Inactive Help with backdoor trojan TDSS 565 removal

[ldesim]

Malwarebytes' Anti-Malware 1.51.0.1200
www.malwarebytes.org

Database version: 7052

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

7/11/2011 6:23:35 PM
mbam-log-2011-07-11 (18-23-35).txt

Scan type: Quick scan
Objects scanned: 172242
Time elapsed: 11 minute(s), 43 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


GMER 1.0.15.15640 - http://www.gmer.net
Rootkit quick scan 2011-07-11 18:46:14
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 Hitachi_HTS543216L9SA00 rev.FB2OC40C
Running: kjyl3vnd.exe; Driver: C:\DOCUME~1\Laurie\LOCALS~1\Temp\kwkiaaog.sys


---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 TDL4@MBR code has been found <-- ROOTKIT !!!
Disk \Device\Harddisk0\DR0 sector 00: rootkit-like behavior

---- Devices - GMER 1.0.15 ----

Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort0 8654131B
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP0T0L0-3 8654131B
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort1 8654131B

AttachedDevice \Driver\Tcpip \Device\Tcp fssfltr_tdi.sys (Family Safety Filter Driver (TDI)/Microsoft Corporation)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 wdf01000.sys (WDF Dynamic/Microsoft Corporation)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 wdf01000.sys (WDF Dynamic/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----

.
DDS (Ver_2011-06-23.01) - NTFSx86
Internet Explorer: 8.0.6001.18702
Run by Laurie at 18:31:05 on 2011-07-11
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.447 [GMT -4:00]
.
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
svchost.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\Explorer.EXE
C:\Program Files\EeePC\ACPI\AsAcpiSvr.exe
C:\Program Files\EeePC\ACPI\AsEPCMon.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Asus\LiveUpdate\LiveUpdate.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\igfxext.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Realtek\Wireless LAN Utility\RtWLan.exe
C:\Program Files\Newsbin\newsbinpro.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
.
============== Pseudo HJT Report ===============
.
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [AsusACPIServer] c:\program files\eeepc\acpi\AsAcpiSvr.exe
mRun: [AsusEPCMonitor] c:\program files\eeepc\acpi\AsEPCMon.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [SynAsusAcpi] c:\program files\synaptics\syntp\SynAsusAcpi.exe
mRun: [LiveUpdate] c:\program files\asus\liveupdate\LiveUpdate.exe auto
mRun: [EasyMode] "%ProgramFiles%\\ASUS\\Easy Mode\\Easy Mode.exe" --limitedUserImportRegister
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\realte~1.lnk - c:\program files\realtek\wireless lan utility\RtWLan.exe
TCP: Interfaces\{5E3CFA78-4DC7-4EC5-ADC7-918148CA28C1} : DhcpNameServer = 68.87.71.230 68.87.73.246
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\laurie\application data\mozilla\firefox\profiles\sqwakfbo.default\
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 60061
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\documents and settings\laurie\local settings\application data\google\update\1.3.21.57\npGoogleUpdate3.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll
.
---- FIREFOX POLICIES ----
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
============= SERVICES / DRIVERS ===============
.
R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [2009-8-17 55152]
R3 igd;igd;c:\windows\system32\drivers\igxpmp32.sys [2009-8-17 5097632]
R3 L1c;NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller;c:\windows\system32\drivers\l1c51x86.sys [2009-8-12 38912]
R3 RTLWUSB;Realtek RTL8187 Wireless 802.11b/g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\drivers\rtl8187.sys [2011-7-8 332928]
R3 uvclf;uvclf;c:\windows\system32\drivers\uvclf.sys [2009-8-12 39040]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2009-8-17 1684736]
S3 epmntdrv;epmntdrv;c:\windows\system32\epmntdrv.sys [2011-7-8 13192]
S3 EuGdiDrv;EuGdiDrv;c:\windows\system32\EuGdiDrv.sys [2011-7-8 8456]
S3 fsssvc;Windows Live Family Safety;c:\program files\windows live\family safety\fsssvc.exe [2009-2-6 533360]
.
=============== Created Last 30 ================
.
2011-07-11 02:15:06 -------- d-----w- c:\documents and settings\laurie\DoctorWeb
2011-07-10 19:13:55 -------- d-----w- c:\windows\pss
2011-07-10 18:58:17 108 ---h--w- c:\documents and settings\laurie\application data\Plug.bat
2011-07-10 18:47:19 106 ---h--w- c:\documents and settings\laurie\application data\LocalAccountAuthority.bat
2011-07-10 18:43:06 16384 ---h--w- c:\windows\sysmgm.exe
2011-07-10 18:40:38 -------- d-----w- c:\documents and settings\laurie\local settings\application data\Identities
2011-07-10 18:38:59 -------- d-----w- c:\documents and settings\laurie\local settings\application data\{3CBDFF8D-6575-441D-B948-4AFB3A506953}
2011-07-10 18:37:44 241 ----a-w- c:\documents and settings\laurie\delme.bat
2011-07-10 18:36:21 -------- d-----w- c:\documents and settings\all users\application data\WSTB
2011-07-10 18:35:40 180224 ----a-w- c:\documents and settings\laurie\application data\dwm.exe
2011-07-10 18:35:39 16636 ---h--w- c:\windows\dxxsetup.exe
2011-07-10 18:35:34 -------- d-----w- c:\documents and settings\laurie\application data\Qeomb
2011-07-10 18:35:34 -------- d-----w- c:\documents and settings\laurie\application data\Miugy
2011-07-10 18:35:10 100252 ---h--w- c:\windows\msmgm.exe
2011-07-10 18:34:58 106496 --sha-r- c:\windows\system32\proctexet.dll
2011-07-10 18:17:37 -------- d-----w- c:\program files\common files\Sandlot Shared
2011-07-10 18:17:20 -------- d-----w- c:\documents and settings\all users\application data\Sandlot Games
2011-07-10 18:17:19 -------- d-----w- c:\documents and settings\all users\application data\Trymedia
2011-07-10 01:35:49 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-07-09 21:55:37 -------- d-----w- c:\documents and settings\laurie\application data\PeaceCraft2
2011-07-09 20:19:12 -------- d-----w- c:\documents and settings\laurie\local settings\application data\QuickPar
2011-07-09 15:45:06 -------- d-----w- c:\documents and settings\laurie\application data\Meridian93
2011-07-09 04:59:03 -------- d-----w- c:\windows\system32\XPSViewer
2011-07-09 04:58:33 89088 ----a-w- c:\windows\system32\spool\prtprocs\w32x86\filterpipelineprintproc.dll
2011-07-09 04:58:22 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2011-07-09 04:58:22 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2011-07-09 04:58:22 597504 ------w- c:\windows\system32\spool\prtprocs\w32x86\printfilterpipelinesvc.exe
2011-07-09 04:58:22 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
2011-07-09 04:58:22 575488 ------w- c:\windows\system32\xpsshhdr.dll
2011-07-09 04:58:22 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
2011-07-09 04:58:22 1676288 ------w- c:\windows\system32\xpssvcs.dll
2011-07-09 04:58:22 117760 ------w- c:\windows\system32\prntvpt.dll
2011-07-08 11:56:03 602112 -c----w- c:\windows\system32\dllcache\msfeeds.dll
2011-07-08 11:56:03 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll
2011-07-08 11:56:02 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll
2011-07-08 11:56:01 247808 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2011-07-08 11:56:01 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2011-07-08 11:55:59 1991680 -c----w- c:\windows\system32\dllcache\iertutil.dll
2011-07-08 11:49:41 -------- d-----w- c:\documents and settings\laurie\application data\Malwarebytes
2011-07-08 11:49:22 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-07-08 11:49:19 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes
2011-07-08 11:49:15 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-07-08 11:49:15 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-07-08 11:46:36 -------- d-----w- c:\windows\system32\PreInstall
2011-07-08 11:45:23 -------- d-----w- c:\program files\uTorrent
2011-07-08 11:44:46 -------- d-----w- c:\documents and settings\laurie\local settings\application data\uTorrent
2011-07-08 11:44:46 -------- d-----w- c:\documents and settings\laurie\application data\uTorrent
2011-07-08 11:38:01 -------- d-----w- c:\program files\QuickPar
2011-07-08 11:18:44 -------- d-----w- c:\program files\Newsbin
2011-07-08 11:18:44 -------- d-----w- c:\documents and settings\laurie\local settings\application data\Newsbin
2011-07-08 10:56:08 86408 ----a-w- c:\windows\system32\setupempdrv03.exe
2011-07-08 10:56:08 8456 ----a-w- c:\windows\system32\EuGdiDrv.sys
2011-07-08 10:56:08 1774720 ----a-w- c:\windows\system32\BootMan.exe
2011-07-08 10:56:08 14848 ----a-w- c:\windows\system32\EuEpmGdi.dll
2011-07-08 10:56:08 13192 ----a-w- c:\windows\system32\epmntdrv.sys
2011-07-08 10:55:47 -------- d-----w- c:\program files\EASEUS
2011-07-08 10:49:38 -------- d-----w- c:\documents and settings\laurie\local settings\application data\Mozilla
2011-07-08 10:46:42 -------- d-----w- c:\documents and settings\laurie\local settings\application data\Google
2011-07-08 10:46:25 -------- d-----w- c:\documents and settings\laurie\local settings\application data\Deployment
2011-07-08 10:45:48 -------- d-----w- c:\windows\system32\SoftwareDistribution
2011-07-08 10:45:35 -------- d-sh--w- c:\documents and settings\laurie\IECompatCache
2011-07-08 10:44:02 21361 ----a-w- c:\windows\system32\drivers\AegisP.sys
2011-07-08 10:43:59 376832 ----a-w- c:\windows\system32\AegisI5Installer.exe
2011-07-08 10:43:43 342784 ----a-w- c:\windows\system32\drivers\rtl8187B.sys
2011-07-08 10:43:43 332928 ----a-w- c:\windows\system32\drivers\rtl8187.sys
2011-07-08 10:43:43 -------- d-----w- c:\windows\OPTIONS
2011-07-08 10:43:37 451072 ----a-w- c:\windows\system32\ISSRemoveSP.exe
2011-07-08 10:43:37 -------- d-----w- c:\windows\system32\RtlGina
2011-07-06 07:28:33 -------- d-----w- C:\mplayer
.
==================== Find3M ====================
.
2011-05-02 15:31:52 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-04-29 17:25:27 151552 ----a-w- c:\windows\system32\schannel.dll
2011-04-29 16:19:43 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-04-25 16:11:12 916480 ----a-w- c:\windows\system32\wininet.dll
2011-04-25 16:11:11 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-04-25 16:11:11 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-04-25 12:01:22 385024 ----a-w- c:\windows\system32\html.iec
2011-04-21 13:37:43 105472 ----a-w- c:\windows\system32\drivers\mup.sys
.
=================== ROOTKIT ====================
.
Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: Hitachi_HTS543216L9SA00 rev.FB2OC40C -> Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
.
device: opened successfully
user: MBR read successfully
.
Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x865414D0]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x865477d0]; MOV EAX, [0x8654784c]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x86523AB8]
3 CLASSPNP[0xF7630FD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\00000063[0x865DFAB0]
5 ACPI[0xF74C7620] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x865D5D98]
\Driver\atapi[0x865D45A8] -> IRP_MJ_CREATE -> 0x865414D0
error: Read A device attached to the system is not functioning.
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; STI ; PUSH AX; POP ES; PUSH AX; POP DS; CLD ; MOV SI, 0x7c1b; MOV DI, 0x61b; PUSH AX; PUSH DI; MOV CX, 0x1e5; REP MOVSB ; RETF ; MOV BP, 0x7be; MOV CL, 0x4; CMP [BP+0x0], CH; JL 0x2e; JNZ 0x3a; }
detected disk devices:
detected hooks:
\Driver\atapi DriverStartIo -> 0x8654131B
user & kernel MBR OK
Warning: possible TDL3 rootkit infection !
.
============= FINISH: 18:33:16.71 ===============

