Solved Google redirect and now other ills

Status
Not open for further replies.
G

guyinpa

Posts: 34   +0
Hi,

(computer: Dell Dimension 3000 with Win XP SP3)

My computer was infected with "Quick Defrag" malware which Malwarebytes seemed to fix, then almost immediately it caught the Google redirect virus.

I tried to complete your "8 Step ... Removal Instructions", but ran into some difficulty. As a result, the order of the first 3 steps was wrong, but I thought I should get in touch with you first before I go through the whole process again.

1. Malwarebytes scan (below) was done first
2. Mcafee Virus Scan + run next found 2 trojans and a bunch of tracking cookies. No details
3. TFC (reminded by the cookies)

I had done the above 3 steps in the right order previously with pretty much the same results.

4. GMER ran for only about 10 seconds and the log file (below) seemed much shorter than other users' logs. This prompted me to run GMER again in safe mode but the resulting log file contained only the last 2 lines of the standard mode scan. So I thought if the program didn't auto run to completion, I ought to press the "Scan" button. The resulting blue screen of near-death suggested that I check in with you first.

5. DSS.scr will not run at all. I get a page of garbage characters except for an embedded line: "This program can not be run in DOS mode". I do not have an association listed for "scr".

Thank you,
Guy
============== MBAM LOG ===========================

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 5508

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

1/12/2011 9:03:36 PM
mbam-log-2011-01-12 (21-03-36).txt

Scan type: Quick scan
Objects scanned: 169658
Time elapsed: 22 minute(s), 58 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 6
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 6

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\JP595IR86O (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\NtWqIVLZEWZU (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\XML (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Handle (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\ (Hijack.Zones) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SSHNAS (Trojan.Renos) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\JP595IR86O (Trojan.FakeAlert) -> Value: JP595IR86O -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\windows\system32\sshnas21.dll (Trojan.FraudPack.Gen) -> Quarantined and deleted successfully.
c:\documents and settings\Guy\local settings\Temp\Dpz.exe (Trojan.FraudPack.Gen) -> Quarantined and deleted successfully.
c:\WINDOWS\Tasks\{22116563-108c-42c0-a7ce-60161b75e508}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\WINDOWS\Tasks\{62c40aa6-4406-467a-a5a5-dfdf1b559b7a}.job (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\WINDOWS\Tasks\{bbaeaeaf-1275-40e2-bd6c-bc8f88bd114a}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\documents and settings\Guy\local settings\Temp\Dp1.exe (Trojan.FakeAlert) -> Delete on reboot.

===================== GMER LOG =======================
GMER 1.0.15.15530 - http://www.gmer.net
Rootkit quick scan 2011-01-13 08:45:01
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 ST380011A rev.8.16
Running: 28mco8f6.exe; Driver: C:\DOCUME~1\Guy\LOCALS~1\Temp\pxliapow.sys


---- System - GMER 1.0.15 ----

Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwCreateKey [0xF83A80E0]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwDeleteKey [0xF83A80F4]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwDeleteValueKey [0xF83A8120]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwMapViewOfSection [0xF83A8176]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenKey [0xF83A80CC]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenProcess [0xF83A80A4]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwOpenThread [0xF83A80B8]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwRenameKey [0xF83A810A]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetSecurityObject [0xF83A814C]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwSetValueKey [0xF83A8136]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwTerminateProcess [0xF83A81A0]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwUnmapViewOfSection [0xF83A818C]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) ZwYieldExecution [0xF83A8160]
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtMapViewOfSection
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtOpenProcess
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtOpenThread
Code mfehidk.sys (McAfee Link Driver/McAfee, Inc.) NtSetSecurityObject

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
AttachedDevice \FileSystem\Fastfat \Fat mfehidk.sys (McAfee Link Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\Udp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp mfetdi2k.sys (Anti-Virus Mini-Firewall Driver/McAfee, Inc.)

---- Threads - GMER 1.0.15 ----

Thread System [4:136] 825FA53C
Thread System [4:140] 825FC52D

---- EOF - GMER 1.0.15 ----
 
Welcome aboard
yahooo.gif


Please, observe following rules:
  • Read all of my instructions very carefully. Your mistakes during cleaning process may have very serious consequences, like unbootable computer.
  • If you're stuck, or you're not sure about certain step, always ask before doing anything else.
  • Please refrain from running tools or applying updates other than those I suggest.
  • Never run more than one scan at a time.
  • Keep updating me regarding your computer behavior, good, or bad.
  • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
  • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in malware removal forum.
  • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

=====================================================================

Download TDSSKiller and save it to your desktop.
  • Extract (unzip) its contents to your desktop.
  • Open the TDSSKiller folder and doubleclick on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure, click on Continue.
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is require, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory (usually C:\ folder) in the form of TDSSKiller_xxxx_log.txt. Please copy and paste the contents of that file here.
 
Thank you for your quick response.
The only other posting I ever made was about 2 years ago on another site and I still haven't gotten a response. I appreciate any suggestions on forum protocol.

I ran TDSSKiller.. No issues. Log file pasted below.

