Inactive Win32/Mebroot, tombirdswithhair.com and Whistler / Black Internet help needed

dbuerkle

I use ESET Smart Security 4 and it informed me I had a Win32/Mebroot Trojan virus in memory and it could not clean the virus.
I tried several AV programs to get rid of it and Microsoft Security Essentials did the trick.

Now I keep getting an ESET warning that an address "www.tombirdswithhair.com/banner2" 178.17.162.242 is being blocked, and the PC freezes for minutes at a time.
I redirected www.tombirdswithhair.com to 127.0.0.1 using the hosts file and that stops the block warning, but my system is still freezing up.

I ran MBRCheck and it said I have "Whistler / Black Internet" in the MBR of both hard drives.

Thanks in advance for your assistance.

Some logs attached due to size limits

##########################################################################
Step 1: Antivirus scanning
I ran ESET, SUPERAntiSpyware and Microsoft Security Essentials and cleaned all problems.
##########################################################################
Step 2: Temporary File Cleaner - I ran this.
##########################################################################
Step 3: Malwarebytes Anti-Malware
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4466

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

8/23/2010 7:16:41 PM
mbam-log-2010-08-23 (19-16-41).txt

Scan type: Quick scan
Objects scanned: 164883
Time elapsed: 38 minute(s), 20 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\All Users\Application Data\sysReserve.ini (Malware.Trace) -> Quarantined and deleted successfully.

##########################################################################

Step 4: GMER Log

Attached

##########################################################################

Step 5: DDS - DDS.txt

Attached
##########################################################################

Step 5: DDS - Attach.txt

Attached
##########################################################################

Additional Step: MBRCheck scan log

MBRCheck, version 1.2.3
(c) 2010, AD

Command-line:
Windows Version: Windows XP Professional
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x0000003d

Kernel Drivers (total 205):
0x804D7000 \WINDOWS\system32\ntkrnlpa.exe
0x806E4000 \WINDOWS\system32\hal.dll
0xF7B12000 \WINDOWS\system32\KDCOM.DLL
0xF7A22000 \WINDOWS\system32\BOOTVID.dll
0xF7612000 ekmeqyw.sys
0xF74E3000 ACPI.sys
0xF7B14000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
0xF74D2000 pci.sys
0xF7622000 isapnp.sys
0xF7BDA000 pciide.sys
0xF7892000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
0xF7B16000 aliide.sys
0xF7B18000 cmdide.sys
0xF7B1A000 toside.sys
0xF7B1C000 viaide.sys
0xF7B1E000 intelide.sys
0xF7632000 MountMgr.sys
0xF74B3000 ftdisk.sys
0xF7B20000 dmload.sys
0xF748D000 dmio.sys
0xF789A000 PartMgr.sys
0xF7642000 VolSnap.sys
0xF7A26000 cpqarray.sys
0xF7475000 \WINDOWS\system32\DRIVERS\SCSIPORT.SYS
0xF73B7000 iaStor.sys
0xF739F000 atapi.sys
0xF7A2A000 aha154x.sys
0xF78A2000 sparrow.sys
0xF7A2E000 symc810.sys
0xF7652000 aic78xx.sys
0xF7A32000 dac960nt.sys
0xF7662000 ql10wnt.sys
0xF7A36000 amsint.sys
0xF78AA000 asc.sys
0xF7A3A000 asc3550.sys
0xF78B2000 mraid35x.sys
0xF78BA000 i2omp.sys
0xF7A3E000 ini910u.sys
0xF7672000 ql1240.sys
0xF7682000 aic78u2.sys
0xF78C2000 symc8xx.sys
0xF78CA000 sym_hi.sys
0xF78D2000 sym_u3.sys
0xF78DA000 ABP480N5.SYS
0xF78E2000 asc3350p.sys
0xF7B22000 cd20xrnt.sys
0xF7692000 ultra.sys
0xF7386000 adpu160m.sys
0xF78EA000 dpti2o.sys
0xF76A2000 ql1080.sys
0xF76B2000 ql1280.sys
0xF76C2000 ql12160.sys
0xF78F2000 perc2.sys
0xF7B24000 perc2hib.sys
0xF78FA000 hpn.sys
0xF7A42000 cbidf2k.sys
0xF735A000 dac2w2k.sys
0xF76D2000 disk.sys
0xF76E2000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
0xF733A000 fltmgr.sys
0xF7325000 drvmcdb.sys
0xF76F2000 PxHelp20.sys
0xF730E000 KSecDD.sys
0xF7281000 Ntfs.sys
0xF7254000 NDIS.sys
0xF7702000 sisagp.sys
0xF7712000 viaagp.sys
0xF7722000 ohci1394.sys
0xF7732000 \WINDOWS\system32\DRIVERS\1394BUS.SYS
0xF723A000 Mup.sys
0xF7742000 agp440.sys
0xF7752000 alim1541.sys
0xF7762000 amdagp.sys
0xF7772000 agpCPQ.sys
0xF7792000 \SystemRoot\system32\DRIVERS\nic1394.sys
0xF6C43000 \SystemRoot\system32\DRIVERS\intelppm.sys
0xF5C4B000 \SystemRoot\system32\DRIVERS\nv4_mini.sys
0xF5C37000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
0xF5C09000 \SystemRoot\system32\DRIVERS\b57xp32.sys
0xF79FA000 \SystemRoot\system32\DRIVERS\usbuhci.sys
0xF5BE5000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0xF7A02000 \SystemRoot\system32\DRIVERS\usbehci.sys
0xF796A000 \SystemRoot\system32\DRIVERS\usbohci.sys
0xF5BBA000 \SystemRoot\system32\drivers\aticxcap.sys
0xF6C33000 \SystemRoot\system32\drivers\STREAM.SYS
0xF5B97000 \SystemRoot\system32\drivers\ks.sys
0xF5B1D000 \SystemRoot\system32\drivers\ctaud2k.sys
0xF5AF9000 \SystemRoot\system32\drivers\portcls.sys
0xF6C23000 \SystemRoot\system32\drivers\drmk.sys
0xF5AC6000 \SystemRoot\system32\drivers\ctoss2k.sys
0xF7A0A000 \SystemRoot\System32\drivers\ctprxy2k.sys
0xF7090000 \SystemRoot\system32\DRIVERS\gameenum.sys
0xF7A12000 \SystemRoot\system32\DRIVERS\fdc.sys
0xF5AB2000 \SystemRoot\system32\DRIVERS\parport.sys
0xF6C13000 \SystemRoot\system32\DRIVERS\serial.sys
0xF708C000 \SystemRoot\system32\DRIVERS\serenum.sys
0xF7A1A000 \SystemRoot\system32\drivers\Afc.sys
0xF7B66000 \SystemRoot\system32\drivers\sscdbhk5.sys
0xF6569000 \SystemRoot\system32\DRIVERS\cdrom.sys
0xF7902000 \SystemRoot\System32\Drivers\GEARAspiWDM.sys
0xF7CCB000 \SystemRoot\system32\DRIVERS\lmimirr.sys
0xF5A97000 \SystemRoot\system32\DRIVERS\dne2000.sys
0xF6559000 \SystemRoot\system32\DRIVERS\Epfwndis.sys
0xF7CCC000 \SystemRoot\system32\DRIVERS\audstub.sys
0xF6549000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0xF7088000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0xF5A80000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0xF6539000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0xF6529000 \SystemRoot\system32\DRIVERS\raspptp.sys
0xF7912000 \SystemRoot\system32\DRIVERS\TDI.SYS
0xF5A6F000 \SystemRoot\system32\DRIVERS\psched.sys
0xF6519000 \SystemRoot\system32\DRIVERS\msgpc.sys
0xF791A000 \SystemRoot\system32\DRIVERS\ptilink.sys
0xF7922000 \SystemRoot\system32\DRIVERS\raspti.sys
0xF5A3F000 \SystemRoot\system32\DRIVERS\rdpdr.sys
0xF77D2000 \SystemRoot\system32\DRIVERS\termdd.sys
0xF79C2000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0xF79CA000 \SystemRoot\system32\DRIVERS\mouclass.sys
0xF7BCE000 \SystemRoot\system32\DRIVERS\swenum.sys
0xF33CD000 \SystemRoot\system32\DRIVERS\update.sys
0xF70A8000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0xF79D2000 \SystemRoot\system32\DRIVERS\omci.sys
0xF77E2000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xF7802000 \SystemRoot\system32\DRIVERS\usbhub.sys
0xF7BD0000 \SystemRoot\system32\DRIVERS\USBD.SYS
0xEE293000 \SystemRoot\system32\drivers\aticxtun.sys
0xEEF06000 \SystemRoot\system32\drivers\aticxxbr.sys
0xEC2E3000 \SystemRoot\System32\drivers\hap16v2k.sys
0xEC1DF000 \SystemRoot\System32\drivers\ha10kx2k.sys
0xEC1B2000 \SystemRoot\System32\drivers\emupia2k.sys
0xEC18B000 \SystemRoot\System32\drivers\ctsfm2k.sys
0xEC0EF000 \SystemRoot\System32\drivers\ctac32k.sys
0xEE28B000 \SystemRoot\system32\DRIVERS\flpydisk.sys
0xEE11D000 \SystemRoot\System32\Drivers\i2omgmt.SYS
0xEC0A4000 \SystemRoot\system32\DRIVERS\MpFilter.sys
0xEEBB5000 \SystemRoot\system32\DRIVERS\usbccgp.sys
0xEEF22000 \SystemRoot\System32\Drivers\cdrbsvsd.SYS
0xF7BC6000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xEF9CB000 \SystemRoot\System32\Drivers\Null.SYS
0xF7BC8000 \SystemRoot\System32\Drivers\Beep.SYS
0xEEBA5000 \SystemRoot\system32\drivers\ssrtln.sys
0xF0EEF000 \SystemRoot\system32\DRIVERS\ehdrv.sys
0xEEB9D000 \SystemRoot\system32\DRIVERS\HIDPARSE.SYS
0xEEB95000 \SystemRoot\System32\drivers\vga.sys
0xF7BCA000 \SystemRoot\System32\Drivers\mnmdd.SYS
0xF7BCC000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0xEEB8D000 \SystemRoot\System32\Drivers\Msfs.SYS
0xEE2AB000 \SystemRoot\System32\Drivers\Npfs.SYS
0xEEF16000 \SystemRoot\system32\DRIVERS\rasacd.sys
0xF0E1C000 \SystemRoot\system32\DRIVERS\ipsec.sys
0xF0DC3000 \SystemRoot\system32\DRIVERS\tcpip.sys
0xF0DB0000 \SystemRoot\system32\DRIVERS\epfwtdi.sys
0xF0D88000 \SystemRoot\system32\DRIVERS\netbt.sys
0xEEF12000 \SystemRoot\System32\drivers\ws2ifsl.sys
0xF0D42000 \SystemRoot\System32\drivers\afd.sys
0xEFA53000 \SystemRoot\system32\DRIVERS\netbios.sys
0xF0D20000 \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS
0xEE2A3000 \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
0xF0CF5000 \SystemRoot\system32\DRIVERS\rdbss.sys
0xF0C85000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0xEFA23000 \SystemRoot\System32\Drivers\Fips.SYS
0xEFA13000 \SystemRoot\system32\DRIVERS\wanarp.sys
0xEFA03000 \SystemRoot\system32\DRIVERS\arp1394.sys
0xEDD6A000 \SystemRoot\system32\DRIVERS\usbscan.sys
0xEDD66000 \SystemRoot\system32\DRIVERS\hidusb.sys
0xEF9E3000 \SystemRoot\system32\DRIVERS\HIDCLASS.SYS
0xEFF12000 \SystemRoot\system32\DRIVERS\kbdhid.sys
0xEFF0E000 \SystemRoot\system32\DRIVERS\mouhid.sys
0xEF477000 \SystemRoot\system32\DRIVERS\usbprint.sys
0xEF3F1000 \SystemRoot\System32\Drivers\Cdfs.SYS
0xEBFE6000 \SystemRoot\System32\Drivers\dump_iaStor.sys
0xBF800000 \SystemRoot\System32\win32k.sys
0xEF7F2000 \SystemRoot\System32\drivers\Dxapi.sys
0xEF45F000 \SystemRoot\System32\watchdog.sys
0xBF000000 \SystemRoot\System32\drivers\dxg.sys
0xF7C84000 \SystemRoot\System32\drivers\dxgthk.sys
0xBF012000 \SystemRoot\System32\nv4_disp.dll
0xBFFA0000 \SystemRoot\System32\ATMFD.DLL
0xB96E3000 \SystemRoot\system32\DRIVERS\eamon.sys
0xF6027000 \SystemRoot\system32\drivers\drvnddm.sys
0xF7D48000 \SystemRoot\system32\dla\tfsndres.sys
0xB96CD000 \SystemRoot\system32\dla\tfsnifs.sys
0xF7AEE000 \SystemRoot\system32\dla\tfsnopio.sys
0xF4E9B000 \SystemRoot\system32\dla\tfsnpool.sys
0xEEF37000 \SystemRoot\system32\dla\tfsnboio.sys
0xF6017000 \SystemRoot\system32\dla\tfsncofs.sys
0xF7C51000 \SystemRoot\system32\dla\tfsndrct.sys
0xB96B4000 \SystemRoot\system32\dla\tfsnudf.sys
0xB969B000 \SystemRoot\system32\dla\tfsnudfa.sys
0xB9678000 \SystemRoot\system32\DRIVERS\epfw.sys
0xB8E23000 \SystemRoot\system32\DRIVERS\mrxdav.sys
0xF623D000 \SystemRoot\System32\drivers\BrPar.sys
0xEF7E2000 \SystemRoot\System32\Drivers\ASPI32.SYS
0xB8CD6000 \??\C:\WINDOWS\system32\Drivers\CVPNDRVA.sys
0xB8C6D000 \SystemRoot\System32\Drivers\HTTP.sys
0xF7B3C000 \??\C:\Program Files\LogMeIn\x86\RaInfo.sys
0xB8B6E000 \SystemRoot\system32\DRIVERS\srv.sys
0xB8A91000 \SystemRoot\system32\drivers\wdmaud.sys
0xF7872000 \SystemRoot\system32\drivers\sysaudio.sys
0xB884A000 \SystemRoot\system32\DRIVERS\mdmxsdk.sys
0xB8807000 \??\C:\WINDOWS\system32\drivers\PfModNT.sys
0xF7B88000 \??\C:\WINDOWS\system32\Drivers\Vcs.sys
0xB770E000 \SystemRoot\System32\Drivers\Fastfat.SYS
0xB630B000 \SystemRoot\system32\drivers\kmixer.sys
0x7C900000 \WINDOWS\SYSTEM32\ntdll.dll

Processes (total 48):
0 System Idle Process
4 System
1268 C:\WINDOWS\SYSTEM32\smss.exe
1320 csrss.exe
1348 C:\WINDOWS\SYSTEM32\winlogon.exe
1392 C:\WINDOWS\SYSTEM32\services.exe
1404 C:\WINDOWS\SYSTEM32\lsass.exe
1596 C:\WINDOWS\SYSTEM32\svchost.exe
1716 svchost.exe
1868 C:\Program Files\Microsoft Security Essentials\MsMpEng.exe
1904 C:\WINDOWS\SYSTEM32\svchost.exe
2032 svchost.exe
476 C:\WINDOWS\SYSTEM32\spoolsv.exe
632 C:\WINDOWS\SYSTEM32\svchost.exe
644 svchost.exe
684 C:\Program Files\Seagate\Basics\Service\SyncServicesBasics.exe
912 C:\WINDOWS\SYSTEM32\CTSVCCDA.EXE
944 C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
1048 C:\Program Files\ESET\ESET Smart Security\ekrn.exe
1064 C:\WINDOWS\SYSTEM32\svchost.exe
1140 C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
1204 C:\WINDOWS\SYSTEM32\imapi.exe
1236 C:\Program Files\LogMeIn\x86\ramaint.exe
1620 C:\Program Files\LogMeIn\x86\LogMeIn.exe
576 C:\Program Files\LogMeIn\x86\LMIGuardian.exe
588 C:\WINDOWS\explorer.exe
1552 C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
2144 C:\WINDOWS\SYSTEM32\nvsvc32.exe
2448 C:\WINDOWS\SYSTEM32\svchost.exe
2728 C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
2844 C:\Program Files\Canon\CAL\CALMAIN.exe
3304 C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
3424 C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.exe
3600 C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
3616 C:\Program Files\Dell\Media Experience\DMXLauncher.exe
3688 C:\PROGRA~1\MICROS~4\GAMECO~1\Common\SWTrayV4.EXE
3740 C:\WINDOWS\SYSTEM32\dla\tfswctrl.exe
3760 C:\WINDOWS\CTHELPER.EXE
3872 C:\Program Files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe
3880 C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
3976 C:\Program Files\ESET\ESET Smart Security\egui.exe
4080 C:\Program Files\Microsoft Security Essentials\msseces.exe
2380 C:\Program Files\LogMeIn\x86\LMIGuardian.exe
3500 C:\WINDOWS\SYSTEM32\ctfmon.exe
3576 C:\Program Files\ATI Multimedia\main\atidtct.exe
3716 C:\WINDOWS\SYSTEM32\svchost.exe
340 C:\Program Files\Mozilla Firefox\firefox.exe
4064 C:\Temp\Virus\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`03ec1000 (NTFS)
\\.\D: --> \\.\PhysicalDrive1 at offset 0x00000000`00007e00 (NTFS)

PhysicalDrive0 Model Number: WDCWD2500JD-75HBB0, Rev: 08.02D08
PhysicalDrive1 Model Number: WDCWD1001FALS-00J7B0, Rev: 05.00K05

Size Device Name MBR Status
--------------------------------------------
232 GB \\.\PhysicalDrive0 Known-bad MBR code detected (Whistler / Black Internet)!
SHA1: 610C151EA6600B4828D09565D95688B3829C12B2
931 GB \\.\PhysicalDrive1 Known-bad MBR code detected (Whistler / Black Internet)!
SHA1: 610C151EA6600B4828D09565D95688B3829C12B2


Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit:
 

Attachments

  • gmer.log
  • DDS.txt
  • Attach.txt
  • MBRCheck_08.23.10_20.56.23.txt
Hi and welcome to TechSpot forums :).

====

Please download ComboFix by sUBs from HERE or HERE
  • You must download it to and run it from your Desktop
  • Physically disconnect from the internet.
  • Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
  • Double click combofix.exe & follow the prompts.
  • When finished, it will produce a log. Please save that log to post in your next reply.
  • Re-enable all the programs that were disabled during the running of ComboFix.

Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Run Combofix ONCE only!!
 
Combofix results

ComboFix 10-08-24.0B - Doug 08/25/2010 18:16:46.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.678 [GMT -4:00]
Running from: c:\documents and settings\Doug\Desktop\ComboFix.exe
AV: ESET Smart Security 4.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
AV: Microsoft Security Essentials *On-access scanning disabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
FW: ESET Personal firewall *enabled* {E5E70D32-0101-4340-86A3-A7B0F1C8FFE0}
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Doug\Local Settings\Application Data\{7C8A121C-08AB-4D6A-B8E4-C5DECA20C4D2}
c:\documents and settings\Doug\Local Settings\Application Data\{7C8A121C-08AB-4D6A-B8E4-C5DECA20C4D2}\chrome.manifest
c:\documents and settings\Doug\Local Settings\Application Data\{7C8A121C-08AB-4D6A-B8E4-C5DECA20C4D2}\chrome\content\_cfg.js
c:\documents and settings\Doug\Local Settings\Application Data\{7C8A121C-08AB-4D6A-B8E4-C5DECA20C4D2}\chrome\content\c.js
c:\documents and settings\Doug\Local Settings\Application Data\{7C8A121C-08AB-4D6A-B8E4-C5DECA20C4D2}\chrome\content\overlay.xul
c:\documents and settings\Doug\Local Settings\Application Data\{7C8A121C-08AB-4D6A-B8E4-C5DECA20C4D2}\install.rdf
c:\windows\system32\gotomon.log

.
\\.\PhysicalDrive0 - Bootkit Whistler was found and disinfected
\\.\PhysicalDrive1 - Bootkit Whistler was found and disinfected
.
\\.\PhysicalDrive0 - Bootkit Whistler was found and disinfected
\\.\PhysicalDrive1 - Bootkit Whistler was found and disinfected
.
((((((((((((((((((((((((( Files Created from 2010-07-25 to 2010-08-25 )))))))))))))))))))))))))))))))
.

2010-08-24 00:30 . 2010-08-24 00:30 -------- d-----w- c:\documents and settings\All Users\Application Data\F-Secure
2010-08-23 17:51 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-08-23 17:51 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-08-23 17:51 . 2010-08-23 17:51 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-08-20 04:00 . 2010-08-20 04:00 -------- d-----w- C:\found.001
2010-08-18 02:54 . 2010-08-18 02:54 -------- d-----w- c:\windows\Internet Logs
2010-08-17 18:21 . 2010-08-17 18:21 -------- d-----w- c:\documents and settings\Doug\Application Data\CheckPoint
2010-08-17 18:21 . 2010-08-17 18:21 -------- d-----w- c:\program files\CheckPoint
2010-08-17 18:21 . 2010-08-17 18:21 4212 ---ha-w- c:\windows\system32\zllictbl.dat
2010-08-11 22:36 . 2010-08-11 22:36 -------- d-----w- C:\found.000
2010-08-10 20:18 . 2010-08-10 20:18 -------- d-----w- c:\windows\system32\DRM
2010-07-31 12:47 . 2010-06-01 17:37 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-07-31 12:41 . 2010-07-31 12:42 -------- d-----w- c:\program files\Microsoft Security Essentials
2010-07-31 12:41 . 2009-08-06 23:23 274288 ----a-w- c:\windows\system32\mucltui.dll
2010-07-28 02:00 . 2010-07-28 02:00 -------- d-sh--w- c:\documents and settings\Doug\IECompatCache
2010-07-27 02:01 . 2010-08-12 19:19 63488 ----a-w- c:\documents and settings\Doug\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
2010-07-27 02:01 . 2010-07-27 02:01 52224 ----a-w- c:\documents and settings\Doug\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-07-27 02:01 . 2010-08-12 19:19 117760 ----a-w- c:\documents and settings\Doug\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-07-27 01:20 . 2010-07-27 01:19 1129120 ----a-w- c:\documents and settings\All Users\Application Data\STOPzilla!\vdb\vbcorent.dll
2010-07-27 01:17 . 2010-07-27 01:46 -------- d-----w- c:\documents and settings\All Users\Application Data\STOPzilla!

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-25 04:21 . 2010-03-30 04:41 -------- d-----w- c:\program files\LogMeIn
2010-08-24 01:07 . 2007-12-24 15:42 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-08-21 00:24 . 2005-02-22 01:26 -------- d-----w- c:\program files\Visio
2010-08-19 03:19 . 2009-08-06 05:00 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-08-18 13:43 . 2005-02-09 17:53 -------- d-----w- c:\program files\Common Files\Adobe
2010-08-18 12:08 . 2007-03-03 06:04 -------- d-----w- c:\program files\Yahoo!
2010-08-16 21:58 . 2005-02-09 18:48 -------- d-----w- c:\documents and settings\Doug\Application Data\AdobeUM
2010-08-12 04:24 . 2005-12-25 16:53 -------- d-----w- c:\program files\SpywareBlaster
2010-08-11 01:58 . 2009-01-09 06:57 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-08-03 15:29 . 2005-02-15 02:49 -------- d-----w- c:\program files\Microsoft.NET
2010-07-27 02:01 . 2009-01-09 06:57 -------- d-----w- c:\documents and settings\Doug\Application Data\SUPERAntiSpyware.com
2010-07-27 01:29 . 2010-07-27 01:25 600 ----a-w- c:\windows\system32\drivers\kgpcpy.cfg.old
2010-07-11 12:50 . 2004-10-11 16:19 -------- d-----w- c:\program files\Common Files\Logishrd
2010-07-11 12:49 . 2004-10-11 16:18 -------- d-----w- c:\documents and settings\All Users\Application Data\LogiShrd
2010-07-11 12:45 . 2007-05-20 02:20 34 ----a-w- c:\windows\system32\BD5250DN.DAT
2010-06-30 12:31 . 2004-08-04 11:00 149504 ----a-w- c:\windows\system32\schannel.dll
2010-06-24 12:22 . 2004-08-04 11:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-06-23 13:44 . 2004-08-04 11:00 1851904 ----a-w- c:\windows\system32\win32k.sys
2010-06-21 15:27 . 2004-08-04 11:00 354304 ------w- c:\windows\system32\drivers\srv.sys
2010-06-17 14:03 . 2004-08-04 11:00 80384 ----a-w- c:\windows\system32\iccvid.dll
2010-06-14 14:31 . 2004-08-04 11:00 744448 ----a-w- c:\windows\PCHEALTH\HELPCTR\BINARIES\helpsvc.exe
2010-06-14 07:41 . 2004-08-04 11:00 1172480 ----a-w- c:\windows\system32\msxml3.dll
2010-06-02 20:06 . 2010-03-30 04:42 29568 ----a-w- c:\windows\system32\LMIport.dll
2010-06-02 20:06 . 2010-03-30 04:41 87424 ----a-w- c:\windows\system32\LMIinit.dll
2010-06-02 01:45 . 2005-02-14 00:23 1080 ----a-w- c:\windows\AUTOLNCH.REG
2010-06-01 15:44 . 2010-06-22 02:31 3907584 ----a-w- c:\documents and settings\Doug\Application Data\Mozilla\Firefox\Profiles\fuqy6uyf.default\extensions\LogMeInClient@logmein.com\plugins\npRACtrl.dll
2008-11-18 15:12 . 2005-09-21 16:50 27976 ----a-w- c:\program files\mozilla firefox\plugins\atgpcdec.dll
2008-11-18 15:12 . 2005-09-21 16:51 126360 ----a-w- c:\program files\mozilla firefox\plugins\atgpcext.dll
2008-09-22 17:09 . 2008-09-22 17:09 46408 ----a-w- c:\program files\mozilla firefox\plugins\atmccli.dll
2008-09-22 17:09 . 2008-09-22 17:09 98712 ----a-w- c:\program files\mozilla firefox\plugins\ieatgpc.dll
2006-05-03 10:06 . 2008-02-05 22:04 163328 --sh--r- c:\windows\SYSTEM32\flvDX.dll
2007-12-24 16:17 . 2005-05-27 01:47 10856 --sha-w- c:\windows\SYSTEM32\KGyGaAvL.sys
2007-02-21 11:47 . 2008-02-05 22:04 31232 --sh--r- c:\windows\SYSTEM32\msfDX.dll
2007-12-17 13:43 . 2008-02-05 22:04 27648 --sh--w- c:\windows\SYSTEM32\Smab0.dll
2008-02-04 19:26 . 2008-02-05 22:04 151040 --sh--w- c:\windows\SYSTEM32\VistaUltm.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATI DeviceDetect"="c:\program files\ATI Multimedia\main\ATIDtct.EXE" [2005-12-23 57344]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-07-19 2403568]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-02-12 174872]
"CTDVDDET"="c:\program files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE" [2003-06-18 45056]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-10-12 57344]
"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2004-09-15 86016]
"SideWinderTrayV4"="c:\progra~1\MICROS~4\GAMECO~1\Common\SWTrayV4.exe" [2000-06-03 24650]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-08-13 122939]
"PDF4 Registry Controller"="c:\program files\ScanSoft\PDF Professional 4.0\RegistryController.exe" [2006-10-05 46664]
"CTHelper"="CTHELPER.EXE" [2006-08-11 17920]
"CTxfiHlp"="CTXFIHLP.EXE" [2006-08-11 18944]
"basicsmssmenu"="c:\program files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe" [2007-10-09 169328]
"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2010-01-27 63048]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-04-01 5562368]
"egui"="c:\program files\ESET\ESET Smart Security\egui.exe" [2009-05-14 2029640]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2010-06-02 20:06 87424 ----a-w- c:\windows\SYSTEM32\LMIinit.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:mad:xpsp2res.dll,-22009

R1 ehdrv;ehdrv;c:\windows\SYSTEM32\DRIVERS\ehdrv.sys [5/14/2009 3:47 PM 107256]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 2:25 PM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 2:41 PM 67656]
R2 ekrn;ESET Service;c:\program files\ESET\ESET Smart Security\ekrn.exe [5/14/2009 3:47 PM 731840]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [1/27/2010 12:22 PM 12856]
R2 Vcs;Vcs support;c:\windows\SYSTEM32\DRIVERS\Vcs.sys [9/21/2005 10:02 PM 6852]
R3 ATICXCAP;ATI TV Wonder Pro A/V Capture;c:\windows\SYSTEM32\DRIVERS\aticxcap.sys [4/30/2005 7:51 PM 173824]
R3 ATICXTUN;ATI TV Wonder Pro Tuner (Philips 1236 MK3);c:\windows\SYSTEM32\DRIVERS\aticxtun.sys [4/30/2005 7:51 PM 29184]
R3 ATICXXBR;ATI TV Wonder Pro A/V Crossbar;c:\windows\SYSTEM32\DRIVERS\aticxxbr.sys [4/30/2005 7:51 PM 9088]
S1 SABKUTIL;SABKUTIL;\??\c:\program files\SUPERAntiSpyware\SABKUTIL.sys --> c:\program files\SUPERAntiSpyware\SABKUTIL.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]
S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;"c:\program files\McAfee\SiteAdvisor\McSACore.exe" --> c:\program files\McAfee\SiteAdvisor\McSACore.exe [?]
S3 DMSKSSRh;DMSKSSRh;\??\c:\docume~1\Doug\LOCALS~1\Temp\DMSKSSRh.sys --> c:\docume~1\Doug\LOCALS~1\Temp\DMSKSSRh.sys [?]
S3 Gupta SQLBase Resource Manager Server2;Gupta SQLBase Resource Manager Server2;c:\sqlbase\SQLBrm.exe [6/20/2006 9:43 AM 98304]
S3 Gupta SQLBase Server2;Gupta SQLBase Server2;c:\sqlbase\dbntsrv.exe [6/20/2006 9:43 AM 1138688]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]
.
Contents of the 'Scheduled Tasks' folder

2009-09-27 c:\windows\Tasks\Microsoft_Hardware_Launch_IType_exe.job
- c:\program files\Microsoft IntelliType Pro\itype.exe [2007-08-31 19:13]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = hxxp://www.dell4me.com/myway
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
IE: Open with ScanSoft PDF Converter 4.0 - c:\program files\ScanSoft\PDF Professional 4.0\cnvres_eng.dll /100
IE: Sothink SWF Catcher - c:\program files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
IE: {{C30A71CA-D397-4B9A-BE24-C38E4216A562} - c:\program files\Bytescout SWF To Video Scout\flashextract.exe
FF - ProfilePath - c:\documents and settings\Doug\Application Data\Mozilla\Firefox\Profiles\fuqy6uyf.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?q=
FF - plugin: c:\documents and settings\Doug\Application Data\Mozilla\Firefox\Profiles\fuqy6uyf.default\extensions\LogMeInClient@logmein.com\plugins\npRACtrl.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npatgpc.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPMGWRAP.DLL
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npstrlnk.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: dom.disable_open_during_load - true // Popupblocker control handled by McAfee Privacy Service
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-ATI Launchpad - (no file)
AddRemove-Pop-a-BMP-to-ICO_is1 - c:\program files\Pop-a-BMP-to-ICO\unins000.exe
AddRemove-Centura Team Developer Runtime 1.5 - c:\visual\Current\Runtime\tduninst.isu
AddRemove-VISUAL Financials - c:\visual\current\vmfg\vfuninst.isu
AddRemove-VISUAL HR - c:\visual\current\payroll\hruninst.isu
AddRemove-VISUAL Manufacturing - c:\visual\current\VMFG\vmuninst.isu
AddRemove-VISUAL Payroll - c:\visual\current\Payroll\vpuninst.isu



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-08-25 18:29
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,06,64,b6,bc,8b,fb,0f,4c,8b,1f,74,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,06,64,b6,bc,8b,fb,0f,4c,8b,1f,74,\

[HKEY_USERS\S-1-5-21-417677365-355344319-2244582239-1005\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,79,00,73,00,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1336)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
c:\windows\system32\LMIinit.dll
.
Completion time: 2010-08-25 18:36:06
ComboFix-quarantined-files.txt 2010-08-25 22:36

Pre-Run: 10,483,838,976 bytes free
Post-Run: 10,795,704,320 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - E2B323A55493BD21E7278C31A41ED02B
 
1. Please open Notepad
  • Click Start , then Run
  • Type notepad.exe in the Run Box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:
Code:
DDS::
uDefault_Page_URL = hxxp://www.dell4me.com/myway
uInternet Connection Wizard,ShellNext = hxxp://www.dell4me.com/mywa
TB: &Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - 
TB: {EE2AC4E5-B0B0-4EC6-88A9-BCA1A32AB107} - No File

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Save the above as CFScript.txt

4. Physically disconnect from the internet.

5. Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.

6. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

[Animation: CFScript.gif]

7. After reboot (in case it asks to reboot), please post the following reports/logs into your next reply after you re-enable all the programs that were disabled during the running of ComboFix:
  • Combofix.txt
Please take note:

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

==================

Please download JavaRa

If you get this message:
Problems with the download? Please use this direct link or try another mirror.

Select the direct link download and unzip it to your Desktop.

Double click JavaRa.exe then click Remove Older Versions.

Follow any prompts; a log will pop up (JavaRa.log). Please post the contents of this log.

Next, open JavaRa.exe again, and select Search For Updates.

Select Update Using Sun Java's Website --> Search, and continue the instructions for downloading and installing the latest Java version. Look for JDK 6 Update 21 (JDK or JRE). On the right select this one: Download JRE.

In Vista and Windows 7 run the tool as Administrator.

===========

Let me know how the pc is now.
 
PC is running a bit faster.
Here is the first log file.

##############################################

ComboFix 10-08-24.0B - Doug 08/25/2010 23:14:08.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.655 [GMT -4:00]
Running from: c:\documents and settings\Doug\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Doug\Desktop\CFScript.txt
AV: ESET Smart Security 4.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
AV: Microsoft Security Essentials *On-access scanning disabled* (Updated) {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
FW: ESET Personal firewall *disabled* {E5E70D32-0101-4340-86A3-A7B0F1C8FFE0}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
\\.\PhysicalDrive0 - Bootkit Whistler was found and disinfected
\\.\PhysicalDrive1 - Bootkit Whistler was found and disinfected
.
((((((((((((((((((((((((( Files Created from 2010-07-26 to 2010-08-26 )))))))))))))))))))))))))))))))
.

2010-08-24 00:30 . 2010-08-24 00:30 -------- d-----w- c:\documents and settings\All Users\Application Data\F-Secure
2010-08-23 17:51 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-08-23 17:51 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-08-23 17:51 . 2010-08-23 17:51 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-08-20 04:00 . 2010-08-20 04:00 -------- d-----w- C:\found.001
2010-08-18 02:54 . 2010-08-18 02:54 -------- d-----w- c:\windows\Internet Logs
2010-08-17 18:21 . 2010-08-17 18:21 -------- d-----w- c:\documents and settings\Doug\Application Data\CheckPoint
2010-08-17 18:21 . 2010-08-17 18:21 -------- d-----w- c:\program files\CheckPoint
2010-08-17 18:21 . 2010-08-17 18:21 4212 ---ha-w- c:\windows\system32\zllictbl.dat
2010-08-11 22:36 . 2010-08-11 22:36 -------- d-----w- C:\found.000
2010-08-10 20:18 . 2010-08-10 20:18 -------- d-----w- c:\windows\system32\DRM
2010-07-31 12:47 . 2010-06-01 17:37 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-07-31 12:41 . 2010-07-31 12:42 -------- d-----w- c:\program files\Microsoft Security Essentials
2010-07-31 12:41 . 2009-08-06 23:23 274288 ----a-w- c:\windows\system32\mucltui.dll
2010-07-28 02:00 . 2010-07-28 02:00 -------- d-sh--w- c:\documents and settings\Doug\IECompatCache

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-08-25 04:21 . 2010-03-30 04:41 -------- d-----w- c:\program files\LogMeIn
2010-08-24 01:07 . 2007-12-24 15:42 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2010-08-21 00:24 . 2005-02-22 01:26 -------- d-----w- c:\program files\Visio
2010-08-19 03:19 . 2009-08-06 05:00 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2010-08-18 13:43 . 2005-02-09 17:53 -------- d-----w- c:\program files\Common Files\Adobe
2010-08-18 12:08 . 2007-03-03 06:04 -------- d-----w- c:\program files\Yahoo!
2010-08-16 21:58 . 2005-02-09 18:48 -------- d-----w- c:\documents and settings\Doug\Application Data\AdobeUM
2010-08-12 19:19 . 2010-07-27 02:01 63488 ----a-w- c:\documents and settings\Doug\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10006.dll
2010-08-12 19:19 . 2010-07-27 02:01 117760 ----a-w- c:\documents and settings\Doug\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\UIREPAIR.DLL
2010-08-12 04:24 . 2005-12-25 16:53 -------- d-----w- c:\program files\SpywareBlaster
2010-08-11 01:58 . 2009-01-09 06:57 -------- d-----w- c:\program files\SUPERAntiSpyware
2010-08-03 15:29 . 2005-02-15 02:49 -------- d-----w- c:\program files\Microsoft.NET
2010-07-27 02:01 . 2010-07-27 02:01 52224 ----a-w- c:\documents and settings\Doug\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SDDLLS\SD10005.dll
2010-07-27 02:01 . 2009-01-09 06:57 -------- d-----w- c:\documents and settings\Doug\Application Data\SUPERAntiSpyware.com
2010-07-27 01:46 . 2010-07-27 01:17 -------- d-----w- c:\documents and settings\All Users\Application Data\STOPzilla!
2010-07-27 01:29 . 2010-07-27 01:25 600 ----a-w- c:\windows\system32\drivers\kgpcpy.cfg.old
2010-07-27 01:19 . 2010-07-27 01:20 1129120 ----a-w- c:\documents and settings\All Users\Application Data\STOPzilla!\vdb\vbcorent.dll
2010-07-11 12:50 . 2004-10-11 16:19 -------- d-----w- c:\program files\Common Files\Logishrd
2010-07-11 12:49 . 2004-10-11 16:18 -------- d-----w- c:\documents and settings\All Users\Application Data\LogiShrd
2010-07-11 12:45 . 2007-05-20 02:20 34 ----a-w- c:\windows\system32\BD5250DN.DAT
2010-06-30 12:31 . 2004-08-04 11:00 149504 ----a-w- c:\windows\system32\schannel.dll
2010-06-24 12:22 . 2004-08-04 11:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-06-23 13:44 . 2004-08-04 11:00 1851904 ----a-w- c:\windows\system32\win32k.sys
2010-06-21 15:27 . 2004-08-04 11:00 354304 ------w- c:\windows\system32\drivers\srv.sys
2010-06-17 14:03 . 2004-08-04 11:00 80384 ----a-w- c:\windows\system32\iccvid.dll
2010-06-14 14:31 . 2004-08-04 11:00 744448 ----a-w- c:\windows\PCHEALTH\HELPCTR\BINARIES\helpsvc.exe
2010-06-14 07:41 . 2004-08-04 11:00 1172480 ----a-w- c:\windows\system32\msxml3.dll
2010-06-02 20:06 . 2010-03-30 04:42 29568 ----a-w- c:\windows\system32\LMIport.dll
2010-06-02 20:06 . 2010-03-30 04:41 87424 ----a-w- c:\windows\system32\LMIinit.dll
2010-06-02 01:45 . 2005-02-14 00:23 1080 ----a-w- c:\windows\AUTOLNCH.REG
2010-06-01 15:44 . 2010-06-22 02:31 3907584 ----a-w- c:\documents and settings\Doug\Application Data\Mozilla\Firefox\Profiles\fuqy6uyf.default\extensions\LogMeInClient@logmein.com\plugins\npRACtrl.dll
2008-11-18 15:12 . 2005-09-21 16:50 27976 ----a-w- c:\program files\mozilla firefox\plugins\atgpcdec.dll
2008-11-18 15:12 . 2005-09-21 16:51 126360 ----a-w- c:\program files\mozilla firefox\plugins\atgpcext.dll
2008-09-22 17:09 . 2008-09-22 17:09 46408 ----a-w- c:\program files\mozilla firefox\plugins\atmccli.dll
2008-09-22 17:09 . 2008-09-22 17:09 98712 ----a-w- c:\program files\mozilla firefox\plugins\ieatgpc.dll
2006-05-03 10:06 . 2008-02-05 22:04 163328 --sh--r- c:\windows\SYSTEM32\flvDX.dll
2007-12-24 16:17 . 2005-05-27 01:47 10856 --sha-w- c:\windows\SYSTEM32\KGyGaAvL.sys
2007-02-21 11:47 . 2008-02-05 22:04 31232 --sh--r- c:\windows\SYSTEM32\msfDX.dll
2007-12-17 13:43 . 2008-02-05 22:04 27648 --sh--w- c:\windows\SYSTEM32\Smab0.dll
2008-02-04 19:26 . 2008-02-05 22:04 151040 --sh--w- c:\windows\SYSTEM32\VistaUltm.dll
.

((((((((((((((((((((((((((((( SnapShot@2010-08-25_22.29.56 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-02-05 17:00 . 2010-08-25 23:38 88406 c:\windows\SYSTEM32\PERFC009.DAT
+ 2005-02-05 17:00 . 2010-08-25 23:38 503548 c:\windows\SYSTEM32\PERFH009.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATI DeviceDetect"="c:\program files\ATI Multimedia\main\ATIDtct.EXE" [2005-12-23 57344]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2010-07-19 2403568]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-02-12 174872]
"CTDVDDET"="c:\program files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE" [2003-06-18 45056]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-10-12 57344]
"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2004-09-15 86016]
"SideWinderTrayV4"="c:\progra~1\MICROS~4\GAMECO~1\Common\SWTrayV4.exe" [2000-06-03 24650]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-08-13 122939]
"PDF4 Registry Controller"="c:\program files\ScanSoft\PDF Professional 4.0\RegistryController.exe" [2006-10-05 46664]
"CTHelper"="CTHELPER.EXE" [2006-08-11 17920]
"CTxfiHlp"="CTXFIHLP.EXE" [2006-08-11 18944]
"basicsmssmenu"="c:\program files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe" [2007-10-09 169328]
"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2010-01-27 63048]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-04-01 5562368]
"egui"="c:\program files\ESET\ESET Smart Security\egui.exe" [2009-05-14 2029640]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-09-03 22:21 548352 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2010-06-02 20:06 87424 ----a-w- c:\windows\SYSTEM32\LMIinit.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:*:Disabled:@xpsp2res.dll,-22009

R1 ehdrv;ehdrv;c:\windows\SYSTEM32\DRIVERS\ehdrv.sys [5/14/2009 3:47 PM 107256]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2/17/2010 2:25 PM 12872]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [5/10/2010 2:41 PM 67656]
R2 ekrn;ESET Service;c:\program files\ESET\ESET Smart Security\ekrn.exe [5/14/2009 3:47 PM 731840]
R2 Vcs;Vcs support;c:\windows\SYSTEM32\DRIVERS\Vcs.sys [9/21/2005 10:02 PM 6852]
R3 ATICXCAP;ATI TV Wonder Pro A/V Capture;c:\windows\SYSTEM32\DRIVERS\aticxcap.sys [4/30/2005 7:51 PM 173824]
R3 ATICXTUN;ATI TV Wonder Pro Tuner (Philips 1236 MK3);c:\windows\SYSTEM32\DRIVERS\aticxtun.sys [4/30/2005 7:51 PM 29184]
R3 ATICXXBR;ATI TV Wonder Pro A/V Crossbar;c:\windows\SYSTEM32\DRIVERS\aticxxbr.sys [4/30/2005 7:51 PM 9088]
S1 SABKUTIL;SABKUTIL;\??\c:\program files\SUPERAntiSpyware\SABKUTIL.sys --> c:\program files\SUPERAntiSpyware\SABKUTIL.sys [?]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]
S2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [1/27/2010 12:22 PM 12856]
S2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;"c:\program files\McAfee\SiteAdvisor\McSACore.exe" --> c:\program files\McAfee\SiteAdvisor\McSACore.exe [?]
S3 DMSKSSRh;DMSKSSRh;\??\c:\docume~1\Doug\LOCALS~1\Temp\DMSKSSRh.sys --> c:\docume~1\Doug\LOCALS~1\Temp\DMSKSSRh.sys [?]
S3 Gupta SQLBase Resource Manager Server2;Gupta SQLBase Resource Manager Server2;c:\sqlbase\SQLBrm.exe [6/20/2006 9:43 AM 98304]
S3 Gupta SQLBase Server2;Gupta SQLBase Server2;c:\sqlbase\dbntsrv.exe [6/20/2006 9:43 AM 1138688]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]
.
Contents of the 'Scheduled Tasks' folder

2009-09-27 c:\windows\Tasks\Microsoft_Hardware_Launch_IType_exe.job
- c:\program files\Microsoft IntelliType Pro\itype.exe [2007-08-31 19:13]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Connection Wizard,ShellNext = hxxp://www.dell4me.com/myway
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
IE: Open with ScanSoft PDF Converter 4.0 - c:\program files\ScanSoft\PDF Professional 4.0\cnvres_eng.dll /100
IE: Sothink SWF Catcher - c:\program files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
IE: {{C30A71CA-D397-4B9A-BE24-C38E4216A562} - c:\program files\Bytescout SWF To Video Scout\flashextract.exe
FF - ProfilePath - c:\documents and settings\Doug\Application Data\Mozilla\Firefox\Profiles\fuqy6uyf.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://www.google.com/search?q=
FF - plugin: c:\documents and settings\Doug\Application Data\Mozilla\Firefox\Profiles\fuqy6uyf.default\extensions\LogMeInClient@logmein.com\plugins\npRACtrl.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npatgpc.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\NPMGWRAP.DLL
FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npstrlnk.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
FF - user.js: dom.disable_open_during_load - true // Popupblocker control handled by McAfee Privacy Service
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-08-25 23:25
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (LocalSystem)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,06,64,b6,bc,8b,fb,0f,4c,8b,1f,74,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,06,64,b6,bc,8b,fb,0f,4c,8b,1f,74,\

[HKEY_USERS\S-1-5-21-417677365-355344319-2244582239-1005\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,61,00,63,00,68,00,69,00,6e,00,65,00,5c,00,53,00,79,00,73,00,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1384)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
c:\windows\system32\LMIinit.dll

- - - - - - - > 'explorer.exe'(3496)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2010-08-25 23:31:02
ComboFix-quarantined-files.txt 2010-08-26 03:30
ComboFix2.txt 2010-08-25 22:36

Pre-Run: 10,810,093,568 bytes free
Post-Run: 10,776,109,056 bytes free

- - End Of File - - 81490A08FCA814076D109359FBEF85F1
 
Second log.

JavaRa 1.16 Removal Log.

Report follows after line.

------------------------------------

The JavaRa removal process was started on Thu Aug 26 22:17:25 2010

Found and removed: C:\Program Files\Java\j2re1.4.2_03

Found and removed: C:\WINDOWS\Installer\{7148F0A8-6813-11D6-A77B-00B0D0142030}

Found and removed: SOFTWARE\JavaSoft\Java Runtime Environment\1.4

Found and removed: SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}

Found and removed: SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBB}

Found and removed: SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBC}

Found and removed: SOFTWARE\Classes\Installer\Features\8A0F842331866D117AB7000B0D610003

Found and removed: SOFTWARE\Classes\Installer\UpgradeCodes\7A0F842331866D117AB7000B0D610003

Found and removed: SOFTWARE\Classes\JavaPlugin.160_03

Found and removed: SOFTWARE\JavaSoft\Java Plug-in\1.6.0_03

Found and removed: SOFTWARE\JavaSoft\Java Runtime Environment\1.6.0_03

Found and removed: SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}

Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UpgradeCodes\7A0F842331866D117AB7000B0D610003

Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\ACBB9B2318A96D117A58000B0D610003

Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\8A0F842331866D117AB7000B0D610003

Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3248F0A8-6813-11D6-A77B-00B0D0160030}

Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{7148F0A8-6813-11D6-A77B-00B0D0142030}

Found and removed: SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA}

Found and removed: SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0003-ABCDEFFEDCBB}

Found and removed: SOFTWARE\Classes\Installer\Products\8A0F841731866D117AB7000B0D410203

Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\8A0F841731866D117AB7000B0D410203

Found and removed: SOFTWARE\Classes\JavaPlugin.142_03

Found and removed: SOFTWARE\JavaSoft\Java Plug-in\1.4.2_03

Found and removed: SOFTWARE\JavaSoft\Java Runtime Environment\1.4.2_03

Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.0.1

Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.0.1_02

Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.0.1_03

Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.0.1_04

Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.4.2_03

Found and removed: Software\Classes\JavaPlugin.142_03

Found and removed: Software\Classes\JavaPlugin.160_03

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0000-0003-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0000-0004-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0000-0005-ABCDEFFEDCBA}

Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\\C:\Program Files\Java\jre1.6.0_03\

Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\\C:\Program Files\Java\jre1.6.0_03\bin\

Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.2

Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.2.0_01

Found and removed: SOFTWARE\JavaSoft\Java Web Start\1.6.0_03

Found and removed: Software\JavaSoft\Java2D\1.6.0_03

Found and removed: Software\JavaSoft\Java Runtime Environment\1.6.0_03

Found and removed: SOFTWARE\Classes\Installer\Products\8A0F842331866D117AB7000B0D610003

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0000-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0001-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0001-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0002-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0002-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0003-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0003-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0004-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0004-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0005-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0005-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0006-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0006-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0007-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0007-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0008-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0008-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0009-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0009-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0010-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0010-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0011-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0011-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0012-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0012-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0013-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0013-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0014-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0014-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0015-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0015-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0016-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0016-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0017-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0017-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0018-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0018-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0019-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0019-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0020-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0020-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0021-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0021-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0022-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0022-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0023-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0023-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0024-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0024-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0025-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0025-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0026-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0026-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0027-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0027-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0028-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0028-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0029-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0029-ABCDEFFEDCBB}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0030-ABCDEFFEDCBA}

Found and removed: Software\Classes\CLSID\{CAFEEFAC-0013-0001-0030-ABCDEFFEDCBB}

Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\ACB9B14518A96D117A58000B0D410203

Found and removed: SOFTWARE\Microsoft\Active Setup\Installed Components\{08B0E5C0-4FCB-11CF-AAA5-00401C608500}

Found and removed: SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\C:\Program Files\Common Files\Java\Update\Base Images\jre1.6.0.b105\patch-jre1.6.0_03.b05\

------------------------------------

Finished reporting.
 
Download Bootkit Remover to your Desktop.

  • You then need to extract the remover.exe file from the RAR using a program capable of extracting RAR compressed files. If you don't have an extraction program, you can use 7-Zip: http://www.7-zip.org/
  • After extracting remover.exe to your Desktop, double-click on remover.exe to run the program (Vista/7 users, right click on remover.exe and click Run As Administrator).
  • It will show a Black screen with some data on it.
  • Right click on the screen and click Select All.
  • Press CTRL+C
  • Open a Notepad and press CTRL+V
  • Post the output back here.
 
Bootkit remover log

Bootkit Remover
(c) 2009 eSage Lab
www.esagelab.com

Program version: 1.1.0.0
OS Version: Microsoft Windows XP Professional Service Pack 3 (build 2600)

System volume is \\.\C:
\\.\C: -> \\.\PhysicalDrive0 at offset 0x00000000`03ec1000
Boot sector MD5 is: 6def5ffcbcdbdb4082f1015625e597bd

Size Device Name MBR Status
--------------------------------------------
232 GB \\.\PhysicalDrive0 OK (DOS/Win32 Boot code found)


Done;
Press any key to quit...
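The Bootkit Remover output above hashes the boot sector and judges the boot code in the MBR of each physical drive. The following Python example is added here and is not the tool's code nor anything posted in this thread; it runs the same class of checks on constructed 512-byte MBR images: the 0x55AA signature, partition-table sanity, and an MD5 of the boot-code region compared with a known-good baseline, which is how a bootkit that rewrites boot code but leaves the partition table intact (so the machine still boots) shows up. All byte values, hashes and partition layouts below are constructed for the example; the two-partition layout only mirrors the `partition(2)\WINDOWS` entry in the boot.ini shown earlier.

```python
"""
Integrity checks on a 512-byte master boot record, in the spirit of what a
bootkit scanner reports: boot-sector hash, 0x55AA signature, partition-table
sanity, and comparison of the boot-code region against a known-good baseline.
The sample MBR images in this file are constructed for the example.
"""
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_SIZE = 440        # modern layout: 440 bytes code, then disk signature + 2 reserved bytes
TABLE_OFFSET = 446          # four 16-byte partition entries
ENTRY_SIZE = 16
SIGNATURE_OFFSET = 510
BOOT_SIGNATURE = b"\x55\xaa"


def parse_entry(raw: bytes) -> dict:
    """Decode one 16-byte partition-table entry (LBA fields are little-endian)."""
    status, _chs_start, ptype, _chs_end, lba_start, sectors = struct.unpack("<B3sB3sII", raw)
    return {"active": status == 0x80, "type": ptype, "lba_start": lba_start, "sectors": sectors}


def partition_table(sector: bytes) -> list:
    table = sector[TABLE_OFFSET:TABLE_OFFSET + 4 * ENTRY_SIZE]
    return [parse_entry(table[i * ENTRY_SIZE:(i + 1) * ENTRY_SIZE]) for i in range(4)]


def analyze_mbr(sector: bytes, baseline_bootcode_md5=None) -> dict:
    """Return hashes, decoded partitions and a list of findings for one MBR sector."""
    if len(sector) != MBR_SIZE:
        raise ValueError("expected exactly one 512-byte sector")
    findings = []
    if sector[SIGNATURE_OFFSET:] != BOOT_SIGNATURE:
        findings.append("boot signature 0x55AA missing")
    parts = [p for p in partition_table(sector) if p["type"] != 0]
    if sum(p["active"] for p in parts) > 1:
        findings.append("more than one active partition")
    # Used entries must not overlap one another.
    spans = sorted((p["lba_start"], p["lba_start"] + p["sectors"]) for p in parts)
    for (_s1, e1), (s2, _e2) in zip(spans, spans[1:]):
        if s2 < e1:
            findings.append("overlapping partition entries")
            break
    if any(p["sectors"] == 0 or p["lba_start"] == 0 for p in parts):
        findings.append("partition entry with zero start or length")
    # The boot-code region is what an MBR bootkit replaces; hash it separately
    # so it can be compared with a baseline taken from a known-clean install.
    bootcode_md5 = hashlib.md5(sector[:BOOT_CODE_SIZE]).hexdigest()
    if baseline_bootcode_md5 is not None and bootcode_md5 != baseline_bootcode_md5:
        findings.append("boot code differs from known-good baseline")
    return {
        "sector_md5": hashlib.md5(sector).hexdigest(),
        "bootcode_md5": bootcode_md5,
        "partitions": parts,
        "findings": findings,
        "status": "OK" if not findings else "SUSPICIOUS",
    }


def build_mbr(boot_code: bytes, entries: list) -> bytes:
    """Assemble a constructed MBR from boot code and (active, type, lba_start, sectors) tuples."""
    code = boot_code.ljust(BOOT_CODE_SIZE, b"\x00")
    disk_sig = b"\x00" * 6  # 4-byte disk signature + 2 reserved bytes (constructed as zeros)
    table = b"".join(
        struct.pack("<B3sB3sII", 0x80 if active else 0x00, b"\x00" * 3, ptype, b"\x00" * 3, lba, count)
        for active, ptype, lba, count in entries
    ) + b"\x00" * ENTRY_SIZE * (4 - len(entries))
    return code + disk_sig + table + BOOT_SIGNATURE


# Constructed clean image: a small stand-in for stock boot code, a utility
# partition (type 0xDE) followed by an active NTFS partition (type 0x07).
CLEAN_BOOT_CODE = b"\x33\xc0\x8e\xd0\xbc\x00\x7c"
CLEAN_TABLE = [(False, 0xDE, 63, 128457), (True, 0x07, 128520, 486000000)]
CLEAN_MBR = build_mbr(CLEAN_BOOT_CODE, CLEAN_TABLE)
BASELINE_MD5 = hashlib.md5(CLEAN_MBR[:BOOT_CODE_SIZE]).hexdigest()

# Constructed tampered image: identical partition table, different boot code.
TAMPERED_MBR = build_mbr(b"\xeb\xfe" + b"\x90" * 300, CLEAN_TABLE)


def demo():
    """Analyze both constructed images against the clean baseline."""
    return analyze_mbr(CLEAN_MBR, BASELINE_MD5), analyze_mbr(TAMPERED_MBR, BASELINE_MD5)


if __name__ == "__main__":
    for name, result in zip(("clean", "tampered"), demo()):
        print(f"{name}: {result['status']} md5={result['sector_md5']} findings={result['findings']}")
```

Without a baseline hash the structural checks alone pass for both images, which is why a known-good reference (or a vendor signature database, as the real tool uses) is what actually decides the boot-code verdict.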
 
That looks ok.

Please Run the ESET Online Scanner and post the ScanLog with your post for assistance.
  • You will need to use Internet Explorer to complete this scan.
  • You will need to temporarily Disable your current Anti-virus program.
  • Be sure the option to Remove found threats is Un-checked at this time (we may have it clean what it finds at a later time), and the option to Scan unwanted applications is Checked.
  • When you have completed that scan, a scanlog ought to have been created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please post that log for us as directed below.

NOTE: If you are unable to complete the ESET scan, please try another from the list below:

 
Eset Scan Log

I have Eset as my AV Program, so I used it, not the online scan.

Full Log is attached due to size problem.

No infected objects.
 

Attachments

  • Eset scan 9-1-10.zip