.
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
.
DDS (Ver_2011-06-23.01)
.
Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume1
Install Date: 1/1/2002 5:12:20 AM
System Uptime: 7/11/2011 6:05:27 PM (0 hours ago)
.
Motherboard: ASUSTeK Computer INC. | | 1101HA
Processor: Intel(R) Atom(TM) CPU Z520 @ 1.33GHz | CPU 1 | 1331/133mhz
.
==== Disk Partitions =========================
.
C: is FIXED (NTFS) - 46 GiB total, 36.886 GiB free.
D: is FIXED (NTFS) - 98 GiB total, 88.593 GiB free.
E: is Removable
.
==== Disabled Device Manager Items =============
.
==== System Restore Points ===================
.
No restore point in system.
.
==== Installed Programs ======================
.
µTorrent
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 8.1.1
Asus ACPI Driver
ASUS VIBE
ASUSUpdate for Eee PC
Atheros Client Installation Program
Atheros Communications Inc.(R) AR81Family Gigabit/Fast Ethernet Driver
Azurewave Wireless LAN Card
Choice Guard
Compatibility Pack for the 2007 Office system
Data Sync
EASEUS Partition Master 6.1.1 Professional
Easy Mode
EzMessenger
FontResizer
GamePark Console
Google Chrome
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB2443685)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB954708)
Hotfix for Windows XP (KB961118)
Intel(R) Graphics Media Accelerator 500
Junk Mail filter update
LiveUpdate
Malwarebytes' Anti-Malware version 1.51.0.1200
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Application Error Reporting
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Kernel-Mode Driver Framework Feature Pack 1.7
Microsoft Office Excel MUI (English) 2007
Microsoft Office Home and Student 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office PowerPoint Viewer 2007 (English)
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Suite Activation Assistant
Microsoft Office Word MUI (English) 2007
Microsoft Search Enhancement Pack
Microsoft Software Update for Web Folders (English) 12
Microsoft SQL Server 2005 Compact Edition [ENU]
Microsoft Sync Framework Runtime Native v1.0 (x86)
Microsoft Sync Framework Services Native v1.0 (x86)
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Works
Mozilla Firefox 5.0 (x86 en-US)
MSVCRT
Newsbin Pro
QuickPar 0.9
Realtek High Definition Audio Driver
REALTEK Wireless LAN Driver and Utility
Sandlot Games Client Services 1.2.2
Security Update for Microsoft .NET Framework 3.5 SP1 (KB2416473)
Security Update for Windows Internet Explorer 8 (KB2510531)
Security Update for Windows Internet Explorer 8 (KB2530548)
Security Update for Windows Internet Explorer 8 (KB2544521)
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2121546)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB2393802)
Security Update for Windows XP (KB2412687)
Security Update for Windows XP (KB2419632)
Security Update for Windows XP (KB2423089)
Security Update for Windows XP (KB2440591)
Security Update for Windows XP (KB2443105)
Security Update for Windows XP (KB2476490)
Security Update for Windows XP (KB2476687)
Security Update for Windows XP (KB2478960)
Security Update for Windows XP (KB2478971)
Security Update for Windows XP (KB2479943)
Security Update for Windows XP (KB2481109)
Security Update for Windows XP (KB2483185)
Security Update for Windows XP (KB2485663)
Security Update for Windows XP (KB2503665)
Security Update for Windows XP (KB2506212)
Security Update for Windows XP (KB2506223)
Security Update for Windows XP (KB2507618)
Security Update for Windows XP (KB2508272)
Security Update for Windows XP (KB2508429)
Security Update for Windows XP (KB2509553)
Security Update for Windows XP (KB2524375)
Security Update for Windows XP (KB2535512)
Security Update for Windows XP (KB2536276)
Security Update for Windows XP (KB2544893)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950759)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953155)
Security Update for Windows XP (KB953838)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956390)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958215)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960714)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB963027)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB978706)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981322)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982665)
Segoe UI
Super Hybrid Engine
Synaptics Pointing Device Driver
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Office System 2007 Setup (KB929722)
Update for Windows Internet Explorer 8 (KB971930)
Update for Windows XP (KB2345886)
Update for Windows XP (KB2541763)
Update for Windows XP (KB898461)
Update for Windows XP (KB942763)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951618-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB953356)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB961503)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971029)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
USB2.0 UVC Camera Device
WebFldrs XP
Windows Internet Explorer 8
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Family Safety
Windows Live Mail
Windows Live Messenger
Windows Live Photo Gallery
Windows Live Sign-in Assistant
Windows Live Sync
Windows Live Toolbar
Windows Live Upload Tool
Windows Live Writer
Windows Media Format 11 runtime
Windows Media Player 11
WinRAR 4.01 (32-bit)
.
==== Event Viewer Messages From Past Week ========
.
7/9/2011 4:49:57 PM, error: SideBySide [59] - Resolve Partial Assembly failed for Microsoft.Windows.Common-Controls. Reference error message: The system cannot find the path specified. .
7/9/2011 4:49:57 PM, error: SideBySide [59] - Generate Activation Context failed for C:\Program Files\Roads of Rome\RoadsOfRome.exe. Reference error message: The operation completed successfully. .
7/10/2011 5:31:20 PM, error: Service Control Manager [7032] - The Service Control Manager tried to take a corrective action (Restart the service) after the unexpected termination of the Windows Management Instrumentation service, but this action failed with the following error: An instance of the service is already running.
7/10/2011 4:10:17 PM, error: Service Control Manager [7023] - The System Restore Service service terminated with the following error: The system cannot find the file specified.
7/10/2011 4:08:46 PM, error: SRService [104] - The System Restore initialization process failed.
7/10/2011 4:08:43 PM, error: Dhcp [1002] - The IP address lease 192.168.1.102 for the Network Card with network address 00C0CA47A58E has been denied by the DHCP server 0.0.0.0 (The DHCP Server sent a DHCPNACK message).
7/10/2011 4:01:01 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
7/10/2011 3:14:12 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD Fips intelppm IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss Tcpip
7/10/2011 3:14:12 PM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.
7/10/2011 3:14:12 PM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
7/10/2011 3:14:12 PM, error: Service Control Manager [7001] - The fssfltr service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
7/10/2011 3:14:12 PM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
7/10/2011 3:14:12 PM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
7/10/2011 3:13:29 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
7/10/2011 3:13:22 PM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
7/10/2011 3:01:22 PM, error: Service Control Manager [7034] - The HTTP SSL service terminated unexpectedly. It has done this 1 time(s).
7/10/2011 2:21:11 PM, error: Service Control Manager [7023] - The Application Management service terminated with the following error: The specified module could not be found.
.
==== End Of File ===========================

Thank you!

 

[Bobbye]

Can you tell me how you came of with the name "Backdoor Trojan TDSS 565? It surely help when I have some idea of what's going on. I see you ran Dr. Web. Remove it please.
=================================================
My Guidelines: please read and follow:

• Be patient. Malware cleaning takes time and I am also working with other members while I am helping you.
• Read my instructions carefully. If you don't understand or have a problem, ask me.
• If you have questions, or if a program doesn't work, stop and tell me about it. Don't try to get around it yourself.
• Follow the order of the tasks I give you. Order is crucial in cleaning process.
• File sharing programs should be uninstalled or disabled during the cleaning process..
• Observe these:
  [o] Don't use any other cleaning programs or scans while I'm helping you.
  [o] Don't use a Registry cleaner or make any changes in the Registry.
  [o] Don't download and install new programs- except those I give you.
• Please let me know if there is any change in the system.

If I have not replied for 2 days, you can send me a PM reminder. Include the URL of your thread. Please do not send me a PM to tell me your logs are up.
If I don't get a reply from you in 5 days, the thread will be closed. If your problem persist, you can send a PM to reopen it.
=====================================

• Download the file TDSSKiller.zip and save to the desktop.
  (If you are unable to download the file for some reason, then TDSS may be blocking it. You would then need to download it first to a clean computer and then transfer it to the infected one using an external drive or USB flash drive.)
• Right-click the tdsskiller.zip file> Select Extract All into a folder on the infected (or potentially infected) PC.
• Double click on TDSSKiller.exe. to run the scan
• When the scan is over, the utility outputs a list of detected objects with description.
  The utility automatically selects an action (Cure or Delete) for malicious objects.
  The utility prompts the user to select an action to apply to suspicious objects (Skip, by default).
• Select the action Quarantine to quarantine detected objects.
  The default quarantine folder is in the system disk root folder, e.g.: C:\TDSSKiller_Quarantine\23.07.2010_15.31.43
• After clicking Next, the utility applies selected actions and outputs the result.
• A reboot is required after disinfection.

====================================================
Then run Please note: If you have Combofix on the desktop already, please uninstall it. Then download the current version and do the scan: Uninstall directions, if needed

• Click START> then RUN
• Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.

--------------------------------------
Download Combofix from HERE or HEREhttp://www.forospyware.com/sUBs/ComboFix.exe and save to the desktop

• Double click combofix.exe & follow the prompts.
• ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It is recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode if needed.
  **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.
• Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
• Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
  
  
• .Click on Yes, to continue scanning for malware
• .If Combofix asks you to update the program, allow
• .Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
• .Close any open browsers.
• .Double click combofix.exe
  
  & follow the prompts to run.
• When the scan completes , a report will be generated-it will open a text window. Please paste the C:\ComboFix.txt in next reply..

Re-enable your Antivirus software.

Note 1:Do not mouse-click Combofix's window while it is running. That may cause it to stall.
Note 2: ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
Note 3: Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
Note 4: CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
Note 5: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart computer to fix the issue.
=====================================
Both logs in next reply please.
======================================
P2P or 'file sharing' Warning:

2011-07-08 11:45:23 -------- d-----w- c:\program files\uTorrent
2011-07-08 11:44:46 -------- d-----w- c:\documents and settings\laurie\local settings\application data\uTorrent
2011-07-08 11:44:46 -------- d-----w- c:\documents and settings\laurie\application data\uTorrent

Note: Even if you are using a "safe" P2P program, it is only the program that is safe. I suggest that you uninstall uTorrent for the following reasons:

• As long as you are using file sharing networks and programs which are from sources that are not documented, you cannot verity that a download is legitimate.
• Malware writers use these program to include malicious content.
• File sharing is usually unmonitored and there is a danger that your private files might be accessed.
• The 'sharing' also includes malware that the shared system has on it.
• Files that are illegal can be spread through file sharing.

Please read the information on P2P Warning to help you better understand these dangers.

Do not use any torrent sites or download manager for the downloads I give you.

Doesn't make any sense to me why you put uTorrent on the system when you already have a rootkoit- unless you got the infection from uTorrent!

 

[ldesim]

Thank you Bobbye,

I took your advice and removed utorrent and ran the 2 scans.. I think I messed up with TDSSKiller and cured it, when I read it a 2nd time seems like I should have quarantined? Sorry if I misunderstood.. here are logs.