Thanks,
Guy

================== TDSSKiller Log ================

2011/01/13 12:24:58.0369 TDSS rootkit removing tool 2.4.13.0 Jan 12 2011 09:51:11
2011/01/13 12:24:58.0369 ================================================================================
2011/01/13 12:24:58.0369 SystemInfo:
2011/01/13 12:24:58.0369
2011/01/13 12:24:58.0369 OS Version: 5.0.2195 ServicePack: 2.0
2011/01/13 12:24:58.0369 Product type: Workstation
2011/01/13 12:24:58.0369 ComputerName: CAR-Z713ZJFWK2G
2011/01/13 12:24:58.0369 UserName: Administrator
2011/01/13 12:24:58.0369 Windows directory: C:\WINNT
2011/01/13 12:24:58.0369 System windows directory: C:\WINNT
2011/01/13 12:24:58.0369 Processor architecture: Intel x86
2011/01/13 12:24:58.0369 Number of processors: 1
2011/01/13 12:24:58.0369 Page size: 0x1000
2011/01/13 12:24:58.0369 Boot type: Normal boot
2011/01/13 12:24:58.0369 ================================================================================
2011/01/13 12:24:59.0421 Initialize success
2011/01/13 12:25:09.0215 ================================================================================
2011/01/13 12:25:09.0215 Scan started
2011/01/13 12:25:09.0215 Mode: Manual;
2011/01/13 12:25:09.0215 ================================================================================
2011/01/13 12:25:15.0964 Aavmker4 (2ccfa74242741ca22a4267cce9b586f4) C:\WINNT\System32\drivers\Aavmker4.sys
2011/01/13 12:25:55.0391 AFD (0028ba47db7c15af0e090a7582bbbd7a) C:\WINNT\System32\drivers\afd.sys
2011/01/13 12:26:01.0880 agp440 (ef0b06c91c81fb3af3d31cf9ea5b2591) C:\WINNT\System32\DRIVERS\agp440.sys
2011/01/13 12:27:08.0016 aswMon (f5296ecfcbfe5935253ae6c29e6d086e) C:\WINNT\System32\drivers\aswMon.sys
2011/01/13 12:27:15.0016 aswRdr (8080d683489c99cbace813f6fa4069cc) C:\WINNT\System32\drivers\aswRdr.sys
2011/01/13 12:27:21.0315 aswSP (2e5a2ad5004b55df39b7606130a88142) C:\WINNT\System32\drivers\aswSP.sys
2011/01/13 12:27:27.0524 aswTdi (d4c83a37efadfa2c398362e0776e3773) C:\WINNT\System32\drivers\aswTdi.sys
2011/01/13 12:27:28.0876 AsyncMac (1b4de1039fe6d4321003303870185b8e) C:\WINNT\System32\DRIVERS\asyncmac.sys
2011/01/13 12:27:32.0821 atapi (7e91972f4cf3ea0b0c804f005bf42c7a) C:\WINNT\System32\DRIVERS\atapi.sys
2011/01/13 12:27:46.0241 atirage3 (17c31530529e7649a5886a0ded4fb359) C:\WINNT\System32\DRIVERS\atimpab.sys
2011/01/13 12:27:47.0653 Atmarpc (3e348b3313ea633d45caf59da0d631ba) C:\WINNT\System32\DRIVERS\atmarpc.sys
2011/01/13 12:27:54.0242 audstub (39d57104a45270f0d376e9ddb484ebbd) C:\WINNT\System32\DRIVERS\audstub.sys
2011/01/13 12:27:55.0784 Beep (df012c2853281ce2bf536e8de871c8c1) C:\WINNT\System32\drivers\Beep.sys
2011/01/13 12:28:11.0577 Cdaudio (b101e013d810d6125e17125e324fcd2c) C:\WINNT\System32\drivers\Cdaudio.sys
2011/01/13 12:28:13.0149 Cdfs (1af778f5e883e73440f99d71f8cac11a) C:\WINNT\System32\drivers\Cdfs.sys
2011/01/13 12:28:14.0711 Cdrom (43d40ee132e19c9101773d0eb4936b40) C:\WINNT\System32\DRIVERS\cdrom.sys
2011/01/13 12:28:28.0972 cirrus (3a030b83a48ae4b81ece16351d2a8c74) C:\WINNT\System32\DRIVERS\cirrus.sys
2011/01/13 12:29:15.0579 Disk (1d8e18dcebb5650d5b6fce48d93a7d0b) C:\WINNT\System32\DRIVERS\disk.sys
2011/01/13 12:29:17.0291 Diskperf (c138cc1b6b3461eb33389952be21e101) C:\WINNT\System32\drivers\Diskperf.sys
2011/01/13 12:29:21.0758 dmboot (2e7b76249fba51ae2319a17b9b72d080) C:\WINNT\System32\drivers\dmboot.sys
2011/01/13 12:29:26.0054 dmio (d74e21c5401c3aef200dd0c40754f889) C:\WINNT\System32\drivers\dmio.sys
2011/01/13 12:29:30.0280 dmload (24c790f1e0292d0880f1fa3943e3b3e5) C:\WINNT\System32\drivers\dmload.sys
2011/01/13 12:29:37.0020 DMusic (3431984234b5988d4c09f043cf4cd779) C:\WINNT\System32\drivers\DMusic.sys
2011/01/13 12:29:43.0349 DriverX (7ce858a0a41c3db941a93f36059a2b4f) C:\WINNT\System32\Drivers\driverx.sys
2011/01/13 12:29:47.0675 EFS (c345a56a95298f8af35426e132d675c1) C:\WINNT\System32\drivers\EFS.sys
2011/01/13 12:29:55.0046 es1371 (6766378af10e8b901befe5939dac6f9a) C:\WINNT\System32\drivers\es1371mp.sys
2011/01/13 12:29:59.0452 Fastfat (124042a44c2d2dc2ae9e6b1e565cb6af) C:\WINNT\System32\drivers\Fastfat.sys
2011/01/13 12:30:08.0886 Fdc (c08df03f9d8786caf4daef83e68e3639) C:\WINNT\System32\DRIVERS\fdc.sys
2011/01/13 12:30:13.0292 Fips (b27a36d4725a362a13d0c52ad6c7175b) C:\WINNT\System32\drivers\Fips.sys
2011/01/13 12:30:29.0295 Flpydisk (d5b19480bae13512ccd6f3f352f2ad3b) C:\WINNT\System32\DRIVERS\flpydisk.sys
2011/01/13 12:30:31.0118 Fs_Rec (1260118019ef85e6138273c4a917dfa6) C:\WINNT\System32\drivers\Fs_Rec.sys
2011/01/13 12:30:32.0950 Ftdisk (b11265305c597351dc3f165f2ca8b648) C:\WINNT\System32\DRIVERS\ftdisk.sys
2011/01/13 12:30:39.0500 gameenum (8469d1242904fefc1be9c0debc83b059) C:\WINNT\System32\DRIVERS\gameenum.sys
2011/01/13 12:30:41.0773 Gpc (b5daf7509c1b46a7e797e5b65fb9fb9d) C:\WINNT\System32\DRIVERS\msgpc.sys
2011/01/13 12:30:47.0421 i8042prt (ce82de7694174df9fb0a73e9a31b2bd5) C:\WINNT\System32\DRIVERS\i8042prt.sys
2011/01/13 12:31:00.0470 IntelIde (011a7396af63689be165ab07c248849f) C:\WINNT\System32\DRIVERS\intelide.sys
2011/01/13 12:31:02.0483 IpFilterDriver (09a604211e2b2334fc023a41337e3165) C:\WINNT\System32\DRIVERS\ipfltdrv.sys
2011/01/13 12:31:04.0526 IpInIp (dbc1437b56eea1af02cd39c011904491) C:\WINNT\System32\DRIVERS\ipinip.sys
2011/01/13 12:31:08.0952 IpNat (879daaec27f2593413e23e180c65aee5) C:\WINNT\System32\DRIVERS\ipnat.sys
2011/01/13 12:31:13.0398 IPSEC (eb3822a4d8718293e86a4f5194b1b739) C:\WINNT\System32\DRIVERS\ipsec.sys
2011/01/13 12:31:26.0397 isapnp (032e64d27bc7f17b26d2b8579930a423) C:\WINNT\System32\DRIVERS\isapnp.sys
2011/01/13 12:31:30.0243 Kbdclass (283e1604997cfb83ee6a8df7f1993afc) C:\WINNT\System32\DRIVERS\kbdclass.sys
2011/01/13 12:31:37.0042 kmixer (b9bb35ff2da8ec6a5151cbaefecd806c) C:\WINNT\System32\drivers\kmixer.sys
2011/01/13 12:31:41.0639 KSecDD (ddb757c39b9b3b0a9034685cf7e80c3d) C:\WINNT\System32\drivers\KSecDD.sys
2011/01/13 12:31:55.0219 lne100tx (7327205f99ef2e9b1a4cab2191c96b64) C:\WINNT\System32\DRIVERS\lne100tx.sys
2011/01/13 12:32:08.0598 ltmodem5 (cb11d0f03fe04ec369a8e26004b4ae08) C:\WINNT\System32\DRIVERS\ltmdmnt.sys
2011/01/13 12:32:10.0781 mnmdd (f9a1ccc84d1c8b392d67bf2e661ed334) C:\WINNT\System32\drivers\mnmdd.sys
2011/01/13 12:32:15.0378 Modem (e00a3cbfbb7adb2f9090daad76b6bd6e) C:\WINNT\System32\drivers\Modem.sys
2011/01/13 12:32:21.0867 MODEMCSA (dd1d1d99c79544a751dbca96687887bd) C:\WINNT\System32\drivers\MODEMCSA.sys
2011/01/13 12:32:25.0712 Mouclass (a6b5bfbe155f687f6e888553d4ff7950) C:\WINNT\System32\DRIVERS\mouclass.sys
2011/01/13 12:32:30.0339 MountMgr (822d7c902bae3c64dd9d107c131ada1a) C:\WINNT\System32\drivers\MountMgr.sys
2011/01/13 12:32:41.0986 MRxSmb (8c7d6860ffbf7a1f78f076e46745f3ba) C:\WINNT\System32\DRIVERS\mrxsmb.sys
2011/01/13 12:32:44.0259 Msfs (8840bc3953d2c0bbb104932cab848a27) C:\WINNT\System32\drivers\Msfs.sys
2011/01/13 12:32:50.0959 MSKSSRV (883385dc3eca3cf7c2d7efcf644ca5ae) C:\WINNT\System32\drivers\MSKSSRV.sys
2011/01/13 12:32:57.0638 MSPCLOCK (4d0e25cb6bfd5bedd546501faf69b3f7) C:\WINNT\System32\drivers\MSPCLOCK.sys
2011/01/13 12:33:04.0448 MSPQM (bb041315c9930063e5eab0bee90acff6) C:\WINNT\System32\drivers\MSPQM.sys
2011/01/13 12:33:09.0145 Mup (0bf77605cf41c743d311de7910ea569e) C:\WINNT\System32\drivers\Mup.sys
2011/01/13 12:33:20.0892 NDIS (46a5d4a87160521c25eb18691ba2d7f8) C:\WINNT\System32\drivers\NDIS.sys
2011/01/13 12:33:23.0245 NdisTapi (39fbc00f3b2850bb69892c623858ae6e) C:\WINNT\System32\DRIVERS\ndistapi.sys
2011/01/13 12:33:27.0992 NdisWan (462927317e1dfbca6fbf5d86c2acd9d8) C:\WINNT\System32\DRIVERS\ndiswan.sys
2011/01/13 12:33:30.0355 NDProxy (1f426863d87bdf75aec76584223cd0c7) C:\WINNT\System32\drivers\NDProxy.sys
2011/01/13 12:33:32.0819 NetBIOS (5151e6020a26bf7bc21c18fd612506bd) C:\WINNT\System32\DRIVERS\netbios.sys
2011/01/13 12:33:37.0726 NetBT (0aab8be803089fe6a28ef2231b91054a) C:\WINNT\System32\DRIVERS\netbt.sys
2011/01/13 12:33:40.0260 NetDetect (9b2a6147a22f7e696cc7538283de6346) C:\WINNT\system32\drivers\netdtect.sys
2011/01/13 12:33:42.0743 Npfs (e85a77dfcb8f1088f85120ca123ce191) C:\WINNT\System32\drivers\Npfs.sys
2011/01/13 12:33:47.0680 Ntfs (0007f8dac2b5cafe07dd9c50d6e68e01) C:\WINNT\System32\drivers\Ntfs.sys
2011/01/13 12:33:50.0324 Null (280209cde798720a24d232bf9cfda8e9) C:\WINNT\System32\drivers\Null.sys
2011/01/13 12:33:52.0758 NwlnkFlt (9b0d6fb5c5d6a7571aedb0c1a7a9c1b6) C:\WINNT\System32\DRIVERS\nwlnkflt.sys
2011/01/13 12:33:55.0261 NwlnkFwd (09fa39e4812fdd042834650df09675a0) C:\WINNT\System32\DRIVERS\nwlnkfwd.sys
2011/01/13 12:34:00.0248 Parallel (7d91b9a7cce56dc5c81c41a54c9d55d6) C:\WINNT\System32\DRIVERS\parallel.sys
2011/01/13 12:34:05.0286 Parport (5b728098406c1208b6634dc71baec74f) C:\WINNT\System32\DRIVERS\parport.sys
2011/01/13 12:34:07.0909 PartMgr (977c7ebaa041479f83f3759d1ffa427e) C:\WINNT\System32\drivers\PartMgr.sys
2011/01/13 12:34:10.0643 ParVdm (888f6a6ad5810f5828de594e17fe8f3b) C:\WINNT\System32\drivers\ParVdm.sys
2011/01/13 12:34:16.0361 PCI (babeca11ee94c4701e854c531b7baf04) C:\WINNT\System32\DRIVERS\pci.sys
2011/01/13 12:34:35.0679 Pcmcia (b045865ab881259fe6445d28b30bd174) C:\WINNT\System32\drivers\Pcmcia.sys
2011/01/13 12:34:37.0852 PICLPTNT (3c419b3752da897d1b3091b77ff28577) C:\PIC\EPIC\PICLPTNT.SYS
2011/01/13 12:34:44.0792 pmxscan (491b0a826a24e32b9b4424ca0cd3d5a8) C:\WINNT\System32\DRIVERS\usbscan.sys
2011/01/13 12:34:47.0656 PptpMiniport (39b261d8b597c56fcfd34b569158ff29) C:\WINNT\System32\DRIVERS\raspptp.sys
2011/01/13 12:34:53.0004 Ptilink (9819165e18a02ba56153c78809fcd090) C:\WINNT\System32\DRIVERS\ptilink.sys
2011/01/13 12:35:23.0698 RasAcd (63051b814e005dc62c7a0971668c52b4) C:\WINNT\System32\DRIVERS\rasacd.sys
2011/01/13 12:35:26.0582 Rasl2tp (e1654e9d94b1e5c926fbe1f232e8f9e3) C:\WINNT\System32\DRIVERS\rasl2tp.sys
2011/01/13 12:35:29.0417 Raspti (cb09a98e97e52c389ab17b1e003c9566) C:\WINNT\System32\DRIVERS\raspti.sys
2011/01/13 12:35:32.0291 RCA (afce1f733a6aa3a90ac60794dfb26104) C:\WINNT\System32\drivers\RCA.sys
2011/01/13 12:35:37.0618 Rdbss (9e19b75b32dd6ea7cc8c81357e92ab4d) C:\WINNT\System32\DRIVERS\rdbss.sys
2011/01/13 12:35:43.0737 redbook (f247cf518c40f62fee994febbe3f0076) C:\WINNT\System32\DRIVERS\redbook.sys
2011/01/13 12:35:47.0262 serenum (63022606dcbae1b3c93776954495c177) C:\WINNT\System32\DRIVERS\serenum.sys
2011/01/13 12:35:52.0730 Serial (702d373e6514ff9c8fbec2922f942a90) C:\WINNT\System32\DRIVERS\serial.sys
2011/01/13 12:35:55.0754 Sfloppy (4ea7db6b1d0393254ae038b327bbdc3a) C:\WINNT\System32\drivers\Sfloppy.sys
2011/01/13 12:36:16.0044 solo (c3f73f29c730689213e626bfe2fdc090) C:\WINNT\System32\drivers\solo.sys
2011/01/13 12:36:28.0632 Srv (14bffde9e4e44a77f62a645d0bd28591) C:\WINNT\System32\DRIVERS\srv.sys
2011/01/13 12:36:31.0986 swenum (a151f2d55ebf635550709c48fce564aa) C:\WINNT\System32\DRIVERS\swenum.sys
2011/01/13 12:36:38.0526 swmidi (939fd78b57c5e648b73c29fde93fcb7c) C:\WINNT\System32\drivers\swmidi.sys
2011/01/13 12:37:06.0726 sysaudio (d8fe89eebf7b929ef49d0609c091856a) C:\WINNT\System32\drivers\sysaudio.sys
2011/01/13 12:37:12.0545 Tcpip (f1fb884809bf73d90368709b5a9a893f) C:\WINNT\System32\DRIVERS\tcpip.sys
2011/01/13 12:37:25.0313 Udfs (7f1c1d6e015aa25d1cfb7972017e62dd) C:\WINNT\System32\drivers\Udfs.sys
2011/01/13 12:37:31.0262 uhcd (11585f5f5e05a8b0dd57022c746fc1f2) C:\WINNT\System32\DRIVERS\uhcd.sys
2011/01/13 12:37:44.0030 Update (0f67f175716bd57da8b51e3fb2badd28) C:\WINNT\System32\DRIVERS\update.sys
2011/01/13 12:37:49.0919 usbhub (ea6b44a0f08ed357fe59c76c5614729f) C:\WINNT\System32\DRIVERS\usbhub.sys
2011/01/13 12:37:56.0668 USBSTOR (ebace7c24a01e67da2ac7c646ca10a62) C:\WINNT\System32\DRIVERS\USBSTOR.SYS
2011/01/13 12:38:03.0839 USB_RNDIS_2K (f39039d5c96c1d3ac2a637a659dbf282) C:\WINNT\System32\DRIVERS\usb8023k.sys
2011/01/13 12:38:07.0203 VgaSave (1b0040415ba34497a8d76a553aee88aa) C:\WINNT\System32\drivers\vga.sys
2011/01/13 12:38:10.0849 Wanarp (796fd58d58a0c88b7612137fcfa29f76) C:\WINNT\System32\DRIVERS\wanarp.sys
2011/01/13 12:38:17.0538 wdmaud (024bac6f8e0d5fba6b9f4c16016e705f) C:\WINNT\System32\drivers\wdmaud.sys
2011/01/13 12:38:18.0500 ================================================================================
2011/01/13 12:38:18.0500 Scan finished
2011/01/13 12:38:18.0500 ================================================================================
 
Download MBRCheck to your desktop

Double click MBRCheck.exe to run (Vista and Windows 7 users, right click and select Run as Administrator).
It will show a black screen with some data on it.
Enter N to exit.
A report called MBRcheckxxxx.txt will be on your desktop
Open this report and post its content in your next reply.

