HL-DT-ST DVDRAM GSA-T50N' (IDE\CdRomHL-DT-ST_DVDRAM_GSA-T50N________________RR07____\4&4835c41&0&0.1.0) disappeared from the system without first being prepared for removal.
    12/02/2011 7:46:28 PM, error: iaStor [9] - The device, \Device\Ide\iaStor0, did not respond within the timeout period.

    ==== End Of File ===========================
     
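Added example, not from the thread or from any of the tools it names: a small Python triage of the DDS "ROOTKIT" section and the GMER "Disk sectors" lines like the ones rubbersoul posted, pulling out the indicators a helper reads first (the user-mode vs kernel-mode MBR mismatch and the flagged sectors at the tail of the disk). The line formats are taken from the posted output; the meaning of the "(+N)" suffix is an assumption.

```python
import re
from dataclasses import dataclass, field
from typing import List, Tuple

# Constructed sample: the decisive lines from the DDS "ROOTKIT" section and the
# GMER "Disk sectors" section in the thread, cut down to the indicator lines.
SAMPLE_LOG = r"""
=================== ROOTKIT ====================
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
detected hooks:
user != kernel MBR !!!
sectors 488397166 (+255): user != kernel
Warning: possible TDL4 rootkit infection !
TDL4 rootkit infection detected ! Use: "mbr.exe -f" to fix.

---- Disk sectors - GMER 1.0.15 ----
Disk \Device\Harddisk0\DR0 sector 00 (MBR): rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 04: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sectors 488396912 (+255): rootkit-like behavior;
"""

# "sectors <start> (+<n>): user != kernel": the detector got different bytes for
# these sectors depending on whether it read through the user-mode path or
# straight from the kernel driver stack, which is how a filtering bootkit shows up.
MISMATCH_RE = re.compile(r"^sectors\s+(\d+)\s+\(\+(\d+)\):\s+user\s*!=\s*kernel$")

# GMER disk-sector lines, e.g. "... sector 00 (MBR): rootkit-like behavior;"
# or "... sectors 488396912 (+255): rootkit-like behavior;"
GMER_RE = re.compile(
    r"^Disk\s+\S+\s+sectors?\s+(\d+)(?:\s+\(\+(\d+)\))?(\s+\(MBR\))?:\s+rootkit-like behavior"
)


@dataclass
class Findings:
    mbr_read_both_paths: bool = False                 # both 'user:' and 'kernel:' reads worked
    mbr_mismatch: bool = False                        # user-mode and kernel-mode MBR differ
    mismatched_sectors: List[Tuple[int, int]] = field(default_factory=list)   # (start, plus)
    tdl4_reported: bool = False                       # detector printed its TDL4 verdict
    gmer_flagged_sectors: List[Tuple[int, int]] = field(default_factory=list)  # (start, plus)
    gmer_mbr_flagged: bool = False                    # sector 0, the MBR itself, among them


def triage(log: str) -> Findings:
    """Collect the bootkit indicators from DDS/GMER output into one Findings record."""
    f = Findings()
    saw_user = saw_kernel = False
    for raw in log.splitlines():
        line = raw.strip()
        if line == "user: MBR read successfully":
            saw_user = True
        elif line == "kernel: MBR read successfully":
            saw_kernel = True
        elif line == "user != kernel MBR !!!":
            f.mbr_mismatch = True
        elif line.startswith("TDL4 rootkit infection detected"):
            f.tdl4_reported = True
        elif (m := MISMATCH_RE.match(line)):
            f.mismatched_sectors.append((int(m.group(1)), int(m.group(2))))
        elif (m := GMER_RE.match(line)):
            start = int(m.group(1))
            plus = int(m.group(2)) if m.group(2) else 0   # 0 when a single sector is listed
            f.gmer_flagged_sectors.append((start, plus))
            if m.group(3) or start == 0:
                f.gmer_mbr_flagged = True
    f.mbr_read_both_paths = saw_user and saw_kernel
    return f


def corroborated(f: Findings) -> bool:
    """True when a range mbr.exe found mismatched overlaps a range GMER flagged.

    Assumption (not stated in the thread): a "(+N)" suffix means N further sectors
    after the listed start, so each entry covers [start, start + N].
    """
    for ms, mp in f.mismatched_sectors:
        for gs, gp in f.gmer_flagged_sectors:
            if ms <= gs + gp and gs <= ms + mp:
                return True
    return False


def verdict(f: Findings) -> str:
    """Reduce the findings to the call a helper makes when reading the log."""
    if f.mbr_mismatch or f.tdl4_reported:
        return "mbr-bootkit"          # the MBR looks different depending on the read path
    if f.gmer_mbr_flagged:
        return "mbr-suspicious"       # GMER dislikes sector 0 but no two-path mismatch shown
    if f.gmer_flagged_sectors or f.mismatched_sectors:
        return "sectors-suspicious"
    return "clean"


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    print(verdict(found), "corroborated by GMER:", corroborated(found))
```

On the posted log this returns "mbr-bootkit", and the two tools' flagged ranges near sector 488,396,912 overlap, which is the tail-of-disk region the detector itself attributes to TDL4.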
  4. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Please download MBRCheck.exe to your desktop.
    • Be sure to disable your security programs
    • Double click on the file to run it (Vista and Windows 7 users will have to confirm the UAC prompt)
    • A small window should open on your desktop
    • If an unknown bootcode is found you will have further options available to you; at this time press N then press Enter twice.
    • If nothing unusual is found just press Enter
    • A .txt file named MBRCheck_mm.dd.yy_hh.mm.ss should appear on your desktop. Please post the contents of that file.
     
  5. rubbersoul

    rubbersoul TS Rookie Topic Starter Posts: 17

    MBRCheck log as follows:

    MBRCheck, version 1.2.3
    (c) 2010, AD

    Command-line:
    Windows Version: Windows XP Professional
    Windows Information: Service Pack 3 (build 2600)
    Logical Drives Mask: 0x00000024

    Kernel Drivers (total 113):
    0x804D7000 \WINDOWS\system32\ntkrnlpa.exe
    0x806E5000 \WINDOWS\system32\hal.dll
    0x899CE000 \WINDOWS\system32\KDCOM.DLL
    0xBA4BC000 \WINDOWS\system32\BOOTVID.dll
    0xB9F79000 ACPI.sys
    0xBA5A8000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
    0xB9F68000 pci.sys
    0xBA0A8000 isapnp.sys
    0xBA4C0000 compbatt.sys
    0xBA4C4000 \WINDOWS\system32\DRIVERS\BATTC.SYS
    0xBA0B8000 MountMgr.sys
    0xB9F49000 ftdisk.sys
    0xBA5AA000 dmload.sys
    0xB9F23000 dmio.sys
    0xBA328000 PartMgr.sys
    0xBA4C8000 ACPIEC.sys
    0xBA670000 \WINDOWS\system32\DRIVERS\OPRGHDLR.SYS
    0xBA0C8000 VolSnap.sys
    0xB9E49000 iaStor.sys
    0xB9D6F000 iastor86.sys
    0xBA0D8000 disk.sys
    0xBA0E8000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
    0xB9D4F000 fltMgr.sys
    0xB9D3D000 sr.sys
    0xB9D26000 KSecDD.sys
    0xB9C99000 Ntfs.sys
    0xB9C6C000 NDIS.sys
    0xB9C52000 Mup.sys
    0xBA2A8000 \SystemRoot\system32\DRIVERS\intelppm.sys
    0xB9C0E000 \SystemRoot\system32\DRIVERS\CmBatt.sys
    0xB816E000 \SystemRoot\system32\DRIVERS\igxpmp32.sys
    0xB815A000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
    0xBA4B0000 \SystemRoot\system32\DRIVERS\usbuhci.sys
    0xB8136000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
    0xBA338000 \SystemRoot\system32\DRIVERS\usbehci.sys
    0xB810E000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
    0xB80D6000 \SystemRoot\system32\DRIVERS\Rtenicxp.sys
    0xB7F52000 \SystemRoot\system32\DRIVERS\athw.sys
    0xBA2D8000 \SystemRoot\system32\DRIVERS\i8042prt.sys
    0xBA340000 \SystemRoot\system32\DRIVERS\kbdclass.sys
    0xBA348000 \SystemRoot\system32\DRIVERS\mouclass.sys
    0xB7F2F000 \SystemRoot\system32\DRIVERS\ks.sys
    0xBA7C0000 \SystemRoot\system32\DRIVERS\audstub.sys
    0xBA318000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
    0xB9BF1000 \SystemRoot\system32\DRIVERS\ndistapi.sys
    0xB7F18000 \SystemRoot\system32\DRIVERS\ndiswan.sys
    0xBA118000 \SystemRoot\system32\DRIVERS\raspppoe.sys
    0xBA128000 \SystemRoot\system32\DRIVERS\raspptp.sys
    0xBA350000 \SystemRoot\system32\DRIVERS\TDI.SYS
    0xB7F07000 \SystemRoot\system32\DRIVERS\psched.sys
    0xBA138000 \SystemRoot\system32\DRIVERS\msgpc.sys
    0xBA358000 \SystemRoot\system32\DRIVERS\ptilink.sys
    0xBA360000 \SystemRoot\system32\DRIVERS\raspti.sys
    0xB7ED7000 \SystemRoot\system32\DRIVERS\rdpdr.sys
    0xBA148000 \SystemRoot\system32\DRIVERS\termdd.sys
    0xBA5C8000 \SystemRoot\system32\DRIVERS\swenum.sys
    0xB7E79000 \SystemRoot\system32\DRIVERS\update.sys
    0xB9BD5000 \SystemRoot\system32\DRIVERS\mssmbios.sys
    0xBA158000 \SystemRoot\system32\DRIVERS\wsimd.sys
    0xAF5A3000 \SystemRoot\System32\Drivers\NDProxy.SYS
    0xAF583000 \SystemRoot\system32\DRIVERS\usbhub.sys
    0xBA5D4000 \SystemRoot\system32\DRIVERS\USBD.SYS
    0x9DC7D000 \SystemRoot\system32\drivers\RtkHDAud.sys
    0x9DC59000 \SystemRoot\system32\drivers\portcls.sys
    0xAF573000 \SystemRoot\system32\drivers\drmk.sys
    0x9DB3D000 \SystemRoot\system32\DRIVERS\AGRSM.sys
    0xBA440000 \SystemRoot\System32\Drivers\Modem.SYS
    0x9DB16000 \SystemRoot\system32\DRIVERS\MpFilter.sys
    0xAF31F000 \??\C:\WINDOWS\system32\SAVRKBootTasks.sys
    0xBA612000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
    0xBA6A2000 \SystemRoot\System32\Drivers\Null.SYS
    0xBA61A000 \SystemRoot\System32\Drivers\Beep.SYS
    0xAF317000 \SystemRoot\System32\drivers\vga.sys
    0xBA61C000 \SystemRoot\System32\Drivers\mnmdd.SYS
    0xBA614000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
    0xAEBEB000 \SystemRoot\System32\Drivers\Msfs.SYS
    0xAEBE3000 \SystemRoot\System32\Drivers\Npfs.SYS
    0xB7CE1000 \SystemRoot\system32\DRIVERS\rasacd.sys
    0x9DAE3000 \SystemRoot\system32\DRIVERS\ipsec.sys
    0x9DA8A000 \SystemRoot\system32\DRIVERS\tcpip.sys
    0x9DA62000 \SystemRoot\system32\DRIVERS\netbt.sys
    0x9DA3C000 \SystemRoot\system32\DRIVERS\ipnat.sys
    0x9DA1A000 \SystemRoot\System32\drivers\afd.sys
    0xAEFC0000 \SystemRoot\system32\DRIVERS\netbios.sys
    0xAEFB0000 \SystemRoot\system32\DRIVERS\wanarp.sys
    0x9D9EF000 \SystemRoot\system32\DRIVERS\rdbss.sys
    0x9D97F000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
    0xAEBD3000 \??\c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{08C467CF-F80B-4637-83E3-1293B0A120D3}\MpKsld83c4411.sys
    0xAEFA0000 \SystemRoot\System32\Drivers\Fips.SYS
    0xAEBC3000 \SystemRoot\system32\DRIVERS\usbccgp.sys
    0xAEF60000 \SystemRoot\System32\Drivers\UVCFTR_S.SYS
    0x9D961000 \SystemRoot\System32\Drivers\usbvideo.sys
    0xAECD7000 \SystemRoot\System32\Drivers\Cdfs.SYS
    0x9D887000 \SystemRoot\System32\Drivers\dump_iaStor.sys
    0xBF800000 \SystemRoot\System32\win32k.sys
    0xB1B71000 \SystemRoot\System32\drivers\Dxapi.sys
    0xAEBB3000 \SystemRoot\System32\watchdog.sys
    0xBF000000 \SystemRoot\System32\drivers\dxg.sys
    0xB3776000 \SystemRoot\System32\drivers\dxgthk.sys
    0xBF024000 \SystemRoot\System32\igxpgd32.dll
    0xBF012000 \SystemRoot\System32\igxprd32.dll
    0xBF04F000 \SystemRoot\System32\igxpdv32.DLL
    0xBF25B000 \SystemRoot\System32\igxpdx32.DLL
    0xBF562000 \SystemRoot\System32\ATMFD.DLL
    0x9D84B000 \SystemRoot\system32\DRIVERS\ndisuio.sys
    0x9D6E2000 \SystemRoot\system32\drivers\wdmaud.sys
    0xB3FB4000 \SystemRoot\system32\drivers\sysaudio.sys
    0x9D323000 \SystemRoot\system32\DRIVERS\mrxdav.sys
    0x9C78B000 \SystemRoot\system32\DRIVERS\srv.sys
    0x9C452000 \SystemRoot\System32\Drivers\HTTP.sys
    0xBA370000 \??\c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{08C467CF-F80B-4637-83E3-1293B0A120D3}\MpKsld74c8460.sys
    0x9C076000 \SystemRoot\system32\drivers\kmixer.sys
    0x7C900000 \WINDOWS\system32\ntdll.dll

    Processes (total 36):
    0 System Idle Process
    4 System
    836 C:\WINDOWS\system32\smss.exe
    908 csrss.exe
    932 C:\WINDOWS\system32\winlogon.exe
    980 C:\WINDOWS\system32\services.exe
    992 C:\WINDOWS\system32\lsass.exe
    1148 C:\WINDOWS\system32\svchost.exe
    1212 svchost.exe
    1256 C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
    1292 C:\WINDOWS\system32\svchost.exe
    1392 svchost.exe
    1544 svchost.exe
    1840 C:\WINDOWS\system32\spoolsv.exe
    496 C:\WINDOWS\explorer.exe
    768 C:\WINDOWS\RTHDCPL.exe
    792 C:\Program Files\ltmoh\ltmoh.exe
    824 C:\WINDOWS\system32\igfxtray.exe
    844 C:\WINDOWS\system32\hkcmd.exe
    852 C:\WINDOWS\system32\igfxpers.exe
    884 C:\Program Files\Common Files\Java\Java Update\jusched.exe
    900 C:\Program Files\Microsoft Security Client\msseces.exe
    956 C:\WINDOWS\system32\ctfmon.exe
    1120 C:\Program Files\Codebox\BitMeter\BitMeter2.exe
    1476 C:\WINDOWS\system32\igfxsrvc.exe
    240 svchost.exe
    1320 C:\WINDOWS\system32\agrsmsvc.exe
    1412 C:\Program Files\Bonjour\mDNSResponder.exe
    1344 C:\Program Files\Java\jre6\bin\jqs.exe
    2368 C:\WINDOWS\system32\svchost.exe
    3208 alg.exe
    1084 C:\Documents and Settings\Bob\Desktop\Angry Birds\AngryBirds.exe
    2264 C:\Program Files\Mozilla Firefox\firefox.exe
    3928 C:\Program Files\Mozilla Firefox\plugin-container.exe
    4032 C:\WINDOWS\system32\wscntfy.exe
    3820 C:\Documents and Settings\Bob\Desktop\MBRCheck.exe

    \\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`5dd00000 (NTFS)
    \\.\F: --> \\.\PhysicalDrive0 at offset 0x00000036`73000000 (NTFS)

    PhysicalDrive0 Model Number: TOSHIBAMK2552GSX, Rev: LV010M

    Size Device Name MBR Status
    --------------------------------------------
    232 GB \\.\PhysicalDrive0 Windows XP MBR code detected
    SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A


    Done!
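The MBRCheck output above reports which MBR code is present and a SHA1 hash of it. As an added example (not part of this thread, and not MBRCheck's own code), the following Python script shows the kind of check such a tool performs on a 512-byte MBR: validate the 0x55AA boot signature, hash the boot-code region, decode the partition table, and compare the hash against a baseline recorded when the disk was known clean. Hashing the 440-byte region before the disk signature is my choice here and not necessarily MBRCheck's exact method; the two sample sectors are constructed in the script, and the byte string used as "boot code" is a placeholder, not real boot code.

```python
import hashlib
import struct
from typing import Dict, List

SECTOR_SIZE = 512
BOOT_CODE_END = 0x1B8    # bytes 0x000-0x1B7: boot code (assumption: the region we hash)
DISK_SIG_OFF = 0x1B8     # bytes 0x1B8-0x1BB: NT disk signature; 0x1BC-0x1BD normally zero
PART_TABLE_OFF = 0x1BE   # four 16-byte partition entries
BOOT_SIG_OFF = 0x1FE     # 0x55 0xAA


def mbr_report(sector: bytes) -> Dict[str, object]:
    """Summarise one 512-byte MBR: boot signature, boot-code hash, partition table."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly 512 bytes")
    partitions: List[Dict[str, int]] = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sector-count(4)
        status, ptype, lba_start, count = struct.unpack_from("<B3xB3xII", sector, off)
        if ptype != 0:
            partitions.append({"index": i, "bootable": status == 0x80,
                               "type": ptype, "lba_start": lba_start, "sectors": count})
    return {
        "valid_signature": sector[BOOT_SIG_OFF:BOOT_SIG_OFF + 2] == b"\x55\xAA",
        "code_sha1": hashlib.sha1(sector[:BOOT_CODE_END]).hexdigest().upper(),
        "disk_signature": struct.unpack_from("<I", sector, DISK_SIG_OFF)[0],
        "partitions": partitions,
    }


def matches_baseline(sector: bytes, baseline_sha1: str) -> bool:
    """True when the boot-code region still hashes to the value recorded on a clean disk."""
    return mbr_report(sector)["code_sha1"] == baseline_sha1.upper()


def read_mbr(path: str) -> bytes:
    """Read sector 0 from a raw disk-image file (or a device node you are allowed to open)."""
    with open(path, "rb") as fh:
        return fh.read(SECTOR_SIZE)


def build_sector(boot_code: bytes) -> bytes:
    """Construct a sample MBR with one bootable NTFS partition (type 0x07). Test data only."""
    code = boot_code.ljust(BOOT_CODE_END, b"\x00")
    disk_sig = struct.pack("<I", 0x1234ABCD) + b"\x00\x00"
    entry0 = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07, b"\xFE\xFF\xFF", 63, 1_000_000)
    table = entry0 + b"\x00" * 48
    return code + disk_sig + table + b"\x55\xAA"


# Constructed samples: a "clean" sector, and a copy in which a few bytes of the code
# region differ while the partition table is untouched. The hash catches the change;
# the partition listing shows why a partition-table-only view would not.
CLEAN_MBR = build_sector(b"\xFA\x33\xC0\x8E\xD0\xBC\x00\x7C\xFB")   # placeholder stub
BASELINE_SHA1 = mbr_report(CLEAN_MBR)["code_sha1"]
_altered = bytearray(CLEAN_MBR)
_altered[0x40:0x44] = b"\x90\x90\x90\x90"
ALTERED_MBR = bytes(_altered)

if __name__ == "__main__":
    for label, sec in (("clean", CLEAN_MBR), ("altered", ALTERED_MBR)):
        rep = mbr_report(sec)
        print(label, rep["code_sha1"], "matches baseline:", matches_baseline(sec, BASELINE_SHA1),
              "partitions:", rep["partitions"])
```

Run it as-is to see the two constructed sectors compared; to check a real image, pass its path to `read_mbr` and the SHA1 taken from a known-clean copy to `matches_baseline`. Reading a live device node needs administrative rights, exactly as MBRCheck does.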
     
  6. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Okay, let's see if this will get it:
    • Download the file TDSSKiller.zip and save to the desktop.
      (If you are unable to download the file for some reason, then TDSS may be blocking it. You would then need to download it first to a clean computer and then transfer it to the infected one using an external drive or USB flash drive.)
    • Right-click the tdsskiller.zip file> Select Extract All into a folder on the infected (or potentially infected) PC.
    • Double click on TDSSKiller.exe to run the scan
    • When the scan is over, the utility outputs a list of detected objects with description.
      The utility automatically selects an action (Cure or Delete) for malicious objects.
      The utility prompts the user to select an action to apply to suspicious objects (Skip, by default).
    • Select the action Quarantine to quarantine detected objects.
      The default quarantine folder is in the system disk root folder, e.g.: C:\TDSSKiller_Quarantine\23.07.2010_15.31.43
    • After clicking Next, the utility applies selected actions and outputs the result.
    • A reboot is required after disinfection.
     
  7. rubbersoul

    rubbersoul TS Rookie Topic Starter Posts: 17

    Bobbye,

    That seems to have done the trick! Rootkit has been removed and I haven't noticed any redirects or strange happenings for an hour or so.

    Thanks a lot for all your help :)
     
  8. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Good> we will continue: I need to make sure there are no remaining malware entries:

    Run Eset NOD32 Online AntiVirus scan HERE
    1. Tick the box next to YES, I accept the Terms of Use.
    2. Click Start
    3. When asked, allow the Active X control to install
    4. Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
    5. Click Start
    6. Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
    7. Click Scan
    8. Wait for the scan to finish
    9. Click on "Copy to Clipboard"> (you won't see the 'clipboard')
    10. Click anywhere in the post where you want the logs to go, then do Ctrl V. The log will be sent from the clipboard and pasted in the post.
    11. Re-enable your Antivirus software.
      NOTE: If you forget to copy to the clipboard, you can find the log here:
      C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
    =======================================
    Download Combofix to your desktop from one of these locations:
    Link 1
    Link 2
    • Double click combofix.exe & follow the prompts.
    • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It is strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode if needed.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    • Query- Recovery Console image
      [IMG]
    • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
      [IMG]
    • Click on Yes, to continue scanning for malware
    • If Combofix asks you to update the program, allow
    • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Close any open browsers.
    • Double click combofix.exe & follow the prompts to run.
    • When the scan completes it will open a text window. Please paste that log in your next reply.
    Re-enable your Antivirus software.
    Notes:
    1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
    3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
    4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
     
  9. rubbersoul

    rubbersoul TS Rookie Topic Starter Posts: 17

    ESET LOG




    C:\TDSSKiller_Quarantine\21.02.2011_18.34.55\boot0000\tdlfs0000\tsk0003.dta a variant of Win32/Olmarik.ADZ trojan
    C:\TDSSKiller_Quarantine\21.02.2011_18.34.55\boot0000\tdlfs0000\tsk0006.dta Win64/Olmarik.AMO trojan
    C:\TDSSKiller_Quarantine\21.02.2011_18.34.55\boot0000\tdlfs0000\tsk0007.dta Win64/Olmarik.J trojan
    C:\TDSSKiller_Quarantine\21.02.2011_18.34.55\boot0000\tdlfs0000\tsk0009.dta Win32/Olmarik.ALK trojan




    ------------------------------------------------------------------------------------------------------------------------------------------


    COMBOFIX LOG


    -----------



    ComboFix 11-02-21.02 - Bob 22/02/2011 19:44:58.1.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.2940.2375 [GMT 11:00]
    Running from: c:\documents and settings\Bob\Desktop\ComboFix.exe
    AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
    AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Install.exe
    c:\windows\system32\Thumbs.db

    .
    ((((((((((((((((((((((((( Files Created from 2011-01-22 to 2011-02-22 )))))))))))))))))))))))))))))))
    .

    2011-02-22 08:38 . 2011-02-22 08:38 28752 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{BE6FEB8B-A88A-4E91-91CC-EB05896DDBF2}\MpKsl933f9698.sys
    2011-02-22 08:38 . 2011-01-13 09:41 5890896 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{BE6FEB8B-A88A-4E91-91CC-EB05896DDBF2}\mpengine.dll
    2011-02-22 01:28 . 2011-02-22 01:28 -------- d-----w- c:\program files\ESET
    2011-02-21 07:37 . 2011-02-21 07:37 -------- d-----w- C:\TDSSKiller_Quarantine
    2011-02-19 08:33 . 2010-05-25 23:45 18816 ------w- c:\windows\system32\SAVRKBootTasks.sys
    2011-02-19 00:29 . 2011-02-19 00:29 -------- d-----w- c:\program files\Sophos
    2011-02-18 13:07 . 2010-12-03 19:43 553696 ----a-w- c:\program files\Mozilla Firefox\uninstall\helper.exe
    2011-02-17 22:29 . 2011-02-17 22:30 -------- d-----w- c:\program files\Common Files\Adobe
    2011-02-17 01:04 . 2011-02-17 02:18 -------- d-----w- c:\documents and settings\Bob\Application Data\dvdcss
    2011-02-13 02:21 . 2011-02-13 02:22 -------- d-----w- c:\program files\WarZone
    2011-02-13 02:18 . 2011-02-13 02:18 -------- d-----w- c:\program files\Microprose
    2011-02-04 10:32 . 2011-02-04 10:32 -------- d-----w- c:\documents and settings\Bob\Application Data\Rovio
    2011-02-04 10:31 . 2009-08-23 23:15 761152 ----a-w- c:\windows\system32\msvcr100.dll
    2011-01-30 11:12 . 2011-01-13 09:41 5890896 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Updates\mpengine.dll
    2011-01-30 11:12 . 2011-01-30 11:13 -------- d-----w- c:\program files\Microsoft Security Client
    2011-01-30 03:57 . 2011-01-30 03:57 103864 ----a-w- c:\program files\Internet Explorer\Plugins\nppdf32.dll

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-01-21 14:44 . 2008-04-14 03:42 439296 ----a-w- c:\windows\system32\shimgvw.dll
    2011-01-13 09:41 . 2010-12-16 04:11 5890896 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
    2011-01-07 14:09 . 2008-04-14 03:39 290048 ----a-w- c:\windows\system32\atmfd.dll
    2010-12-31 13:10 . 2010-04-03 15:47 1854976 ----a-w- c:\windows\system32\win32k.sys
    2010-12-22 12:34 . 2010-04-03 15:45 301568 ----a-w- c:\windows\system32\kerberos.dll
    2010-12-20 23:59 . 2010-04-03 15:50 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-12-20 23:59 . 2010-04-03 15:50 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2010-12-20 23:59 . 2010-04-03 15:50 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
    2010-12-20 17:26 . 2010-04-03 15:46 730112 ----a-w- c:\windows\system32\lsasrv.dll
    2010-12-20 12:55 . 2010-04-03 15:50 385024 ----a-w- c:\windows\system32\html.iec
    2010-12-20 07:09 . 2010-12-16 05:47 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-12-20 07:08 . 2010-12-16 05:47 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-12-14 13:34 . 2010-12-14 13:34 315392 ----a-w- c:\windows\HideWin.exe
    2010-12-09 15:15 . 2009-02-09 12:10 718336 ----a-w- c:\windows\system32\ntdll.dll
    2010-12-09 14:30 . 2010-04-03 15:45 33280 ----a-w- c:\windows\system32\csrsrv.dll
    2010-12-09 13:42 . 2010-04-03 15:46 2148864 ----a-w- c:\windows\system32\ntoskrnl.exe
    2010-12-09 13:07 . 2009-12-08 18:43 2027008 ----a-w- c:\windows\system32\ntkrnlpa.exe
    2010-11-29 06:38 . 2010-11-29 06:38 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
    2010-11-29 06:38 . 2010-11-29 06:38 69632 ----a-w- c:\windows\system32\QuickTime.qts
    .

    ------- Sigcheck -------

    [-] 2010-04-03 . 9425B72F40257B45D45D24773273DAD0 . 361600 . . [5.1.2600.5625] . . c:\windows\system32\drivers\tcpip.sys

    [-] 2010-04-03 . 5A8E28037289FCCBF7AD3FC57DF7048F . 502272 . . [1.0626.6002.18005] . . c:\windows\system32\usp10.dll

    [-] 2010-04-03 . F2DF0FDBD41B34112EE05ED04258F052 . 1614848 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Steam"="c:\program files\Steam\steam.exe" [2010-12-21 1242448]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "RTHDCPL"="RTHDCPL.EXE" [2008-04-06 16860672]
    "LtMoh"="c:\program files\ltmoh\Ltmoh.exe" [2007-01-09 191552]
    "Camera Assistant Software"="c:\program files\Camera Assistant Software for Toshiba\traybar.exe" [2008-04-28 417792]
    "TPSMain"="TPSMain.exe" [2008-07-30 266240]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-08-28 150040]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-08-28 170520]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2008-08-28 141848]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
    "MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2010-11-30 997408]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-01-31 35760]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-20 932288]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
    "DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-25 437160]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "_nltide_3"="advpack.dll" [2010-04-03 128512]

    c:\documents and settings\Bob\Start Menu\Programs\Startup\
    OpenOffice.org 3.2.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2010-5-20 1195008]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Bitmeter2.lnk - c:\program files\Codebox\BitMeter\BitMeter2.exe [2010-8-28 1462272]

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
    "ForceClassicControlPanel"= 1 (0x1)

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
    SecurityProviders schannel.dll, digest.dll

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
    @="Service"

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\uTorrent\\uTorrent.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\Steam\\Steam.exe"=
    "c:\\Program Files\\Steam\\steamapps\\latexdemon\\half-life 2 deathmatch\\hl2.exe"=
    "c:\\Program Files\\Steam\\steamapps\\latexdemon\\source sdk base 2007\\hl2.exe"=
    "c:\\Program Files\\Steam\\steamapps\\latexdemon\\source sdk base\\hl2.exe"=
    "c:\\WINDOWS\\system32\\dpvsetup.exe"=
    "c:\\Program Files\\mIRC\\mirc.exe"=
    "c:\\Program Files\\Steam\\steamapps\\latexdemon\\counter-strike source\\hl2.exe"=

    R0 iastor86;iastor86;c:\windows\system32\drivers\iastor86.sys [4/04/2010 4:03 AM 327192]
    R1 MpKsl933f9698;MpKsl933f9698;c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{BE6FEB8B-A88A-4E91-91CC-EB05896DDBF2}\MpKsl933f9698.sys [22/02/2011 7:38 PM 28752]
    R1 SAVRKBootTasks;Boot Tasks Driver;c:\windows\system32\SAVRKBootTasks.sys [19/02/2011 7:33 PM 18816]
    S1 MpKsl43f042e4;MpKsl43f042e4;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{49316F14-479B-4ABB-9E3E-F79C07EAC0C1}\MpKsl43f042e4.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{49316F14-479B-4ABB-9E3E-F79C07EAC0C1}\MpKsl43f042e4.sys [?]
    S1 MpKsl4d9aa61d;MpKsl4d9aa61d;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{D4DF6549-B41A-4CD7-ADBA-E8BA4D215354}\MpKsl4d9aa61d.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{D4DF6549-B41A-4CD7-ADBA-E8BA4D215354}\MpKsl4d9aa61d.sys [?]
    S1 MpKsl7d192544;MpKsl7d192544;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{7081DF1E-4DBA-486B-834B-A6AD0F3367DA}\MpKsl7d192544.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{7081DF1E-4DBA-486B-834B-A6AD0F3367DA}\MpKsl7d192544.sys [?]
    S1 MpKsl85a0f85d;MpKsl85a0f85d;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{D4DF6549-B41A-4CD7-ADBA-E8BA4D215354}\MpKsl85a0f85d.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{D4DF6549-B41A-4CD7-ADBA-E8BA4D215354}\MpKsl85a0f85d.sys [?]
    S1 MpKsl88c7a7ac;MpKsl88c7a7ac;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{D4DF6549-B41A-4CD7-ADBA-E8BA4D215354}\MpKsl88c7a7ac.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{D4DF6549-B41A-4CD7-ADBA-E8BA4D215354}\MpKsl88c7a7ac.sys [?]
    S3 cpudrv;cpudrv;c:\program files\SystemRequirementsLab\cpudrv.sys [18/12/2009 10:58 AM 11336]
    S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\6F.tmp --> c:\windows\system32\6F.tmp [?]

    --- Other Services/Drivers In Memory ---

    *NewlyCreated* - MPKSL933F9698
    *Deregistered* - klmd25

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
    .
    Contents of the 'Scheduled Tasks' folder

    2011-02-15 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 00:50]

    2011-02-21 c:\windows\Tasks\MP Scheduled Scan.job
    - c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2010-11-11 01:26]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.scroogle.org/cgi-bin/scraper.htm
    uInternet Settings,ProxyOverride = *.local
    FF - ProfilePath - c:\documents and settings\Bob\Application Data\Mozilla\Firefox\Profiles\ysxhsgrc.default\
    FF - prefs.js: browser.search.selectedEngine - Scroogle SSL search
    FF - prefs.js: browser.startup.homepage - hxxp://www.scroogle.org/cgi-bin/scraper.htm
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: foof: foof@foofme.com - %profile%\extensions\foof@foofme.com
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    FF - Ext: Boost for Facebook: {47624dda-b77e-4feb-820a-e4f077d5d4ca} - %profile%\extensions\{47624dda-b77e-4feb-820a-e4f077d5d4ca}
    FF - Ext: FEBE: {4BBDD651-70CF-4821-84F8-2B918CF89CA3} - %profile%\extensions\{4BBDD651-70CF-4821-84F8-2B918CF89CA3}
    FF - Ext: Update Notifier: {95f24680-9e31-11da-a746-0800200c9a66} - %profile%\extensions\{95f24680-9e31-11da-a746-0800200c9a66}
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - %profile%\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: ImTranslator: {9AA46F4F-4DC7-4c06-97AF-5035170634FE} - %profile%\extensions\{9AA46F4F-4DC7-4c06-97AF-5035170634FE}
    FF - Ext: Fasterfox: {c36177c0-224a-11da-8cd6-0800200c9a91} - %profile%\extensions\{c36177c0-224a-11da-8cd6-0800200c9a91}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - %profile%\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}
    FF - Ext: Greasemonkey: {e4a8a97b-f2ed-450b-b12d-ee082ba24781} - %profile%\extensions\{e4a8a97b-f2ed-450b-b12d-ee082ba24781}
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
    FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
    .
    - - - - ORPHANS REMOVED - - - -

    HKLM-Run-LClock - c:\program files\LClock\LClock.exe
    AddRemove-GoldenEye: Source - c:\program files\Steam\SteamApps\sourcemods\GoldenEye: Source_Uninstall.exe



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-02-22 19:48
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2]
    "ImagePath"="\??\c:\windows\system32\6F.tmp"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(932)
    c:\windows\system32\igfxdev.dll
    .
    Completion time: 2011-02-22 19:50:00
    ComboFix-quarantined-files.txt 2011-02-22 08:49

    Pre-Run: 89,443,737,600 bytes free
    Post-Run: 89,502,990,336 bytes free

    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    UnsupportedDebug="do not select this" /debug
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

    - - End Of File - - EAF2FAB4E6AA07BD1CF9C41DFF9259F2
     
  10. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Believe it or not, I started on this 2 nights ago- was almost finished and **** internet went down. It's an intermittent problem I've been having with ISP!

    Please run this Custom CFScript:

    • [1]. Close any open browsers.
      [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      [3]. Open notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it. Be sure to scroll down to include ALL lines.
    Code:
    File::
    c:\windows\system32\6F.tmp
    Folder::
    C:\TDSSKiller_Quarantine
    Registry::
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\mIRC\\mirc.exe"=-
    Driver::
    MEMSWEEP2
    
    
    Save this as CFScript.txt, in the same location as ComboFix.exe
    [IMG]

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt . Please paste in your next reply.
    ====================
    I would also like to ask about these files:
    S1 MpKsl43f042e4;MpKsl43f042e4;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{49316F14-479B-4ABB-9E3E-F79C07EAC0C1}\MpKsl43f042e4.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{49316F14-479B-4ABB-9E3E-F79C07EAC0C1}\MpKsl43f042e4.sys [?]

    There are 5 of these same kind of files in the Service/Driver section of the log. I have not seen this before. All have the same question mark in Combofix- I didn't put that in. When I try to identify the name such as MpKsl43f042e4, this thread is the only entry that comes up on the internet.

    Please check the configuration of the program- there is an error somewhere in it, regarding the updates. Possibly doing a manual update, followed by a reboot will handle it. If it does not, I will remove all of them with script.
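The two things Bobbye picks out of the ComboFix "Reg Loading Points" section by eye are a driver whose image is a .tmp file (MEMSWEEP2 pointing at 6F.tmp) and a cluster of services whose files ComboFix could not find on disk, marked "[?]" (the five MpKsl entries under the Microsoft Antimalware "Definition Updates" GUID folders). As an added example, not code from this thread or from ComboFix, the Python script below parses that section's service/driver lines and flags those same three signals: image missing on disk, image loaded from a .tmp file, and several services that differ only in a hex suffix. The line format the regular expression assumes is my reading of the log lines in this thread; the sample lines are taken from the log above with the long GUID directories shortened to "..." to keep them readable.

```python
import re
from collections import Counter
from typing import Dict, List, NamedTuple, Optional

# Service/driver lines as ComboFix prints them in its "Reg Loading Points" section
# (format as observed in this thread's log, an assumption of this example):
#   <start type> <service name>;<display name>;<image path> [<file date and size>]
# When the file is not on disk ComboFix prints "[?]" instead of the date and size and
# shows the registry ImagePath followed by "--> <resolved path>".
LINE_RE = re.compile(r"^(?P<start>[RS][0-4])\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.+)$")
HEX_SUFFIX_RE = re.compile(r"[0-9a-f]{6,}$", re.IGNORECASE)


class Entry(NamedTuple):
    start_type: str   # R0/R1 = running (boot/system start), S1/S3 = stopped
    name: str
    image: str
    on_disk: bool     # False when ComboFix printed "[?]"


def parse_entry(line: str) -> Optional[Entry]:
    """Parse one service/driver line; return None for any other line in the log."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest").rstrip()
    on_disk = not rest.endswith("[?]")
    path = rest.split("-->")[-1]                        # keep the resolved path when one is shown
    path = re.sub(r"\s*\[[^\]]*\]$", "", path).strip()  # drop the trailing "[date size]" or "[?]"
    return Entry(m.group("start"), m.group("name"), path, on_disk)


def triage(lines: List[str]) -> Dict[str, List[str]]:
    """Flag the patterns a helper looks for when reading this section by hand."""
    entries = [e for e in map(parse_entry, lines) if e is not None]
    findings: Dict[str, List[str]] = {"missing_image": [], "temp_image": [], "repeated_prefix": []}
    for e in entries:
        if not e.on_disk:
            findings["missing_image"].append(e.name)   # registry entry whose file is gone
        if e.image.lower().endswith(".tmp"):
            findings["temp_image"].append(e.name)      # driver image that is a .tmp file
    # Several services that differ only in a hex suffix (MpKsl43f042e4, MpKsl4d9aa61d, ...):
    # worth a look, but the path tells you which product dropped them.
    prefixes = Counter(HEX_SUFFIX_RE.sub("", e.name) for e in entries)
    for e in entries:
        prefix = HEX_SUFFIX_RE.sub("", e.name)
        if prefix != e.name and prefixes[prefix] >= 3:
            findings["repeated_prefix"].append(e.name)
    return findings


# Constructed sample: lines from the ComboFix log in this thread, with the long
# "Definition Updates\{GUID}" directories shortened to "...".
SAMPLE_LINES = r"""
R0 iastor86;iastor86;c:\windows\system32\drivers\iastor86.sys [4/04/2010 4:03 AM 327192]
R1 MpKsl933f9698;MpKsl933f9698;c:\documents and settings\All Users\...\MpKsl933f9698.sys [22/02/2011 7:38 PM 28752]
R1 SAVRKBootTasks;Boot Tasks Driver;c:\windows\system32\SAVRKBootTasks.sys [19/02/2011 7:33 PM 18816]
S1 MpKsl43f042e4;MpKsl43f042e4;\??\c:\...\MpKsl43f042e4.sys --> c:\...\MpKsl43f042e4.sys [?]
S1 MpKsl4d9aa61d;MpKsl4d9aa61d;\??\c:\...\MpKsl4d9aa61d.sys --> c:\...\MpKsl4d9aa61d.sys [?]
S1 MpKsl7d192544;MpKsl7d192544;\??\c:\...\MpKsl7d192544.sys --> c:\...\MpKsl7d192544.sys [?]
S3 cpudrv;cpudrv;c:\program files\SystemRequirementsLab\cpudrv.sys [18/12/2009 10:58 AM 11336]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\6F.tmp --> c:\windows\system32\6F.tmp [?]
""".strip().splitlines()

if __name__ == "__main__":
    for category, names in triage(SAMPLE_LINES).items():
        print(f"{category}: {', '.join(names) or '-'}")
```

On the sample the script lists MEMSWEEP2 under both missing_image and temp_image, and the four MpKsl entries under repeated_prefix (three of them also under missing_image). The split matters: a stopped service whose .tmp image no longer exists is the kind of leftover the CFScript above removes, while repeated entries under a product's own definition-update directory are something to resolve through that product's update and configuration, which is the distinction Bobbye draws in the post.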
     
  11. rubbersoul

    rubbersoul TS Rookie Topic Starter Posts: 17

    Bobbye,

    I have completed the combofix tasks and the log is as follows. In regards to the " 5 of these same kind of files in the Service/Driver section of the log " I assume that's associated with Microsoft Security Essentials? I have tried updating definitions and rebooting. I'm not certain if that has removed them.

    Combofix log as follows ;

    ComboFix 11-02-24.01 - Bob 25/02/2011 10:27:16.3.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.2940.2479 [GMT 11:00]
    Running from: c:\documents and settings\Bob\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\Bob\Desktop\CFScript.exe.txt
    AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
    AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
    .

    ((((((((((((((((((((((((( Files Created from 2011-01-24 to 2011-02-24 )))))))))))))))))))))))))))))))
    .

    2011-02-24 22:56 . 2011-02-24 22:56 28752 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{7A4A95BF-EBD2-4F97-8150-1C57A6AAF96A}\MpKsl68c2520a.sys
    2011-02-24 22:56 . 2011-02-11 06:54 5943120 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{7A4A95BF-EBD2-4F97-8150-1C57A6AAF96A}\mpengine.dll
    2011-02-22 01:28 . 2011-02-22 01:28 -------- d-----w- c:\program files\ESET
    2011-02-19 08:33 . 2010-05-25 23:45 18816 ------w- c:\windows\system32\SAVRKBootTasks.sys
    2011-02-19 00:29 . 2011-02-19 00:29 -------- d-----w- c:\program files\Sophos
    2011-02-18 13:07 . 2010-12-03 19:43 553696 ----a-w- c:\program files\Mozilla Firefox\uninstall\helper.exe
    2011-02-17 22:29 . 2011-02-17 22:30 -------- d-----w- c:\program files\Common Files\Adobe
    2011-02-17 01:04 . 2011-02-17 02:18 -------- d-----w- c:\documents and settings\Bob\Application Data\dvdcss
    2011-02-13 02:21 . 2011-02-13 02:22 -------- d-----w- c:\program files\WarZone
    2011-02-13 02:18 . 2011-02-13 02:18 -------- d-----w- c:\program files\Microprose
    2011-02-04 10:32 . 2011-02-04 10:32 -------- d-----w- c:\documents and settings\Bob\Application Data\Rovio
    2011-02-04 10:31 . 2009-08-23 23:15 761152 ----a-w- c:\windows\system32\msvcr100.dll
    2011-01-30 11:12 . 2011-01-13 09:41 5890896 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Updates\mpengine.dll
    2011-01-30 11:12 . 2011-01-30 11:13 -------- d-----w- c:\program files\Microsoft Security Client
    2011-01-30 03:57 . 2011-01-30 03:57 103864 ----a-w- c:\program files\Internet Explorer\Plugins\nppdf32.dll

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-02-11 06:54 . 2010-12-16 04:11 5943120 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
    2011-01-21 14:44 . 2008-04-14 03:42 439296 ----a-w- c:\windows\system32\shimgvw.dll
    2011-01-07 14:09 . 2008-04-14 03:39 290048 ----a-w- c:\windows\system32\atmfd.dll
    2010-12-31 13:10 . 2010-04-03 15:47 1854976 ----a-w- c:\windows\system32\win32k.sys
    2010-12-22 12:34 . 2010-04-03 15:45 301568 ----a-w- c:\windows\system32\kerberos.dll
    2010-12-20 23:59 . 2010-04-03 15:50 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-12-20 23:59 . 2010-04-03 15:50 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2010-12-20 23:59 . 2010-04-03 15:50 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
    2010-12-20 17:26 . 2010-04-03 15:46 730112 ----a-w- c:\windows\system32\lsasrv.dll
    2010-12-20 12:55 . 2010-04-03 15:50 385024 ----a-w- c:\windows\system32\html.iec
    2010-12-20 07:09 . 2010-12-16 05:47 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-12-20 07:08 . 2010-12-16 05:47 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-12-14 13:34 . 2010-12-14 13:34 315392 ----a-w- c:\windows\HideWin.exe
    2010-12-09 15:15 . 2009-02-09 12:10 718336 ----a-w- c:\windows\system32\ntdll.dll
    2010-12-09 14:30 . 2010-04-03 15:45 33280 ----a-w- c:\windows\system32\csrsrv.dll
    2010-12-09 13:42 . 2010-04-03 15:46 2148864 ----a-w- c:\windows\system32\ntoskrnl.exe
    2010-12-09 13:07 . 2009-12-08 18:43 2027008 ----a-w- c:\windows\system32\ntkrnlpa.exe
    2010-11-29 06:38 . 2010-11-29 06:38 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
    2010-11-29 06:38 . 2010-11-29 06:38 69632 ----a-w- c:\windows\system32\QuickTime.qts
    .

    ------- Sigcheck -------

    [-] 2010-04-03 . 9425B72F40257B45D45D24773273DAD0 . 361600 . . [5.1.2600.5625] . . c:\windows\system32\drivers\tcpip.sys

    [-] 2010-04-03 . 5A8E28037289FCCBF7AD3FC57DF7048F . 502272 . . [1.0626.6002.18005] . . c:\windows\system32\usp10.dll

    [-] 2010-04-03 . F2DF0FDBD41B34112EE05ED04258F052 . 1614848 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll
    .
    ((((((((((((((((((((((((((((( SnapShot@2011-02-22_08.48.42 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2011-02-24 22:49 . 2011-02-24 22:49 16384 c:\windows\Temp\Perflib_Perfdata_568.dat
    - 2010-12-13 20:42 . 2010-07-05 13:15 17272 c:\windows\system32\spmsg.dll
    + 2010-12-13 20:42 . 2008-07-08 13:02 17272 c:\windows\system32\spmsg.dll
    + 2008-04-14 03:42 . 2009-07-27 23:17 135168 c:\windows\system32\shsvcs.dll
    - 2008-04-14 03:42 . 2008-04-14 03:42 135168 c:\windows\system32\shsvcs.dll
    + 2008-04-14 03:42 . 2009-07-27 23:17 135168 c:\windows\system32\dllcache\shsvcs.dll
    - 2008-04-14 03:42 . 2008-04-14 03:42 135168 c:\windows\system32\dllcache\shsvcs.dll
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Steam"="c:\program files\Steam\steam.exe" [2010-12-21 1242448]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "RTHDCPL"="RTHDCPL.EXE" [2008-04-06 16860672]
    "LtMoh"="c:\program files\ltmoh\Ltmoh.exe" [2007-01-09 191552]
    "Camera Assistant Software"="c:\program files\Camera Assistant Software for Toshiba\traybar.exe" [2008-04-28 417792]
    "TPSMain"="TPSMain.exe" [2008-07-30 266240]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-08-28 150040]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-08-28 170520]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2008-08-28 141848]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
    "MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2010-11-30 997408]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-01-31 35760]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-20 932288]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
    "DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-25 437160]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "_nltide_3"="advpack.dll" [2010-04-03 128512]

    c:\documents and settings\Bob\Start Menu\Programs\Startup\
    OpenOffice.org 3.2.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2010-5-20 1195008]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Bitmeter2.lnk - c:\program files\Codebox\BitMeter\BitMeter2.exe [2010-8-28 1462272]

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
    "ForceClassicControlPanel"= 1 (0x1)

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
    SecurityProviders schannel.dll, digest.dll

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
    @="Service"

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\uTorrent\\uTorrent.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\Steam\\Steam.exe"=
    "c:\\Program Files\\Steam\\steamapps\\latexdemon\\half-life 2 deathmatch\\hl2.exe"=
    "c:\\Program Files\\Steam\\steamapps\\latexdemon\\source sdk base 2007\\hl2.exe"=
    "c:\\Program Files\\Steam\\steamapps\\latexdemon\\source sdk base\\hl2.exe"=
    "c:\\WINDOWS\\system32\\dpvsetup.exe"=
    "c:\\Program Files\\mIRC\\mirc.exe"=
    "c:\\Program Files\\Steam\\steamapps\\latexdemon\\counter-strike source\\hl2.exe"=

    R0 iastor86;iastor86;c:\windows\system32\drivers\iastor86.sys [4/04/2010 4:03 AM 327192]
    R1 MpKsl68c2520a;MpKsl68c2520a;c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{7A4A95BF-EBD2-4F97-8150-1C57A6AAF96A}\MpKsl68c2520a.sys [25/02/2011 9:56 AM 28752]
    R1 SAVRKBootTasks;Boot Tasks Driver;c:\windows\system32\SAVRKBootTasks.sys [19/02/2011 7:33 PM 18816]
    S1 MpKsl08ae13cb;MpKsl08ae13cb;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{F624763D-9851-4317-8895-6A931C4BA3B2}\MpKsl08ae13cb.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{F624763D-9851-4317-8895-6A931C4BA3B2}\MpKsl08ae13cb.sys [?]
    S1 MpKsl43f042e4;MpKsl43f042e4;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{49316F14-479B-4ABB-9E3E-F79C07EAC0C1}\MpKsl43f042e4.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{49316F14-479B-4ABB-9E3E-F79C07EAC0C1}\MpKsl43f042e4.sys [?]
    S1 MpKsl4d9aa61d;MpKsl4d9aa61d;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{D4DF6549-B41A-4CD7-ADBA-E8BA4D215354}\MpKsl4d9aa61d.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{D4DF6549-B41A-4CD7-ADBA-E8BA4D215354}\MpKsl4d9aa61d.sys [?]
    S1 MpKsl7d192544;MpKsl7d192544;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{7081DF1E-4DBA-486B-834B-A6AD0F3367DA}\MpKsl7d192544.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{7081DF1E-4DBA-486B-834B-A6AD0F3367DA}\MpKsl7d192544.sys [?]
    S1 MpKsl85a0f85d;MpKsl85a0f85d;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{D4DF6549-B41A-4CD7-ADBA-E8BA4D215354}\MpKsl85a0f85d.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{D4DF6549-B41A-4CD7-ADBA-E8BA4D215354}\MpKsl85a0f85d.sys [?]
    S1 MpKsl88c7a7ac;MpKsl88c7a7ac;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{D4DF6549-B41A-4CD7-ADBA-E8BA4D215354}\MpKsl88c7a7ac.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{D4DF6549-B41A-4CD7-ADBA-E8BA4D215354}\MpKsl88c7a7ac.sys [?]
    S3 cpudrv;cpudrv;c:\program files\SystemRequirementsLab\cpudrv.sys [18/12/2009 10:58 AM 11336]

    --- Other Services/Drivers In Memory ---

    *NewlyCreated* - MPKSL68C2520A
    *NewlyCreated* - MPKSLC4D5D859
    *Deregistered* - MpKslc4d5d859

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
    .
    Contents of the 'Scheduled Tasks' folder

    2011-02-22 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 00:50]

    2011-02-24 c:\windows\Tasks\MP Scheduled Scan.job
    - c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2010-11-11 01:26]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.scroogle.org/cgi-bin/scraper.htm
    uInternet Settings,ProxyOverride = *.local
    FF - ProfilePath - c:\documents and settings\Bob\Application Data\Mozilla\Firefox\Profiles\ysxhsgrc.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.scroogle.org/cgi-bin/scraper.htm
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: foof: foof@foofme.com - %profile%\extensions\foof@foofme.com
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    FF - Ext: Boost for Facebook: {47624dda-b77e-4feb-820a-e4f077d5d4ca} - %profile%\extensions\{47624dda-b77e-4feb-820a-e4f077d5d4ca}
    FF - Ext: FEBE: {4BBDD651-70CF-4821-84F8-2B918CF89CA3} - %profile%\extensions\{4BBDD651-70CF-4821-84F8-2B918CF89CA3}
    FF - Ext: Update Notifier: {95f24680-9e31-11da-a746-0800200c9a66} - %profile%\extensions\{95f24680-9e31-11da-a746-0800200c9a66}
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - %profile%\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: ImTranslator: {9AA46F4F-4DC7-4c06-97AF-5035170634FE} - %profile%\extensions\{9AA46F4F-4DC7-4c06-97AF-5035170634FE}
    FF - Ext: Fasterfox: {c36177c0-224a-11da-8cd6-0800200c9a91} - %profile%\extensions\{c36177c0-224a-11da-8cd6-0800200c9a91}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - %profile%\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}
    FF - Ext: Greasemonkey: {e4a8a97b-f2ed-450b-b12d-ee082ba24781} - %profile%\extensions\{e4a8a97b-f2ed-450b-b12d-ee082ba24781}
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
    FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-02-25 10:30
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'explorer.exe'(904)
    c:\windows\system32\WININET.dll
    c:\windows\system32\ieframe.dll
    c:\program files\OpenOffice.org 3\Basis\program\shlxthdl\shlxthdl.dll
    c:\program files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll
    c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    Completion time: 2011-02-25 10:31:39
    ComboFix-quarantined-files.txt 2011-02-24 23:31
    ComboFix2.txt 2011-02-24 22:52
    ComboFix3.txt 2011-02-22 08:50

    Pre-Run: 83,417,186,304 bytes free
    Post-Run: 83,406,413,824 bytes free

    - - End Of File - - FB11D6F485ACFE854FDD86DAB7D13E55
     
  12. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Okay, we'll clean up some of the excess update processes:

    Please run this Custom CFScript:

    • [1]. Close any open browsers.
      [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  [3]. Open notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it:
    Code:
    File::
    c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{F624763D-9851-4317-8895-6A931C4BA3B2}\MpKsl08ae13cb.sys
    c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{49316F14-479B-4ABB-9E3E-F79C07EAC0C1}\MpKsl43f042e4.sys
    c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{D4DF6549-B41A-4CD7-ADBA-E8BA4D215354}\MpKsl4d9aa61d.sys
    c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{7081DF1E-4DBA-486B-834B-A6AD0F3367DA}\MpKsl7d192544.sys
    c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{D4DF6549-B41A-4CD7-ADBA-E8BA4D215354}\MpKsl85a0f85d.sys
    c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{D4DF6549-B41A-4CD7-ADBA-E8BA4D215354}\MpKsl88c7a7ac.sys 
    
    Driver::
    MpKsl08ae13cb
    MpKsl43f042e4
    MpKsl4d9aa61d
    MpKsl7d192544
    MpKsl85a0f85d
    MpKsl88c7a7ac
    
    Save this as CFScript.txt, in the same location as ComboFix.exe

    Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt . Please paste it into your next reply.
    ====================
    One more check to make sure there are no bad entries left:
    Download HijackThis and save to your desktop.
    • Extract it to a directory on your hard drive called c:\HijackThis.
    • Then navigate to that directory and double-click on the hijackthis.exe file.
    • When started click on the Scan button and then the Save Log button to create a log of your information.
• The log file will then open in Notepad. Be sure to click on Format> Uncheck Word Wrap when you open Notepad
    • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
    • Come back here to this thread and paste (Ctrl+V) the log in your next reply.

    NOTE: Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.
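The CFScript in the post above was written by hand from the S1 MpKsl* driver lines of the earlier ComboFix log, the ones whose path is followed by `[?]` instead of a date and size. As an added example that is not part of this thread or of ComboFix itself, the Python below parses lines in that layout and renders the File::/Driver:: sections; the sample lines are constructed from the log format above, `examplesvc` is a hypothetical non-MpKsl orphan included only to show the filter, and reading `[?]` as "file not found on disk" is an assumption.

```python
import re

# Constructed sample in the layout of the ComboFix "Drivers/Services" lines above.
# Each line is: start type, service name, display name, image path, then either
# the file's date/size in brackets or "[?]" where ComboFix found no such file.
# "examplesvc" is a hypothetical non-MpKsl orphan, included only to show the filter.
SAMPLE_LOG = r"""
R0 iastor86;iastor86;c:\windows\system32\drivers\iastor86.sys [4/04/2010 4:03 AM 327192]
R1 SAVRKBootTasks;Boot Tasks Driver;c:\windows\system32\SAVRKBootTasks.sys [19/02/2011 7:33 PM 18816]
S1 MpKsl08ae13cb;MpKsl08ae13cb;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{F624763D-9851-4317-8895-6A931C4BA3B2}\MpKsl08ae13cb.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{F624763D-9851-4317-8895-6A931C4BA3B2}\MpKsl08ae13cb.sys [?]
S1 MpKsl43f042e4;MpKsl43f042e4;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{49316F14-479B-4ABB-9E3E-F79C07EAC0C1}\MpKsl43f042e4.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{49316F14-479B-4ABB-9E3E-F79C07EAC0C1}\MpKsl43f042e4.sys [?]
S3 cpudrv;cpudrv;c:\program files\SystemRequirementsLab\cpudrv.sys [18/12/2009 10:58 AM 11336]
S3 examplesvc;Example Service;c:\program files\example\example.sys [?]
"""

# start type (R0/R1/S1/S3...), name, display name, path, trailing "[...]" info block
DRIVER_LINE = re.compile(
    r"^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<path>.+?)\s+(?P<info>\[[^\]]*\])$"
)


def parse_driver_lines(log_text):
    """Parse ComboFix service/driver lines into dicts; non-matching lines are skipped."""
    entries = []
    for raw in log_text.splitlines():
        m = DRIVER_LINE.match(raw.strip())
        if not m:
            continue
        path = m.group("path")
        # An unreadable image is printed as "<ImagePath from registry> --> <resolved path>";
        # keep the resolved path, which is what the File:: section needs.
        if " --> " in path:
            path = path.split(" --> ", 1)[1]
        entries.append({
            "start": m.group("start"),
            "name": m.group("name"),
            "display": m.group("display"),
            "path": path,
            "file_missing": m.group("info") == "[?]",  # assumption: "[?]" = file not found
        })
    return entries


def orphaned_mp_drivers(entries):
    """Keep only MpKsl* entries (MSE definition-update drivers) whose .sys file is gone.

    Other orphaned services are deliberately left alone: a missing file is a reason
    to look, not a licence to delete, so the filter is restricted to the family the
    helper identified in the thread.
    """
    return [e for e in entries
            if e["file_missing"] and e["name"].lower().startswith("mpksl")]


def build_cfscript(entries):
    """Render the File:: and Driver:: sections in the layout used in the post above."""
    lines = ["File::"] + [e["path"] for e in entries]
    lines += ["", "Driver::"] + [e["name"] for e in entries]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Print the CFScript that would be saved beside ComboFix.exe as CFScript.txt.
    orphans = orphaned_mp_drivers(parse_driver_lines(SAMPLE_LOG))
    print(build_cfscript(orphans))
```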
     
  13. rubbersoul

    rubbersoul TS Rookie Topic Starter Posts: 17

    Hey Bobbye

    Combofix and hijackthis logs are as follows:

    ComboFix 11-02-24.01 - Bob 02/03/2011 0:00.4.2 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.2940.2466 [GMT 11:00]
    Running from: c:\documents and settings\Bob\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\Bob\Desktop\CFScript.txt.txt
    AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
    AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}

    FILE ::
    "c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{49316F14-479B-4ABB-9E3E-F79C07EAC0C1}\MpKsl43f042e4.sys"
    "c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{7081DF1E-4DBA-486B-834B-A6AD0F3367DA}\MpKsl7d192544.sys"
    "c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{D4DF6549-B41A-4CD7-ADBA-E8BA4D215354}\MpKsl4d9aa61d.sys"
    "c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{D4DF6549-B41A-4CD7-ADBA-E8BA4D215354}\MpKsl85a0f85d.sys"
    "c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{D4DF6549-B41A-4CD7-ADBA-E8BA4D215354}\MpKsl88c7a7ac.sys"
    "c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{F624763D-9851-4317-8895-6A931C4BA3B2}\MpKsl08ae13cb.sys"
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_MPKSL08AE13CB
    -------\Legacy_MPKSL43F042E4
    -------\Legacy_MPKSL4D9AA61D
    -------\Legacy_MPKSL7D192544
    -------\Legacy_MPKSL85A0F85D
    -------\Legacy_MPKSL88C7A7AC
    -------\Service_MpKsl08ae13cb
    -------\Service_MpKsl43f042e4
    -------\Service_MpKsl4d9aa61d
    -------\Service_MpKsl7d192544
    -------\Service_MpKsl85a0f85d
    -------\Service_MpKsl88c7a7ac


    ((((((((((((((((((((((((( Files Created from 2011-02-01 to 2011-03-01 )))))))))))))))))))))))))))))))
    .

    2011-02-28 08:11 . 2011-02-11 06:54 5943120 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{DC2088C0-A466-49C4-9992-D0466A390C05}\mpengine.dll
    2011-02-25 00:24 . 2011-02-25 00:24 -------- d-----w- c:\documents and settings\Bob\Local Settings\Application Data\Identities
    2011-02-22 01:28 . 2011-02-22 01:28 -------- d-----w- c:\program files\ESET
    2011-02-19 08:33 . 2010-05-25 23:45 18816 ------w- c:\windows\system32\SAVRKBootTasks.sys
    2011-02-19 00:29 . 2011-02-19 00:29 -------- d-----w- c:\program files\Sophos
    2011-02-18 13:07 . 2010-12-03 19:43 553696 ----a-w- c:\program files\Mozilla Firefox\uninstall\helper.exe
    2011-02-17 22:29 . 2011-02-17 22:30 -------- d-----w- c:\program files\Common Files\Adobe
    2011-02-17 01:04 . 2011-02-17 02:18 -------- d-----w- c:\documents and settings\Bob\Application Data\dvdcss
    2011-02-13 02:21 . 2011-02-13 02:22 -------- d-----w- c:\program files\WarZone
    2011-02-13 02:18 . 2011-02-13 02:18 -------- d-----w- c:\program files\Microprose
    2011-02-04 10:32 . 2011-02-04 10:32 -------- d-----w- c:\documents and settings\Bob\Application Data\Rovio
    2011-02-04 10:31 . 2009-08-23 23:15 761152 ----a-w- c:\windows\system32\msvcr100.dll

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2011-02-11 06:54 . 2010-12-16 04:11 5943120 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
    2011-01-21 14:44 . 2008-04-14 03:42 439296 ----a-w- c:\windows\system32\shimgvw.dll
    2011-01-13 09:41 . 2011-01-30 11:12 5890896 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Updates\mpengine.dll
    2011-01-07 14:09 . 2008-04-14 03:39 290048 ----a-w- c:\windows\system32\atmfd.dll
    2010-12-31 13:10 . 2010-04-03 15:47 1854976 ----a-w- c:\windows\system32\win32k.sys
    2010-12-22 12:34 . 2010-04-03 15:45 301568 ----a-w- c:\windows\system32\kerberos.dll
    2010-12-20 23:59 . 2010-04-03 15:50 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-12-20 23:59 . 2010-04-03 15:50 43520 ----a-w- c:\windows\system32\licmgr10.dll
    2010-12-20 23:59 . 2010-04-03 15:50 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
    2010-12-20 17:26 . 2010-04-03 15:46 730112 ----a-w- c:\windows\system32\lsasrv.dll
    2010-12-20 12:55 . 2010-04-03 15:50 385024 ----a-w- c:\windows\system32\html.iec
    2010-12-20 07:09 . 2010-12-16 05:47 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-12-20 07:08 . 2010-12-16 05:47 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-12-14 13:34 . 2010-12-14 13:34 315392 ----a-w- c:\windows\HideWin.exe
    2010-12-09 15:15 . 2009-02-09 12:10 718336 ----a-w- c:\windows\system32\ntdll.dll
    2010-12-09 14:30 . 2010-04-03 15:45 33280 ----a-w- c:\windows\system32\csrsrv.dll
    2010-12-09 13:42 . 2010-04-03 15:46 2148864 ----a-w- c:\windows\system32\ntoskrnl.exe
    2010-12-09 13:07 . 2009-12-08 18:43 2027008 ----a-w- c:\windows\system32\ntkrnlpa.exe
    .

    ------- Sigcheck -------

    [-] 2010-04-03 . 9425B72F40257B45D45D24773273DAD0 . 361600 . . [5.1.2600.5625] . . c:\windows\system32\drivers\tcpip.sys

    [-] 2010-04-03 . 5A8E28037289FCCBF7AD3FC57DF7048F . 502272 . . [1.0626.6002.18005] . . c:\windows\system32\usp10.dll

    [-] 2010-04-03 . F2DF0FDBD41B34112EE05ED04258F052 . 1614848 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll
    .
    ((((((((((((((((((((((((((((( SnapShot@2011-02-22_08.48.42 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2011-03-01 13:07 . 2011-03-01 13:07 16384 c:\windows\Temp\Perflib_Perfdata_24c.dat
    - 2010-12-13 20:42 . 2010-07-05 13:15 17272 c:\windows\system32\spmsg.dll
    + 2010-12-13 20:42 . 2008-07-08 13:02 17272 c:\windows\system32\spmsg.dll
    + 2008-04-14 03:42 . 2009-07-27 23:17 135168 c:\windows\system32\shsvcs.dll
    - 2008-04-14 03:42 . 2008-04-14 03:42 135168 c:\windows\system32\shsvcs.dll
    + 2008-04-14 03:42 . 2009-07-27 23:17 135168 c:\windows\system32\dllcache\shsvcs.dll
    - 2008-04-14 03:42 . 2008-04-14 03:42 135168 c:\windows\system32\dllcache\shsvcs.dll
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Steam"="c:\program files\Steam\steam.exe" [2010-12-21 1242448]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "RTHDCPL"="RTHDCPL.EXE" [2008-04-06 16860672]
    "LtMoh"="c:\program files\ltmoh\Ltmoh.exe" [2007-01-09 191552]
    "Camera Assistant Software"="c:\program files\Camera Assistant Software for Toshiba\traybar.exe" [2008-04-28 417792]
    "TPSMain"="TPSMain.exe" [2008-07-30 266240]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-08-28 150040]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-08-28 170520]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2008-08-28 141848]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
    "MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2010-11-30 997408]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-01-31 35760]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-20 932288]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
    "DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-25 437160]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "_nltide_3"="advpack.dll" [2010-04-03 128512]

    c:\documents and settings\Bob\Start Menu\Programs\Startup\
    OpenOffice.org 3.2.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2010-5-20 1195008]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Bitmeter2.lnk - c:\program files\Codebox\BitMeter\BitMeter2.exe [2010-8-28 1462272]

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
    "ForceClassicControlPanel"= 1 (0x1)

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
    SecurityProviders schannel.dll, digest.dll

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
    @="Service"

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\uTorrent\\uTorrent.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\Steam\\Steam.exe"=
    "c:\\Program Files\\Steam\\steamapps\\latexdemon\\half-life 2 deathmatch\\hl2.exe"=
    "c:\\Program Files\\Steam\\steamapps\\latexdemon\\source sdk base 2007\\hl2.exe"=
    "c:\\Program Files\\Steam\\steamapps\\latexdemon\\source sdk base\\hl2.exe"=
    "c:\\WINDOWS\\system32\\dpvsetup.exe"=
    "c:\\Program Files\\mIRC\\mirc.exe"=
    "c:\\Program Files\\Steam\\steamapps\\latexdemon\\counter-strike source\\hl2.exe"=

    R0 iastor86;iastor86;c:\windows\system32\drivers\iastor86.sys [4/04/2010 4:03 AM 327192]
    R1 SAVRKBootTasks;Boot Tasks Driver;c:\windows\system32\SAVRKBootTasks.sys [19/02/2011 7:33 PM 18816]
    S1 MpKsl020a3e57;MpKsl020a3e57;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{DC2088C0-A466-49C4-9992-D0466A390C05}\MpKsl020a3e57.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{DC2088C0-A466-49C4-9992-D0466A390C05}\MpKsl020a3e57.sys [?]
    S1 MpKsl0888d258;MpKsl0888d258;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{DC2088C0-A466-49C4-9992-D0466A390C05}\MpKsl0888d258.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{DC2088C0-A466-49C4-9992-D0466A390C05}\MpKsl0888d258.sys [?]
    S1 MpKsl554f5fb5;MpKsl554f5fb5;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{41431C93-F47D-4BA2-80C5-6540E10CB41E}\MpKsl554f5fb5.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{41431C93-F47D-4BA2-80C5-6540E10CB41E}\MpKsl554f5fb5.sys [?]
    S3 cpudrv;cpudrv;c:\program files\SystemRequirementsLab\cpudrv.sys [18/12/2009 10:58 AM 11336]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
    .
    Contents of the 'Scheduled Tasks' folder

    2011-03-01 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 00:50]

    2011-03-01 c:\windows\Tasks\MP Scheduled Scan.job
    - c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2010-11-11 01:26]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.scroogle.org/cgi-bin/scraper.htm
    uInternet Settings,ProxyOverride = *.local
    FF - ProfilePath - c:\documents and settings\Bob\Application Data\Mozilla\Firefox\Profiles\ysxhsgrc.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.scroogle.org/cgi-bin/scraper.htm
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: foof: foof@foofme.com - %profile%\extensions\foof@foofme.com
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
    FF - Ext: Boost for Facebook: {47624dda-b77e-4feb-820a-e4f077d5d4ca} - %profile%\extensions\{47624dda-b77e-4feb-820a-e4f077d5d4ca}
    FF - Ext: FEBE: {4BBDD651-70CF-4821-84F8-2B918CF89CA3} - %profile%\extensions\{4BBDD651-70CF-4821-84F8-2B918CF89CA3}
    FF - Ext: Update Notifier: {95f24680-9e31-11da-a746-0800200c9a66} - %profile%\extensions\{95f24680-9e31-11da-a746-0800200c9a66}
    FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - %profile%\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
    FF - Ext: ImTranslator: {9AA46F4F-4DC7-4c06-97AF-5035170634FE} - %profile%\extensions\{9AA46F4F-4DC7-4c06-97AF-5035170634FE}
    FF - Ext: Fasterfox: {c36177c0-224a-11da-8cd6-0800200c9a91} - %profile%\extensions\{c36177c0-224a-11da-8cd6-0800200c9a91}
    FF - Ext: Java Console: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - %profile%\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}
    FF - Ext: Greasemonkey: {e4a8a97b-f2ed-450b-b12d-ee082ba24781} - %profile%\extensions\{e4a8a97b-f2ed-450b-b12d-ee082ba24781}
    FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
    FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2011-03-02 00:16
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'explorer.exe'(2576)
    c:\windows\system32\WININET.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Microsoft Security Client\Antimalware\MsMpEng.exe
    c:\windows\system32\agrsmsvc.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\windows\system32\wscntfy.exe
    c:\windows\RTHDCPL.EXE
    c:\windows\system32\igfxsrvc.exe
    .
    **************************************************************************
    .
    Completion time: 2011-03-02 00:19:46 - machine was rebooted
    ComboFix-quarantined-files.txt 2011-03-01 13:19
    ComboFix2.txt 2011-02-24 23:31
    ComboFix3.txt 2011-02-24 22:52
    ComboFix4.txt 2011-02-22 08:50

    Pre-Run: 83,000,569,856 bytes free
    Post-Run: 83,032,801,280 bytes free

    - - End Of File - - 7CDEE1AD65F8D4C05E9F6348CEB6BB1E




    --------------------------------------------------------------------------------------------


    HijackThis Log


    ------------------------------


    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 12:30:54 AM, on 2/03/2011
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 SP3 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\agrsmsvc.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\Program Files\ltmoh\Ltmoh.exe
    C:\WINDOWS\system32\igfxtray.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\Microsoft Security Client\msseces.exe
    C:\WINDOWS\system32\igfxsrvc.exe
    C:\Program Files\Codebox\BitMeter\BitMeter2.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\notepad.exe
    C:\Program Files\Common Files\Java\Java Update\jucheck.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.scroogle.org/cgi-bin/scraper.htm
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
    O4 - HKLM\..\Run: [Camera Assistant Software] "C:\Program Files\Camera Assistant Software for Toshiba\traybar.exe" /start
    O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
    O4 - HKLM\..\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\steam.exe" -silent
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\RunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - HKUS\.DEFAULT\..\RunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
    O4 - Startup: OpenOffice.org 3.2.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe
    O4 - Global Startup: Bitmeter2.lnk = C:\Program Files\Codebox\BitMeter\BitMeter2.exe
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O16 - DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} (GMNRev Class) - http://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection2.cab
    O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
    O16 - DPF: {CF84DAC5-A4F5-419E-A0BA-C01FFD71112F} (SysInfo Class) - http://content.systemrequirementslab.com.s3.amazonaws.com/global/bin/srldetect_intel_4.3.16.0.cab
    O16 - DPF: {E6F480FC-BD44-4CBA-B74A-89AF7842937D} (SysInfo Class) - http://content.systemrequirementslab.com.s3.amazonaws.com/global/bin/srldetect_cyri_4.3.1.0.cab
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
    O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\WINDOWS\system32\agrsmsvc.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

    --
    End of file - 5524 bytes
     
  14. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    I recommend that you uninstall, then reinstall Microsoft Antimalware. It should be having the drivers or Services in multiple and being questioned in Combofix. Although I remove some, others are back.
    =================================================
    Please reopen HijackThis to 'do system scan only'. Check each of the following, if present:

    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\Common Files\Java\Java Update\jucheck.exe
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    O4 - HKLM\..\Run: [Camera Assistant Software] "C:\Program Files\Camera Assistant Software for Toshiba\traybar.exe" /start
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe



    Close all windows except HijackThis and click on "Fix Checked."

    Control Panel> Java> Uncheck the auto-update line. Confirm Yes when asked.
    Java updates don't overwrite earlier versions. If you occasionally check for updates yourself, it will remind you that you must uninstall the earlier version in Add/Remove Programs found in the Control Panel.

    The Java Quick Starter does not need to run. It makes little difference, but uses resources:
    Start> Run> type in services.msc> double click on Java Quick Starter> Change Startup Type to Disabled> Stop the Service

    Use the msconfig utility to uncheck processes for the following on the Startup menu:
    Any Java related processes
    Adobe Reader processes (Reader_sl.exe, AdobeARM.exe)
    Camera Assistant by Toshiba (traybar.exe) can be started when needed
    QuickTime Task> auto-updater


    To remove entries from Startup using the msconfig utility:
    • Click on Start> Run> type in msconfig> enter>
    • Click on Selective Startup
    • Choose the Startup tab:
      This is where you UNCHECK the Startup items. This does not remove the item or uninstall anything> it just stops it from starting on boot. It can be rechecked at any time if wanted.
    • To expand the Command Column, (this shows what the process 'belongs' to) hold left mouse button down on the dividing line on frame above Location and move to the right to expand.
    • Click on Apply> OK when finished.

    NOTE:
    When you reboot the system the first time after making changes using the msconfig utility, a nag message comes up that can be ignored and closed after checking 'don't show this message again.'
    Once you make changes to the Startup menu, you must remain in Selective Startup to retain those changes. If you go back to Normal Startup, everything you unchecked will be checked again and start on boot.
    ======================================
    How is the system running now?
     
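The checklist above picks entries out of the HijackThis log by their type prefix (R0, O2, O4, O23). As an added example, not code from the thread or from HijackThis itself, here is a small Python parser for the line formats that appear in the log, with helpers that flag a blank Start Page value and inventory the O4 autostart commands for comparison with the msconfig Startup tab. The sample lines are constructed in the shape of the log, and the parser only models the R0/R1, O2 and O4 entry types.

```python
import re
# Constructed sample lines in HijackThis v2 format (shaped like the log above, not copied from it).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.scroogle.org/cgi-bin/scraper.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - Global Startup: Bitmeter2.lnk = C:\Program Files\Codebox\BitMeter\BitMeter2.exe
"""

PATTERNS = {
    "R": re.compile(r"^(R[01]) - (HK\w+)\\(.+?),(.+?) =\s?(.*)$"),  # IE start/search page values; URL may be empty
    "O2": re.compile(r"^O2 - BHO: (.*?) - (\{[0-9A-Fa-f-]+\}) - (.*)$"),  # Browser Helper Object: name, CLSID, DLL
    "O4reg": re.compile(r"^O4 - (HK\w+(?:\\[^\\]+)?)\\\.\.\\(Run|RunOnce): \[(.*?)\] (.*?)(?: \(User '(.*)'\))?$"),  # Run/RunOnce autostarts
    "O4folder": re.compile(r"^O4 - (Startup|Global Startup): (.*?) = (.*)$"),  # Startup folder shortcuts
}

def parse_line(line):
    """Return a dict for one HijackThis entry, or None for line types this parser does not model."""
    line = line.strip()
    if m := PATTERNS["R"].match(line):
        return {"type": m[1], "hive": m[2], "key": m[3], "value": m[4], "url": m[5]}
    if m := PATTERNS["O2"].match(line):
        return {"type": "O2", "name": m[1], "clsid": m[2], "path": m[3]}
    if m := PATTERNS["O4reg"].match(line):
        return {"type": "O4", "location": m[1] + "\\" + m[2], "name": m[3], "command": m[4], "user": m[5]}
    if m := PATTERNS["O4folder"].match(line):
        return {"type": "O4", "location": m[1], "name": m[2], "command": m[3], "user": None}
    return None

def parse_log(text):
    return [e for e in map(parse_line, text.splitlines()) if e]

def exe_of(command):
    """Reduce an O4 command line to its executable: honour quotes, else cut after the first .exe token."""
    if m := re.match(r'^"([^"]+)"', command):
        return m[1]
    if m := re.match(r"^(.*?\.exe)(?:\s|$)", command, re.IGNORECASE):
        return m[1]
    return command.split()[0]

def blank_start_pages(entries):
    """R0/R1 entries whose URL is empty, like the HKLM Start Page line checked in the thread."""
    return [e for e in entries if e["type"] in ("R0", "R1") and not e["url"]]

def autostart_commands(entries):
    """Name -> executable for every O4 entry, to compare with the msconfig Startup tab."""
    return {e["name"]: exe_of(e["command"]) for e in entries if e["type"] == "O4"}
```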
  15. rubbersoul

    rubbersoul TS Rookie Topic Starter Posts: 17

    Sorry for the very late reply. My system seems to be running great! Thanks for all your help.
     
  16. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    You're welcome! As you can see, I'm running late also so no problem. Stay safe!
     