2011/07/11 21:20:36.0546 2420 TDSS rootkit removing tool 2.5.9.0 Jul 1 2011 18:45:21
2011/07/11 21:20:37.0484 2420 ================================================================================
2011/07/11 21:20:37.0484 2420 SystemInfo:
2011/07/11 21:20:37.0484 2420
2011/07/11 21:20:37.0484 2420 OS Version: 5.1.2600 ServicePack: 3.0
2011/07/11 21:20:37.0484 2420 Product type: Workstation
2011/07/11 21:20:37.0484 2420 ComputerName: YOUR-I9GK72D6EW
2011/07/11 21:20:37.0531 2420 UserName: Laurie
2011/07/11 21:20:37.0531 2420 Windows directory: C:\WINDOWS
2011/07/11 21:20:37.0531 2420 System windows directory: C:\WINDOWS
2011/07/11 21:20:37.0531 2420 Processor architecture: Intel x86
2011/07/11 21:20:37.0531 2420 Number of processors: 2
2011/07/11 21:20:37.0531 2420 Page size: 0x1000
2011/07/11 21:20:37.0531 2420 Boot type: Normal boot
2011/07/11 21:20:37.0531 2420 ================================================================================
2011/07/11 21:20:39.0406 2420 Initialize success
2011/07/11 21:20:53.0296 3268 ================================================================================
2011/07/11 21:20:53.0296 3268 Scan started
2011/07/11 21:20:53.0296 3268 Mode: Manual;
2011/07/11 21:20:53.0296 3268 ================================================================================
2011/07/11 21:20:54.0609 3268 ACPI (8fd99680a539792a30e97944fdaecf17) C:\WINDOWS\system32\DRIVERS\ACPI.sys
2011/07/11 21:20:54.0796 3268 ACPIEC (9859c0f6936e723e4892d7141b1327d5) C:\WINDOWS\system32\DRIVERS\ACPIEC.sys
2011/07/11 21:20:55.0140 3268 aec (8bed39e3c35d6a489438b8141717a557) C:\WINDOWS\system32\drivers\aec.sys
2011/07/11 21:20:55.0343 3268 AegisP (023867b6606fbabcdd52e089c4a507da) C:\WINDOWS\system32\DRIVERS\AegisP.sys
2011/07/11 21:20:55.0531 3268 AFD (355556d9e580915118cd7ef736653a89) C:\WINDOWS\System32\drivers\afd.sys
2011/07/11 21:20:56.0281 3268 Ambfilt (f6af59d6eee5e1c304f7f73706ad11d8) C:\WINDOWS\system32\drivers\Ambfilt.sys
2011/07/11 21:20:56.0703 3268 AR5416 (d3e782ad9dca4d6215222a43345f43b0) C:\WINDOWS\system32\DRIVERS\athw.sys
2011/07/11 21:20:57.0562 3268 AsusACPI (12415a4b61ded200fe9932b47a35fa42) C:\WINDOWS\system32\DRIVERS\ASUSACPI.sys
2011/07/11 21:20:57.0718 3268 AsyncMac (b153affac761e7f5fcfa822b9c4e97bc) C:\WINDOWS\system32\DRIVERS\asyncmac.sys
2011/07/11 21:20:57.0890 3268 atapi (9f3a2f5aa6875c72bf062c712cfa2674) C:\WINDOWS\system32\DRIVERS\atapi.sys
2011/07/11 21:20:58.0062 3268 Atmarpc (9916c1225104ba14794209cfa8012159) C:\WINDOWS\system32\DRIVERS\atmarpc.sys
2011/07/11 21:20:58.0203 3268 audstub (d9f724aa26c010a217c97606b160ed68) C:\WINDOWS\system32\DRIVERS\audstub.sys
2011/07/11 21:20:58.0421 3268 Beep (da1f27d85e0d1525f6621372e7b685e9) C:\WINDOWS\system32\drivers\Beep.sys
2011/07/11 21:20:59.0203 3268 cbidf2k (90a673fc8e12a79afbed2576f6a7aaf9) C:\WINDOWS\system32\drivers\cbidf2k.sys
2011/07/11 21:20:59.0375 3268 CCDECODE (0be5aef125be881c4f854c554f2b025c) C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
2011/07/11 21:20:59.0500 3268 Cdaudio (c1b486a7658353d33a10cc15211a873b) C:\WINDOWS\system32\drivers\Cdaudio.sys
2011/07/11 21:20:59.0578 3268 Cdfs (c885b02847f5d2fd45a24e219ed93b32) C:\WINDOWS\system32\drivers\Cdfs.sys
2011/07/11 21:20:59.0703 3268 Cdrom (1f4260cc5b42272d71f79e570a27a4fe) C:\WINDOWS\system32\DRIVERS\cdrom.sys
2011/07/11 21:20:59.0937 3268 CmBatt (0f6c187d38d98f8df904589a5f94d411) C:\WINDOWS\system32\DRIVERS\CmBatt.sys
2011/07/11 21:21:00.0093 3268 Compbatt (6e4c9f21f0fae8940661144f41b13203) C:\WINDOWS\system32\DRIVERS\compbatt.sys
2011/07/11 21:21:00.0750 3268 Disk (044452051f3e02e7963599fc8f4f3e25) C:\WINDOWS\system32\DRIVERS\disk.sys
2011/07/11 21:21:00.0953 3268 dmboot (d992fe1274bde0f84ad826acae022a41) C:\WINDOWS\system32\drivers\dmboot.sys
2011/07/11 21:21:01.0250 3268 dmio (7c824cf7bbde77d95c08005717a95f6f) C:\WINDOWS\system32\drivers\dmio.sys
2011/07/11 21:21:01.0406 3268 dmload (e9317282a63ca4d188c0df5e09c6ac5f) C:\WINDOWS\system32\drivers\dmload.sys
2011/07/11 21:21:01.0593 3268 DMusic (8a208dfcf89792a484e76c40e5f50b45) C:\WINDOWS\system32\drivers\DMusic.sys
2011/07/11 21:21:01.0781 3268 drmkaud (8f5fcff8e8848afac920905fbd9d33c8) C:\WINDOWS\system32\drivers\drmkaud.sys
2011/07/11 21:21:01.0921 3268 epmntdrv (f07ba56b0235f15eff8f10dc6389c42e) C:\WINDOWS\system32\epmntdrv.sys
2011/07/11 21:21:02.0109 3268 EuGdiDrv (1f2f4ab15ce03ecc257feb2f6dc5a013) C:\WINDOWS\system32\EuGdiDrv.sys
2011/07/11 21:21:02.0437 3268 Fastfat (38d332a6d56af32635675f132548343e) C:\WINDOWS\system32\drivers\Fastfat.sys
2011/07/11 21:21:02.0656 3268 Fdc (92cdd60b6730b9f50f6a1a0c1f8cdc81) C:\WINDOWS\system32\drivers\Fdc.sys
2011/07/11 21:21:02.0781 3268 Fips (d45926117eb9fa946a6af572fbe1caa3) C:\WINDOWS\system32\drivers\Fips.sys
2011/07/11 21:21:02.0859 3268 Flpydisk (9d27e7b80bfcdf1cdd9b555862d5e7f0) C:\WINDOWS\system32\drivers\Flpydisk.sys
2011/07/11 21:21:02.0968 3268 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\DRIVERS\fltMgr.sys
2011/07/11 21:21:03.0187 3268 fssfltr (960f5e5e4e1f720465311ac68a99c2df) C:\WINDOWS\system32\DRIVERS\fssfltr_tdi.sys
2011/07/11 21:21:03.0328 3268 Fs_Rec (3e1e2bd4f39b0e2b7dc4f4d2bcc2779a) C:\WINDOWS\system32\drivers\Fs_Rec.sys
2011/07/11 21:21:03.0421 3268 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
2011/07/11 21:21:03.0562 3268 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
2011/07/11 21:21:03.0687 3268 HDAudBus (573c7d0a32852b48f3058cfd8026f511) C:\WINDOWS\system32\DRIVERS\HDAudBus.sys
2011/07/11 21:21:03.0890 3268 hidusb (ccf82c5ec8a7326c3066de870c06daf1) C:\WINDOWS\system32\DRIVERS\hidusb.sys
2011/07/11 21:21:04.0156 3268 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
2011/07/11 21:21:04.0484 3268 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
2011/07/11 21:21:04.0812 3268 igd (4a1e0f6367ff47f87cbe8a7ecf38b01d) C:\WINDOWS\system32\DRIVERS\igxpmp32.sys
2011/07/11 21:21:05.0140 3268 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
2011/07/11 21:21:05.0578 3268 IntcAzAudAddService (afa6853aa949b5e151e4a10f6805b5b2) C:\WINDOWS\system32\drivers\RtkHDAud.sys
2011/07/11 21:21:06.0421 3268 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
2011/07/11 21:21:06.0609 3268 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\DRIVERS\Ip6Fw.sys
2011/07/11 21:21:07.0000 3268 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
2011/07/11 21:21:07.0125 3268 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
2011/07/11 21:21:07.0203 3268 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
2011/07/11 21:21:07.0312 3268 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
2011/07/11 21:21:07.0562 3268 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
2011/07/11 21:21:07.0765 3268 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
2011/07/11 21:21:07.0937 3268 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
2011/07/11 21:21:08.0031 3268 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
2011/07/11 21:21:08.0171 3268 KSecDD (b467646c54cc746128904e1654c750c1) C:\WINDOWS\system32\drivers\KSecDD.sys
2011/07/11 21:21:08.0296 3268 L1c (6c8658587e91ea25b0fd2e71781ad228) C:\WINDOWS\system32\DRIVERS\l1c51x86.sys
2011/07/11 21:21:08.0593 3268 mnmdd (4ae068242760a1fb6e1a44bf4e16afa6) C:\WINDOWS\system32\drivers\mnmdd.sys
2011/07/11 21:21:08.0765 3268 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
2011/07/11 21:21:08.0906 3268 Monfilt (9fa7207d1b1adead88ae8eed9cdbbaa5) C:\WINDOWS\system32\drivers\Monfilt.sys
2011/07/11 21:21:09.0125 3268 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
2011/07/11 21:21:09.0218 3268 mouhid (b1c303e17fb9d46e87a98e4ba6769685) C:\WINDOWS\system32\DRIVERS\mouhid.sys
2011/07/11 21:21:09.0375 3268 MountMgr (a80b9a0bad1b73637dbcbba7df72d3fd) C:\WINDOWS\system32\drivers\MountMgr.sys
2011/07/11 21:21:09.0515 3268 MRxDAV (11d42bb6206f33fbb3ba0288d3ef81bd) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
2011/07/11 21:21:09.0640 3268 MRxSmb (0dc719e9b15e902346e87e9dcd5751fa) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
2011/07/11 21:21:09.0859 3268 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
2011/07/11 21:21:09.0921 3268 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
2011/07/11 21:21:09.0953 3268 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2011/07/11 21:21:10.0015 3268 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
2011/07/11 21:21:10.0265 3268 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
2011/07/11 21:21:10.0468 3268 MSTEE (e53736a9e30c45fa9e7b5eac55056d1d) C:\WINDOWS\system32\drivers\MSTEE.sys
2011/07/11 21:21:10.0609 3268 Mup (de6a75f5c270e756c5508d94b6cf68f5) C:\WINDOWS\system32\drivers\Mup.sys
2011/07/11 21:21:10.0734 3268 NABTSFEC (5b50f1b2a2ed47d560577b221da734db) C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
2011/07/11 21:21:10.0859 3268 NDIS (1df7f42665c94b825322fae71721130d) C:\WINDOWS\system32\drivers\NDIS.sys
2011/07/11 21:21:10.0937 3268 NdisIP (7ff1f1fd8609c149aa432f95a8163d97) C:\WINDOWS\system32\DRIVERS\NdisIP.sys
2011/07/11 21:21:11.0062 3268 NdisTapi (1ab3d00c991ab086e69db84b6c0ed78f) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
2011/07/11 21:21:11.0187 3268 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
2011/07/11 21:21:11.0359 3268 NdisWan (edc1531a49c80614b2cfda43ca8659ab) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
2011/07/11 21:21:11.0500 3268 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
2011/07/11 21:21:11.0609 3268 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
2011/07/11 21:21:11.0734 3268 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
2011/07/11 21:21:12.0187 3268 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
2011/07/11 21:21:12.0453 3268 Ntfs (78a08dd6a8d65e697c18e1db01c5cdca) C:\WINDOWS\system32\drivers\Ntfs.sys
2011/07/11 21:21:12.0640 3268 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
2011/07/11 21:21:12.0718 3268 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
2011/07/11 21:21:12.0796 3268 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
2011/07/11 21:21:12.0968 3268 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\drivers\Parport.sys
2011/07/11 21:21:13.0046 3268 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
2011/07/11 21:21:13.0156 3268 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
2011/07/11 21:21:13.0296 3268 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
2011/07/11 21:21:13.0468 3268 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
2011/07/11 21:21:13.0578 3268 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
2011/07/11 21:21:14.0187 3268 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
2011/07/11 21:21:14.0281 3268 PSched (09298ec810b07e5d582cb3a3f9255424) C:\WINDOWS\system32\DRIVERS\psched.sys
2011/07/11 21:21:14.0328 3268 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
2011/07/11 21:21:14.0687 3268 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
2011/07/11 21:21:14.0781 3268 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
2011/07/11 21:21:14.0937 3268 RasPppoe (5bc962f2654137c9909c3d4603587dee) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
2011/07/11 21:21:15.0046 3268 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
2011/07/11 21:21:15.0281 3268 Rdbss (7ad224ad1a1437fe28d89cf22b17780a) C:\WINDOWS\system32\DRIVERS\rdbss.sys
2011/07/11 21:21:15.0453 3268 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
2011/07/11 21:21:16.0031 3268 RDPWD (6728e45b66f93c08f11de2e316fc70dd) C:\WINDOWS\system32\drivers\RDPWD.sys
2011/07/11 21:21:16.0406 3268 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
2011/07/11 21:21:16.0875 3268 RTLWUSB (5a850259b849a899990379a75460a4eb) C:\WINDOWS\system32\DRIVERS\RTL8187.sys
2011/07/11 21:21:17.0281 3268 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
2011/07/11 21:21:17.0515 3268 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\drivers\Serial.sys
2011/07/11 21:21:17.0968 3268 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
2011/07/11 21:21:18.0468 3268 SLIP (866d538ebe33709a5c9f5c62b73b7d14) C:\WINDOWS\system32\DRIVERS\SLIP.sys
2011/07/11 21:21:18.0875 3268 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
2011/07/11 21:21:19.0000 3268 sr (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
2011/07/11 21:21:19.0234 3268 Srv (47ddfc2f003f7f9f0592c6874962a2e7) C:\WINDOWS\system32\DRIVERS\srv.sys
2011/07/11 21:21:19.0390 3268 streamip (77813007ba6265c4b6098187e6ed79d2) C:\WINDOWS\system32\DRIVERS\StreamIP.sys
2011/07/11 21:21:19.0468 3268 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
2011/07/11 21:21:19.0625 3268 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
2011/07/11 21:21:20.0078 3268 SynTP (8e25a1dbb8527b2074af9b682f818768) C:\WINDOWS\system32\DRIVERS\SynTP.sys
2011/07/11 21:21:20.0171 3268 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
2011/07/11 21:21:20.0390 3268 Tcpip (9aefa14bd6b182d61e3119fa5f436d3d) C:\WINDOWS\system32\DRIVERS\tcpip.sys
2011/07/11 21:21:20.0562 3268 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
2011/07/11 21:21:20.0640 3268 TDTCP (c56b6d0402371cf3700eb322ef3aaf61) C:\WINDOWS\system32\drivers\TDTCP.sys
2011/07/11 21:21:20.0718 3268 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
2011/07/11 21:21:21.0031 3268 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
2011/07/11 21:21:21.0265 3268 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
2011/07/11 21:21:21.0421 3268 usbccgp (173f317ce0db8e21322e71b7e60a27e8) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
2011/07/11 21:21:21.0531 3268 usbehci (65dcf09d0e37d4c6b11b5b0b76d470a7) C:\WINDOWS\system32\DRIVERS\usbehci.sys
2011/07/11 21:21:21.0687 3268 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
2011/07/11 21:21:21.0765 3268 usbstor (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
2011/07/11 21:21:21.0859 3268 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
2011/07/11 21:21:22.0046 3268 usbvideo (63bbfca7f390f4c49ed4b96bfb1633e0) C:\WINDOWS\system32\Drivers\usbvideo.sys
2011/07/11 21:21:22.0125 3268 uvclf (c019889035cdc1a06f2febc93cbb6897) C:\WINDOWS\system32\DRIVERS\uvclf.sys
2011/07/11 21:21:22.0234 3268 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
2011/07/11 21:21:22.0468 3268 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
2011/07/11 21:21:22.0703 3268 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
2011/07/11 21:21:22.0828 3268 Wdf01000 (bbcfeab7e871cddac2d397ee7fa91fdc) C:\WINDOWS\system32\Drivers\wdf01000.sys
2011/07/11 21:21:23.0093 3268 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
2011/07/11 21:21:23.0406 3268 WmiAcpi (c42584fd66ce9e17403aebca199f7bdb) C:\WINDOWS\system32\DRIVERS\wmiacpi.sys
2011/07/11 21:21:23.0703 3268 WSTCODEC (c98b39829c2bbd34e454150633c62c78) C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
2011/07/11 21:21:23.0859 3268 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
2011/07/11 21:21:24.0046 3268 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
2011/07/11 21:21:24.0265 3268 MBR (0x1B8) (2839639fa37b8353e792a2a30a12ced3) \Device\Harddisk0\DR0
2011/07/11 21:21:24.0312 3268 \Device\Harddisk0\DR0 - detected Rootkit.Win32.TDSS.tdl4 (0)
2011/07/11 21:21:24.0375 3268 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk1\DR7
2011/07/11 21:21:24.0781 3268 Boot (0x1200) (84926bd769e5148c7b355472a17fa8fe) \Device\Harddisk0\DR0\Partition0
2011/07/11 21:21:24.0890 3268 Boot (0x1200) (ee7cb087a5c2ebfd2391160967141f20) \Device\Harddisk0\DR0\Partition1
2011/07/11 21:21:24.0953 3268 Boot (0x1200) (4739a056464bba8adc1bac285194f002) \Device\Harddisk1\DR7\Partition0
2011/07/11 21:21:25.0000 3268 ================================================================================
2011/07/11 21:21:25.0000 3268 Scan finished
2011/07/11 21:21:25.0000 3268 ================================================================================
2011/07/11 21:21:25.0078 2700 Detected object count: 1
2011/07/11 21:21:25.0093 2700 Actual detected object count: 1
2011/07/11 21:21:32.0046 2700 \Device\Harddisk0\DR0 (Rootkit.Win32.TDSS.tdl4) - will be cured after reboot
2011/07/11 21:21:32.0046 2700 \Device\Harddisk0\DR0 - ok
2011/07/11 21:21:32.0046 2700 Rootkit.Win32.TDSS.tdl4(\Device\Harddisk0\DR0) - User select action: Cure
2011/07/11 21:22:33.0109 2044 Deinitialize success