=====================================================================

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  1. Please, never rename Combofix unless instructed.
  2. Close any open browsers.
  3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    NOTE1. If Combofix asks you to install Recovery Console, please allow it.
    NOTE 2. If Combofix asks you to update the program, always do so.
    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
  4. Double click on combofix.exe & follow the prompts.
  5. When finished, it will produce a report for you.
  6. Please post the "C:\ComboFix.txt"
**Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall
**Note 2 for AVG users: ComboFix will not run until AVG is uninstalled as a protective measure against the anti-virus. This is because AVG "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG first.
Use AppRemover to uninstall it: https://www.techspot.com/downloads/5514-appremover.html
We can reinstall it when we're done with CF.
**Note 3: If you receive an error "Illegal operation attempted on a registery key that has been marked for deletion", restart computer to fix the issue.



Make sure, you re-enable your security programs, when you're done with Combofix.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

NOTE.
If, for some reason, Combofix refuses to run, try one of the following:

1. Run Combofix from Safe Mode.

2. Delete Combofix file, download fresh one, but rename combofix.exe to your_name.exe BEFORE saving it to your desktop.
Do NOT run it yet.

Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

There are 4 different versions. If one of them won't run then download and try to run the other one.

Vista and Win7 users need to right click Rkill and choose Run as Administrator

You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

Rkill.com
Rkill.scr
Rkill.exe

  • Double-click on the Rkill desktop icon to run the tool.
  • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
  • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
  • If not, delete the file, then download and use the one provided in Link 2.
  • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
  • Do not reboot until instructed.
  • If the tool does not run from any of the links provided, please let me know.

Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

If normal mode still doesn't work, run BOTH tools from safe mode.

In case #2, please post BOTH logs, rKill and Combofix.

DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
 
Submission of correct TDSSKiller file

Broni,

Again, my apologies for the log file mixup.

Here is the correct file. 1 problem found. A reboot was required.

I will hold off on the last instructions you sent until I hear from you.

