TechSpot

Win32/Mebroot, tombirdswithhair.com and Whistler / Black Internet help needed

By dbuerkle
Aug 25, 2010
  1. I use ESET Smart Security 4 and it informed me I had a Win32/Mebroot Trojan virus in memory and it could not clean the virus.
    I tried several AV programs to get rid of it and Microsoft Security Essentials did the trick.

    Now I keep getting an ESET warning that an address "www.tombirdswithhair.com/banner2" 178.17.162.242 is being blocked and the PC freezes for minutes at a time.
    I redirected www.tombirdswithhair.com to 127.0.0.1 using the hosts file and that stops the block warning but my system is still freezing up.

    I ran the MBR Check and it said I have "Whistler / Black Internet" in the MBR of both hard drives.

    Thanks in advance for your assistance.

    Some logs attached due to size limits

    ##########################################################################
    Step 1: Antivirus scanning
    I ran ESET, SUPERAntiSpyware and Microsoft Security Essentials and cleaned all problems.
    ##########################################################################
    Step 2: Temporary File Cleaner - I ran this.
    ##########################################################################
    Step 3: Malwarebytes Anti-Malware
    Malwarebytes' Anti-Malware 1.46
    www.malwarebytes.org

    Database version: 4466

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702

    8/23/2010 7:16:41 PM
    mbam-log-2010-08-23 (19-16-41).txt

    Scan type: Quick scan
    Objects scanned: 164883
    Time elapsed: 38 minute(s), 20 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 3
    Folders Infected: 0
    Files Infected: 1

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    C:\Documents and Settings\All Users\Application Data\sysReserve.ini (Malware.Trace) -> Quarantined and deleted successfully.

    ##########################################################################

    Step 4: GMER Log

    Attached

    ##########################################################################

    Step 5: DDS - DDS.txt

    Attached
    ##########################################################################

    Step 5: DDS - Attach.txt

    Attached
    ##########################################################################

    Additional Step: MBRCheck scan log

    MBRCheck, version 1.2.3
    (c) 2010, AD

    Command-line:
    Windows Version: Windows XP Professional
    Windows Information: Service Pack 3 (build 2600)
    Logical Drives Mask: 0x0000003d

    Kernel Drivers (total 205):
    0x804D7000 \WINDOWS\system32\ntkrnlpa.exe
    0x806E4000 \WINDOWS\system32\hal.dll
    0xF7B12000 \WINDOWS\system32\KDCOM.DLL
    0xF7A22000 \WINDOWS\system32\BOOTVID.dll
    0xF7612000 ekmeqyw.sys
    0xF74E3000 ACPI.sys
    0xF7B14000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
    0xF74D2000 pci.sys
    0xF7622000 isapnp.sys
    0xF7BDA000 pciide.sys
    0xF7892000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
    0xF7B16000 aliide.sys
    0xF7B18000 cmdide.sys
    0xF7B1A000 toside.sys
    0xF7B1C000 viaide.sys
    0xF7B1E000 intelide.sys
    0xF7632000 MountMgr.sys
    0xF74B3000 ftdisk.sys
    0xF7B20000 dmload.sys
    0xF748D000 dmio.sys
    0xF789A000 PartMgr.sys
    0xF7642000 VolSnap.sys
    0xF7A26000 cpqarray.sys
    0xF7475000 \WINDOWS\system32\DRIVERS\SCSIPORT.SYS
    0xF73B7000 iaStor.sys
    0xF739F000 atapi.sys
    0xF7A2A000 aha154x.sys
    0xF78A2000 sparrow.sys
    0xF7A2E000 symc810.sys
    0xF7652000 aic78xx.sys
    0xF7A32000 dac960nt.sys
    0xF7662000 ql10wnt.sys
    0xF7A36000 amsint.sys
    0xF78AA000 asc.sys
    0xF7A3A000 asc3550.sys
    0xF78B2000 mraid35x.sys
    0xF78BA000 i2omp.sys
    0xF7A3E000 ini910u.sys
    0xF7672000 ql1240.sys
    0xF7682000 aic78u2.sys
    0xF78C2000 symc8xx.sys
    0xF78CA000 sym_hi.sys
    0xF78D2000 sym_u3.sys
    0xF78DA000 ABP480N5.SYS
    0xF78E2000 asc3350p.sys
    0xF7B22000 cd20xrnt.sys
    0xF7692000 ultra.sys
    0xF7386000 adpu160m.sys
    0xF78EA000 dpti2o.sys
    0xF76A2000 ql1080.sys
    0xF76B2000 ql1280.sys
    0xF76C2000 ql12160.sys
    0xF78F2000 perc2.sys
    0xF7B24000 perc2hib.sys
    0xF78FA000 hpn.sys
    0xF7A42000 cbidf2k.sys
    0xF735A000 dac2w2k.sys
    0xF76D2000 disk.sys
    0xF76E2000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
    0xF733A000 fltmgr.sys
    0xF7325000 drvmcdb.sys
    0xF76F2000 PxHelp20.sys
    0xF730E000 KSecDD.sys
    0xF7281000 Ntfs.sys
    0xF7254000 NDIS.sys
    0xF7702000 sisagp.sys
    0xF7712000 viaagp.sys
    0xF7722000 ohci1394.sys
    0xF7732000 \WINDOWS\system32\DRIVERS\1394BUS.SYS
    0xF723A000 Mup.sys
    0xF7742000 agp440.sys
    0xF7752000 alim1541.sys
    0xF7762000 amdagp.sys
    0xF7772000 agpCPQ.sys
    0xF7792000 \SystemRoot\system32\DRIVERS\nic1394.sys
    0xF6C43000 \SystemRoot\system32\DRIVERS\intelppm.sys
    0xF5C4B000 \SystemRoot\system32\DRIVERS\nv4_mini.sys
    0xF5C37000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
    0xF5C09000 \SystemRoot\system32\DRIVERS\b57xp32.sys
    0xF79FA000 \SystemRoot\system32\DRIVERS\usbuhci.sys
    0xF5BE5000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
    0xF7A02000 \SystemRoot\system32\DRIVERS\usbehci.sys
    0xF796A000 \SystemRoot\system32\DRIVERS\usbohci.sys
    0xF5BBA000 \SystemRoot\system32\drivers\aticxcap.sys
    0xF6C33000 \SystemRoot\system32\drivers\STREAM.SYS
    0xF5B97000 \SystemRoot\system32\drivers\ks.sys
    0xF5B1D000 \SystemRoot\system32\drivers\ctaud2k.sys
    0xF5AF9000 \SystemRoot\system32\drivers\portcls.sys
    0xF6C23000 \SystemRoot\system32\drivers\drmk.sys
    0xF5AC6000 \SystemRoot\system32\drivers\ctoss2k.sys
    0xF7A0A000 \SystemRoot\System32\drivers\ctprxy2k.sys
    0xF7090000 \SystemRoot\system32\DRIVERS\gameenum.sys
    0xF7A12000 \SystemRoot\system32\DRIVERS\fdc.sys
    0xF5AB2000 \SystemRoot\system32\DRIVERS\parport.sys
    0xF6C13000 \SystemRoot\system32\DRIVERS\serial.sys
    0xF708C000 \SystemRoot\system32\DRIVERS\serenum.sys
    0xF7A1A000 \SystemRoot\system32\drivers\Afc.sys
    0xF7B66000 \SystemRoot\system32\drivers\sscdbhk5.sys
    0xF6569000 \SystemRoot\system32\DRIVERS\cdrom.sys
    0xF7902000 \SystemRoot\System32\Drivers\GEARAspiWDM.sys
    0xF7CCB000 \SystemRoot\system32\DRIVERS\lmimirr.sys
    0xF5A97000 \SystemRoot\system32\DRIVERS\dne2000.sys
    0xF6559000 \SystemRoot\system32\DRIVERS\Epfwndis.sys
    0xF7CCC000 \SystemRoot\system32\DRIVERS\audstub.sys
    0xF6549000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
    0xF7088000 \SystemRoot\system32\DRIVERS\ndistapi.sys
    0xF5A80000 \SystemRoot\system32\DRIVERS\ndiswan.sys
    0xF6539000 \SystemRoot\system32\DRIVERS\raspppoe.sys
    0xF6529000 \SystemRoot\system32\DRIVERS\raspptp.sys
    0xF7912000 \SystemRoot\system32\DRIVERS\TDI.SYS
    0xF5A6F000 \SystemRoot\system32\DRIVERS\psched.sys
    0xF6519000 \SystemRoot\system32\DRIVERS\msgpc.sys
    0xF791A000 \SystemRoot\system32\DRIVERS\ptilink.sys
    0xF7922000 \SystemRoot\system32\DRIVERS\raspti.sys
    0xF5A3F000 \SystemRoot\system32\DRIVERS\rdpdr.sys
    0xF77D2000 \SystemRoot\system32\DRIVERS\termdd.sys
    0xF79C2000 \SystemRoot\system32\DRIVERS\kbdclass.sys
    0xF79CA000 \SystemRoot\system32\DRIVERS\mouclass.sys
    0xF7BCE000 \SystemRoot\system32\DRIVERS\swenum.sys
    0xF33CD000 \SystemRoot\system32\DRIVERS\update.sys
    0xF70A8000 \SystemRoot\system32\DRIVERS\mssmbios.sys
    0xF79D2000 \SystemRoot\system32\DRIVERS\omci.sys
    0xF77E2000 \SystemRoot\System32\Drivers\NDProxy.SYS
    0xF7802000 \SystemRoot\system32\DRIVERS\usbhub.sys
    0xF7BD0000 \SystemRoot\system32\DRIVERS\USBD.SYS
    0xEE293000 \SystemRoot\system32\drivers\aticxtun.sys
    0xEEF06000 \SystemRoot\system32\drivers\aticxxbr.sys
    0xEC2E3000 \SystemRoot\System32\drivers\hap16v2k.sys
    0xEC1DF000 \SystemRoot\System32\drivers\ha10kx2k.sys
    0xEC1B2000 \SystemRoot\System32\drivers\emupia2k.sys
    0xEC18B000 \SystemRoot\System32\drivers\ctsfm2k.sys
    0xEC0EF000 \SystemRoot\System32\drivers\ctac32k.sys
    0xEE28B000 \SystemRoot\system32\DRIVERS\flpydisk.sys
    0xEE11D000 \SystemRoot\System32\Drivers\i2omgmt.SYS
    0xEC0A4000 \SystemRoot\system32\DRIVERS\MpFilter.sys
    0xEEBB5000 \SystemRoot\system32\DRIVERS\usbccgp.sys
    0xEEF22000 \SystemRoot\System32\Drivers\cdrbsvsd.SYS
    0xF7BC6000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
    0xEF9CB000 \SystemRoot\System32\Drivers\Null.SYS
    0xF7BC8000 \SystemRoot\System32\Drivers\Beep.SYS
    0xEEBA5000 \SystemRoot\system32\drivers\ssrtln.sys
    0xF0EEF000 \SystemRoot\system32\DRIVERS\ehdrv.sys
    0xEEB9D000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
    0xEEB95000 \SystemRoot\System32\drivers\vga.sys
    0xF7BCA000 \SystemRoot\System32\Drivers\mnmdd.SYS
    0xF7BCC000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
    0xEEB8D000 \SystemRoot\System32\Drivers\Msfs.SYS
    0xEE2AB000 \SystemRoot\System32\Drivers\Npfs.SYS
    0xEEF16000 \SystemRoot\system32\DRIVERS\rasacd.sys
    0xF0E1C000 \SystemRoot\system32\DRIVERS\ipsec.sys
    0xF0DC3000 \SystemRoot\system32\DRIVERS\tcpip.sys
    0xF0DB0000 \SystemRoot\system32\DRIVERS\epfwtdi.sys
    0xF0D88000 \SystemRoot\system32\DRIVERS\netbt.sys
    0xEEF12000 \SystemRoot\System32\drivers\ws2ifsl.sys
    0xF0D42000 \SystemRoot\System32\drivers\afd.sys
    0xEFA53000 \SystemRoot\system32\DRIVERS\netbios.sys
    0xF0D20000 \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS
    0xEE2A3000 \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
    0xF0CF5000 \SystemRoot\system32\DRIVERS\rdbss.sys
    0xF0C85000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
    0xEFA23000 \SystemRoot\System32\Drivers\Fips.SYS
    0xEFA13000 \SystemRoot\system32\DRIVERS\wanarp.sys
    0xEFA03000 \SystemRoot\system32\DRIVERS\arp1394.sys
    0xEDD6A000 \SystemRoot\system32\DRIVERS\usbscan.sys
    0xEDD66000 \SystemRoot\system32\DRIVERS\hidusb.sys
    0xEF9E3000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
    0xEFF12000 \SystemRoot\system32\DRIVERS\kbdhid.sys
    0xEFF0E000 \SystemRoot\system32\DRIVERS\mouhid.sys
    0xEF477000 \SystemRoot\system32\DRIVERS\usbprint.sys
    0xEF3F1000 \SystemRoot\System32\Drivers\Cdfs.SYS
    0xEBFE6000 \SystemRoot\System32\Drivers\dump_iaStor.sys
    0xBF800000 \SystemRoot\System32\win32k.sys
    0xEF7F2000 \SystemRoot\System32\drivers\Dxapi.sys
    0xEF45F000 \SystemRoot\System32\watchdog.sys
    0xBF000000 \SystemRoot\System32\drivers\dxg.sys
    0xF7C84000 \SystemRoot\System32\drivers\dxgthk.sys
    0xBF012000 \SystemRoot\System32\nv4_disp.dll
    0xBFFA0000 \SystemRoot\System32\ATMFD.DLL
    0xB96E3000 \SystemRoot\system32\DRIVERS\eamon.sys
    0xF6027000 \SystemRoot\system32\drivers\drvnddm.sys
    0xF7D48000 \SystemRoot\system32\dla\tfsndres.sys
    0xB96CD000 \SystemRoot\system32\dla\tfsnifs.sys
    0xF7AEE000 \SystemRoot\system32\dla\tfsnopio.sys
    0xF4E9B000 \SystemRoot\system32\dla\tfsnpool.sys
    0xEEF37000 \SystemRoot\system32\dla\tfsnboio.sys
    0xF6017000 \SystemRoot\system32\dla\tfsncofs.sys
    0xF7C51000 \SystemRoot\system32\dla\tfsndrct.sys
    0xB96B4000 \SystemRoot\system32\dla\tfsnudf.sys
    0xB969B000 \SystemRoot\system32\dla\tfsnudfa.sys
    0xB9678000 \SystemRoot\system32\DRIVERS\epfw.sys
    0xB8E23000 \SystemRoot\system32\DRIVERS\mrxdav.sys
    0xF623D000 \SystemRoot\System32\drivers\BrPar.sys
    0xEF7E2000 \SystemRoot\System32\Drivers\ASPI32.SYS
    0xB8CD6000 \??\C:\WINDOWS\system32\Drivers\CVPNDRVA.sys
    0xB8C6D000 \SystemRoot\System32\Drivers\HTTP.sys
    0xF7B3C000 \??\C:\Program Files\LogMeIn\x86\RaInfo.sys
    0xB8B6E000 \SystemRoot\system32\DRIVERS\srv.sys
    0xB8A91000 \SystemRoot\system32\drivers\wdmaud.sys
    0xF7872000 \SystemRoot\system32\drivers\sysaudio.sys
    0xB884A000 \SystemRoot\system32\DRIVERS\mdmxsdk.sys
    0xB8807000 \??\C:\WINDOWS\system32\drivers\PfModNT.sys
    0xF7B88000 \??\C:\WINDOWS\system32\Drivers\Vcs.sys
    0xB770E000 \SystemRoot\System32\Drivers\Fastfat.SYS
    0xB630B000 \SystemRoot\system32\drivers\kmixer.sys
    0x7C900000 \WINDOWS\SYSTEM32\ntdll.dll

    Processes (total 48):
    0 System Idle Process
    4 System
    1268 C:\WINDOWS\SYSTEM32\smss.exe
    1320 csrss.exe
    1348 C:\WINDOWS\SYSTEM32\winlogon.exe
    1392 C:\WINDOWS\SYSTEM32\services.exe
    1404 C:\WINDOWS\SYSTEM32\lsass.exe
    1596 C:\WINDOWS\SYSTEM32\svchost.exe
    1716 svchost.exe
    1868 C:\Program Files\Microsoft Security Essentials\MsMpEng.exe
    1904 C:\WINDOWS\SYSTEM32\svchost.exe
    2032 svchost.exe
    476 C:\WINDOWS\SYSTEM32\spoolsv.exe
    632 C:\WINDOWS\SYSTEM32\svchost.exe
    644 svchost.exe
    684 C:\Program Files\Seagate\Basics\Service\SyncServicesBasics.exe
    912 C:\WINDOWS\SYSTEM32\CTSVCCDA.EXE
    944 C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
    1048 C:\Program Files\ESET\ESET Smart Security\ekrn.exe
    1064 C:\WINDOWS\SYSTEM32\svchost.exe
    1140 C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
    1204 C:\WINDOWS\SYSTEM32\imapi.exe
    1236 C:\Program Files\LogMeIn\x86\ramaint.exe
    1620 C:\Program Files\LogMeIn\x86\LogMeIn.exe
    576 C:\Program Files\LogMeIn\x86\LMIGuardian.exe
    588 C:\WINDOWS\explorer.exe
    1552 C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    2144 C:\WINDOWS\SYSTEM32\nvsvc32.exe
    2448 C:\WINDOWS\SYSTEM32\svchost.exe
    2728 C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
    2844 C:\Program Files\Canon\CAL\CALMAIN.exe
    3304 C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
    3424 C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.exe
    3600 C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
    3616 C:\Program Files\Dell\Media Experience\DMXLauncher.exe
    3688 C:\PROGRA~1\MICROS~4\GAMECO~1\Common\SWTrayV4.EXE
    3740 C:\WINDOWS\SYSTEM32\dla\tfswctrl.exe
    3760 C:\WINDOWS\CTHELPER.EXE
    3872 C:\Program Files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe
    3880 C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
    3976 C:\Program Files\ESET\ESET Smart Security\egui.exe
    4080 C:\Program Files\Microsoft Security Essentials\msseces.exe
    2380 C:\Program Files\LogMeIn\x86\LMIGuardian.exe
    3500 C:\WINDOWS\SYSTEM32\ctfmon.exe
    3576 C:\Program Files\ATI Multimedia\main\atidtct.exe
    3716 C:\WINDOWS\SYSTEM32\svchost.exe
    340 C:\Program Files\Mozilla Firefox\firefox.exe
    4064 C:\Temp\Virus\MBRCheck.exe

    \\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`03ec1000 (NTFS)
    \\.\D: --> \\.\PhysicalDrive1 at offset 0x00000000`00007e00 (NTFS)

    PhysicalDrive0 Model Number: WDCWD2500JD-75HBB0, Rev: 08.02D08
    PhysicalDrive1 Model Number: WDCWD1001FALS-00J7B0, Rev: 05.00K05

    Size Device Name MBR Status
    --------------------------------------------
    232 GB \\.\PhysicalDrive0 Known-bad MBR code detected (Whistler / Black Internet)!
    SHA1: 610C151EA6600B4828D09565D95688B3829C12B2
    931 GB \\.\PhysicalDrive1 Known-bad MBR code detected (Whistler / Black Internet)!
    SHA1: 610C151EA6600B4828D09565D95688B3829C12B2


    Found non-standard or infected MBR.
    Enter 'Y' and hit ENTER for more options, or 'N' to exit:
     

    Attached Files:
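The MBRCheck output above flags both drives because the SHA-1 of their MBR matches a known-bad entry. As an added illustration, not code from MBRCheck or from anyone in this thread, the following Python reader parses a 512-byte MBR, checks the 0x55AA boot signature, hashes the boot-code area and compares the digest with a known-bad table. The one known-bad hash is the value reported in the log; the sample sector, the choice of the 440-byte boot-code region as the hashed area, and all function names are constructed assumptions. The sample partition starts at LBA 128520, so its byte offset works out to the 0x03ec1000 that the log shows for C: on PhysicalDrive0.

```python
import hashlib
import struct

MBR_SIZE = 512
SECTOR_SIZE = 512
BOOT_CODE_SIZE = 440          # bytes 0..439: boot code in the classic MBR layout
PARTITION_TABLE_OFFSET = 446  # four 16-byte partition entries follow
BOOT_SIGNATURE = b"\x55\xaa"  # bytes 510..511

# Known-bad boot-code hashes keyed by lowercase SHA-1 hex. The entry is the value
# MBRCheck reported in the log above. Whether MBRCheck hashes exactly the 440-byte
# code area or the whole sector is an assumption made here for illustration.
KNOWN_BAD_SHA1 = {
    "610c151ea6600b4828d09565d95688b3829c12b2": "Whistler / Black Internet",
}


def parse_mbr(sector: bytes) -> dict:
    """Split a raw 512-byte sector into boot code, partition entries and signature state."""
    if len(sector) != MBR_SIZE:
        raise ValueError(f"expected {MBR_SIZE} bytes, got {len(sector)}")
    partitions = []
    for i in range(4):
        start = PARTITION_TABLE_OFFSET + 16 * i
        entry = sector[start:start + 16]
        # status, 3-byte CHS start, type, 3-byte CHS end, LBA start, sector count
        status, ptype, lba_start, sectors = struct.unpack("<B3xB3xII", entry)
        if ptype == 0:  # empty slot
            continue
        partitions.append({
            "index": i,
            "bootable": status == 0x80,
            "type": ptype,
            "lba_start": lba_start,
            "sectors": sectors,
            "byte_offset": lba_start * SECTOR_SIZE,
        })
    return {
        "boot_code": sector[:BOOT_CODE_SIZE],
        "partitions": partitions,
        "signature_ok": sector[510:512] == BOOT_SIGNATURE,
    }


def boot_code_sha1(sector: bytes) -> str:
    """SHA-1 of the boot-code area only; partition table and disk signature are excluded."""
    return hashlib.sha1(sector[:BOOT_CODE_SIZE]).hexdigest()


def classify_mbr(sector: bytes, known_bad=KNOWN_BAD_SHA1) -> tuple:
    """Return (verdict, detail): 'invalid', 'known-bad' or 'unknown'."""
    info = parse_mbr(sector)
    if not info["signature_ok"]:
        return "invalid", "missing 0x55AA boot signature"
    digest = boot_code_sha1(sector)
    if digest in known_bad:
        return "known-bad", known_bad[digest]
    # A real checker also keeps a known-good list (stock Windows MBR code);
    # anything not on either list is reported as unknown, not as clean.
    return "unknown", f"SHA1 {digest.upper()} not in known-bad list"


def build_sample_mbr(boot_code: bytes, lba_start: int, sectors: int, ptype: int = 0x07) -> bytes:
    """Construct a sample MBR (not a real disk image) with one bootable partition."""
    if len(boot_code) > BOOT_CODE_SIZE:
        raise ValueError("boot code too long")
    code = boot_code.ljust(BOOT_CODE_SIZE, b"\x00")
    disk_sig = b"\x00" * 6  # 4-byte disk signature plus 2 reserved bytes (440..445)
    entry = struct.pack("<B3sB3sII", 0x80, b"\x00\x00\x00", ptype, b"\x00\x00\x00", lba_start, sectors)
    table = entry + b"\x00" * 48  # three empty entries
    return code + disk_sig + table + BOOT_SIGNATURE


def read_mbr(path: str) -> bytes:
    """Read sector 0 of a disk or image file, e.g. r'\\\\.\\PhysicalDrive0' on Windows (needs admin)."""
    with open(path, "rb") as fh:
        return fh.read(MBR_SIZE)


# Constructed sample: a common MBR prologue (cli; xor ax,ax; mov ss,ax; mov sp,0x7c00)
# and one NTFS partition starting at LBA 128520 = byte offset 0x03ec1000.
SAMPLE_CODE = b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c"
SAMPLE_MBR = build_sample_mbr(SAMPLE_CODE, lba_start=128520, sectors=1_000_000)

if __name__ == "__main__":
    import sys
    sector = read_mbr(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_MBR
    verdict, detail = classify_mbr(sector)
    print(f"{verdict}: {detail}")
    for p in parse_mbr(sector)["partitions"]:
        print(f"  partition {p['index']}: type 0x{p['type']:02x} "
              f"bootable={p['bootable']} offset 0x{p['byte_offset']:08x}")
```

Run without arguments to classify the constructed sample; pass a disk or image path to check a real sector 0. Hashing only the code area keeps the verdict independent of the partition layout, which is why the same hash appears for both drives in the log even though they have different partition tables.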

  2. crunchie

    crunchie Malware Helper Posts: 728

    Hi and welcome to TechSpot forums :).

    ====

    Please download ComboFix by sUBs from HERE or HERE
    • You must download it to and run it from your Desktop
    • Physically disconnect from the internet.
    • Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
    • Double click combofix.exe & follow the prompts.
    • When finished, it will produce a log. Please save that log to post in your next reply.
    • Re-enable all the programs that were disabled during the running of ComboFix.

    Note:
    Do not mouse-click combofix's window while it is running. That may cause it to stall.

    CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

    Run Combofix ONCE only!!
     
  3. dbuerkle

    dbuerkle TS Rookie Topic Starter

    Combofix results

    ComboFix 10-08-24.0B - Doug 08/25/2010 18:16:46.1.1 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.678 [GMT -4:00]
    Running from: c:\documents and settings\Doug\Desktop\ComboFix.exe
    AV: ESET Smart Security 4.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
    AV: Microsoft Security Essentials *On-access scanning disabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
    FW: ESET Personal firewall *enabled* {E5E70D32-0101-4340-86A3-A7B0F1C8FFE0}
    * Resident AV is active

    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\Doug\Local Settings\Application Data\{7C8A121C-08AB-4D6A-B8E4-C5DECA20C4D2}
    c:\documents and settings\Doug\Local Settings\Application Data\{7C8A121C-08AB-4D6A-B8E4-C5DECA20C4D2}\chrome.manifest
    c:\documents and settings\Doug\Local Settings\Application Data\{7C8A121C-08AB-4D6A-B8E4-C5DECA20C4D2}\chrome\content\_cfg.js
    c:\documents and settings\Doug\Local Settings\Application Data\{7C8A121C-08AB-4D6A-B8E4-C5DECA20C4D2}\chrome\content\c.js
    c:\documents and settings\Doug\Local Settings\Application Data\{7C8A121C-08AB-4D6A-B8E4-C5DECA20C4D2}\chrome\content\overlay.xul
    c:\documents and settings\Doug\Local Settings\Application Data\{7C8A121C-08AB-4D6A-B8E4-C5DECA20C4D2}\install.rdf
    c:\windows\system32\gotomon.log

    .
    \\.\PhysicalDrive0 - Bootkit Whistler was found and disinfected
    \\.\PhysicalDrive1 - Bootkit Whistler was found and disinfected
    .
    \\.\PhysicalDrive0 - Bootkit Whistler was found and disinfected
    \\.\PhysicalDrive1 - Bootkit Whistler was found and disinfected
    .
    ((((((((((((((((((((((((( Files Created from 2010-07-25 to 2010-08-25 )))))))))))))))))))))))))))))))
    .

    2010-08-24 00:30 . 2010-08-24 00:30 -------- d-----w- c:\documents and settings\All Users\Application Data\F-Secure
    2010-08-23 17:51 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-08-23 17:51 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-08-23 17:51 . 2010-08-23 17:51 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-08-20 04:00 . 2010-08-20 04:00 -------- d-----w- C:\found.001
    2010-08-18 02:54 . 2010-08-18 02:54 -------- d-----w- c:\windows\Internet Logs
    2010-08-17 18:21 . 2010-08-17 18:21 -------- d-----w- c:\documents and settings\Doug\Application Data\CheckPoint
    2010-08-17 18:21 . 2010-08-17 18:21 -------- d-----w- c:\program files\CheckPoint
    2010-08-17 18:21 . 2010-08-17 18:21 4212 ---ha-w- c:\windows\system32\zllictbl.dat
    2010-08-11 22:36 . 2010-08-11 22:36 -------- d-----w- C:\found.000
    2010-08-10 20:18 . 2010-08-10 20:18 -------- d-----w- c:\windows\system32\DRM
    2010-07-31 12:47 . 2010-06-01 17:37 221568 ------w- c:\windows\system32\MpSigStub.exe
    2010-07-31 12:41 . 2010-07-31 12:42 -------- d-----w- c:\program files\Microsoft Security Essentials
    2010-07-31 12:41 . 2009-08-06 23:23 274288 ----a-w- c:\windows\system32\mucltui.dll
    2010-07-28 02:00 . 2010-07-28 02:00 -------- d-sh--w- c:\documents and settings\Doug\IECompatCache
    2010-07-27 02:01 . 2010-08-12 19:19 63488 ----a-w- c:\documents and settings\Doug\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
    2010-07-27 02:01 . 2010-07-27 02:01 52224 ----a-w- c:\documents and settings\Doug\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
    2010-07-27 02:01 . 2010-08-12 19:19 117760 ----a-w- c:\documents and settings\Doug\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
    2010-07-27 01:20 . 2010-07-27 01:19 1129120 ----a-w- c:\documents and settings\All Users\Application Data\STOPzilla!\vdb\vbcorent.dll
    2010-07-27 01:17 . 2010-07-27 01:46 -------- d-----w- c:\documents and settings\All Users\Application Data\STOPzilla!

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-08-25 04:21 . 2010-03-30 04:41 -------- d-----w- c:\program files\LogMeIn
    2010-08-24 01:07 . 2007-12-24 15:42 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
    2010-08-21 00:24 . 2005-02-22 01:26 -------- d-----w- c:\program files\Visio
    2010-08-19 03:19 . 2009-08-06 05:00 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
    2010-08-18 13:43 . 2005-02-09 17:53 -------- d-----w- c:\program files\Common Files\Adobe
    2010-08-18 12:08 . 2007-03-03 06:04 -------- d-----w- c:\program files\Yahoo!
    2010-08-16 21:58 . 2005-02-09 18:48 -------- d-----w- c:\documents and settings\Doug\Application Data\AdobeUM
    2010-08-12 04:24 . 2005-12-25 16:53 -------- d-----w- c:\program files\SpywareBlaster
    2010-08-11 01:58 . 2009-01-09 06:57 -------- d-----w- c:\program files\SUPERAntiSpyware
    2010-08-03 15:29 . 2005-02-15 02:49 -------- d-----w- c:\program files\Microsoft.NET
    2010-07-27 02:01 . 2009-01-09 06:57 -------- d-----w- c:\documents and settings\Doug\Application Data\SUPERAntiSpyware.com
    2010-07-27 01:29 . 2010-07-27 01:25 600 ----a-w- c:\windows\system32\drivers\kgpcpy.cfg.old
    2010-07-11 12:50 . 2004-10-11 16:19 -------- d-----w- c:\program files\Common Files\Logishrd
    2010-07-11 12:49 . 2004-10-11 16:18 -------- d-----w- c:\documents and settings\All Users\Application Data\LogiShrd
    2010-07-11 12:45 . 2007-05-20 02:20 34 ----a-w- c:\windows\system32\BD5250DN.DAT
    2010-06-30 12:31 . 2004-08-04 11:00 149504 ----a-w- c:\windows\system32\schannel.dll
    2010-06-24 12:22 . 2004-08-04 11:00 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-06-23 13:44 . 2004-08-04 11:00 1851904 ----a-w- c:\windows\system32\win32k.sys
    2010-06-21 15:27 . 2004-08-04 11:00 354304 ------w- c:\windows\system32\drivers\srv.sys
    2010-06-17 14:03 . 2004-08-04 11:00 80384 ----a-w- c:\windows\system32\iccvid.dll
    2010-06-14 14:31 . 2004-08-04 11:00 744448 ----a-w- c:\windows\PCHEALTH\HELPCTR\BINARIES\helpsvc.exe
    2010-06-14 07:41 . 2004-08-04 11:00 1172480 ----a-w- c:\windows\system32\msxml3.dll
    2010-06-02 20:06 . 2010-03-30 04:42 29568 ----a-w- c:\windows\system32\LMIport.dll
    2010-06-02 20:06 . 2010-03-30 04:41 87424 ----a-w- c:\windows\system32\LMIinit.dll
    2010-06-02 01:45 . 2005-02-14 00:23 1080 ----a-w- c:\windows\AUTOLNCH.REG
    2010-06-01 15:44 . 2010-06-22 02:31 3907584 ----a-w- c:\documents and settings\Doug\Application Data\Mozilla\Firefox\Profiles\fuqy6uyf.default\extensions\LogMeInClient@logmein.com\plugins\npRACtrl.dll
    2008-11-18 15:12 . 2005-09-21 16:50 27976 ----a-w- c:\program files\mozilla firefox\plugins\atgpcdec.dll
    2008-11-18 15:12 . 2005-09-21 16:51 126360 ----a-w- c:\program files\mozilla firefox\plugins\atgpcext.dll
    2008-09-22 17:09 . 2008-09-22 17:09 46408 ----a-w- c:\program files\mozilla firefox\plugins\atmccli.dll
    2008-09-22 17:09 . 2008-09-22 17:09 98712 ----a-w- c:\program files\mozilla firefox\plugins\ieatgpc.dll
    2006-05-03 10:06 . 2008-02-05 22:04 163328 --sh--r- c:\windows\SYSTEM32\flvDX.dll
    2007-12-24 16:17 . 2005-05-27 01:47 10856 --sha-w- c:\windows\SYSTEM32\KGyGaAvL.sys
    2007-02-21 11:47 . 2008-02-05 22:04 31232 --sh--r- c:\windows\SYSTEM32\msfDX.dll
    2007-12-17 13:43 . 2008-02-05 22:04 27648 --sh--w- c:\windows\SYSTEM32\Smab0.dll
    2008-02-04 19:26 . 2008-02-05 22:04 151040 --sh--w- c:\windows\SYSTEM32\VistaUltm.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ATI DeviceDetect"="c:\program files\ATI Multimedia\main\ATIDtct.EXE" [2005-12-23 57344]
    "SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-07-19 2403568]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-02-12 174872]
    "CTDVDDET"="c:\program files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE" [2003-06-18 45056]
    "DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-10-12 57344]
    "DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2004-09-15 86016]
    "SideWinderTrayV4"="c:\progra~1\MICROS~4\GAMECO~1\Common\SWTrayV4.exe" [2000-06-03 24650]
    "dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-08-13 122939]
    "PDF4 Registry Controller"="c:\program files\ScanSoft\PDF Professional 4.0\RegistryController.exe" [2006-10-05 46664]
    "CTHelper"="CTHELPER.EXE" [2006-08-11 17920]
    "CTxfiHlp"="CTXFIHLP.EXE" [2006-08-11 18944]
    "basicsmssmenu"="c:\program files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe" [2007-10-09 169328]
    "LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2010-01-27 63048]
    "SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-04-01 5562368]
    "egui"="c:\program files\ESET\ESET Smart Security\egui.exe" [2009-05-14 2029640]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
    2010-06-02 20:06 87424 ----a-w- c:\windows\SYSTEM32\LMIinit.dll

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
    @="Service"

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "DisableNotifications"= 1 (0x1)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009

    R1 ehdrv;ehdrv;c:\windows\SYSTEM32\DRIVERS\ehdrv.sys [5/14/2009 3:47 PM 107256]
    R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 2:25 PM 12872]
    R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 2:41 PM 67656]
    R2 ekrn;ESET Service;c:\program files\ESET\ESET Smart Security\ekrn.exe [5/14/2009 3:47 PM 731840]
    R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [1/27/2010 12:22 PM 12856]
    R2 Vcs;Vcs support;c:\windows\SYSTEM32\DRIVERS\Vcs.sys [9/21/2005 10:02 PM 6852]
    R3 ATICXCAP;ATI TV Wonder Pro A/V Capture;c:\windows\SYSTEM32\DRIVERS\aticxcap.sys [4/30/2005 7:51 PM 173824]
    R3 ATICXTUN;ATI TV Wonder Pro Tuner (Philips 1236 MK3);c:\windows\SYSTEM32\DRIVERS\aticxtun.sys [4/30/2005 7:51 PM 29184]
    R3 ATICXXBR;ATI TV Wonder Pro A/V Crossbar;c:\windows\SYSTEM32\DRIVERS\aticxxbr.sys [4/30/2005 7:51 PM 9088]
    S1 SABKUTIL;SABKUTIL;\??\c:\program files\SUPERAntiSpyware\SABKUTIL.sys --> c:\program files\SUPERAntiSpyware\SABKUTIL.sys [?]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]
    S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;"c:\program files\McAfee\SiteAdvisor\McSACore.exe" --> c:\program files\McAfee\SiteAdvisor\McSACore.exe [?]
    S3 DMSKSSRh;DMSKSSRh;\??\c:\docume~1\Doug\LOCALS~1\Temp\DMSKSSRh.sys --> c:\docume~1\Doug\LOCALS~1\Temp\DMSKSSRh.sys [?]
    S3 Gupta SQLBase Resource Manager Server2;Gupta SQLBase Resource Manager Server2;c:\sqlbase\SQLBrm.exe [6/20/2006 9:43 AM 98304]
    S3 Gupta SQLBase Server2;Gupta SQLBase Server2;c:\sqlbase\dbntsrv.exe [6/20/2006 9:43 AM 1138688]
    S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]
    .
    Contents of the 'Scheduled Tasks' folder

    2009-09-27 c:\windows\Tasks\Microsoft_Hardware_Launch_IType_exe.job
    - c:\program files\Microsoft IntelliType Pro\itype.exe [2007-08-31 19:13]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/
    uInternet Connection Wizard,ShellNext = hxxp://www.dell4me.com/myway
    uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
    IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
    IE: Open with ScanSoft PDF Converter 4.0 - c:\program files\ScanSoft\PDF Professional 4.0\cnvres_eng.dll /100
    IE: Sothink SWF Catcher - c:\program files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
    IE: {{C30A71CA-D397-4B9A-BE24-C38E4216A562} - c:\program files\Bytescout SWF To Video Scout\flashextract.exe
    FF - ProfilePath - c:\documents and settings\Doug\Application Data\Mozilla\Firefox\Profiles\fuqy6uyf.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
    FF - prefs.js: keyword.URL - hxxp://www.google.com/search?q=
    FF - plugin: c:\documents and settings\Doug\Application Data\Mozilla\Firefox\Profiles\fuqy6uyf.default\extensions\LogMeInClient@logmein.com\plugins\npRACtrl.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npatgpc.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\NPMGWRAP.DLL
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npstrlnk.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

    ---- FIREFOX POLICIES ----
    FF - user.js: dom.disable_open_during_load - true // Popupblocker control handled by McAfee Privacy Service
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
    .
    - - - - ORPHANS REMOVED - - - -

    HKCU-Run-ATI Launchpad - (no file)
    AddRemove-Pop-a-BMP-to-ICO_is1 - c:\program files\Pop-a-BMP-to-ICO\unins000.exe
    AddRemove-Centura Team Developer Runtime 1.5 - c:\visual\Current\Runtime\tduninst.isu
    AddRemove-VISUAL Financials - c:\visual\current\vmfg\vfuninst.isu
    AddRemove-VISUAL HR - c:\visual\current\payroll\hruninst.isu
    AddRemove-VISUAL Manufacturing - c:\visual\current\VMFG\vmuninst.isu
    AddRemove-VISUAL Payroll - c:\visual\current\Payroll\vpuninst.isu



    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-08-25 18:29
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
    @Denied: (2) (LocalSystem)
    "88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,06,64,b6,bc,8b,fb,0f,4c,8b,1f,74,\
    "2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,06,64,b6,bc,8b,fb,0f,4c,8b,1f,74,\

    [HKEY_USERS\S-1-5-21-417677365-355344319-2244582239-1005\Software\Microsoft\SystemCertificates\AddressBook*]
    @Allowed: (Read) (RestrictedCode)
    @Allowed: (Read) (RestrictedCode)

    [HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
    "SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
    00,5c,00,4d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,79,00,73,00,\
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(1336)
    c:\program files\SUPERAntiSpyware\SASWINLO.DLL
    c:\windows\system32\WININET.dll
    c:\windows\system32\LMIinit.dll
    .
    Completion time: 2010-08-25 18:36:06
    ComboFix-quarantined-files.txt 2010-08-25 22:36

    Pre-Run: 10,483,838,976 bytes free
    Post-Run: 10,795,704,320 bytes free

    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

    - - End Of File - - E2B323A55493BD21E7278C31A41ED02B
     
  4. crunchie

    crunchie Malware Helper Posts: 728

    1. Please open Notepad
    • Click Start, then Run
    • Type notepad.exe in the Run Box.
    2. Now copy/paste the entire content of the codebox below into the Notepad window:
    Code:
    
    DDS::
    uDefault_Page_URL = hxxp://www.dell4me.com/myway
    uInternet Connection Wizard,ShellNext = hxxp://www.dell4me.com/mywa
    TB: &Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - 
    TB: {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - No File
    
    Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

    3. Save the above as CFScript.txt

    4. Physically disconnect from the internet.

    5. Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.

    6. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

    [animation: CFScript.txt being dragged onto ComboFix.exe]


    7. After reboot (in case it asks to reboot), please post the following reports/logs into your next reply after you re-enable all the programs that were disabled during the running of ComboFix:
    • Combofix.txt
    Please take note:

    CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

    ==================

    Please download JavaRa

    If you get this message:
    Problems with the download? Please use this direct link or try another mirror.

    Select the Direct link download and unzip it to your Desktop.

    Double click JavaRa.exe then click Remove Older Versions.

    Follow any prompts; a log will pop up (JavaRa.log). Please post the contents of this log.

    Next, open JavaRa.exe again, and select Search For Updates.

    Select Update Using Sun Java's Website --> Search, and continue the instructions for downloading and installing the latest Java version. Look for JDK 6 Update 21 (JDK or JRE). On the right select this one: Download JRE.

    In Vista and Windows 7 run the tool as Administrator.

    ===========

    Let me know how the pc is now.
     
  5. dbuerkle

    dbuerkle TS Rookie Topic Starter

    PC is running a bit faster.
    Here is the first log file.

    ##############################################

    ComboFix 10-08-24.0B - Doug 08/25/2010 23:14:08.2.1 - x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.655 [GMT -4:00]
    Running from: c:\documents and settings\Doug\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\Doug\Desktop\CFScript.txt
    AV: ESET Smart Security 4.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
    AV: Microsoft Security Essentials *On-access scanning disabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
    FW: ESET Personal firewall *disabled* {E5E70D32-0101-4340-86A3-A7B0F1C8FFE0}
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    .
    \\.\PhysicalDrive0 - Bootkit Whistler was found and disinfected
    \\.\PhysicalDrive1 - Bootkit Whistler was found and disinfected
    .
    ((((((((((((((((((((((((( Files Created from 2010-07-26 to 2010-08-26 )))))))))))))))))))))))))))))))
    .

    2010-08-24 00:30 . 2010-08-24 00:30 -------- d-----w- c:\documents and settings\All Users\Application Data\F-Secure
    2010-08-23 17:51 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2010-08-23 17:51 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
    2010-08-23 17:51 . 2010-08-23 17:51 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2010-08-20 04:00 . 2010-08-20 04:00 -------- d-----w- C:\found.001
    2010-08-18 02:54 . 2010-08-18 02:54 -------- d-----w- c:\windows\Internet Logs
    2010-08-17 18:21 . 2010-08-17 18:21 -------- d-----w- c:\documents and settings\Doug\Application Data\CheckPoint
    2010-08-17 18:21 . 2010-08-17 18:21 -------- d-----w- c:\program files\CheckPoint
    2010-08-17 18:21 . 2010-08-17 18:21 4212 ---ha-w- c:\windows\system32\zllictbl.dat
    2010-08-11 22:36 . 2010-08-11 22:36 -------- d-----w- C:\found.000
    2010-08-10 20:18 . 2010-08-10 20:18 -------- d-----w- c:\windows\system32\DRM
    2010-07-31 12:47 . 2010-06-01 17:37 221568 ------w- c:\windows\system32\MpSigStub.exe
    2010-07-31 12:41 . 2010-07-31 12:42 -------- d-----w- c:\program files\Microsoft Security Essentials
    2010-07-31 12:41 . 2009-08-06 23:23 274288 ----a-w- c:\windows\system32\mucltui.dll
    2010-07-28 02:00 . 2010-07-28 02:00 -------- d-sh--w- c:\documents and settings\Doug\IECompatCache

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2010-08-25 04:21 . 2010-03-30 04:41 -------- d-----w- c:\program files\LogMeIn
    2010-08-24 01:07 . 2007-12-24 15:42 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
    2010-08-21 00:24 . 2005-02-22 01:26 -------- d-----w- c:\program files\Visio
    2010-08-19 03:19 . 2009-08-06 05:00 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
    2010-08-18 13:43 . 2005-02-09 17:53 -------- d-----w- c:\program files\Common Files\Adobe
    2010-08-18 12:08 . 2007-03-03 06:04 -------- d-----w- c:\program files\Yahoo!
    2010-08-16 21:58 . 2005-02-09 18:48 -------- d-----w- c:\documents and settings\Doug\Application Data\AdobeUM
    2010-08-12 19:19 . 2010-07-27 02:01 63488 ----a-w- c:\documents and settings\Doug\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
    2010-08-12 19:19 . 2010-07-27 02:01 117760 ----a-w- c:\documents and settings\Doug\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
    2010-08-12 04:24 . 2005-12-25 16:53 -------- d-----w- c:\program files\SpywareBlaster
    2010-08-11 01:58 . 2009-01-09 06:57 -------- d-----w- c:\program files\SUPERAntiSpyware
    2010-08-03 15:29 . 2005-02-15 02:49 -------- d-----w- c:\program files\Microsoft.NET
    2010-07-27 02:01 . 2010-07-27 02:01 52224 ----a-w- c:\documents and settings\Doug\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
    2010-07-27 02:01 . 2009-01-09 06:57 -------- d-----w- c:\documents and settings\Doug\Application Data\SUPERAntiSpyware.com
    2010-07-27 01:46 . 2010-07-27 01:17 -------- d-----w- c:\documents and settings\All Users\Application Data\STOPzilla!
    2010-07-27 01:29 . 2010-07-27 01:25 600 ----a-w- c:\windows\system32\drivers\kgpcpy.cfg.old
    2010-07-27 01:19 . 2010-07-27 01:20 1129120 ----a-w- c:\documents and settings\All Users\Application Data\STOPzilla!\vdb\vbcorent.dll
    2010-07-11 12:50 . 2004-10-11 16:19 -------- d-----w- c:\program files\Common Files\Logishrd
    2010-07-11 12:49 . 2004-10-11 16:18 -------- d-----w- c:\documents and settings\All Users\Application Data\LogiShrd
    2010-07-11 12:45 . 2007-05-20 02:20 34 ----a-w- c:\windows\system32\BD5250DN.DAT
    2010-06-30 12:31 . 2004-08-04 11:00 149504 ----a-w- c:\windows\system32\schannel.dll
    2010-06-24 12:22 . 2004-08-04 11:00 916480 ----a-w- c:\windows\system32\wininet.dll
    2010-06-23 13:44 . 2004-08-04 11:00 1851904 ----a-w- c:\windows\system32\win32k.sys
    2010-06-21 15:27 . 2004-08-04 11:00 354304 ------w- c:\windows\system32\drivers\srv.sys
    2010-06-17 14:03 . 2004-08-04 11:00 80384 ----a-w- c:\windows\system32\iccvid.dll
    2010-06-14 14:31 . 2004-08-04 11:00 744448 ----a-w- c:\windows\PCHEALTH\HELPCTR\BINARIES\helpsvc.exe
    2010-06-14 07:41 . 2004-08-04 11:00 1172480 ----a-w- c:\windows\system32\msxml3.dll
    2010-06-02 20:06 . 2010-03-30 04:42 29568 ----a-w- c:\windows\system32\LMIport.dll
    2010-06-02 20:06 . 2010-03-30 04:41 87424 ----a-w- c:\windows\system32\LMIinit.dll
    2010-06-02 01:45 . 2005-02-14 00:23 1080 ----a-w- c:\windows\AUTOLNCH.REG
    2010-06-01 15:44 . 2010-06-22 02:31 3907584 ----a-w- c:\documents and settings\Doug\Application Data\Mozilla\Firefox\Profiles\fuqy6uyf.default\extensions\LogMeInClient@logmein.com\plugins\npRACtrl.dll
    2008-11-18 15:12 . 2005-09-21 16:50 27976 ----a-w- c:\program files\mozilla firefox\plugins\atgpcdec.dll
    2008-11-18 15:12 . 2005-09-21 16:51 126360 ----a-w- c:\program files\mozilla firefox\plugins\atgpcext.dll
    2008-09-22 17:09 . 2008-09-22 17:09 46408 ----a-w- c:\program files\mozilla firefox\plugins\atmccli.dll
    2008-09-22 17:09 . 2008-09-22 17:09 98712 ----a-w- c:\program files\mozilla firefox\plugins\ieatgpc.dll
    2006-05-03 10:06 . 2008-02-05 22:04 163328 --sh--r- c:\windows\SYSTEM32\flvDX.dll
    2007-12-24 16:17 . 2005-05-27 01:47 10856 --sha-w- c:\windows\SYSTEM32\KGyGaAvL.sys
    2007-02-21 11:47 . 2008-02-05 22:04 31232 --sh--r- c:\windows\SYSTEM32\msfDX.dll
    2007-12-17 13:43 . 2008-02-05 22:04 27648 --sh--w- c:\windows\SYSTEM32\Smab0.dll
    2008-02-04 19:26 . 2008-02-05 22:04 151040 --sh--w- c:\windows\SYSTEM32\VistaUltm.dll
    .

    ((((((((((((((((((((((((((((( SnapShot@2010-08-25_22.29.56 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2005-02-05 17:00 . 2010-08-25 23:38 88406 c:\windows\SYSTEM32\PERFC009.DAT
    + 2005-02-05 17:00 . 2010-08-25 23:38 503548 c:\windows\SYSTEM32\PERFH009.DAT
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ATI DeviceDetect"="c:\program files\ATI Multimedia\main\ATIDtct.EXE" [2005-12-23 57344]
    "SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-07-19 2403568]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-02-12 174872]
    "CTDVDDET"="c:\program files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE" [2003-06-18 45056]
    "DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-10-12 57344]
    "DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2004-09-15 86016]
    "SideWinderTrayV4"="c:\progra~1\MICROS~4\GAMECO~1\Common\SWTrayV4.exe" [2000-06-03 24650]
    "dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-08-13 122939]
    "PDF4 Registry Controller"="c:\program files\ScanSoft\PDF Professional 4.0\RegistryController.exe" [2006-10-05 46664]
    "CTHelper"="CTHELPER.EXE" [2006-08-11 17920]
    "CTxfiHlp"="CTXFIHLP.EXE" [2006-08-11 18944]
    "basicsmssmenu"="c:\program files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe" [2007-10-09 169328]
    "LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2010-01-27 63048]
    "SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-04-01 5562368]
    "egui"="c:\program files\ESET\ESET Smart Security\egui.exe" [2009-05-14 2029640]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
    2010-06-02 20:06 87424 ----a-w- c:\windows\SYSTEM32\LMIinit.dll

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
    @="Service"

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "DisableNotifications"= 1 (0x1)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009

    R1 ehdrv;ehdrv;c:\windows\SYSTEM32\DRIVERS\ehdrv.sys [5/14/2009 3:47 PM 107256]
    R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 2:25 PM 12872]
    R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 2:41 PM 67656]
    R2 ekrn;ESET Service;c:\program files\ESET\ESET Smart Security\ekrn.exe [5/14/2009 3:47 PM 731840]
    R2 Vcs;Vcs support;c:\windows\SYSTEM32\DRIVERS\Vcs.sys [9/21/2005 10:02 PM 6852]
    R3 ATICXCAP;ATI TV Wonder Pro A/V Capture;c:\windows\SYSTEM32\DRIVERS\aticxcap.sys [4/30/2005 7:51 PM 173824]
    R3 ATICXTUN;ATI TV Wonder Pro Tuner (Philips 1236 MK3);c:\windows\SYSTEM32\DRIVERS\aticxtun.sys [4/30/2005 7:51 PM 29184]
    R3 ATICXXBR;ATI TV Wonder Pro A/V Crossbar;c:\windows\SYSTEM32\DRIVERS\aticxxbr.sys [4/30/2005 7:51 PM 9088]
    S1 SABKUTIL;SABKUTIL;\??\c:\program files\SUPERAntiSpyware\SABKUTIL.sys --> c:\program files\SUPERAntiSpyware\SABKUTIL.sys [?]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]
    S2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [1/27/2010 12:22 PM 12856]
    S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;"c:\program files\McAfee\SiteAdvisor\McSACore.exe" --> c:\program files\McAfee\SiteAdvisor\McSACore.exe [?]
    S3 DMSKSSRh;DMSKSSRh;\??\c:\docume~1\Doug\LOCALS~1\Temp\DMSKSSRh.sys --> c:\docume~1\Doug\LOCALS~1\Temp\DMSKSSRh.sys [?]
    S3 Gupta SQLBase Resource Manager Server2;Gupta SQLBase Resource Manager Server2;c:\sqlbase\SQLBrm.exe [6/20/2006 9:43 AM 98304]
    S3 Gupta SQLBase Server2;Gupta SQLBase Server2;c:\sqlbase\dbntsrv.exe [6/20/2006 9:43 AM 1138688]
    S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]
    .
    Contents of the 'Scheduled Tasks' folder

    2009-09-27 c:\windows\Tasks\Microsoft_Hardware_Launch_IType_exe.job
    - c:\program files\Microsoft IntelliType Pro\itype.exe [2007-08-31 19:13]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/
    uInternet Connection Wizard,ShellNext = hxxp://www.dell4me.com/myway
    uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
    IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
    IE: Open with ScanSoft PDF Converter 4.0 - c:\program files\ScanSoft\PDF Professional 4.0\cnvres_eng.dll /100
    IE: Sothink SWF Catcher - c:\program files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
    IE: {{C30A71CA-D397-4B9A-BE24-C38E4216A562} - c:\program files\Bytescout SWF To Video Scout\flashextract.exe
    FF - ProfilePath - c:\documents and settings\Doug\Application Data\Mozilla\Firefox\Profiles\fuqy6uyf.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
    FF - prefs.js: keyword.URL - hxxp://www.google.com/search?q=
    FF - plugin: c:\documents and settings\Doug\Application Data\Mozilla\Firefox\Profiles\fuqy6uyf.default\extensions\LogMeInClient@logmein.com\plugins\npRACtrl.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npatgpc.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\NPMGWRAP.DLL
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npstrlnk.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

    ---- FIREFOX POLICIES ----
    FF - user.js: dom.disable_open_during_load - true // Popupblocker control handled by McAfee Privacy Service
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
    c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
    c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2010-08-25 23:25
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
    @Denied: (2) (LocalSystem)
    "88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,06,64,b6,bc,8b,fb,0f,4c,8b,1f,74,\
    "2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
    d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,06,64,b6,bc,8b,fb,0f,4c,8b,1f,74,\

    [HKEY_USERS\S-1-5-21-417677365-355344319-2244582239-1005\Software\Microsoft\SystemCertificates\AddressBook*]
    @Allowed: (Read) (RestrictedCode)
    @Allowed: (Read) (RestrictedCode)

    [HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
    "SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
    00,5c,00,4d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,79,00,73,00,\
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(1384)
    c:\program files\SUPERAntiSpyware\SASWINLO.DLL
    c:\windows\system32\WININET.dll
    c:\windows\system32\LMIinit.dll

    - - - - - - - > 'explorer.exe'(3496)
    c:\windows\system32\WININET.dll
    c:\windows\system32\ieframe.dll
    c:\windows\system32\webcheck.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    .
    Completion time: 2010-08-25 23:31:02
    ComboFix-quarantined-files.txt 2010-08-26 03:30
    ComboFix2.txt 2010-08-25 22:36

    Pre-Run: 10,810,093,568 bytes free
    Post-Run: 10,776,109,056 bytes free

    - - End Of File - - 81490A08FCA814076D109359FBEF85F1
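The ComboFix run above reports "Bootkit Whistler was found and disinfected" on both \\.\PhysicalDrive0 and \\.\PhysicalDrive1, which is exactly the region (sector 0, the MBR) that MBRCheck flagged earlier in the thread. The following Python script is an added example written for this page; it is not code from ComboFix, MBRCheck, Bootkit Remover or anyone in the thread. It shows the kind of post-cleanup verification a defender can run on a boot sector: confirm the 0x55AA signature, sanity-check the partition table (valid status bytes, at most one active entry, no overlapping entries) and compare a SHA-256 of the 440-byte boot-code region against a baseline hash recorded on a known-clean machine. The sector it checks is constructed in the script (a byte pattern standing in for the boot loader, a made-up disk signature and a two-partition layout loosely modelled on the boot.ini in the log); none of it is real disk content from this machine, and no real bootkit bytes appear. `read_mbr` is included only to show how sector 0 of a real drive would be fed in; it needs administrator rights and is not called by the offline demo.

```python
import hashlib
import struct
from typing import Dict, List, Set

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440      # bytes 0..439 hold the boot loader code
PART_TABLE_OFF = 446     # four 16-byte partition entries follow the disk signature
BOOT_SIG_OFF = 510       # trailing 0x55 0xAA signature
PART_FMT = "<B3xB3xII"   # status, CHS start (skipped), type, CHS end (skipped), LBA start, length


def read_mbr(device_path: str) -> bytes:
    """Read sector 0 of a raw device, e.g. r"\\\\.\\PhysicalDrive0" on Windows or
    "/dev/sda" on Linux. Needs administrator/root rights; the offline demo below
    never calls it."""
    with open(device_path, "rb") as dev:
        return dev.read(SECTOR_SIZE)


def parse_partition_table(sector: bytes) -> List[Dict[str, int]]:
    """Decode the four MBR partition entries into dicts."""
    entries = []
    for i in range(4):
        status, ptype, lba_start, length = struct.unpack_from(
            PART_FMT, sector, PART_TABLE_OFF + 16 * i)
        entries.append({"status": status, "type": ptype,
                        "lba_start": lba_start, "sectors": length})
    return entries


def boot_code_hash(sector: bytes) -> str:
    """SHA-256 of the code region only: the disk signature and partition table
    legitimately differ between machines, so they are kept out of the baseline."""
    return hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest()


def check_mbr(sector: bytes, known_good: Set[str]) -> List[str]:
    """Return a list of findings; an empty list means the sector passed every check."""
    findings = []
    if len(sector) != SECTOR_SIZE:
        return ["sector is %d bytes, expected %d" % (len(sector), SECTOR_SIZE)]
    if sector[BOOT_SIG_OFF:BOOT_SIG_OFF + 2] != b"\x55\xaa":
        findings.append("missing 0x55AA boot signature")
    parts = parse_partition_table(sector)
    if any(p["status"] not in (0x00, 0x80) for p in parts):
        findings.append("partition entry with invalid status byte")
    if sum(1 for p in parts if p["status"] == 0x80) > 1:
        findings.append("more than one active partition")
    used = sorted((p for p in parts if p["type"] != 0), key=lambda p: p["lba_start"])
    for a, b in zip(used, used[1:]):
        if a["lba_start"] + a["sectors"] > b["lba_start"]:
            findings.append("overlapping partition entries")
            break
    if boot_code_hash(sector) not in known_good:
        findings.append("boot code hash not in known-good set")
    return findings


def build_sector(boot_code: bytes, parts) -> bytes:
    """Assemble a constructed 512-byte MBR for the demo (not a real boot sector)."""
    sec = bytearray(SECTOR_SIZE)
    sec[:BOOT_CODE_LEN] = boot_code[:BOOT_CODE_LEN].ljust(BOOT_CODE_LEN, b"\x00")
    sec[440:444] = b"\x11\x22\x33\x44"           # constructed disk signature
    for i, (status, ptype, start, length) in enumerate(parts):
        struct.pack_into(PART_FMT, sec, PART_TABLE_OFF + 16 * i, status, ptype, start, length)
    sec[BOOT_SIG_OFF:] = b"\x55\xaa"
    return bytes(sec)


# Constructed sample data (assumptions for the demo, not content of the drives in
# this thread): a byte pattern stands in for the boot loader, and the layout is a
# small utility partition followed by the Windows partition(2) named in boot.ini.
CLEAN_CODE = (bytes(range(256)) * 2)[:BOOT_CODE_LEN]
PARTS = [(0x00, 0xDE, 63, 80262), (0x80, 0x07, 80325, 20000000)]
CLEAN_SECTOR = build_sector(CLEAN_CODE, PARTS)
BASELINE = {boot_code_hash(CLEAN_SECTOR)}    # hash recorded on a known-clean machine

# Same partition table, but eight bytes of boot code differ from the baseline
TAMPERED_SECTOR = build_sector(CLEAN_CODE[:16] + b"\x00" * 8 + CLEAN_CODE[24:], PARTS)
# Two entries flagged active, which a valid MBR never has
TWO_ACTIVE_SECTOR = build_sector(
    CLEAN_CODE, [(0x80, 0xDE, 63, 80262), (0x80, 0x07, 80325, 20000000)])

if __name__ == "__main__":
    for name, sec in (("clean", CLEAN_SECTOR), ("tampered", TAMPERED_SECTOR),
                      ("two-active", TWO_ACTIVE_SECTOR)):
        print("%-10s %s" % (name, check_mbr(sec, BASELINE) or "OK"))
```

The baseline set is the important part: a boot-code hash only tells you something if it was captured from a drive you trust (a fresh install, or a published hash for that OS version and disk vendor), and it must be recorded per drive because OEM and third-party boot managers ship different code. The structural checks catch only gross corruption; a clean hash match plus a sane partition table is what a "disinfected" result like the one in the log should leave behind.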
     
  6. dbuerkle

    dbuerkle TS Rookie Topic Starter

    Second log.

    JavaRa 1.16 Removal Log.

    Report follows after line.

    ------------------------------------

    The JavaRa removal process was started on Thu Aug 26 22:17:25 2010

    Found and removed: C:\Program Files\Java\j2re1.4.2_03

    Found and removed: C:\WINDOWS\Installer\{7148F0A8-6813-11D6-A77B-00B0D0142030}

    Found and removed: SOFTWARE\JavaSoft\Java Runtime Environment\1.4

    Found and removed: SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}

    Found and removed: SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBB}

    Found and removed: SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBC}

    Found and removed: SOFTWARE\Classes\Installer\Features\8A0F842331866D117AB7000B0D610003

    Found and removed: SOFTWARE\Classes\Installer\UpgradeCodes\7A0F842331866D117AB7000B0D610003

    Found and removed: SOFTWARE\Classes\JavaPlugin.160_03

    Found and removed: SOFTWARE\JavaSoft\Java Plug-in\1.6.0_03

    Found and removed: SOFTWARE\JavaSoft\Java Runtime Environment\1.6.0_03

    Found and removed: SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}

    Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UpgradeCodes\7A0F842331866D117AB7000B0D610003

    Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\ACBB9B2318A96D117A58000B0D610003

    Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\8A0F842331866D117AB7000B0D610003

    Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3248F0A8-6813-11D6-A77B-00B0D0160030}

    Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{7148F0A8-6813-11D6-A77B-00B0D0142030}

    Found and removed: SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA}

    Found and removed: SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0003-ABCDEFFEDCBB}

    Found and removed: SOFTWARE\Classes\Installer\Products\8A0F841731866D117AB7000B0D410203

    Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\8A0F841731866D117AB7000B0D410203

    Found and removed: SOFTWARE\Classes\JavaPlugin.142_03

    Found and removed: SOFTWARE\JavaSoft\Java Plug-in\1.4.2_03

    Found and removed: SOFTWARE\JavaSoft\Java Runtime Environment\1.4.2_03

    Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.0.1

    Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.0.1_02

    Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.0.1_03

    Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.0.1_04

    Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.4.2_03

    Found and removed: Software\Classes\JavaPlugin.142_03

    Found and removed: Software\Classes\JavaPlugin.160_03

    Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0000-0003-ABCDEFFEDCBA}

    Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0000-0004-ABCDEFFEDCBA}

    Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0000-0005-ABCDEFFEDCBA}

    Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\\C:\Program Files\Java\jre1.6.0_03\

    Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\\C:\Program Files\Java\jre1.6.0_03\bin\

    Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.2

    Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.2.0_01

    Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.6.0_03

    Found and removed: Software\JavaSoft\Java2D\1.6.0_03

    Found and removed: Software\JavaSoft\Java Runtime Environment\1.6.0_03

    Found and removed: SOFTWARE\Classes\Installer\Products\8A0F842331866D117AB7000B0D610003

    Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0000-ABCDEFFEDCBA}

    Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0001-ABCDEFFEDCBA}

    Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0001-ABCDEFFEDCBB}

    Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0002-ABCDEFFEDCBA}

    Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0002-ABCDEFFEDCBB}

    Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0003-ABCDEFFEDCBA}

    Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0003-ABCDEFFEDCBB}

    Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0004-ABCDEFFEDCBA}

    Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0004-ABCDEFFEDCBB}

    Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0005-ABCDEFFEDCBA}

    Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0005-ABCDEFFEDCBB}

    Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0006-ABCDEFFEDCBA}

    Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0006-ABCDEFFEDCBB}

    Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0007-ABCDEFFEDCBA}

    Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0007-ABCDEFFEDCBB}

    Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0008-ABCDEFFEDCBA}

    Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0008-ABCDEFFEDCBB}

    Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0009-ABCDEFFEDCBA}

    Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0009-ABCDEFFEDCBB}

    Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0010-ABCDEFFEDCBA}

    Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0010-ABCDEFFEDCBB}

    Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0011-ABCDEFFEDCBA}

    Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0011-ABCDEFFEDCBB}

    Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0012-ABCDEFFEDCBA}

    Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0012-ABCDEFFEDCBB}

    Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0013-ABCDEFFEDCBA}

    Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0013-ABCDEFFEDCBB}

    ------------------------------------

    Finished reporting.
     
  7. crunchie

    crunchie Malware Helper Posts: 728

    Download Bootkit Remover to your Desktop.

    • You then need to extract the remover.exe file from the RAR using a program capable of extracting RAR compressed files. If you don't have an extraction program, you can use 7-Zip: http://www.7-zip.org/
    • After extracting remover.exe to your Desktop, double-click on remover.exe to run the program (Vista/7 users, right click on remover.exe and click Run As Administrator).
    • It will show a Black screen with some data on it.
    • Right click on the screen and click Select All.
    • Press CTRL+C
    • Open a Notepad and press CTRL+V
    • Post the output back here.
     
  8. dbuerkle

    dbuerkle TS Rookie Topic Starter

    Bootkit remover log

    Bootkit Remover
    (c) 2009 eSage Lab
    www.esagelab.com

    Program version: 1.1.0.0
    OS Version: Microsoft Windows XP Professional Service Pack 3 (build 2600)

    System volume is \\.\C:
    \\.\C: -> \\.\PhysicalDrive0 at offset 0x00000000`03ec1000
    Boot sector MD5 is: 6def5ffcbcdbdb4082f1015625e597bd

    Size Device Name MBR Status
    --------------------------------------------
    232 GB \\.\PhysicalDrive0 OK (DOS/Win32 Boot code found)


    Done;
    Press any key to quit...
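    The kind of MBR check the Bootkit Remover log above reports (boot sector hash, boot code present, system volume at a given offset) can be reproduced in a few lines. This is an added example, not part of the thread and not eSage Lab's code: it parses a constructed 512-byte MBR, compares its MD5 against a baseline hash recorded while the machine was clean, and cross-checks the bootable partition's start LBA against the system volume offset 0x03ec1000 taken from the log. The sample sector, the placeholder boot code bytes and the baseline workflow are assumptions.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xAA"
# Byte offset of \\.\C: on PhysicalDrive0 as reported in the log above.
SYSTEM_VOLUME_OFFSET = 0x03EC1000


def build_sample_mbr(boot_code=b"\x33\xC0\x8E\xD0\xBC\x00\x7C"):
    """Constructed 512-byte MBR (not captured from the poster's machine):
    placeholder boot code, one bootable NTFS partition whose start LBA
    matches SYSTEM_VOLUME_OFFSET, and the 0x55AA signature."""
    mbr = bytearray(SECTOR_SIZE)
    mbr[: len(boot_code)] = boot_code
    start_lba = SYSTEM_VOLUME_OFFSET // SECTOR_SIZE  # 128520
    # Entry 0: status 0x80 (bootable), CHS fields zeroed, type 0x07 (NTFS).
    mbr[446:462] = struct.pack("<B3sB3sII", 0x80, b"\0\0\0", 0x07, b"\0\0\0",
                               start_lba, 0x1D1C0000)
    mbr[510:512] = BOOT_SIGNATURE
    return bytes(mbr)


def parse_mbr(sector):
    """Return the boot-sector MD5 and the non-empty partition entries."""
    if len(sector) != SECTOR_SIZE or sector[510:512] != BOOT_SIGNATURE:
        raise ValueError("not a 512-byte sector with a 0x55AA signature")
    partitions = []
    for i in range(4):
        off = 446 + 16 * i
        status, ptype, lba, count = struct.unpack("<B3xB3xII", sector[off:off + 16])
        if ptype:
            partitions.append({"index": i, "bootable": status == 0x80,
                               "type": ptype, "start_lba": lba, "sectors": count})
    return {"md5": hashlib.md5(sector).hexdigest(), "partitions": partitions}


def check_mbr(sector, known_good_md5, system_volume_offset=SYSTEM_VOLUME_OFFSET):
    """Compare a freshly read MBR with a baseline hash taken while clean and
    cross-check the partition table against the OS-reported system volume
    offset. Returns a list of findings; an empty list means no change seen."""
    info = parse_mbr(sector)
    findings = []
    if info["md5"] != known_good_md5:
        findings.append("boot sector MD5 changed: %s" % info["md5"])
    bootable = [p for p in info["partitions"] if p["bootable"]]
    if len(bootable) != 1:
        findings.append("expected one bootable partition, found %d" % len(bootable))
    elif bootable[0]["start_lba"] * SECTOR_SIZE != system_volume_offset:
        findings.append("bootable partition does not start at the system volume offset")
    return findings
```

    A bootkit such as the ones named in this thread rewrites the 446-byte boot code while leaving the partition table intact, so the hash comparison is what catches it; the offset check catches a relocated or added bootable entry.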
     
  9. crunchie

    crunchie Malware Helper Posts: 728

    That looks ok.

    Please run the ESET Online Scanner and post the ScanLog with your post for assistance.
    • You will need to use Internet Explorer to complete this scan.
    • You will need to temporarily Disable your current Anti-virus program.
    • Be sure the option to Remove found threats is Un-checked at this time (we may have it clean what it finds at a later time), and the option to Scan unwanted applications is Checked.
    • When you have completed that scan, a scanlog ought to have been created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please post that log for us as directed below.

    NOTE: If you are unable to complete the ESET scan, please try another from the list below:

     
  10. dbuerkle

    dbuerkle TS Rookie Topic Starter

    Eset Scan Log

    I have Eset as my AV program, so I used it rather than the online scan.

    Full Log is attached due to size problem.

    No infected objects.
     

    Attached Files:

  11. crunchie

    crunchie Malware Helper Posts: 728

    Sorry, but no zip attachments thank you :).

    Can you update me on how the PC is, please?
     
Topic Status:
Not open for further replies.