ComboFix 11-07-11.02 - Laurie 07/11/2011 21:34:12.1.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.283 [GMT -4:00]
Running from: c:\documents and settings\Laurie\Desktop\ComboFix.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Laurie\Application Data\chrtmp
c:\documents and settings\Laurie\Application Data\dwm.exe
c:\documents and settings\Laurie\Application Data\LocalAccountAuthority.bat
c:\documents and settings\Laurie\Application Data\Plug.bat
c:\documents and settings\Laurie\Cookies\15438875na.t
c:\documents and settings\Laurie\delme.bat
c:\documents and settings\Laurie\Local Settings\Application Data\{3CBDFF8D-6575-441D-B948-4AFB3A506953}
c:\documents and settings\Laurie\Local Settings\Application Data\{3CBDFF8D-6575-441D-B948-4AFB3A506953}\chrome.manifest
c:\documents and settings\Laurie\Local Settings\Application Data\{3CBDFF8D-6575-441D-B948-4AFB3A506953}\chrome\content\_cfg.js
c:\documents and settings\Laurie\Local Settings\Application Data\{3CBDFF8D-6575-441D-B948-4AFB3A506953}\chrome\content\overlay.xul
c:\documents and settings\Laurie\Local Settings\Application Data\{3CBDFF8D-6575-441D-B948-4AFB3A506953}\install.rdf
c:\windows\system32\Thumbs.db
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Legacy_MOUSEDRIVER
.
.
((((((((((((((((((((((((( Files Created from 2011-06-12 to 2011-07-12 )))))))))))))))))))))))))))))))
.
.
2011-07-11 02:15 . 2011-07-11 02:15 -------- d-----w- c:\documents and settings\Laurie\DoctorWeb
2011-07-10 20:19 . 2011-07-10 20:19 -------- d-----w- c:\documents and settings\Administrator
2011-07-10 18:51 . 2011-07-10 18:51 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2011-07-10 18:43 . 2011-07-10 18:43 16384 ---h--w- c:\windows\sysmgm.exe
2011-07-10 18:40 . 2011-07-10 18:48 -------- d-----w- c:\documents and settings\Laurie\Local Settings\Application Data\Identities
2011-07-10 18:36 . 2011-07-10 19:59 -------- d-----w- c:\documents and settings\All Users\Application Data\WSTB
2011-07-10 18:35 . 2011-07-10 18:35 16636 ---h--w- c:\windows\dxxsetup.exe
2011-07-10 18:35 . 2011-07-10 19:59 -------- d-----w- c:\documents and settings\Laurie\Application Data\Qeomb
2011-07-10 18:35 . 2011-07-10 19:02 -------- d-----w- c:\documents and settings\Laurie\Application Data\Miugy
2011-07-10 18:35 . 2011-07-10 18:35 100252 ---h--w- c:\windows\msmgm.exe
2011-07-10 18:34 . 2011-07-10 18:34 106496 --sha-r- c:\windows\system32\proctexet.dll
2011-07-10 18:17 . 2011-07-10 18:17 -------- d-----w- c:\documents and settings\All Users\Application Data\TEMP
2011-07-10 18:17 . 2011-07-10 18:17 -------- d-----w- c:\program files\Common Files\Sandlot Shared
2011-07-10 18:17 . 2011-07-10 18:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Sandlot Games
2011-07-10 18:17 . 2011-07-10 18:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Trymedia
2011-07-10 01:35 . 2011-07-10 01:35 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-07-09 21:55 . 2011-07-09 21:57 -------- d-----w- c:\documents and settings\Laurie\Application Data\PeaceCraft2
2011-07-09 20:19 . 2011-07-09 20:20 -------- d-----w- c:\documents and settings\Laurie\Local Settings\Application Data\QuickPar
2011-07-09 15:45 . 2011-07-09 15:45 -------- d-----w- c:\documents and settings\Laurie\Application Data\Meridian93
2011-07-09 04:59 . 2011-07-09 04:59 -------- d-----w- c:\windows\system32\XPSViewer
2011-07-09 04:58 . 2011-07-09 04:58 -------- d-----w- c:\program files\MSBuild
2011-07-09 04:58 . 2011-07-09 04:58 -------- d-----w- c:\program files\Reference Assemblies
2011-07-09 04:58 . 2008-07-06 12:06 89088 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\filterpipelineprintproc.dll
2011-07-09 04:58 . 2008-07-06 12:06 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2011-07-09 04:58 . 2008-07-06 12:06 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
2011-07-09 04:58 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2011-07-09 04:58 . 2008-07-06 12:06 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
2011-07-09 04:58 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2011-07-09 04:58 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2011-07-09 04:58 . 2008-07-06 10:50 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2011-07-09 04:58 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\Spool\prtprocs\w32x86\printfilterpipelinesvc.exe
2011-07-09 04:52 . 2011-07-09 04:52 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2011-07-08 11:56 . 2011-04-25 16:11 602112 -c----w- c:\windows\system32\dllcache\msfeeds.dll
2011-07-08 11:56 . 2011-04-25 16:11 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll
2011-07-08 11:56 . 2011-04-25 16:11 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll
2011-07-08 11:56 . 2011-04-25 16:11 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2011-07-08 11:56 . 2011-04-25 16:11 247808 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2011-07-08 11:55 . 2011-04-25 16:11 1991680 -c----w- c:\windows\system32\dllcache\iertutil.dll
2011-07-08 11:49 . 2011-07-08 11:49 -------- d-----w- c:\documents and settings\Laurie\Application Data\Malwarebytes
2011-07-08 11:49 . 2011-05-29 13:11 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-07-08 11:49 . 2011-07-08 11:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-07-08 11:49 . 2011-07-08 11:49 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-07-08 11:49 . 2011-05-29 13:11 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-07-08 11:45 . 2011-07-08 11:45 -------- d-----w- c:\program files\uTorrent
2011-07-08 11:44 . 2011-07-08 11:46 -------- d-----w- c:\documents and settings\Laurie\Application Data\uTorrent
2011-07-08 11:44 . 2011-07-08 11:44 -------- d-----w- c:\documents and settings\Laurie\Local Settings\Application Data\uTorrent
2011-07-08 11:38 . 2011-07-08 11:38 -------- d-----w- c:\program files\QuickPar
2011-07-08 11:18 . 2011-07-12 01:22 -------- d-----w- c:\documents and settings\Laurie\Local Settings\Application Data\Newsbin
2011-07-08 11:18 . 2011-07-08 11:19 -------- d-----w- c:\program files\Newsbin
2011-07-08 10:56 . 2010-07-27 22:42 1774720 ----a-w- c:\windows\system32\BootMan.exe
2011-07-08 10:56 . 2010-07-15 12:44 86408 ----a-w- c:\windows\system32\setupempdrv03.exe
2011-07-08 10:56 . 2010-07-15 12:44 8456 ----a-w- c:\windows\system32\EuGdiDrv.sys
2011-07-08 10:56 . 2010-07-15 12:44 13192 ----a-w- c:\windows\system32\epmntdrv.sys
2011-07-08 10:56 . 2010-07-15 12:44 14848 ----a-w- c:\windows\system32\EuEpmGdi.dll
2011-07-08 10:55 . 2011-07-08 10:55 -------- d-----w- c:\program files\EASEUS
2011-07-08 10:49 . 2011-07-08 10:49 -------- d-----w- c:\documents and settings\Laurie\Local Settings\Application Data\Mozilla
2011-07-08 10:46 . 2011-07-08 10:48 -------- d-----w- c:\documents and settings\Laurie\Local Settings\Application Data\Google
2011-07-08 10:46 . 2011-07-08 10:46 -------- d-----w- c:\documents and settings\Laurie\Local Settings\Application Data\Deployment
2011-07-08 10:45 . 2011-07-08 10:45 -------- d-sh--w- c:\documents and settings\Laurie\IECompatCache
2011-07-08 10:44 . 2011-07-08 10:44 21361 ----a-w- c:\windows\system32\drivers\AegisP.sys
2011-07-08 10:43 . 2011-07-08 10:44 376832 ----a-w- c:\windows\system32\AegisI5Installer.exe
2011-07-08 10:43 . 2011-07-08 10:43 -------- d-----w- c:\windows\OPTIONS
2011-07-08 10:43 . 2010-03-31 18:58 342784 ----a-w- c:\windows\system32\drivers\rtl8187B.sys
2011-07-08 10:43 . 2008-06-27 13:39 332928 ----a-w- c:\windows\system32\drivers\rtl8187.sys
2011-07-08 10:43 . 2011-07-11 22:09 -------- d-----w- c:\windows\system32\RtlGina
2011-07-08 10:43 . 2010-12-01 13:31 451072 ----a-w- c:\windows\system32\ISSRemoveSP.exe
2011-07-06 07:28 . 2011-07-08 11:17 -------- d-----w- C:\mplayer
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-05-02 15:31 . 2009-08-17 18:07 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-04-29 17:25 . 2009-08-17 17:51 151552 ----a-w- c:\windows\system32\schannel.dll
2011-04-29 16:19 . 2009-08-17 17:51 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-04-25 16:11 . 2009-08-17 17:51 916480 ----a-w- c:\windows\system32\wininet.dll
2011-04-25 16:11 . 2009-08-17 17:51 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-04-25 16:11 . 2009-08-17 17:51 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-04-25 12:01 . 2009-08-17 17:51 385024 ----a-w- c:\windows\system32\html.iec
2011-04-21 13:37 . 2009-08-17 17:51 105472 ----a-w- c:\windows\system32\drivers\mup.sys
2011-06-16 04:17 . 2011-07-10 22:29 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AsusACPIServer"="c:\program files\EeePC\ACPI\AsAcpiSvr.exe" [2009-07-10 700416]
"AsusEPCMonitor"="c:\program files\EeePC\ACPI\AsEPCMon.exe" [2009-05-08 98304]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2009-04-09 1512744]
"SynAsusAcpi"="c:\program files\Synaptics\SynTP\SynAsusAcpi.exe" [2009-04-09 79144]
"LiveUpdate"="c:\program files\Asus\LiveUpdate\LiveUpdate.exe" [2009-06-25 712704]
"EasyMode"="c:\program files\\ASUS\\Easy Mode\\Easy Mode.exe" [2009-03-18 1249280]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
REALTEK Wireless LAN Utility.lnk - c:\program files\Realtek\Wireless LAN Utility\RtWLan.exe [2011-7-8 1015808]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2007-10-10 23:51 39792 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 12:00 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
2009-02-06 22:51 3885408 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Realtek\\Wireless LAN Utility\\RtWLan.exe"=
"c:\\Program Files\\Newsbin\\newsbinpro.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1542:TCP"= 1542:TCP:Realtek WPS TCP Prot
"1542:UDP"= 1542:UDP:Realtek WPS UDP Prot
"53:UDP"= 53:UDP:Realtek AP UDP Prot
.
R3 igd;igd;c:\windows\system32\drivers\igxpmp32.sys [8/17/2009 2:24 PM 5097632]
R3 L1c;NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller;c:\windows\system32\drivers\l1c51x86.sys [8/12/2009 5:35 AM 38912]
R3 RTLWUSB;Realtek RTL8187 Wireless 802.11b/g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\drivers\rtl8187.sys [7/8/2011 6:43 AM 332928]
R3 uvclf;uvclf;c:\windows\system32\drivers\uvclf.sys [8/12/2009 5:35 AM 39040]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [8/17/2009 2:25 PM 1684736]
S3 epmntdrv;epmntdrv;c:\windows\system32\epmntdrv.sys [7/8/2011 6:56 AM 13192]
S3 EuGdiDrv;EuGdiDrv;c:\windows\system32\EuGdiDrv.sys [7/8/2011 6:56 AM 8456]
.
Contents of the 'Scheduled Tasks' folder
.
2011-07-08 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-54177274-1042514724-1164472201-1005Core.job
- c:\documents and settings\Laurie\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-07-08 10:46]
.
2011-07-12 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-54177274-1042514724-1164472201-1005UA.job
- c:\documents and settings\Laurie\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-07-08 10:46]
.
.
------- Supplementary Scan -------
.
TCP: DhcpNameServer = 68.87.71.230 68.87.73.246
FF - ProfilePath - c:\documents and settings\Laurie\Application Data\Mozilla\Firefox\Profiles\sqwakfbo.default\
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 60061
FF - prefs.js: network.proxy.type - 0
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-07-11 21:46
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(3988)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\rundll32.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\windows\system32\igfxext.exe
c:\windows\system32\igfxsrvc.exe
.
**************************************************************************
.
Completion time: 2011-07-11 21:49:52 - machine was rebooted
ComboFix-quarantined-files.txt 2011-07-12 01:49
.
Pre-Run: 39,488,720,896 bytes free
Post-Run: 40,160,452,608 bytes free
.
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
.
- - End Of File - - 4DCD8891A90B4DC34C072F60EAD88E51