Regards,
Guy

===================================================

2011/01/13 13:00:19.0250 TDSS rootkit removing tool 2.4.13.0 Jan 12 2011 09:51:11
2011/01/13 13:00:19.0250 ================================================================================
2011/01/13 13:00:19.0250 SystemInfo:
2011/01/13 13:00:19.0250
2011/01/13 13:00:19.0250 OS Version: 5.1.2600 ServicePack: 3.0
2011/01/13 13:00:19.0250 Product type: Workstation
2011/01/13 13:00:19.0250 ComputerName: HOMENETID
2011/01/13 13:00:19.0250 UserName: Guy
2011/01/13 13:00:19.0250 Windows directory: C:\WINDOWS
2011/01/13 13:00:19.0250 System windows directory: C:\WINDOWS
2011/01/13 13:00:19.0250 Processor architecture: Intel x86
2011/01/13 13:00:19.0250 Number of processors: 1
2011/01/13 13:00:19.0250 Page size: 0x1000
2011/01/13 13:00:19.0250 Boot type: Normal boot
2011/01/13 13:00:19.0250 ================================================================================
2011/01/13 13:00:19.0531 Initialize success
2011/01/13 13:00:26.0234 ================================================================================
2011/01/13 13:00:26.0234 Scan started
2011/01/13 13:00:26.0234 Mode: Manual;
2011/01/13 13:00:26.0234 ================================================================================
2011/01/13 13:00:27.0390 abp480n5 (6abb91494fe6c59089b9336452ab2ea3) C:\WINDOWS\system32\DRIVERS\ABP480N5.SYS
2011/01/13 13:00:27.0781 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2011/01/13 13:00:28.0203 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\drivers\ACPIEC.sys
2011/01/13 13:00:28.0593 adpu160m (9a11864873da202c996558b2106b0bbc) C:\WINDOWS\system32\DRIVERS\adpu160m.sys
2011/01/13 13:00:29.0046 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
2011/01/13 13:00:29.0500 AFD (7e775010ef291da96ad17ca4b17137d7) C:\WINDOWS\System32\drivers\afd.sys
2011/01/13 13:00:29.0718 agp440 (08fd04aa961bdc77fb983f328334e3d7) C:\WINDOWS\system32\DRIVERS\agp440.sys
2011/01/13 13:00:29.0843 agpCPQ (03a7e0922acfe1b07d5db2eeb0773063) C:\WINDOWS\system32\DRIVERS\agpCPQ.sys
2011/01/13 13:00:30.0031 Aha154x (c23ea9b5f46c7f7910db3eab648ff013) C:\WINDOWS\system32\DRIVERS\aha154x.sys
2011/01/13 13:00:30.0171 aic78u2 (19dd0fb48b0c18892f70e2e7d61a1529) C:\WINDOWS\system32\DRIVERS\aic78u2.sys
2011/01/13 13:00:30.0281 aic78xx (b7fe594a7468aa0132deb03fb8e34326) C:\WINDOWS\system32\DRIVERS\aic78xx.sys
2011/01/13 13:00:30.0421 AliIde (1140ab9938809700b46bb88e46d72a96) C:\WINDOWS\system32\DRIVERS\aliide.sys
2011/01/13 13:00:30.0546 alim1541 (cb08aed0de2dd889a8a820cd8082d83c) C:\WINDOWS\system32\DRIVERS\alim1541.sys
2011/01/13 13:00:30.0656 amdagp (95b4fb835e28aa1336ceeb07fd5b9398) C:\WINDOWS\system32\DRIVERS\amdagp.sys
2011/01/13 13:00:30.0750 amsint (79f5add8d24bd6893f2903a3e2f3fad6) C:\WINDOWS\system32\DRIVERS\amsint.sys
2011/01/13 13:00:30.0843 asc (62d318e9a0c8fc9b780008e724283707) C:\WINDOWS\system32\DRIVERS\asc.sys
2011/01/13 13:00:30.0953 asc3350p (69eb0cc7714b32896ccbfd5edcbea447) C:\WINDOWS\system32\DRIVERS\asc3350p.sys
2011/01/13 13:00:31.0046 asc3550 (5d8de112aa0254b907861e9e9c31d597) C:\WINDOWS\system32\DRIVERS\asc3550.sys
2011/01/13 13:00:31.0171 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2011/01/13 13:00:31.0359 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
2011/01/13 13:00:31.0531 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2011/01/13 13:00:31.0765 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2011/01/13 13:00:31.0953 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2011/01/13 13:00:32.0234 cbidf (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\DRIVERS\cbidf2k.sys
2011/01/13 13:00:32.0359 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2011/01/13 13:00:32.0500 CCDECODE (0be5aef125be881c4f854c554f2b025c) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
2011/01/13 13:00:32.0687 cd20xrnt (f3ec03299634490e97bbce94cd2954c7) C:\WINDOWS\system32\DRIVERS\cd20xrnt.sys
2011/01/13 13:00:32.0781 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2011/01/13 13:00:32.0890 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
2011/01/13 13:00:33.0062 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2011/01/13 13:00:33.0171 cfwids (7e6f7da1c4de5680820f964562548949) C:\WINDOWS\system32\drivers\cfwids.sys
2011/01/13 13:00:33.0546 CmdIde (e5dcb56c533014ecbc556a8357c929d5) C:\WINDOWS\system32\DRIVERS\cmdide.sys
2011/01/13 13:00:33.0734 CorLog (13d00da6f795591ffe8b082cfddada48) C:\WINDOWS\system32\Drivers\CorLog.sys
2011/01/13 13:00:33.0843 CorMem (f06daf367f183673084c34b2d7d7ad0f) C:\WINDOWS\system32\Drivers\CorMem.sys
2011/01/13 13:00:34.0031 CorPci (0c19e960caf8ddc0a1bc60ea2629272a) C:\WINDOWS\system32\Drivers\CorPci.sys
2011/01/13 13:00:34.0281 CorSerial (8fc77440522fe1b7e82bbc5e3eabf0ee) C:\WINDOWS\system32\Drivers\corserial.sys
2011/01/13 13:00:34.0640 Cpqarray (3ee529119eed34cd212a215e8c40d4b6) C:\WINDOWS\system32\DRIVERS\cpqarray.sys
2011/01/13 13:00:34.0750 dac2w2k (e550e7418984b65a78299d248f0a7f36) C:\WINDOWS\system32\DRIVERS\dac2w2k.sys
2011/01/13 13:00:34.0937 dac960nt (683789caa3864eb46125ae86ff677d34) C:\WINDOWS\system32\DRIVERS\dac960nt.sys
2011/01/13 13:00:35.0046 dfmirage (d8cd6a2a94f545858eec6117f0d5dff4) C:\WINDOWS\system32\DRIVERS\dfmirage.sys
2011/01/13 13:00:35.0234 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
2011/01/13 13:00:35.0359 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
2011/01/13 13:00:35.0609 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
2011/01/13 13:00:35.0703 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2011/01/13 13:00:35.0828 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
2011/01/13 13:00:36.0031 dpti2o (40f3b93b4e5b0126f2f5c0a7a5e22660) C:\WINDOWS\system32\DRIVERS\dpti2o.sys
2011/01/13 13:00:36.0125 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
2011/01/13 13:00:36.0296 drvmcdb (b15f9e526ba511a48b1b1b8537815740) C:\WINDOWS\system32\drivers\drvmcdb.sys
2011/01/13 13:00:36.0421 drvnddm (fa4670cae95ae2bb857c68e535661145) C:\WINDOWS\system32\drivers\drvnddm.sys
2011/01/13 13:00:36.0562 E100B (7d91dc6342248369f94d6eba0cf42e99) C:\WINDOWS\system32\DRIVERS\e100b325.sys
2011/01/13 13:00:36.0765 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
2011/01/13 13:00:36.0859 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\DRIVERS\fdc.sys
2011/01/13 13:00:37.0046 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
2011/01/13 13:00:37.0140 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\DRIVERS\flpydisk.sys
2011/01/13 13:00:37.0343 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\drivers\fltmgr.sys
2011/01/13 13:00:37.0531 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2011/01/13 13:00:37.0656 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2011/01/13 13:00:37.0906 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2011/01/13 13:00:38.0093 HidUsb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
2011/01/13 13:00:38.0234 hpn (b028377dea0546a5fcfba928a8aefae0) C:\WINDOWS\system32\DRIVERS\hpn.sys
2011/01/13 13:00:38.0437 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
2011/01/13 13:00:38.0609 i2omgmt (9368670bd426ebea5e8b18a62416ec28) C:\WINDOWS\system32\drivers\i2omgmt.sys
2011/01/13 13:00:38.0734 i2omp (f10863bf1ccc290babd1a09188ae49e0) C:\WINDOWS\system32\DRIVERS\i2omp.sys
2011/01/13 13:00:38.0890 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2011/01/13 13:00:39.0046 ialm (9a883c3c4d91292c0d09de7c728e781c) C:\WINDOWS\system32\DRIVERS\ialmnt5.sys
2011/01/13 13:00:39.0281 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
2011/01/13 13:00:39.0437 ini910u (4a40e045faee58631fd8d91afc620719) C:\WINDOWS\system32\DRIVERS\ini910u.sys
2011/01/13 13:00:39.0671 IntelC51 (7509c548400f4c9e0211e3f6e66abbe6) C:\WINDOWS\system32\DRIVERS\IntelC51.sys
2011/01/13 13:00:40.0000 IntelC52 (9584ffdd41d37f2c239681d0dac2513e) C:\WINDOWS\system32\DRIVERS\IntelC52.sys
2011/01/13 13:00:40.0265 IntelC53 (cf0b937710cec6ef39416edecd803cbb) C:\WINDOWS\system32\DRIVERS\IntelC53.sys
2011/01/13 13:00:40.0531 IntelIde (b5466a9250342a7aa0cd1fba13420678) C:\WINDOWS\system32\DRIVERS\intelide.sys
2011/01/13 13:00:40.0625 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
2011/01/13 13:00:40.0796 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\drivers\ip6fw.sys
2011/01/13 13:00:40.0921 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2011/01/13 13:00:41.0109 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2011/01/13 13:00:41.0218 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2011/01/13 13:00:41.0421 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2011/01/13 13:00:41.0531 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
2011/01/13 13:00:41.0687 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2011/01/13 13:00:41.0796 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2011/01/13 13:00:41.0984 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
2011/01/13 13:00:42.0078 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
2011/01/13 13:00:42.0375 mfeapfk (84d59a3eddfb9438fb94f7f80d37859d) C:\WINDOWS\system32\drivers\mfeapfk.sys
2011/01/13 13:00:42.0609 mfeavfk (67e961988312b1a28d6f93357b0bf998) C:\WINDOWS\system32\drivers\mfeavfk.sys
2011/01/13 13:00:42.0812 mfebopk (19161b1796cf74a6a326abde309062ba) C:\WINDOWS\system32\drivers\mfebopk.sys
2011/01/13 13:00:43.0078 mfefirek (d5f89b4934960c70882924d992c6abfc) C:\WINDOWS\system32\drivers\mfefirek.sys
2011/01/13 13:00:43.0390 mfehidk (0efab2b91b27543fe589de700de07136) C:\WINDOWS\system32\drivers\mfehidk.sys
2011/01/13 13:00:43.0578 mfendisk (549dd4966bf0b1d1fc205ca0755a745b) C:\WINDOWS\system32\DRIVERS\mfendisk.sys
2011/01/13 13:00:43.0718 mfendiskmp (549dd4966bf0b1d1fc205ca0755a745b) C:\WINDOWS\system32\DRIVERS\mfendisk.sys
2011/01/13 13:00:43.0890 mferkdet (c9eda1eada2ab6e34cd1a10c3a24ab25) C:\WINDOWS\system32\drivers\mferkdet.sys
2011/01/13 13:00:44.0156 mfetdi2k (e6c5f7aade5a31c057d73201acfe8adf) C:\WINDOWS\system32\drivers\mfetdi2k.sys
2011/01/13 13:00:44.0328 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2011/01/13 13:00:44.0453 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
2011/01/13 13:00:44.0656 MODEMCSA (1992e0d143b09653ab0f9c5e04b0fd65) C:\WINDOWS\system32\drivers\MODEMCSA.sys
2011/01/13 13:00:44.0921 mohfilt (59b8b11ff70728eec60e72131c58b716) C:\WINDOWS\system32\DRIVERS\mohfilt.sys
2011/01/13 13:00:45.0015 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2011/01/13 13:00:45.0109 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
2011/01/13 13:00:45.0296 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
2011/01/13 13:00:45.0390 mraid35x (3f4bb95e5a44f3be34824e8e7caf0737) C:\WINDOWS\system32\DRIVERS\mraid35x.sys
2011/01/13 13:00:45.0609 MREMPR5 (2bc9e43f55de8c30fc817ed56d0ee907) C:\PROGRA~1\COMMON~1\Motive\MREMPR5.SYS
2011/01/13 13:00:45.0875 MRENDIS5 (594b9d8194e3f4ecbf0325bd10bbeb05) C:\PROGRA~1\COMMON~1\Motive\MRENDIS5.SYS
2011/01/13 13:00:46.0125 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2011/01/13 13:00:46.0234 MRxSmb (f3aefb11abc521122b67095044169e98) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2011/01/13 13:00:46.0453 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
2011/01/13 13:00:46.0656 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2011/01/13 13:00:46.0828 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2011/01/13 13:00:47.0015 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
2011/01/13 13:00:47.0203 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2011/01/13 13:00:47.0359 MSTEE (e53736a9e30c45fa9e7b5eac55056d1d) C:\WINDOWS\system32\drivers\MSTEE.sys
2011/01/13 13:00:47.0500 Mup (2f625d11385b1a94360bfc70aaefdee1) C:\WINDOWS\system32\drivers\Mup.sys
2011/01/13 13:00:47.0703 NABTSFEC (5b50f1b2a2ed47d560577b221da734db) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
2011/01/13 13:00:47.0953 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
2011/01/13 13:00:48.0078 NdisIP (7ff1f1fd8609c149aa432f95a8163d97) C:\WINDOWS\system32\DRIVERS\NdisIP.sys
2011/01/13 13:00:48.0187 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2011/01/13 13:00:48.0328 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2011/01/13 13:00:48.0453 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2011/01/13 13:00:48.0562 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
2011/01/13 13:00:48.0750 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
2011/01/13 13:00:48.0843 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
2011/01/13 13:00:49.0062 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
2011/01/13 13:00:49.0171 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
2011/01/13 13:00:49.0390 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2011/01/13 13:00:49.0640 nv (2b298519edbfcf451d43e0f1e8f1006d) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
2011/01/13 13:00:49.0968 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2011/01/13 13:00:50.0078 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2011/01/13 13:00:50.0203 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
2011/01/13 13:00:50.0343 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
2011/01/13 13:00:50.0515 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2011/01/13 13:00:50.0640 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
2011/01/13 13:00:50.0875 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
2011/01/13 13:00:51.0062 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
2011/01/13 13:00:51.0390 perc2 (6c14b9c19ba84f73d3a86dba11133101) C:\WINDOWS\system32\DRIVERS\perc2.sys
2011/01/13 13:00:51.0578 perc2hib (f50f7c27f131afe7beba13e14a3b9416) C:\WINDOWS\system32\DRIVERS\perc2hib.sys
2011/01/13 13:00:51.0765 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2011/01/13 13:00:51.0859 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
2011/01/13 13:00:52.0015 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2011/01/13 13:00:52.0109 PxHelp20 (153d02480a0a2f45785522e814c634b6) C:\WINDOWS\system32\Drivers\PxHelp20.sys
2011/01/13 13:00:52.0296 ql1080 (0a63fb54039eb5662433caba3b26dba7) C:\WINDOWS\system32\DRIVERS\ql1080.sys
2011/01/13 13:00:52.0390 Ql10wnt (6503449e1d43a0ff0201ad5cb1b8c706) C:\WINDOWS\system32\DRIVERS\ql10wnt.sys
2011/01/13 13:00:52.0593 ql12160 (156ed0ef20c15114ca097a34a30d8a01) C:\WINDOWS\system32\DRIVERS\ql12160.sys
2011/01/13 13:00:52.0734 ql1240 (70f016bebde6d29e864c1230a07cc5e6) C:\WINDOWS\system32\DRIVERS\ql1240.sys
2011/01/13 13:00:52.0937 ql1280 (907f0aeea6bc451011611e732bd31fcf) C:\WINDOWS\system32\DRIVERS\ql1280.sys
2011/01/13 13:00:53.0046 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2011/01/13 13:00:53.0234 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2011/01/13 13:00:53.0359 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2011/01/13 13:00:53.0500 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2011/01/13 13:00:53.0625 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2011/01/13 13:00:53.0765 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2011/01/13 13:00:53.0859 rdpdr (15cabd0f7c00c47c70124907916af3f1) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
2011/01/13 13:00:54.0031 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
2011/01/13 13:00:54.0156 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
2011/01/13 13:00:54.0421 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2011/01/13 13:00:54.0625 senfilt (b9c7617c1e8ab6fdff75d3c8dafcb4c8) C:\WINDOWS\system32\drivers\senfilt.sys
2011/01/13 13:00:54.0906 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
2011/01/13 13:00:55.0000 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
2011/01/13 13:00:55.0203 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
2011/01/13 13:00:55.0406 silabenm (c16173316918a1360dc22947c4ff6352) C:\WINDOWS\system32\DRIVERS\silabenm.sys
2011/01/13 13:00:55.0671 silabser (20a3ca1dfb7165315753339c204063ea) C:\WINDOWS\system32\DRIVERS\silabser.sys
2011/01/13 13:00:55.0984 sisagp (6b33d0ebd30db32e27d1d78fe946a754) C:\WINDOWS\system32\DRIVERS\sisagp.sys
2011/01/13 13:00:56.0156 slabbus (1b07ad8cce612ac298dd29763d579cda) C:\WINDOWS\system32\DRIVERS\slabbus.sys
2011/01/13 13:00:56.0312 slabser (4d3d895660b22fdaa48e80381870fa8d) C:\WINDOWS\system32\DRIVERS\slabser.sys
2011/01/13 13:00:56.0531 SLIP (866d538ebe33709a5c9f5c62b73b7d14) C:\WINDOWS\system32\DRIVERS\SLIP.sys
2011/01/13 13:00:56.0656 smwdm (86c4d93b7b7818d066c52fdb03c6c921) C:\WINDOWS\system32\drivers\smwdm.sys
2011/01/13 13:00:56.0718 Sparrow (83c0f71f86d3bdaf915685f3d568b20e) C:\WINDOWS\system32\DRIVERS\sparrow.sys
2011/01/13 13:00:56.0812 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
2011/01/13 13:00:57.0000 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
2011/01/13 13:00:57.0093 Srv (0f6aefad3641a657e18081f52d0c15af) C:\WINDOWS\system32\DRIVERS\srv.sys
2011/01/13 13:00:57.0281 sscdbhk5 (d7968049be0adbb6a57cee3960320911) C:\WINDOWS\system32\drivers\sscdbhk5.sys
2011/01/13 13:00:57.0406 ssrtln (c3ffd65abfb6441e7606cf74f1155273) C:\WINDOWS\system32\drivers\ssrtln.sys
2011/01/13 13:00:57.0593 sst1B9 (c0255cfcafbd642365dac62a16cbcd98) C:\WINDOWS\system32\drivers\sst1B9.sys
2011/01/13 13:00:57.0859 streamip (77813007ba6265c4b6098187e6ed79d2) C:\WINDOWS\system32\DRIVERS\StreamIP.sys
2011/01/13 13:00:57.0953 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
2011/01/13 13:00:58.0125 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
2011/01/13 13:00:58.0265 symc810 (1ff3217614018630d0a6758630fc698c) C:\WINDOWS\system32\DRIVERS\symc810.sys
2011/01/13 13:00:58.0468 symc8xx (070e001d95cf725186ef8b20335f933c) C:\WINDOWS\system32\DRIVERS\symc8xx.sys
2011/01/13 13:00:58.0562 sym_hi (80ac1c4abbe2df3b738bf15517a51f2c) C:\WINDOWS\system32\DRIVERS\sym_hi.sys
2011/01/13 13:00:58.0734 sym_u3 (bf4fab949a382a8e105f46ebb4937058) C:\WINDOWS\system32\DRIVERS\sym_u3.sys
2011/01/13 13:00:58.0828 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
2011/01/13 13:00:58.0953 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2011/01/13 13:00:59.0140 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
2011/01/13 13:00:59.0250 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
2011/01/13 13:00:59.0359 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
2011/01/13 13:00:59.0546 tfsnboio (1d265cd2fb1673a0873bf8cec19ddc7f) C:\WINDOWS\system32\dla\tfsnboio.sys
2011/01/13 13:00:59.0812 tfsncofs (62e4901295e0467cac78e5b4b131ae5c) C:\WINDOWS\system32\dla\tfsncofs.sys
2011/01/13 13:01:00.0062 tfsndrct (a2f380f9252ab3464c859adf91eead9c) C:\WINDOWS\system32\dla\tfsndrct.sys
2011/01/13 13:01:00.0281 tfsndres (eee79bbefe9c6a2a3ce6c8753cfea950) C:\WINDOWS\system32\dla\tfsndres.sys
2011/01/13 13:01:00.0500 tfsnifs (9d644eb11fec9487450c4cfcd63a5df4) C:\WINDOWS\system32\dla\tfsnifs.sys
2011/01/13 13:01:00.0734 tfsnopio (e656af05c67edb7c0e9230a5df71ed1b) C:\WINDOWS\system32\dla\tfsnopio.sys
2011/01/13 13:01:00.0984 tfsnpool (64fccb9cce703ca507dffc3cebf6b2cb) C:\WINDOWS\system32\dla\tfsnpool.sys
2011/01/13 13:01:01.0250 tfsnudf (48bc9d8ab4e4b9bff70fb18e55cec3d6) C:\WINDOWS\system32\dla\tfsnudf.sys
2011/01/13 13:01:01.0515 tfsnudfa (79f60822224256b49bfc855da8d651d5) C:\WINDOWS\system32\dla\tfsnudfa.sys
2011/01/13 13:01:01.0765 TosIde (f2790f6af01321b172aa62f8e1e187d9) C:\WINDOWS\system32\DRIVERS\toside.sys
2011/01/13 13:01:01.0875 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
2011/01/13 13:01:02.0062 ultra (1b698a51cd528d8da4ffaed66dfc51b9) C:\WINDOWS\system32\DRIVERS\ultra.sys
2011/01/13 13:01:02.0171 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
2011/01/13 13:01:02.0390 usbaudio (e919708db44ed8543a7c017953148330) C:\WINDOWS\system32\drivers\usbaudio.sys
2011/01/13 13:01:02.0500 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
2011/01/13 13:01:02.0671 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2011/01/13 13:01:02.0765 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2011/01/13 13:01:02.0937 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
2011/01/13 13:01:03.0031 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
2011/01/13 13:01:03.0218 USBSTOR (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2011/01/13 13:01:03.0343 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
2011/01/13 13:01:03.0531 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
2011/01/13 13:01:03.0656 viaagp (754292ce5848b3738281b4f3607eaef4) C:\WINDOWS\system32\DRIVERS\viaagp.sys
2011/01/13 13:01:03.0765 ViaIde (3b3efcda263b8ac14fdf9cbdd0791b2e) C:\WINDOWS\system32\DRIVERS\viaide.sys
2011/01/13 13:01:03.0937 VolSnap (0fd6d2221c85dafe1a1a149972463458) C:\WINDOWS\system32\drivers\VolSnap.sys
2011/01/13 13:01:03.0937 Suspicious file (Forged): C:\WINDOWS\system32\drivers\VolSnap.sys. Real md5: 0fd6d2221c85dafe1a1a149972463458, Fake md5: 4c8fcb5cc53aab716d810740fe59d025
2011/01/13 13:01:03.0937 VolSnap - detected Rootkit.Win32.TDSS.tdl3 (0)
2011/01/13 13:01:04.0187 VX3000 (e26744e5dd71a16e80d4dd5a286b8423) C:\WINDOWS\system32\DRIVERS\VX3000.sys
2011/01/13 13:01:04.0500 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2011/01/13 13:01:04.0703 Wdf01000 (fd47474bd21794508af449d9d91af6e6) C:\WINDOWS\system32\DRIVERS\Wdf01000.sys
2011/01/13 13:01:05.0031 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
2011/01/13 13:01:05.0296 WS2IFSL (6abe6e225adb5a751622a9cc3bc19ce8) C:\WINDOWS\System32\drivers\ws2ifsl.sys
2011/01/13 13:01:05.0421 WSTCODEC (c98b39829c2bbd34e454150633c62c78) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
2011/01/13 13:01:06.0140 ================================================================================
2011/01/13 13:01:06.0140 Scan finished
2011/01/13 13:01:06.0140 ================================================================================
2011/01/13 13:01:06.0156 Detected object count: 1
2011/01/13 13:02:36.0343 VolSnap (0fd6d2221c85dafe1a1a149972463458) C:\WINDOWS\system32\drivers\VolSnap.sys
2011/01/13 13:02:36.0343 Suspicious file (Forged): C:\WINDOWS\system32\drivers\VolSnap.sys. Real md5: 0fd6d2221c85dafe1a1a149972463458, Fake md5: 4c8fcb5cc53aab716d810740fe59d025
2011/01/13 13:02:38.0859 Backup copy found, using it..
2011/01/13 13:02:38.0906 C:\WINDOWS\system32\drivers\VolSnap.sys - will be cured after reboot
2011/01/13 13:02:38.0906 Rootkit.Win32.TDSS.tdl3(VolSnap) - User select action: Cure
2011/01/13 13:02:47.0671 Deinitialize success
 