 

[Bobbye]

It looks good. Did you notice the name> Rootkit.Win32.TDSS.tdl4

Question: Does Comcast require you to use a proxy in Firefox> > FF - prefs.js: network.proxy.http_port - 60061
If not, please do this: Reset your browser proxies


o For Firefox:
o Open Firefox, click on "Tools" then "Options" and then on "Advanced".
o Click on the "Network" tab, and then on the "Settings" button.
o Please make sure that the "No Proxy" option is selected.

o For Internet Explorer:
o Open Internet Explorer.
o Click on "Tools" and then select "Internet Options".
o Click on the "Connections" tab and click the "Lan Settings" button at the bottom.
o Uncheck "Use a Proxy server for your LAN".
o Click Ok to close the Local Area Network (LAN) Settings window.
o Click Ok to close the Internet Options window.
=======================================
Please go ahead and do this scan- I'll check the Combofix log in the morning: I have to write some script for entries to be removed.

• Hold down Control and click on the following link to open ESET OnlineScan in a new window.
  ESETOnlineScan
• For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
  [o] Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
  [o] Double click on the
  
  on your desktop.
• Check 'Yes I accept terms of use.'
• Click Start button
• Accept any security warnings from your browser.
  
  
• Uncheck 'Remove found threats'
• Check 'Scan archives/
• Leave remaining settings as is.
• Press the Start button.
• ESET will then download updates for itself, install itself, and begin scanning your computer. Please wait for the scan to finish.
• When the scan completes, press List of found threats
• Push Export of text file and save the file to your desktop using a unique name, such as ESETScan. Paste this log in your next reply.
• Push the Back button
• Push Finish

NOTE: If no malware is found then no log will be produced. Let me know if this is the case.

 

[ldesim]

I went to reset the proxy's but no proxy was checked in both Firefox & IE.. weird.

Unfortunately, the scan did pick up more viruses I'm afraid.. scan below.. a continued thank you:

C:\Documents and Settings\Laurie\DoctorWeb\Quarantine\7F.exe a variant of Win32/Kryptik.QEE trojan
C:\Documents and Settings\Laurie\DoctorWeb\Quarantine\8E.exe a variant of Win32/Kryptik.QEE trojan
C:\Documents and Settings\Laurie\DoctorWeb\Quarantine\A4.exe a variant of Win32/Kryptik.QEE trojan
C:\Documents and Settings\Laurie\DoctorWeb\Quarantine\gfnl5vop1rvo.exe a variant of Win32/Agent.SDL trojan
C:\Documents and Settings\Laurie\DoctorWeb\Quarantine\out5sd.exe multiple threats
C:\Qoobox\Quarantine\C\Documents and Settings\Laurie\Application Data\dwm.exe.vir a variant of Win32/Kryptik.QEE trojan
C:\WINDOWS\dxxsetup.exe a variant of Win32/Agent.SDL trojan
C:\WINDOWS\msmgm.exe a variant of Win32/Agent.SDL trojan
C:\WINDOWS\sysmgm.exe a variant of Win32/Agent.SDL trojan
D:\Software\Wintools.neT.Ult.v10.7.1.rar probably a variant of Win32/SdBot.IBJMWKD trojan

 

[Bobbye]

Apparently you en Dr. Web before you came here. Several of the Eset entries are those quarantined in Dr. Web.

The Qoobox entries are for entries quarantined in Combofix,

The following are the active entries:

Please download OTMovit by Old Timer and save to your desktop.

• Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
• Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
  

  :Files  
  C:\WINDOWS\dxxsetup.exe 
  C:\WINDOWS\msmgm.exe 
  C:\WINDOWS\sysmgm.exe
  D:\Software\Wintools.neT.Ult.v10.7.1.rar 
  :Commands
  [purity]
  [emptytemp]
  [start explorer]
  [Reboot]

• Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
• Click the red Moveit! button.
• A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
• Close OTMoveIt3

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
=====================================
This program was pirated, which is why it got malware:
Wintools.neT.Ult.v10.7.1.rar >> The legitimate version cost $40.00

And the D Drive is infected.
===================================
Download CKScanner and save to your desktop.

• Doubleclick CKScanner.exe and click Search For Files.
• When the cursor hourglass disappears, click Save List To File.
• A message box will verify that the file is saved.
• Double-click the CKFiles.txt icon on your desktop and copy/paste the contents
  in your next reply.

 

[ldesim]

I thought I had responded to this.. no wonder no reply.. geez... sorry I have no idea what the wintoolsnet thing is.. I just got this netbook and it was refurbished...


Here's the logs...

All processes killed
Error: Unable to interpret <[CODE> in the current context!
========== FILES ==========
C:\WINDOWS\dxxsetup.exe moved successfully.
C:\WINDOWS\msmgm.exe moved successfully.
C:\WINDOWS\sysmgm.exe moved successfully.
D:\Software\Wintools.neT.Ult.v10.7.1.rar moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
->Flash cache emptied: 405 bytes

User: All Users

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 82054 bytes
->Flash cache emptied: 405 bytes

User: Laurie
->Temp folder emptied: 40382 bytes
->Temporary Internet Files folder emptied: 1220617 bytes
->FireFox cache emptied: 152441831 bytes
->Google Chrome cache emptied: 58931021 bytes
->Flash cache emptied: 5433 bytes

User: LocalService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 4505734 bytes
->Flash cache emptied: 6632 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 3195014 bytes
->Flash cache emptied: 5506 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 2577 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 210.00 mb


OTM by OldTimer - Version 3.1.18.0 log created on 07152011_192950

Files moved on Reboot...

Registry entries deleted on Reboot...



CKScanner - Additional Security Risks - These are not necessarily bad
scanner sequence 3.RP.11.IICFXA
----- EOF -----

 

[Bobbye]

I haven't seen any antivirus program or other security programs in any of the logs. Do you have any at all? Where did you find the Backdoor Trojan TDSS "565". information?

What is the D Drive? I asked earlier and said it was infected. My thought of 'refurbished' for a computer is cleaning- the physical parts and if it going to be resold, system wiped clean and OS reinstalled. If that is accurate then any pirated software would have be done by the current users. The OS shows installed 2002, but there are no restore points.

Can you give me any information about the following 2 entries:
2011-07-10 19:59 >> c:\documents and settings\Laurie\Application Data\Qeomb
2011-07-10 18:35 >> c:\documents and settings\Laurie\Application Data\Miugy

Please give me an update on the system.

 

[ldesim]

I had installed freeware version of Malware Bytes.. which initially picked up the viruses, which I'm not sure where they came from... I then ran Dr. Web Cure-it.. which picked up and named the virus as "Backdoor Trojan TDSS 565". I didn't try to cure or delete or anything since it was a boot record as I was afraid I wouldn't be able to reboot.

The D drive is a partition I created. For some reason, System restore was inactive.. maybe as a result of the trojan/viruses?? I didn't realize this until I had the problems and tried to restore as a first course of action.

I have no idea what those files are, but I changed settings to show hidden folders & system folders and the MIUGY folder just has a file named evzox.tmp and the QEOMB folder is empty.

 

[Bobbye]

Malwarebytes is an antimalware program. Even if you bought the Pro version, it does not have an antivirus program. Using the freeware scan may pick up malware, but it is not the same as having an antivirus program installed on the system, updating and running all the time.

Before I take you any further, please install one of the free and good AV programs below:
Avira-AntiVir-Personal-Free-Antivirus
Avast-Free Antivirus

Immediately update the program after the install, then run a scan to make sure it's running okay. I don't need that log.
Reboot the computer when through.

The most basic security is one antivirus program, one firewall and at least two antimalware programs.
===========================================
Update and run a new Eset online virus scan.> directions given previously
Then update and run as new Combofix scan> directions given previously

Both logs in next reply please. I will not continue support without an AV program on the system. Even if you have to disable it to run scans, it's need to be on the system to protect it.