DDS retry - no joy

Broni,

DDS.scr opens a notepad window, pauses and writes out garbage.
I think it contained the same message as before about not operating in DOS.

Guy
 
Download MBRCheck to your desktop

Double click MBRCheck.exe to run (Vista and Windows 7 users, right click and select Run as Administrator).
It will show a black screen with some data on it.
Enter N to exit.
A report called MBRcheckxxxx.txt will be on your desktop
Open this report and post its content in your next reply.

======================================================================

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  1. Please, never rename Combofix unless instructed.
  2. Close any open browsers.
  3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    NOTE1. If Combofix asks you to install Recovery Console, please allow it.
    NOTE 2. If Combofix asks you to update the program, always do so.
    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
  4. Double click on combofix.exe & follow the prompts.
  5. When finished, it will produce a report for you.
  6. Please post the "C:\ComboFix.txt"
**Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall
**Note 2 for AVG users: ComboFix will not run until AVG is uninstalled as a protective measure against the anti-virus. This is because AVG "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG first.
Use AppRemover to uninstall it: https://www.techspot.com/downloads/5514-appremover.html
We can reinstall it when we're done with CF.
**Note 3: If you receive an error "Illegal operation attempted on a registery key that has been marked for deletion", restart computer to fix the issue.



Make sure, you re-enable your security programs, when you're done with Combofix.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

NOTE.
If, for some reason, Combofix refuses to run, try one of the following:

1. Run Combofix from Safe Mode.

2. Delete Combofix file, download fresh one, but rename combofix.exe to your_name.exe BEFORE saving it to your desktop.
Do NOT run it yet.

Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

There are 4 different versions. If one of them won't run then download and try to run the other one.

Vista and Win7 users need to right click Rkill and choose Run as Administrator

You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

Rkill.com
Rkill.scr
Rkill.exe

  • Double-click on the Rkill desktop icon to run the tool.
  • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
  • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
  • If not, delete the file, then download and use the one provided in Link 2.
  • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
  • Do not reboot until instructed.
  • If the tool does not run from any of the links provided, please let me know.

Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

If normal mode still doesn't work, run BOTH tools from safe mode.

In case #2, please post BOTH logs, rKill and Combofix.

DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
 
Question about disabling McAfee

Hi, Bruni,

I hope this question is not too trivial, but my version of McAfee Antivirus + (which is current) does not have an "Exit button" as described in the link to Bleepingcomputer.

Will I be OK if I separately disable real time scanning and the firewall?
If not, this might be why DSS didn't run.
I tried calling mcafee, but they would not help with their own program.

Thanks,
Guy
 
Results of MBRCheck and ComboFix

I ran MBR without incident.
Combofix was more interesting:

1. During stage 3 of the scan, mcafee quarantined a virus and removed a trojan
I am sure I turned off mcafee real time scan for at least an hour.

2. After the start of the reboot, I got a warning that "NirCmd.dll failed to initialize because Windows stations shutting down", but after a while the reboot continued.

3. During preparation of the log report, the Adobe updater popped up. I waited about 10 minutes and (very reluctantly) closed the adobe updater window.

4. mcafee then removed another trojan during the report prep.

Combofix seems to have removed itself from my desktop.

Thanks,
Guy

=============== MBR Check ===========================

MBRCheck, version 1.2.3
(c) 2010, AD

Command-line:
Windows Version: Windows XP Home Edition
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x0000000d