 

[ldesim]

I went with the first one Avira.. nothing turned up in a scan..l here is logs from Eset & Combofix:

C:\_OTM\MovedFiles\07152011_192950\D_Software\Wintools.neT.Ult.v10.7.1.rar probably a variant of Win32/SdBot.IBJMWKD trojan

ComboFix 11-07-24.03 - Laurie 07/24/2011 21:19:05.2.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.167 [GMT -4:00]
Running from: c:\documents and settings\Laurie\Desktop\ComboFix.exe
AV: AntiVir Desktop *Disabled/Outdated* {AD166499-45F9-482A-A743-FDD3350758C7}
.
.
((((((((((((((((((((((((( Files Created from 2011-06-25 to 2011-07-25 )))))))))))))))))))))))))))))))
.
.
2011-07-24 21:33 . 2011-06-17 16:37 61960 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2011-07-24 21:33 . 2011-06-17 16:37 137656 ----a-w- c:\windows\system32\drivers\avipbb.sys
2011-07-24 21:33 . 2010-06-17 19:27 22360 ----a-w- c:\windows\system32\drivers\avgntmgr.sys
2011-07-24 21:33 . 2010-06-17 19:27 45416 ----a-w- c:\windows\system32\drivers\avgntdd.sys
2011-07-24 21:33 . 2011-07-24 21:33 -------- d-----w- c:\program files\Avira
2011-07-24 21:33 . 2011-07-24 21:33 -------- d-----w- c:\documents and settings\All Users\Application Data\Avira
2011-07-17 18:34 . 2011-07-17 18:34 -------- d-----w- c:\documents and settings\All Users\Application Data\SulusGames
2011-07-17 18:28 . 2011-07-17 18:30 -------- d-----w- c:\documents and settings\Laurie\Application Data\Peace Craft
2011-07-15 23:29 . 2011-07-15 23:29 -------- d-----w- C:\_OTM
2011-07-13 02:42 . 2011-07-13 02:42 -------- d-----w- c:\program files\ESET
2011-07-11 02:15 . 2011-07-11 02:15 -------- d-----w- c:\documents and settings\Laurie\DoctorWeb
2011-07-10 20:19 . 2011-07-10 20:19 -------- d-----w- c:\documents and settings\Administrator
2011-07-10 18:51 . 2011-07-10 18:51 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2011-07-10 18:40 . 2011-07-10 18:48 -------- d-----w- c:\documents and settings\Laurie\Local Settings\Application Data\Identities
2011-07-10 18:36 . 2011-07-10 19:59 -------- d-----w- c:\documents and settings\All Users\Application Data\WSTB
2011-07-10 18:35 . 2011-07-10 19:59 -------- d-----w- c:\documents and settings\Laurie\Application Data\Qeomb
2011-07-10 18:35 . 2011-07-10 19:02 -------- d-----w- c:\documents and settings\Laurie\Application Data\Miugy
2011-07-10 18:34 . 2011-07-10 18:34 106496 --sha-r- c:\windows\system32\proctexet.dll
2011-07-10 18:17 . 2011-07-10 18:17 -------- d-----w- c:\documents and settings\All Users\Application Data\TEMP
2011-07-10 18:17 . 2011-07-10 18:17 -------- d-----w- c:\program files\Common Files\Sandlot Shared
2011-07-10 18:17 . 2011-07-10 18:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Sandlot Games
2011-07-10 18:17 . 2011-07-10 18:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Trymedia
2011-07-10 01:35 . 2011-07-10 01:35 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-07-09 21:55 . 2011-07-09 21:57 -------- d-----w- c:\documents and settings\Laurie\Application Data\PeaceCraft2
2011-07-09 20:19 . 2011-07-22 22:56 -------- d-----w- c:\documents and settings\Laurie\Local Settings\Application Data\QuickPar
2011-07-09 15:45 . 2011-07-09 15:45 -------- d-----w- c:\documents and settings\Laurie\Application Data\Meridian93
2011-07-09 04:59 . 2011-07-09 04:59 -------- d-----w- c:\windows\system32\XPSViewer
2011-07-09 04:58 . 2011-07-09 04:58 -------- d-----w- c:\program files\MSBuild
2011-07-09 04:58 . 2011-07-09 04:58 -------- d-----w- c:\program files\Reference Assemblies
2011-07-09 04:58 . 2008-07-06 12:06 89088 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\filterpipelineprintproc.dll
2011-07-09 04:58 . 2008-07-06 12:06 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2011-07-09 04:58 . 2008-07-06 12:06 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
2011-07-09 04:58 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2011-07-09 04:58 . 2008-07-06 12:06 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
2011-07-09 04:58 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2011-07-09 04:58 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2011-07-09 04:58 . 2008-07-06 10:50 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2011-07-09 04:58 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\Spool\prtprocs\w32x86\printfilterpipelinesvc.exe
2011-07-09 04:52 . 2011-07-09 04:52 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2011-07-08 11:56 . 2011-04-25 16:11 602112 -c----w- c:\windows\system32\dllcache\msfeeds.dll
2011-07-08 11:56 . 2011-04-25 16:11 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll
2011-07-08 11:56 . 2011-04-25 16:11 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll
2011-07-08 11:56 . 2011-04-25 16:11 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2011-07-08 11:56 . 2011-04-25 16:11 247808 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2011-07-08 11:55 . 2011-04-25 16:11 1991680 -c----w- c:\windows\system32\dllcache\iertutil.dll
2011-07-08 11:49 . 2011-07-08 11:49 -------- d-----w- c:\documents and settings\Laurie\Application Data\Malwarebytes
2011-07-08 11:49 . 2011-05-29 13:11 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-07-08 11:49 . 2011-07-08 11:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-07-08 11:49 . 2011-07-08 11:49 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-07-08 11:49 . 2011-05-29 13:11 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-07-08 11:44 . 2011-07-12 01:58 -------- d-----w- c:\documents and settings\Laurie\Application Data\uTorrent
2011-07-08 11:38 . 2011-07-08 11:38 -------- d-----w- c:\program files\QuickPar
2011-07-08 11:18 . 2011-07-24 19:48 -------- d-----w- c:\documents and settings\Laurie\Local Settings\Application Data\Newsbin
2011-07-08 11:18 . 2011-07-08 11:19 -------- d-----w- c:\program files\Newsbin
2011-07-08 10:56 . 2010-07-15 12:44 86408 ----a-w- c:\windows\system32\setupempdrv03.exe
2011-07-08 10:56 . 2010-07-15 12:44 8456 ----a-w- c:\windows\system32\EuGdiDrv.sys
2011-07-08 10:56 . 2010-07-15 12:44 13192 ----a-w- c:\windows\system32\epmntdrv.sys
2011-07-08 10:56 . 2010-07-15 12:44 14848 ----a-w- c:\windows\system32\EuEpmGdi.dll
2011-07-08 10:55 . 2011-07-08 10:55 -------- d-----w- c:\program files\EASEUS
2011-07-08 10:49 . 2011-07-08 10:49 -------- d-----w- c:\documents and settings\Laurie\Local Settings\Application Data\Mozilla
2011-07-08 10:46 . 2011-07-08 10:48 -------- d-----w- c:\documents and settings\Laurie\Local Settings\Application Data\Google
2011-07-08 10:46 . 2011-07-08 10:46 -------- d-----w- c:\documents and settings\Laurie\Local Settings\Application Data\Deployment
2011-07-08 10:45 . 2011-07-08 10:45 -------- d-sh--w- c:\documents and settings\Laurie\IECompatCache
2011-07-08 10:44 . 2011-07-08 10:44 21361 ----a-w- c:\windows\system32\drivers\AegisP.sys
2011-07-08 10:43 . 2011-07-08 10:44 376832 ----a-w- c:\windows\system32\AegisI5Installer.exe
2011-07-08 10:43 . 2011-07-08 10:43 -------- d-----w- c:\windows\OPTIONS
2011-07-08 10:43 . 2010-03-31 18:58 342784 ----a-w- c:\windows\system32\drivers\rtl8187B.sys
2011-07-08 10:43 . 2008-06-27 13:39 332928 ----a-w- c:\windows\system32\drivers\rtl8187.sys
2011-07-08 10:43 . 2011-07-11 22:09 -------- d-----w- c:\windows\system32\RtlGina
2011-07-08 10:43 . 2010-12-01 13:31 451072 ----a-w- c:\windows\system32\ISSRemoveSP.exe
2011-07-06 07:28 . 2011-07-08 11:17 -------- d-----w- C:\mplayer
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-05-02 15:31 . 2009-08-17 18:07 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-04-29 17:25 . 2009-08-17 17:51 151552 ----a-w- c:\windows\system32\schannel.dll
2011-04-29 16:19 . 2009-08-17 17:51 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-06-16 04:17 . 2011-07-10 22:29 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AsusACPIServer"="c:\program files\EeePC\ACPI\AsAcpiSvr.exe" [2009-07-10 700416]
"AsusEPCMonitor"="c:\program files\EeePC\ACPI\AsEPCMon.exe" [2009-05-08 98304]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2009-04-09 1512744]
"SynAsusAcpi"="c:\program files\Synaptics\SynTP\SynAsusAcpi.exe" [2009-04-09 79144]
"LiveUpdate"="c:\program files\Asus\LiveUpdate\LiveUpdate.exe" [2009-06-25 712704]
"EasyMode"="c:\program files\\ASUS\\Easy Mode\\Easy Mode.exe" [2009-03-18 1249280]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
REALTEK Wireless LAN Utility.lnk - c:\program files\Realtek\Wireless LAN Utility\RtWLan.exe [2011-7-8 1015808]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2007-10-10 23:51 39792 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 12:00 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
2009-02-06 22:51 3885408 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Realtek\\Wireless LAN Utility\\RtWLan.exe"=
"c:\\Program Files\\Newsbin\\newsbinpro.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1542:TCP"= 1542:TCP:Realtek WPS TCP Prot
"1542:UDP"= 1542:UDP:Realtek WPS UDP Prot
"53:UDP"= 53:UDP:Realtek AP UDP Prot
.
R3 igd;igd;c:\windows\system32\drivers\igxpmp32.sys [8/17/2009 2:24 PM 5097632]
R3 L1c;NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller;c:\windows\system32\drivers\l1c51x86.sys [8/12/2009 5:35 AM 38912]
R3 RTLWUSB;Realtek RTL8187 Wireless 802.11b/g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\drivers\rtl8187.sys [7/8/2011 6:43 AM 332928]
R3 uvclf;uvclf;c:\windows\system32\drivers\uvclf.sys [8/12/2009 5:35 AM 39040]
S2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [7/24/2011 5:33 PM 136360]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [8/17/2009 2:25 PM 1684736]
S3 epmntdrv;epmntdrv;c:\windows\system32\epmntdrv.sys [7/8/2011 6:56 AM 13192]
S3 EuGdiDrv;EuGdiDrv;c:\windows\system32\EuGdiDrv.sys [7/8/2011 6:56 AM 8456]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [7/8/2011 7:49 AM 39984]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - SSMDRV
*Deregistered* - avipbb
*Deregistered* - ssmdrv
.
Contents of the 'Scheduled Tasks' folder
.
2011-07-08 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-54177274-1042514724-1164472201-1005Core.job
- c:\documents and settings\Laurie\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-07-08 10:46]
.
2011-07-25 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-54177274-1042514724-1164472201-1005UA.job
- c:\documents and settings\Laurie\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-07-08 10:46]
.
.
------- Supplementary Scan -------
.
TCP: DhcpNameServer = 192.168.1.1 192.168.1.1
FF - ProfilePath - c:\documents and settings\Laurie\Application Data\Mozilla\Firefox\Profiles\sqwakfbo.default\
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 60061
FF - prefs.js: network.proxy.type - 0
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-07-24 21:26
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(4008)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2011-07-24 21:29:14
ComboFix-quarantined-files.txt 2011-07-25 01:29
ComboFix2.txt 2011-07-12 01:49
.
Pre-Run: 37,329,793,024 bytes free
Post-Run: 37,377,388,544 bytes free
.
- - End Of File - - 45BCC011548F0AF0CA9DD82425B12917

Thanks again for your time.

 

[Bobbye]

You're welcome- glad to help. I'm setting up script for you to run through Combofix and there is a file I can't identify. There are no pages other than this thread on the internet for this process, so it needs to be submitted as follows:

Please go to VirSCAN.org FREE on-line scan service:

• 
  [1]. Copy and paste the following file path into the Suspicious files to scan box on the top of the page.
  
  

  c:\windows\system32\proctexet.dll

  [2]. At the upload site, click once inside the window next to Browse.
  [3]. Press Ctrl+V on the keyboard (both at the same time) to paste the file path into the window.
  [4]. Click on the Upload button.
  This will perform a scan across multiple different virus scanning engines.
  Your file will possibly be entered into a queue which normally takes less than a minute to clear.
  Important: Wait for all of the scanning engines to complete.
  [5]. Once the Scan is completed scroll down and click on the Copy to Clipboard button. This will copy the link of the report into the Clipboard.
  [6]. Paste the contents of the Clipboard in your next reply.

===============================================
You also need to update Avira because it's showing this: AV: AntiVir Desktop *Disabled/Outdated
If you look in my instructions, you can note that I instruct you to update after the install. Even if you have to disable to to run a scan, it still needs to be current for the times the system is up and connected to the internet.
==============================================

I changed settings to show hidden folders & system folders and the MIUGY folder just has a file named evzox.tmp and the QEOMB folder is empty.

If the folders are still unhidden, you can do a right click> Delete on each of them as I am going to remove them in the script.
Please be sure to go back and check 'don't show hidden files and folders' and check 'hide protected system files (Recommended)'. You won't need to unhide them unless I instruct you to do so.
=====================================
Go ahead and run the VirSCAN now and let me see the log.
=====================================
As for the D Drive, the partition you created, the infected, pirated program is in it.

 

[ldesim]

Hi there,

I tried uploading and it starts, then I get a message "error, can't find upload file" I looked for the file in explorer.. found it and it's a read only file.. could that be why? I tried using the browse function and uploadng the file and I tried taking it off read only, but it wouldn't let me... I got an access is denied message.

I had updated Avira, at least it told me it did.. regardless, I hated the program and went on to install avast! instead which seems much much better. Scan from that turned up clean as well.

 

[Bobbye]

See if either of these site will do the ID scan: Are you signed on t the Administrative Account?

VirusTotal
Jotti

• 
  [1]. Copy and paste the following file path into the Suspicious files to scan box on the top of the page.
  
  

  c:\windows\system32\proctexet.dll

  [2]. At the upload site, click once inside the window next to Browse.
  [3]. Press Ctrl+V on the keyboard (both at the same time) to paste the file path into the window.
  [4]. Click on the Upload button.
  This will perform a scan across multiple different virus scanning engines.
  Your file will possibly be entered into a queue which normally takes less than a minute to clear.
  Important: Wait for all of the scanning engines to complete.
  [5]. Once the Scan is completed scroll down and click on the Copy to Clipboard button. This will copy the link of the report into the Clipboard.
  [6]. Paste the contents of the Clipboard in your next reply.

 

[ldesim]

This is a bit frustrating, Neither of the sites worked.. the first I got no response and the second said "file is empty (0 bytes).

The only way that I know how to log into the "administrator" account is to go in safe mode... if I log out normally, I don't get the option to go in to administrator. So I did the safe mode and that .dll does not show up, (I made sure the hide files feature was off) although the accompanying file of proctexe.ocx did. I logged off and into the normal one still in safe mode and again tried to take the read only feature off, but was unable to.

 

[Bobbye]

Don't worry about that file. I am going to 'look' at it:

Please run this Custom CFScript:

• 
  [1]. Close any open browsers.
  [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  [3]. Open notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it:Be sure to scroll down to include ALL lines.

File::
Folder::
c:\windows\system32\PreInstall
c:\program files\uTorrent
c:\documents and settings\laurie\local settings\application data\uTorrent
c:\documents and settings\Laurie\DoctorWeb
c:\documents and settings\laurie\application data\uTorrent
c:\documents and settings\Laurie\Application Data\Qeomb
c:\documents and settings\Laurie\Application Data\Miugy
c:\documents and settings\All Users\Application Data\TEMP
c:\documents and settings\All Users\Application Data\Trymedia
FileLook::
c:\windows\system32\setupempdrv03.exe
c:\windows\system32\proctexet.dll
Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\Auth orizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=-

Save this as CFScript.txt, in the same location as ComboFix.exe

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt . Please paste in your next reply.
=============================================
Recommend you remove Trymedia The site is rating low by all 4 indices in the WOT Site Advisor.

Please update the Adobe Reader: Adobe Reader site Uninstall any earlier updates as they are vulnerabilities.

 

[ldesim]

Hi Bobeye,

I updated Adobe and ran Combofix and here is log.. Question, is it ok that Avast! seems to have disabled Windows security center? Thank you.

ComboFix 11-07-27.03 - Laurie 07/27/2011 20:38:38.3.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.462 [GMT -4:00]
Running from: c:\documents and settings\Laurie\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Laurie\Desktop\CFScript.txt
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\TEMP
c:\documents and settings\All Users\Application Data\Trymedia
c:\documents and settings\Laurie\Application Data\Miugy
c:\documents and settings\Laurie\Application Data\Miugy\evzox.tmp
c:\documents and settings\Laurie\Application Data\Qeomb
c:\documents and settings\laurie\application data\uTorrent
c:\documents and settings\laurie\application data\uTorrent\apps\3609FC884502A1DF0AA5D9D160C827BB1BD51FC9.btapp
c:\documents and settings\laurie\application data\uTorrent\apps\4585805A0BEAAAA6F570825EB241201C227B5E09.btapp
c:\documents and settings\laurie\application data\uTorrent\dht.dat
c:\documents and settings\laurie\application data\uTorrent\dlimagecache\10E6FBE4D921B475FA5FEC6E9A535A540D6FEED1
c:\documents and settings\laurie\application data\uTorrent\dlimagecache\2D78C93EC367E6C1D9894103FA04B3BE5B20A84E
c:\documents and settings\laurie\application data\uTorrent\dlimagecache\BBEEC0395D21A2A7F91889D7C7509F3D5D46FC05
c:\documents and settings\laurie\application data\uTorrent\ie\ie.1310125527.tmp
c:\documents and settings\laurie\application data\uTorrent\resume.dat
c:\documents and settings\laurie\application data\uTorrent\rss.dat
c:\documents and settings\laurie\application data\uTorrent\settings.dat
c:\documents and settings\laurie\application data\uTorrent\settings.dat.old
c:\documents and settings\Laurie\DoctorWeb
c:\documents and settings\Laurie\DoctorWeb\CureIt.log
.
.
((((((((((((((((((((((((( Files Created from 2011-06-28 to 2011-07-28 )))))))))))))))))))))))))))))))
.
.
2011-07-27 22:21 . 2011-07-27 22:21 -------- d-----w- c:\program files\Common Files\Adobe
2011-07-27 22:11 . 2011-07-27 22:11 -------- d-----w- c:\program files\Common Files\Adobe AIR
2011-07-25 02:14 . 2011-05-10 12:03 307928 ----a-w- c:\windows\system32\drivers\aswSP.sys
2011-07-25 02:14 . 2011-05-10 11:59 19544 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2011-07-25 02:14 . 2011-05-10 11:59 25432 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2011-07-25 02:14 . 2011-05-10 12:03 441176 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2011-07-25 02:14 . 2011-05-10 12:02 49240 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2011-07-25 02:14 . 2011-05-10 12:02 102616 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2011-07-25 02:14 . 2011-05-10 12:02 96344 ----a-w- c:\windows\system32\drivers\aswmon.sys
2011-07-25 02:14 . 2011-05-10 11:59 30808 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2011-07-25 02:13 . 2011-05-10 12:10 40112 ----a-w- c:\windows\avastSS.scr
2011-07-25 02:13 . 2011-05-10 12:10 199304 ----a-w- c:\windows\system32\aswBoot.exe
2011-07-25 02:13 . 2011-07-25 02:13 -------- d-----w- c:\program files\AVAST Software
2011-07-25 02:13 . 2011-07-25 02:13 -------- d-----w- c:\documents and settings\All Users\Application Data\AVAST Software
2011-07-17 18:34 . 2011-07-17 18:34 -------- d-----w- c:\documents and settings\All Users\Application Data\SulusGames
2011-07-17 18:28 . 2011-07-17 18:30 -------- d-----w- c:\documents and settings\Laurie\Application Data\Peace Craft
2011-07-15 23:29 . 2011-07-15 23:29 -------- d-----w- C:\_OTM
2011-07-13 02:42 . 2011-07-13 02:42 -------- d-----w- c:\program files\ESET
2011-07-10 20:19 . 2011-07-10 20:19 -------- d-----w- c:\documents and settings\Administrator
2011-07-10 18:51 . 2011-07-10 18:51 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2011-07-10 18:40 . 2011-07-10 18:48 -------- d-----w- c:\documents and settings\Laurie\Local Settings\Application Data\Identities
2011-07-10 18:36 . 2011-07-10 19:59 -------- d-----w- c:\documents and settings\All Users\Application Data\WSTB
2011-07-10 18:34 . 2011-07-10 18:34 106496 --sha-r- c:\windows\system32\proctexet.dll
2011-07-10 18:17 . 2011-07-10 18:17 -------- d-----w- c:\program files\Common Files\Sandlot Shared
2011-07-10 18:17 . 2011-07-10 18:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Sandlot Games
2011-07-10 01:35 . 2011-07-10 01:35 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-07-09 21:55 . 2011-07-09 21:57 -------- d-----w- c:\documents and settings\Laurie\Application Data\PeaceCraft2
2011-07-09 20:19 . 2011-07-22 22:56 -------- d-----w- c:\documents and settings\Laurie\Local Settings\Application Data\QuickPar
2011-07-09 15:45 . 2011-07-09 15:45 -------- d-----w- c:\documents and settings\Laurie\Application Data\Meridian93
2011-07-09 04:59 . 2011-07-09 04:59 -------- d-----w- c:\windows\system32\XPSViewer
2011-07-09 04:58 . 2011-07-09 04:58 -------- d-----w- c:\program files\MSBuild
2011-07-09 04:58 . 2011-07-09 04:58 -------- d-----w- c:\program files\Reference Assemblies
2011-07-09 04:58 . 2008-07-06 12:06 89088 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\filterpipelineprintproc.dll
2011-07-09 04:58 . 2008-07-06 12:06 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2011-07-09 04:58 . 2008-07-06 12:06 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
2011-07-09 04:58 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2011-07-09 04:58 . 2008-07-06 12:06 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
2011-07-09 04:58 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2011-07-09 04:58 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2011-07-09 04:58 . 2008-07-06 10:50 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2011-07-09 04:58 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\Spool\prtprocs\w32x86\printfilterpipelinesvc.exe
2011-07-09 04:52 . 2011-07-09 04:52 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2011-07-08 11:56 . 2011-04-25 16:11 602112 -c----w- c:\windows\system32\dllcache\msfeeds.dll
2011-07-08 11:56 . 2011-04-25 16:11 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll
2011-07-08 11:56 . 2011-04-25 16:11 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll
2011-07-08 11:56 . 2011-04-25 16:11 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2011-07-08 11:56 . 2011-04-25 16:11 247808 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2011-07-08 11:55 . 2011-04-25 16:11 1991680 -c----w- c:\windows\system32\dllcache\iertutil.dll
2011-07-08 11:49 . 2011-07-08 11:49 -------- d-----w- c:\documents and settings\Laurie\Application Data\Malwarebytes
2011-07-08 11:49 . 2011-05-29 13:11 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-07-08 11:49 . 2011-07-08 11:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-07-08 11:49 . 2011-07-08 11:49 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-07-08 11:49 . 2011-05-29 13:11 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-07-08 11:38 . 2011-07-08 11:38 -------- d-----w- c:\program files\QuickPar
2011-07-08 11:18 . 2011-07-27 23:39 -------- d-----w- c:\documents and settings\Laurie\Local Settings\Application Data\Newsbin
2011-07-08 11:18 . 2011-07-08 11:19 -------- d-----w- c:\program files\Newsbin
2011-07-08 10:56 . 2010-07-15 12:44 86408 ----a-w- c:\windows\system32\setupempdrv03.exe
2011-07-08 10:56 . 2010-07-15 12:44 8456 ----a-w- c:\windows\system32\EuGdiDrv.sys
2011-07-08 10:56 . 2010-07-15 12:44 13192 ----a-w- c:\windows\system32\epmntdrv.sys
2011-07-08 10:56 . 2010-07-15 12:44 14848 ----a-w- c:\windows\system32\EuEpmGdi.dll
2011-07-08 10:55 . 2011-07-08 10:55 -------- d-----w- c:\program files\EASEUS
2011-07-08 10:49 . 2011-07-08 10:49 -------- d-----w- c:\documents and settings\Laurie\Local Settings\Application Data\Mozilla
2011-07-08 10:46 . 2011-07-08 10:48 -------- d-----w- c:\documents and settings\Laurie\Local Settings\Application Data\Google
2011-07-08 10:46 . 2011-07-08 10:46 -------- d-----w- c:\documents and settings\Laurie\Local Settings\Application Data\Deployment
2011-07-08 10:45 . 2011-07-08 10:45 -------- d-sh--w- c:\documents and settings\Laurie\IECompatCache
2011-07-08 10:44 . 2011-07-08 10:44 21361 ----a-w- c:\windows\system32\drivers\AegisP.sys
2011-07-08 10:43 . 2011-07-08 10:44 376832 ----a-w- c:\windows\system32\AegisI5Installer.exe
2011-07-08 10:43 . 2011-07-08 10:43 -------- d-----w- c:\windows\OPTIONS
2011-07-08 10:43 . 2010-03-31 18:58 342784 ----a-w- c:\windows\system32\drivers\rtl8187B.sys
2011-07-08 10:43 . 2008-06-27 13:39 332928 ----a-w- c:\windows\system32\drivers\rtl8187.sys
2011-07-08 10:43 . 2011-07-11 22:09 -------- d-----w- c:\windows\system32\RtlGina
2011-07-08 10:43 . 2010-12-01 13:31 451072 ----a-w- c:\windows\system32\ISSRemoveSP.exe
2011-07-06 07:28 . 2011-07-08 11:17 -------- d-----w- C:\mplayer
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-05-02 15:31 . 2009-08-17 18:07 692736 ----a-w- c:\windows\system32\inetcomm.dll
2011-04-29 17:25 . 2009-08-17 17:51 151552 ----a-w- c:\windows\system32\schannel.dll
2011-04-29 16:19 . 2009-08-17 17:51 456320 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-06-16 04:17 . 2011-07-10 22:29 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
--- c:\windows\system32\proctexet.dll ---
Company: ------
File Description: ------
File Version: ------
Product Name: ------
Copyright: ------
Original Filename: ------
File size: 106496
Created time: 2011-07-10 18:34
Modified time: 2011-07-10 18:34
MD5: !HASH: COULD NOT OPEN FILE !!!!!
SHA1: !HASH: COULD NOT OPEN FILE !!!!!
.
.
--- c:\windows\system32\setupempdrv03.exe ---
Company: ------
File Description: ------
File Version: ------
Product Name: ------
Copyright: ------
Original Filename: ------
File size: 86408
Created time: 2011-07-08 10:56
Modified time: 2010-07-15 12:44
MD5: 780FB595E5E11355A8313F644329E3EB
SHA1: 2A4714FF389BB2391F9C57CE9DA6064AC2AED8EE
.
.
((((((((((((((((((((((((((((( SnapShot@2011-07-25_01.26.54 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-08-17 17:51 . 2011-07-27 21:16 68062 c:\windows\system32\perfc009.dat
- 2009-08-17 17:51 . 2011-07-25 01:15 68062 c:\windows\system32\perfc009.dat
+ 2011-07-27 22:11 . 2011-07-27 22:11 28160 c:\windows\Installer\372583.msi
+ 2009-08-17 17:51 . 2011-07-27 21:16 433256 c:\windows\system32\perfh009.dat
- 2009-08-17 17:51 . 2011-07-25 01:15 433256 c:\windows\system32\perfh009.dat
+ 2011-07-27 22:21 . 2011-07-27 22:21 2295808 c:\windows\Installer\372873.msi
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2011-05-10 12:10 122512 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AsusACPIServer"="c:\program files\EeePC\ACPI\AsAcpiSvr.exe" [2009-07-10 700416]
"AsusEPCMonitor"="c:\program files\EeePC\ACPI\AsEPCMon.exe" [2009-05-08 98304]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2009-04-09 1512744]
"SynAsusAcpi"="c:\program files\Synaptics\SynTP\SynAsusAcpi.exe" [2009-04-09 79144]
"LiveUpdate"="c:\program files\Asus\LiveUpdate\LiveUpdate.exe" [2009-06-25 712704]
"EasyMode"="c:\program files\\ASUS\\Easy Mode\\Easy Mode.exe" [2009-03-18 1249280]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2011-05-10 3459712]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
REALTEK Wireless LAN Utility.lnk - c:\program files\Realtek\Wireless LAN Utility\RtWLan.exe [2011-7-8 1015808]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 12:00 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
2009-02-06 22:51 3885408 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Realtek\\Wireless LAN Utility\\RtWLan.exe"=
"c:\\Program Files\\Newsbin\\newsbinpro.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1542:TCP"= 1542:TCP:Realtek WPS TCP Prot
"1542:UDP"= 1542:UDP:Realtek WPS UDP Prot
"53:UDP"= 53:UDP:Realtek AP UDP Prot
.
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [7/24/2011 10:14 PM 441176]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [7/24/2011 10:14 PM 307928]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [7/24/2011 10:14 PM 19544]
R3 igd;igd;c:\windows\system32\drivers\igxpmp32.sys [8/17/2009 2:24 PM 5097632]
R3 L1c;NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller;c:\windows\system32\drivers\l1c51x86.sys [8/12/2009 5:35 AM 38912]
R3 RTLWUSB;Realtek RTL8187 Wireless 802.11b/g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\drivers\rtl8187.sys [7/8/2011 6:43 AM 332928]
R3 uvclf;uvclf;c:\windows\system32\drivers\uvclf.sys [8/12/2009 5:35 AM 39040]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [8/17/2009 2:25 PM 1684736]
S3 epmntdrv;epmntdrv;c:\windows\system32\epmntdrv.sys [7/8/2011 6:56 AM 13192]
S3 EuGdiDrv;EuGdiDrv;c:\windows\system32\EuGdiDrv.sys [7/8/2011 6:56 AM 8456]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [7/8/2011 7:49 AM 39984]
.
Contents of the 'Scheduled Tasks' folder
.
2011-07-25 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-54177274-1042514724-1164472201-1005Core.job
- c:\documents and settings\Laurie\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-07-08 10:46]
.
2011-07-27 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-54177274-1042514724-1164472201-1005UA.job
- c:\documents and settings\Laurie\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-07-08 10:46]
.
.
------- Supplementary Scan -------
.
TCP: DhcpNameServer = 192.168.1.1 192.168.1.1
FF - ProfilePath - c:\documents and settings\Laurie\Application Data\Mozilla\Firefox\Profiles\sqwakfbo.default\
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 60061
FF - prefs.js: network.proxy.type - 0
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
- - - - ORPHANS REMOVED - - - -
.
MSConfigStartUp-Adobe Reader Speed Launcher - c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-07-27 20:50
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
Completion time: 2011-07-27 20:56:06
ComboFix-quarantined-files.txt 2011-07-28 00:55
ComboFix2.txt 2011-07-25 01:40
ComboFix3.txt 2011-07-12 01:49
.
Pre-Run: 37,142,941,696 bytes free
Post-Run: 37,128,638,464 bytes free
.
- - End Of File - - 9820B24607887307D7F03896DCD09F89