Kernel Drivers (total 187):
0x804D7000 \WINDOWS\system32\ntoskrnl.exe
0x806EE000 \WINDOWS\system32\hal.dll
0xF89F8000 \WINDOWS\system32\KDCOM.DLL
0xF8908000 \WINDOWS\system32\BOOTVID.dll
0xF84A9000 ACPI.sys
0xF89FA000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
0xF8498000 pci.sys
0xF84F8000 isapnp.sys
0xF8AC0000 pciide.sys
0xF8778000 \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
0xF89FC000 aliide.sys
0xF89FE000 cmdide.sys
0xF8A00000 toside.sys
0xF8A02000 viaide.sys
0xF8A04000 intelide.sys
0xF8508000 MountMgr.sys
0xF8479000 ftdisk.sys
0xF8780000 PartMgr.sys
0xF8518000 VolSnap.sys
0xF890C000 cpqarray.sys
0xF8461000 \WINDOWS\system32\DRIVERS\SCSIPORT.SYS
0xF8449000 atapi.sys
0xF8910000 aha154x.sys
0xF8788000 sparrow.sys
0xF8914000 symc810.sys
0xF8528000 aic78xx.sys
0xF8918000 dac960nt.sys
0xF8538000 ql10wnt.sys
0xF891C000 amsint.sys
0xF8790000 asc.sys
0xF8920000 asc3550.sys
0xF8798000 mraid35x.sys
0xF87A0000 i2omp.sys
0xF8924000 ini910u.sys
0xF8548000 ql1240.sys
0xF8558000 aic78u2.sys
0xF87A8000 symc8xx.sys
0xF87B0000 sym_hi.sys
0xF87B8000 sym_u3.sys
0xF87C0000 ABP480N5.SYS
0xF87C8000 asc3350p.sys
0xF8A06000 cd20xrnt.sys
0xF8568000 ultra.sys
0xF8430000 adpu160m.sys
0xF87D0000 dpti2o.sys
0xF8578000 ql1080.sys
0xF8588000 ql1280.sys
0xF8598000 ql12160.sys
0xF87D8000 perc2.sys
0xF8A08000 perc2hib.sys
0xF87E0000 hpn.sys
0xF8928000 cbidf2k.sys
0xF8404000 dac2w2k.sys
0xF85A8000 disk.sys
0xF85B8000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
0xF83E4000 fltmgr.sys
0xF83D2000 sr.sys
0xF8375000 mfehidk.sys
0xF8360000 drvmcdb.sys
0xF85C8000 PxHelp20.sys
0xF8349000 KSecDD.sys
0xF82BC000 Ntfs.sys
0xF828F000 NDIS.sys
0xF8A0A000 CorLog.sys
0xF87E8000 CorMem.sys
0xF85D8000 sisagp.sys
0xF85E8000 viaagp.sys
0xF8275000 Mup.sys
0xF85F8000 agp440.sys
0xF8608000 alim1541.sys
0xF8618000 amdagp.sys
0xF8628000 agpCPQ.sys
0xF8748000 \SystemRoot\system32\DRIVERS\intelppm.sys
0xF76BB000 \SystemRoot\system32\DRIVERS\ialmnt5.sys
0xF76A7000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
0xF8860000 \SystemRoot\system32\DRIVERS\usbuhci.sys
0xF7683000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0xF8868000 \SystemRoot\system32\DRIVERS\usbehci.sys
0xF8758000 \SystemRoot\system32\DRIVERS\IntelC53.sys
0xF7660000 \SystemRoot\system32\DRIVERS\ks.sys
0xF7539000 \SystemRoot\system32\DRIVERS\IntelC51.sys
0xF74A4000 \SystemRoot\system32\DRIVERS\IntelC52.sys
0xF8870000 \SystemRoot\system32\DRIVERS\mohfilt.sys
0xF8878000 \SystemRoot\System32\Drivers\Modem.SYS
0xF747E000 \SystemRoot\system32\DRIVERS\e100b325.sys
0xF8880000 \SystemRoot\system32\DRIVERS\fdc.sys
0xF8768000 \SystemRoot\system32\DRIVERS\i8042prt.sys
0xF8888000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0xF8890000 \SystemRoot\system32\DRIVERS\mouclass.sys
0xF821D000 \SystemRoot\system32\DRIVERS\serial.sys
0xF8174000 \SystemRoot\system32\DRIVERS\serenum.sys
0xF746A000 \SystemRoot\system32\DRIVERS\parport.sys
0xF820D000 \SystemRoot\system32\DRIVERS\imapi.sys
0xF8A56000 \SystemRoot\system32\drivers\sscdbhk5.sys
0xF81FD000 \SystemRoot\system32\DRIVERS\cdrom.sys
0xF81ED000 \SystemRoot\system32\DRIVERS\redbook.sys
0xF742A000 \SystemRoot\system32\drivers\smwdm.sys
0xF7406000 \SystemRoot\system32\drivers\portcls.sys
0xF81DD000 \SystemRoot\system32\drivers\drmk.sys
0xF7353000 \SystemRoot\system32\drivers\senfilt.sys
0xF81CD000 \SystemRoot\system32\DRIVERS\dfmirage.sys
0xF8AFF000 \SystemRoot\system32\DRIVERS\audstub.sys
0xF733F000 \SystemRoot\system32\DRIVERS\mfendisk.sys
0xF81BD000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0xF8164000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0xF7328000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0xF81AD000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0xF819D000 \SystemRoot\system32\DRIVERS\raspptp.sys
0xF8898000 \SystemRoot\system32\DRIVERS\TDI.SYS
0xF7317000 \SystemRoot\system32\DRIVERS\psched.sys
0xF818D000 \SystemRoot\system32\DRIVERS\msgpc.sys
0xF72F3000 \SystemRoot\system32\drivers\mfeavfk.sys
0xF72A8000 \SystemRoot\system32\drivers\mfefirek.sys
0xF88A0000 \SystemRoot\system32\DRIVERS\ptilink.sys
0xF88A8000 \SystemRoot\system32\DRIVERS\raspti.sys
0xF8648000 \SystemRoot\system32\DRIVERS\termdd.sys
0xF8A5C000 \SystemRoot\system32\DRIVERS\swenum.sys
0xF724A000 \SystemRoot\system32\DRIVERS\update.sys
0xF7911000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0xF7BAF000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xF7B8F000 \SystemRoot\system32\DRIVERS\usbhub.sys
0xF8A68000 \SystemRoot\system32\DRIVERS\USBD.SYS
0xF89E0000 \SystemRoot\system32\drivers\MODEMCSA.sys
0xF88C8000 \SystemRoot\system32\DRIVERS\flpydisk.sys
0xF89F0000 \SystemRoot\System32\Drivers\i2omgmt.SYS
0xF8A6A000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xF8AF3000 \SystemRoot\System32\Drivers\Null.SYS
0xF8A6C000 \SystemRoot\System32\Drivers\Beep.SYS
0xF88D8000 \SystemRoot\system32\drivers\ssrtln.sys
0xF88E0000 \SystemRoot\System32\drivers\vga.sys
0xF8A6E000 \SystemRoot\System32\Drivers\mnmdd.SYS
0xF8A70000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0xF88E8000 \SystemRoot\System32\Drivers\Msfs.SYS
0xF88F0000 \SystemRoot\System32\Drivers\Npfs.SYS
0xF8251000 \SystemRoot\system32\DRIVERS\rasacd.sys
0xEF078000 \SystemRoot\system32\DRIVERS\ipsec.sys
0xEF01F000 \SystemRoot\system32\DRIVERS\tcpip.sys
0xEF00C000 \SystemRoot\system32\drivers\mfetdi2k.sys
0xEEFE6000 \SystemRoot\system32\DRIVERS\ipnat.sys
0xEEFBE000 \SystemRoot\system32\DRIVERS\netbt.sys
0xF8241000 \SystemRoot\System32\drivers\ws2ifsl.sys
0xEEF9C000 \SystemRoot\System32\drivers\afd.sys
0xF7889000 \SystemRoot\system32\DRIVERS\netbios.sys
0xF823D000 \SystemRoot\System32\Drivers\CorPci.sys
0xF7879000 \SystemRoot\System32\Drivers\corserial.sys
0xEEF49000 \SystemRoot\system32\DRIVERS\rdbss.sys
0xEEED9000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0xF7869000 \SystemRoot\System32\Drivers\Fips.SYS
0xF7859000 \SystemRoot\system32\DRIVERS\wanarp.sys
0xF88F8000 \SystemRoot\system32\DRIVERS\usbccgp.sys
0xEECFB000 \SystemRoot\system32\DRIVERS\VX3000.sys
0xF7829000 \SystemRoot\system32\DRIVERS\STREAM.SYS
0xF7809000 \SystemRoot\system32\drivers\usbaudio.sys
0xF86D8000 \SystemRoot\System32\Drivers\Cdfs.SYS
0xEECE3000 \SystemRoot\System32\Drivers\dump_atapi.sys
0xF8AAE000 \SystemRoot\System32\Drivers\dump_WMILIB.SYS
0xBF800000 \SystemRoot\System32\win32k.sys
0xEF139000 \SystemRoot\System32\drivers\Dxapi.sys
0xEF0CB000 \SystemRoot\System32\watchdog.sys
0xBF000000 \SystemRoot\System32\drivers\dxg.sys
0xF8B7F000 \SystemRoot\System32\drivers\dxgthk.sys
0xBF020000 \SystemRoot\System32\ialmdnt5.dll
0xBF012000 \SystemRoot\System32\ialmrnt5.dll
0xBF042000 \SystemRoot\System32\ialmdev5.DLL
0xBF077000 \SystemRoot\System32\ialmdd5.DLL
0xBFFA0000 \SystemRoot\System32\ATMFD.DLL
0xF8698000 \SystemRoot\system32\drivers\drvnddm.sys
0xF8C39000 \SystemRoot\system32\dla\tfsndres.sys
0xEEB8D000 \SystemRoot\system32\dla\tfsnifs.sys
0xEECBF000 \SystemRoot\system32\dla\tfsnopio.sys
0xF8ABC000 \SystemRoot\system32\dla\tfsnpool.sys
0xF88D0000 \SystemRoot\system32\dla\tfsnboio.sys
0xF86A8000 \SystemRoot\system32\dla\tfsncofs.sys
0xF8C3A000 \SystemRoot\system32\dla\tfsndrct.sys
0xEEB74000 \SystemRoot\system32\dla\tfsnudf.sys
0xEEB5B000 \SystemRoot\system32\dla\tfsnudfa.sys
0xEEBBF000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0xEE8D6000 \SystemRoot\system32\DRIVERS\mrxdav.sys
0xEE78E000 \SystemRoot\system32\DRIVERS\srv.sys
0xEE639000 \SystemRoot\system32\drivers\wdmaud.sys
0xEE86E000 \SystemRoot\system32\drivers\sysaudio.sys
0xEE45F000 \SystemRoot\System32\Drivers\Fastfat.SYS
0xEDCF2000 \SystemRoot\System32\Drivers\HTTP.sys
0xEE36F000 \SystemRoot\system32\drivers\cfwids.sys
0xEDC3C000 \SystemRoot\system32\drivers\mfeapfk.sys
0xEE82E000 \SystemRoot\system32\drivers\mfebopk.sys
0x7C900000 \WINDOWS\SYSTEM32\ntdll.dll

Processes (total 46):
0 System Idle Process
4 System
896 C:\WINDOWS\SYSTEM32\smss.exe
1020 csrss.exe
1044 C:\WINDOWS\SYSTEM32\winlogon.exe
1088 C:\WINDOWS\SYSTEM32\services.exe
1100 C:\WINDOWS\SYSTEM32\lsass.exe
1272 C:\WINDOWS\SYSTEM32\svchost.exe
1360 svchost.exe
1480 C:\WINDOWS\SYSTEM32\svchost.exe
1532 svchost.exe
1600 svchost.exe
2012 C:\WINDOWS\SYSTEM32\spoolsv.exe
208 C:\WINDOWS\explorer.exe
268 svchost.exe
332 C:\Program Files\Java\jre6\bin\jqs.exe
360 C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
408 C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe
564 C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe
680 C:\Program Files\Microsoft LifeCam\MSCamS32.exe
716 C:\Program Files\Dantz\Retrospect\retrorun.exe
1012 C:\PROGRA~1\Dantz\RETROS~1\wdsvc.exe
1472 C:\Program Files\Dell Support Center\bin\sprtsvc.exe
1748 C:\WINDOWS\SYSTEM32\svchost.exe
1132 C:\Program Files\Common Files\McAfee\SystemCore\mcshield.exe
1996 C:\Program Files\Common Files\McAfee\SystemCore\mfefire.exe
844 C:\Program Files\Canon\CAL\CALMAIN.exe
2328 C:\Program Files\Analog Devices\Core\smax4pnp.exe
2352 C:\Program Files\Common Files\Java\Java Update\jusched.exe
2360 C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
2380 C:\WINDOWS\SYSTEM32\hkcmd.exe
2392 C:\WINDOWS\SYSTEM32\igfxpers.exe
2548 C:\PROGRA~1\VERIZO~1\HELPSU~1\VERIZO~1.EXE
2556 C:\Program Files\Common Files\Real\Update_OB\realsched.exe
2780 C:\WINDOWS\vVX3000.exe
2804 C:\Program Files\Dell Support Center\bin\sprtcmd.exe
2852 C:\Program Files\verizon\VSP\VerizonServicepoint.exe
2860 C:\WINDOWS\SYSTEM32\dla\tfswctrl.exe
2876 C:\Program Files\Common Files\Verizon Online\ConnMgr\cmisrv.exe
2932 C:\WINDOWS\SYSTEM32\WDBtnMgr.exe
3124 C:\Program Files\McAfee.com\Agent\mcagent.exe
3240 C:\WINDOWS\SYSTEM32\ctfmon.exe
3444 alg.exe
3412 C:\Program Files\Common Files\Verizon Online\AppMgr\vzOpenUIServer.exe
1140 mcupdmgr.exe
1628 C:\Documents and Settings\Guy\Desktop\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`02738a00 (NTFS)

PhysicalDrive0 Model Number: ST380011A, Rev: 8.16

Size Device Name MBR Status
--------------------------------------------
74 GB \\.\PhysicalDrive0 Unknown MBR code
SHA1: E66C176942DF42CCFE7A0113EAFF39E82F8B0047


Found non-standard or infected MBR.
Enter 'Y' and hit ENTER for more options, or 'N' to exit:

Done!

================= ComboFix log =============================

ComboFix 11-01-13.01 - Guy 01/14/2011 9:22.1.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.258 [GMT -5:00]
Running from: c:\documents and settings\Guy\Desktop\ComboFix.exe
AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Firewall *Enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Guy\g2mdlhlpx.exe
c:\documents and settings\Guy\GoToAssistDownloadHelper.exe
c:\documents and settings\Guy\Recent\Thumbs.db
C:\Thumbs.db
c:\windows\ST6UNST.000
c:\windows\system32\drivers\sst1B9.sys
c:\windows\system32\Thumbs.db

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_sst1B9
-------\Service_sst1B9


((((((((((((((((((((((((( Files Created from 2010-12-14 to 2011-01-14 )))))))))))))))))))))))))))))))
.

2011-01-13 00:53 . 2011-01-13 00:52 211968 ----a-w- c:\windows\Dhubia.exe
2011-01-08 01:44 . 2011-01-08 01:44 -------- d-----w- c:\documents and settings\Guy\Application Data\Mozilla Firefox - Guys Profile Backups
2011-01-07 14:49 . 2011-01-08 01:44 -------- d-----w- c:\documents and settings\Administrator.HOMENETID
2011-01-05 17:30 . 2010-12-20 23:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-01-05 17:30 . 2010-12-20 23:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-12-17 02:29 . 2010-11-02 15:17 40960 ------w- c:\windows\system32\dllcache\ndproxy.sys
2010-12-17 02:26 . 2010-10-11 14:59 45568 ------w- c:\windows\system32\dllcache\wab.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-01-13 18:04 . 2004-08-04 11:00 52352 ----a-w- c:\windows\system32\drivers\volsnap.sys
2010-11-18 18:12 . 2004-08-04 11:00 81920 ----a-w- c:\windows\system32\isign32.dll
2010-11-09 14:52 . 2004-08-04 11:00 249856 ----a-w- c:\windows\system32\odbc32.dll
2010-11-06 00:26 . 2004-08-04 11:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-11-06 00:26 . 2004-08-04 11:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-11-06 00:26 . 2004-08-04 11:00 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2010-11-03 23:46 . 2010-11-03 23:47 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-11-03 23:46 . 2010-11-03 23:47 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-11-03 12:25 . 2004-08-04 11:00 385024 ----a-w- c:\windows\system32\html.iec
2010-11-02 15:17 . 2004-08-04 11:00 40960 ----a-w- c:\windows\system32\drivers\ndproxy.sys
2010-10-28 13:13 . 2004-08-04 11:00 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-10-26 13:25 . 2004-08-04 11:00 1853312 ----a-w- c:\windows\system32\win32k.sys
2005-03-25 08:17 . 2005-12-21 22:42 327680 ----a-w- c:\program files\RCSDK.dll
2005-03-25 08:17 . 2005-12-21 22:42 659456 ----a-w- c:\program files\RCRAPCLS.dll
2005-03-25 08:08 . 2005-12-21 22:42 77824 ----a-w- c:\program files\pscl2STI.dll
2004-11-25 14:29 . 2005-12-21 22:42 282624 ----a-w- c:\program files\rcParse.dll
2004-11-22 16:12 . 2005-12-21 22:42 434176 ----a-w- c:\program files\psdkdll.dll
2004-11-19 11:20 . 2005-12-21 22:42 184320 ----a-w- c:\program files\rcDvlp.dll
2004-11-08 08:32 . 2005-12-21 22:42 356352 ----a-w- c:\program files\rcDcd.dll
2004-10-13 04:35 . 2005-12-21 22:42 98304 ----a-w- c:\program files\pscSetup.dll
2004-10-13 04:34 . 2005-12-21 22:42 135168 ----a-w- c:\program files\pscCllct.dll
2004-10-13 04:34 . 2005-12-21 22:42 57344 ----a-w- c:\program files\pscAdimg.dll
2004-09-28 12:46 . 2005-12-21 22:42 360448 ----a-w- c:\program files\RC2DVLP.dll
2004-01-14 08:08 . 2005-12-21 22:42 598016 ----a-w- c:\program files\RcCamDat.dll
2002-05-21 12:46 . 2005-12-21 22:42 122880 ----a-w- c:\program files\CmSelDlg.dll
1999-04-08 16:18 . 2005-12-21 22:42 49152 ----a-w- c:\program files\_ISREG32.DLL
2010-10-14 02:28 . 2010-09-16 02:44 24376 ----a-w- c:\program files\mozilla firefox\components\Scriptff.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"Google Update"="c:\documents and settings\Guy\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-08-27 136176]
"AdobeUpdater"="c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2008-09-26 2356088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"IntelMeM"="c:\program files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-04 221184]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2007-01-28 185896]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"VX3000"="c:\windows\vVX3000.exe" [2010-05-20 762736]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 413696]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"VerizonServicepoint.exe"="c:\program files\Verizon\VSP\VerizonServicepoint.exe" [2009-03-12 2303216]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-08-13 122939]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-07 110592]
"WD Button Manager"="WDBtnMgr.exe" [2006-03-29 335872]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2010-09-30 1193848]
"LifeCam"="c:\program files\Microsoft LifeCam\LifeExp.exe" [2007-05-17 279912]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\WINDOWS\\SYSTEM32\\FXSCLNT.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\McAfee\\McSvcHost\\McSvHost.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"=
"c:\\Documents and Settings\\Guy\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=

R0 CorLog;CorLog;c:\windows\SYSTEM32\DRIVERS\CorLog.sys [5/16/2008 3:03 PM 11392]
R0 CorMem;CorMem;c:\windows\SYSTEM32\DRIVERS\cormem.sys [5/16/2008 3:03 PM 35328]
R1 CorPci;CorPci;c:\windows\SYSTEM32\DRIVERS\CorPci.sys [5/16/2008 3:03 PM 18688]
R1 CorSerial;CorSerial;c:\windows\SYSTEM32\DRIVERS\corserial.sys [5/16/2008 3:03 PM 56704]
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\SYSTEM32\DRIVERS\mfetdi2k.sys [8/8/2010 9:53 PM 84072]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [10/3/2008 12:24 PM 93320]
R2 McMPFSvc;McAfee Personal Firewall;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [8/8/2010 9:52 PM 271480]
R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [8/8/2010 9:52 PM 271480]
R2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\mfefire.exe [8/8/2010 9:53 PM 188136]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\Common Files\McAfee\SystemCore\mfevtps.exe [8/8/2010 9:53 PM 141792]
R3 cfwids;McAfee Inc. cfwids;c:\windows\SYSTEM32\DRIVERS\cfwids.sys [8/8/2010 9:53 PM 55840]
R3 dfmirage;dfmirage;c:\windows\SYSTEM32\DRIVERS\dfmirage.sys [11/25/2005 5:43 PM 31896]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\SYSTEM32\DRIVERS\mfefirek.sys [8/8/2010 9:53 PM 313288]
R3 mfendiskmp;mfendiskmp;c:\windows\SYSTEM32\DRIVERS\mfendisk.sys [8/8/2010 9:53 PM 88544]
S2 PICLPTNT;PICLPTNT;\??\c:\epic\PICLPTNT.SYS --> c:\epic\PICLPTNT.SYS [?]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\SYSTEM32\DRIVERS\mfendisk.sys [8/8/2010 9:53 PM 88544]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\SYSTEM32\DRIVERS\mferkdet.sys [8/8/2010 9:53 PM 84264]
S3 silabenm;Silicon Labs CP210x USB to UART Bridge Serial Port Enumerator Driver;c:\windows\SYSTEM32\DRIVERS\silabenm.sys [6/16/2008 10:02 AM 17920]
S3 silabser;Silicon Labs CP210x USB to UART Bridge Driver;c:\windows\SYSTEM32\DRIVERS\silabser.sys [6/16/2008 10:02 AM 61440]

--- Other Services/Drivers In Memory ---

*Deregistered* - mfeavfk01
.
Contents of the 'Scheduled Tasks' folder

2011-01-13 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2663308291-3766851088-3620130130-1006Core.job
- c:\documents and settings\Guy\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-08-27 17:37]

2011-01-14 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2663308291-3766851088-3620130130-1006UA.job
- c:\documents and settings\Guy\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-08-27 17:37]

2008-01-13 c:\windows\Tasks\Microsoft_Hardware_Launch_explorer_exe.job
- c:\windows\explorer.exe [2004-08-04 00:12]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
uInternet Settings,ProxyServer = http=127.0.0.1:8074
Trusted Zone: internet
Trusted Zone: mcafee.com
Trusted Zone: netflix.com
FF - ProfilePath - c:\documents and settings\Guy\Application Data\Mozilla\Firefox\Profiles\ncn1zto4.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=mcafee&p=
FF - prefs.js: network.proxy.type - 0
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: McAfee SiteAdvisor: {B7082FAA-CB62-4872-9106-E42DD88EDE45} - c:\program files\McAfee\SiteAdvisor
.
.
------- File Associations -------
.
.scr=AutoCADScriptFile
.
- - - - ORPHANS REMOVED - - - -

Toolbar-Locked - (no file)
HKCU-Run-TxIgLSBpYUyoPp.exe - c:\documents and settings\All Users\Application Data\TxIgLSBpYUyoPp.exe
HKCU-Run-l0FlWS98OXhWG1d - c:\docume~1\ALLUSE~1\APPLIC~1\l0FlWS98OXhWG1d.exe
HKCU-Run-LbifbJavy - c:\docume~1\ALLUSE~1\APPLIC~1\LbifbJavy.exe
HKCU-Run-EwKYhuUIUyB7SckX - c:\docume~1\ALLUSE~1\APPLIC~1\EwKYhuUIUyB7SckX.exe
HKCU-Run-T0wDKWPX0FGa - c:\docume~1\ALLUSE~1\APPLIC~1\T0wDKWPX0FGa.exe
HKCU-Run-SHf9QntLJK - c:\docume~1\ALLUSE~1\APPLIC~1\SHf9QntLJK.exe
HKCU-Run-jwyrmUI5Mmd - c:\docume~1\ALLUSE~1\APPLIC~1\jwyrmUI5Mmd.exe
HKCU-Run-nZzGLQKAxj - c:\docume~1\ALLUSE~1\APPLIC~1\nZzGLQKAxj.exe
HKLM-Run-MimBoot - c:\progra~1\MUSICM~1\MUSICM~3\mimboot.exe
SafeBoot-klmdb.sys
AddRemove-ImageJ_is1 - c:\documents and settings\Guy\My Documents\Corning\UPGRADE 2008\Snake Lausanne\ImageJ\ImageJ\unins000.exe
AddRemove-PicBasic Pro Compiler_is1 - c:\pbp\unins000.exe
AddRemove-SLABCOMM&10C4&EA60 - c:\windows\system32\Silabs\DriverUninstaller.exe VCP CP210x Cardinal\SLABCOMM&10C4&EA60
AddRemove-Verizon Online DSL_is1 - c:\program files\Common Files\SupportSoft\Verizon\vzuninstall.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-01-14 09:46
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3148)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\program files\Microsoft Office\OFFICE11\msohev.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Microsoft LifeCam\MSCamS32.exe
c:\program files\Dantz\Retrospect\retrorun.exe
c:\progra~1\Dantz\RETROS~1\wdsvc.exe
c:\program files\Dell Support Center\bin\sprtsvc.exe
c:\program files\Common Files\McAfee\SystemCore\mcshield.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\progra~1\VERIZO~1\HELPSU~1\VERIZO~1.EXE
c:\windows\system32\WDBtnMgr.exe
c:\program files\Common Files\Verizon Online\ConnMgr\cmisrv.exe
c:\program files\Common Files\Verizon Online\AppMgr\vzOpenUIServer.exe
.
**************************************************************************
.
Completion time: 2011-01-14 10:05:10 - machine was rebooted
ComboFix-quarantined-files.txt 2011-01-14 15:04

Pre-Run: 30,931,259,392 bytes free
Post-Run: 30,764,101,632 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - 7FBF403089AF6565E5E296F01485C6D1
 
Combofix seems to have removed itself from my desktop.
Click to expand...
Most likely, McAfee did it...grrrrr.

First, we have to double check this:
Found non-standard or infected MBR.
Click to expand...

Download Bootkit Remover to your Desktop.

  • You then need to extract the remover.exe file from the RAR using a program capable of extracing RAR compressed files. If you don't have an extraction program, you can use 7-Zip: http://www.7-zip.org/
  • After extracing remover.exe to your Desktop, double-click on remover.exe to run the program (Vista/7 users,right click on remover.exe and click Run As Administrator).
  • It will show a Black screen with some data on it.
  • Right click on the screen and click Select All.
  • Press CTRL+C
  • Open a Notepad and press CTRL+V
  • Post the output back here.
 
remover.exe result

Broni,

Copy and paste didn't work for the remover screen (?).
Can I attach a screen grab?

Guy
 
remover screenshot

jpeg of the remover screen attached
 

Attachments

  • Remover_exe screengrab.JPG
    Remover_exe screengrab.JPG
    34.7 KB · Views: 1
OK, we have to fix your MBR...

Please download NTBR by noahdfear and save it to your Desktop.
File size: 2.44 MB (2,565,432 bytes)

  • Place a blank CD in your CD drive.
  • Double click on NTBR_CD.exe file and a folder of the same name will appear.
  • Open the folder and double click on BurnItCD.cmd file. If your CD drive will open, simply close it back.
  • Follow the prompts to burn the CD.
  • Now you will need to set the CD-Rom as first boot device if it isn't already (if you don't know how to do it, see HERE)
  • If you have any questions about this step, ask before you proceed. If you enter the BIOS and are unsure if you have carried out the step correctly, there should be an option to exit without keeping changes, so you won't do any harm.
  • Insert the newly created CD into your infected PC and reboot your computer.
  • Once you have rebooted please press Enter when prompted to continue booting from CD - you have a whole 15 seconds to do this!
  • Read the warning and then continue as prompted.
  • You first need to select your keyboard layout - press Enter for English.
  • Next you want to select the appropriate tool. Enter 1 to choose 1. MBRWORK
  • On the following screen enter 5 to select Install Standard MBR code.
  • Enter 1 to overwrite the infected MBR Code with the Standard MBR code.
  • When asked to confirm please do so.
  • Afterwards, please enter E to leave MBRWORK, then 6 to leave the bootable CD.
  • Eject the disc and then press ctrl+alt+del to reboot the PC.
Once rebooted, run MBRCheck again and post its log.

**Important note to Dell users - fixing the MBR may prevent access the the Dell Restore Utility, which allows you to press a key on startup and revert your computer to a factory delivered state. If this is Dell computer, let me know before proceeding.
 
Dell reversion to factory delivered state

Broni,

I am running a Dell Dimension 3000
It would be nice to be able to revert to the initial state if you have a workaround

Guy
 
OK. I want you to check, if you're able to access Dell Restore Utility.
Do nothing else, just see, if you can get there.
 
OK, we'll leave MBR alone then.

How is redirection, btw?

Download fresh copy of Combofix, if it's missing.
1. Please open Notepad
  • Click Start , then Run
  • Type notepad .exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

Code: 
File::
c:\windows\Dhubia.exe

DDS::
uInternet Settings,ProxyServer = http=127.0.0.1:8074


Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000000
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000000
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"=dword:00000001


3. Save the above as CFScript.txt

4. Close/disable all anti virus and anti malware programs again, so they do not interfere with the running of ComboFix.

5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

CFScript.gif



6. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
 
missed a step

Broni,

I ran ComboFix again, this time without any interruptions or even a reboot.

Trouble is, I did not include the CFSScript lines you indicated (I lost track of the procedure as smoke from a major fire nearby came up towards us)

Should I rerun? I note the lines concerned Mcafee issues.

Thanks,
Guy
 
fresh combofix log

Combofix log with CFScript.txt:
Thanks,
Guy

=============================================
ComboFix 11-01-14.01 - Guy 01/14/2011 17:27:48.3.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.252 [GMT -5:00]
Running from: c:\documents and settings\Guy\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Guy\Desktop\CFScript.txt
AV: McAfee Anti-Virus and Anti-Spyware *Disabled/Updated* {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Firewall *Enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

FILE ::
"c:\windows\Dhubia.exe"
.

((((((((((((((((((((((((( Files Created from 2010-12-14 to 2011-01-14 )))))))))))))))))))))))))))))))
.

2011-01-08 01:44 . 2011-01-08 01:44 -------- d-----w- c:\documents and settings\Guy\Application Data\Mozilla Firefox - Guys Profile Backups
2011-01-07 14:49 . 2011-01-08 01:44 -------- d-----w- c:\documents and settings\Administrator.HOMENETID
2011-01-05 17:30 . 2010-12-20 23:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-01-05 17:30 . 2010-12-20 23:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-12-17 02:29 . 2010-11-02 15:17 40960 ------w- c:\windows\system32\dllcache\ndproxy.sys
2010-12-17 02:26 . 2010-10-11 14:59 45568 ------w- c:\windows\system32\dllcache\wab.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-01-13 18:04 . 2004-08-04 11:00 52352 ----a-w- c:\windows\system32\drivers\volsnap.sys
2010-11-18 18:12 . 2004-08-04 11:00 81920 ----a-w- c:\windows\system32\isign32.dll
2010-11-09 14:52 . 2004-08-04 11:00 249856 ----a-w- c:\windows\system32\odbc32.dll
2010-11-06 00:26 . 2004-08-04 11:00 916480 ----a-w- c:\windows\system32\wininet.dll
2010-11-06 00:26 . 2004-08-04 11:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-11-06 00:26 . 2004-08-04 11:00 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2010-11-03 23:46 . 2010-11-03 23:47 73728 ----a-w- c:\windows\system32\javacpl.cpl
2010-11-03 23:46 . 2010-11-03 23:47 472808 ----a-w- c:\windows\system32\deployJava1.dll
2010-11-03 12:25 . 2004-08-04 11:00 385024 ----a-w- c:\windows\system32\html.iec
2010-11-02 15:17 . 2004-08-04 11:00 40960 ----a-w- c:\windows\system32\drivers\ndproxy.sys
2010-10-28 13:13 . 2004-08-04 11:00 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-10-26 13:25 . 2004-08-04 11:00 1853312 ----a-w- c:\windows\system32\win32k.sys
2005-03-25 08:17 . 2005-12-21 22:42 327680 ----a-w- c:\program files\RCSDK.dll
2005-03-25 08:17 . 2005-12-21 22:42 659456 ----a-w- c:\program files\RCRAPCLS.dll
2005-03-25 08:08 . 2005-12-21 22:42 77824 ----a-w- c:\program files\pscl2STI.dll
2004-11-25 14:29 . 2005-12-21 22:42 282624 ----a-w- c:\program files\rcParse.dll
2004-11-22 16:12 . 2005-12-21 22:42 434176 ----a-w- c:\program files\psdkdll.dll
2004-11-19 11:20 . 2005-12-21 22:42 184320 ----a-w- c:\program files\rcDvlp.dll
2004-11-08 08:32 . 2005-12-21 22:42 356352 ----a-w- c:\program files\rcDcd.dll
2004-10-13 04:35 . 2005-12-21 22:42 98304 ----a-w- c:\program files\pscSetup.dll
2004-10-13 04:34 . 2005-12-21 22:42 135168 ----a-w- c:\program files\pscCllct.dll
2004-10-13 04:34 . 2005-12-21 22:42 57344 ----a-w- c:\program files\pscAdimg.dll
2004-09-28 12:46 . 2005-12-21 22:42 360448 ----a-w- c:\program files\RC2DVLP.dll
2004-01-14 08:08 . 2005-12-21 22:42 598016 ----a-w- c:\program files\RcCamDat.dll
2002-05-21 12:46 . 2005-12-21 22:42 122880 ----a-w- c:\program files\CmSelDlg.dll
1999-04-08 16:18 . 2005-12-21 22:42 49152 ----a-w- c:\program files\_ISREG32.DLL
2010-10-14 02:28 . 2010-09-16 02:44 24376 ----a-w- c:\program files\mozilla firefox\components\Scriptff.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"Google Update"="c:\documents and settings\Guy\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2010-08-27 136176]
"AdobeUpdater"="c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2008-09-26 2356088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 1404928]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"IntelMeM"="c:\program files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-04 221184]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2007-01-28 185896]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"VX3000"="c:\windows\vVX3000.exe" [2010-05-20 762736]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-05-21 206064]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 413696]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"VerizonServicepoint.exe"="c:\program files\Verizon\VSP\VerizonServicepoint.exe" [2009-03-12 2303216]
"dla"="c:\windows\system32\dla\tfswctrl.exe" [2004-08-13 122939]
"UpdateManager"="c:\program files\Common Files\Sonic\Update Manager\sgtray.exe" [2004-01-07 110592]
"WD Button Manager"="WDBtnMgr.exe" [2006-03-29 335872]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2010-09-30 1193848]
"LifeCam"="c:\program files\Microsoft LifeCam\LifeExp.exe" [2007-05-17 279912]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\WINDOWS\\SYSTEM32\\FXSCLNT.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\McAfee\\McSvcHost\\McSvHost.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"=
"c:\\Documents and Settings\\Guy\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=

R0 CorLog;CorLog;c:\windows\SYSTEM32\DRIVERS\CorLog.sys [5/16/2008 3:03 PM 11392]
R0 CorMem;CorMem;c:\windows\SYSTEM32\DRIVERS\cormem.sys [5/16/2008 3:03 PM 35328]
R1 CorPci;CorPci;c:\windows\SYSTEM32\DRIVERS\CorPci.sys [5/16/2008 3:03 PM 18688]
R1 CorSerial;CorSerial;c:\windows\SYSTEM32\DRIVERS\corserial.sys [5/16/2008 3:03 PM 56704]
R1 mfetdi2k;McAfee Inc. mfetdi2k;c:\windows\SYSTEM32\DRIVERS\mfetdi2k.sys [8/8/2010 9:53 PM 84072]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\McAfee\SiteAdvisor\McSACore.exe [10/3/2008 12:24 PM 93320]
R2 McMPFSvc;McAfee Personal Firewall;"c:\program files\Common Files\Mcafee\McSvcHost\McSvHost.exe" /McCoreSvc [8/8/2010 9:52 PM 271480]
R2 McNaiAnn;McAfee VirusScan Announcer;"c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe" /McCoreSvc [8/8/2010 9:52 PM 271480]
R2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\mfefire.exe [8/8/2010 9:53 PM 188136]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\program files\Common Files\McAfee\SystemCore\mfevtps.exe [8/8/2010 9:53 PM 141792]
R3 cfwids;McAfee Inc. cfwids;c:\windows\SYSTEM32\DRIVERS\cfwids.sys [8/8/2010 9:53 PM 55840]
R3 dfmirage;dfmirage;c:\windows\SYSTEM32\DRIVERS\dfmirage.sys [11/25/2005 5:43 PM 31896]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\SYSTEM32\DRIVERS\mfefirek.sys [8/8/2010 9:53 PM 313288]
R3 mfendiskmp;mfendiskmp;c:\windows\SYSTEM32\DRIVERS\mfendisk.sys [8/8/2010 9:53 PM 88544]
S2 PICLPTNT;PICLPTNT;\??\c:\epic\PICLPTNT.SYS --> c:\epic\PICLPTNT.SYS [?]
S3 mfendisk;McAfee Core NDIS Intermediate Filter;c:\windows\SYSTEM32\DRIVERS\mfendisk.sys [8/8/2010 9:53 PM 88544]
S3 mferkdet;McAfee Inc. mferkdet;c:\windows\SYSTEM32\DRIVERS\mferkdet.sys [8/8/2010 9:53 PM 84264]
S3 silabenm;Silicon Labs CP210x USB to UART Bridge Serial Port Enumerator Driver;c:\windows\SYSTEM32\DRIVERS\silabenm.sys [6/16/2008 10:02 AM 17920]
S3 silabser;Silicon Labs CP210x USB to UART Bridge Driver;c:\windows\SYSTEM32\DRIVERS\silabser.sys [6/16/2008 10:02 AM 61440]

--- Other Services/Drivers In Memory ---

*Deregistered* - mfeavfk01
.
Contents of the 'Scheduled Tasks' folder

2011-01-13 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2663308291-3766851088-3620130130-1006Core.job
- c:\documents and settings\Guy\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-08-27 17:37]

2011-01-14 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2663308291-3766851088-3620130130-1006UA.job
- c:\documents and settings\Guy\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2010-08-27 17:37]

2008-01-13 c:\windows\Tasks\Microsoft_Hardware_Launch_explorer_exe.job
- c:\windows\explorer.exe [2004-08-04 00:12]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
Trusted Zone: internet
Trusted Zone: mcafee.com
Trusted Zone: netflix.com
FF - ProfilePath - c:\documents and settings\Guy\Application Data\Mozilla\Firefox\Profiles\ncn1zto4.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=mcafee&p=
FF - prefs.js: network.proxy.type - 0
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: McAfee SiteAdvisor: {B7082FAA-CB62-4872-9106-E42DD88EDE45} - c:\program files\McAfee\SiteAdvisor
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-01-14 17:43
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10k_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2916)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\program files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll
.
Completion time: 2011-01-14 17:49:12
ComboFix-quarantined-files.txt 2011-01-14 22:49
ComboFix2.txt 2011-01-14 21:39
ComboFix3.txt 2011-01-14 15:05

Pre-Run: 31,081,766,912 bytes free
Post-Run: 31,067,922,432 bytes free

- - End Of File - - 1ECA7D230D85C05DE33716E5C973DC81
 
Status
Not open for further replies.

Similar threads

MeinAutoIstKaput
  • Locked
Inactive-A Possible Infection (Posted logs)
Replies
10
Views
3K
Broni
Broni
B
Solved Is this malware and how to remove it? "Received message from unexpected origin : chrome-extension://efaidnbmnnnibpcajpcglclefindmkaj
Replies
6
Views
8K
Broni
Broni
C
Solved Malware \ProductData + possibly more, on two devices
Replies
4
Views
7K
Broni
Broni

Latest posts

Back