 

[Bobbye]

There is no indication in Combofix that the Security Center is disabled. And Avast would't disable ot. Please check the settings for the Security Center in the Control Panel. Also check the Avast configuration.

The system looks good. But it won't stay that way if you go back to using uTorrent or other file sharing programs.
The WinTools programs that was pirated became infected because of using a torrent site. You have the file on the D Drive.
=======================================
If you haven't done this, please do so:
Reset your browser proxies
o For Firefox:
o Open Firefox, click on "Tools" then "Options" and then on "Advanced".
o Click on the "Network" tab, and then on the "Settings" button.
o Please make sure that the "No Proxy" option is selected.
================================================
I'd like you to update and run a new Eset online virus scan.
============================================
Please run this Custom CFScript:

• 
  [1]. Close any open browsers.
  [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  [3]. Open notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it:Be sure to scroll down to include ALL lines.

File::
c:\windows\system32\setupempdrv03.exe
c:\windows\system32\proctexet.dll

Save this as CFScript.txt, in the same location as ComboFix.exe

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt . Please paste in your next reply.

 

[ldesim]

Hiya,

Eset turned up something that seems to look bad? Here's log:

C:\System Volume Information\_restore{8244A3B9-3806-4325-B0B1-93AAAAE4ABBF}\RP7\A0001287.exe multiple threats
C:\_OTM\MovedFiles\07152011_192950\D_Software\Wintools.neT.Ult.v10.7.1.rar probably a variant of Win32/SdBot.IBJMWKD trojan

And here is ComboFix:

ComboFix 11-08-01.05 - Laurie 08/01/2011 21:26:51.4.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1014.447 [GMT -4:00]
Running from: c:\documents and settings\Laurie\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Laurie\Desktop\CFScript.txt
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
FILE ::
"c:\windows\system32\proctexet.dll"
"c:\windows\system32\setupempdrv03.exe"
.
.
((((((((((((((((((((((((( Files Created from 2011-07-02 to 2011-08-02 )))))))))))))))))))))))))))))))
.
.
2011-07-31 22:44 . 2011-07-31 22:44 -------- d-----w- c:\documents and settings\Laurie\Local Settings\Application Data\Temp
2011-07-27 22:21 . 2011-07-27 22:21 -------- d-----w- c:\program files\Common Files\Adobe
2011-07-27 22:11 . 2011-07-27 22:11 -------- d-----w- c:\program files\Common Files\Adobe AIR
2011-07-25 02:14 . 2011-05-10 12:03 307928 ----a-w- c:\windows\system32\drivers\aswSP.sys
2011-07-25 02:14 . 2011-05-10 11:59 19544 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2011-07-25 02:14 . 2011-05-10 11:59 25432 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2011-07-25 02:14 . 2011-05-10 12:03 441176 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2011-07-25 02:14 . 2011-05-10 12:02 49240 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2011-07-25 02:14 . 2011-05-10 12:02 102616 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2011-07-25 02:14 . 2011-05-10 12:02 96344 ----a-w- c:\windows\system32\drivers\aswmon.sys
2011-07-25 02:14 . 2011-05-10 11:59 30808 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2011-07-25 02:13 . 2011-05-10 12:10 40112 ----a-w- c:\windows\avastSS.scr
2011-07-25 02:13 . 2011-05-10 12:10 199304 ----a-w- c:\windows\system32\aswBoot.exe
2011-07-25 02:13 . 2011-07-25 02:13 -------- d-----w- c:\program files\AVAST Software
2011-07-25 02:13 . 2011-07-25 02:13 -------- d-----w- c:\documents and settings\All Users\Application Data\AVAST Software
2011-07-17 18:34 . 2011-07-17 18:34 -------- d-----w- c:\documents and settings\All Users\Application Data\SulusGames
2011-07-17 18:28 . 2011-07-17 18:30 -------- d-----w- c:\documents and settings\Laurie\Application Data\Peace Craft
2011-07-15 23:29 . 2011-07-15 23:29 -------- d-----w- C:\_OTM
2011-07-13 02:42 . 2011-07-13 02:42 -------- d-----w- c:\program files\ESET
2011-07-10 20:19 . 2011-07-10 20:19 -------- d-----w- c:\documents and settings\Administrator
2011-07-10 18:51 . 2011-07-10 18:51 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2011-07-10 18:40 . 2011-07-10 18:48 -------- d-----w- c:\documents and settings\Laurie\Local Settings\Application Data\Identities
2011-07-10 18:36 . 2011-07-10 19:59 -------- d-----w- c:\documents and settings\All Users\Application Data\WSTB
2011-07-10 18:34 . 2011-07-10 18:34 106496 --sha-r- c:\windows\system32\proctexet.dll
2011-07-10 18:17 . 2011-07-10 18:17 -------- d-----w- c:\program files\Common Files\Sandlot Shared
2011-07-10 18:17 . 2011-07-10 18:18 -------- d-----w- c:\documents and settings\All Users\Application Data\Sandlot Games
2011-07-10 01:35 . 2011-07-10 01:35 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-07-09 21:55 . 2011-07-09 21:57 -------- d-----w- c:\documents and settings\Laurie\Application Data\PeaceCraft2
2011-07-09 20:19 . 2011-07-22 22:56 -------- d-----w- c:\documents and settings\Laurie\Local Settings\Application Data\QuickPar
2011-07-09 15:45 . 2011-07-09 15:45 -------- d-----w- c:\documents and settings\Laurie\Application Data\Meridian93
2011-07-09 04:59 . 2011-07-09 04:59 -------- d-----w- c:\windows\system32\XPSViewer
2011-07-09 04:58 . 2011-07-09 04:58 -------- d-----w- c:\program files\MSBuild
2011-07-09 04:58 . 2011-07-09 04:58 -------- d-----w- c:\program files\Reference Assemblies
2011-07-09 04:58 . 2008-07-06 12:06 89088 ----a-w- c:\windows\system32\Spool\prtprocs\w32x86\filterpipelineprintproc.dll
2011-07-09 04:58 . 2008-07-06 12:06 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2011-07-09 04:58 . 2008-07-06 12:06 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
2011-07-09 04:58 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2011-07-09 04:58 . 2008-07-06 12:06 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
2011-07-09 04:58 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2011-07-09 04:58 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2011-07-09 04:58 . 2008-07-06 10:50 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2011-07-09 04:58 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\Spool\prtprocs\w32x86\printfilterpipelinesvc.exe
2011-07-09 04:52 . 2011-07-09 04:52 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2011-07-08 11:56 . 2011-04-25 16:11 602112 -c----w- c:\windows\system32\dllcache\msfeeds.dll
2011-07-08 11:56 . 2011-04-25 16:11 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll
2011-07-08 11:56 . 2011-04-25 16:11 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll
2011-07-08 11:56 . 2011-04-25 16:11 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2011-07-08 11:56 . 2011-04-25 16:11 247808 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2011-07-08 11:55 . 2011-04-25 16:11 1991680 -c----w- c:\windows\system32\dllcache\iertutil.dll
2011-07-08 11:49 . 2011-07-08 11:49 -------- d-----w- c:\documents and settings\Laurie\Application Data\Malwarebytes
2011-07-08 11:49 . 2011-05-29 13:11 39984 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2011-07-08 11:49 . 2011-07-08 11:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2011-07-08 11:49 . 2011-07-08 11:49 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2011-07-08 11:49 . 2011-05-29 13:11 22712 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-07-08 11:38 . 2011-07-08 11:38 -------- d-----w- c:\program files\QuickPar
2011-07-08 11:18 . 2011-08-02 01:19 -------- d-----w- c:\documents and settings\Laurie\Local Settings\Application Data\Newsbin
2011-07-08 11:18 . 2011-07-08 11:19 -------- d-----w- c:\program files\Newsbin
2011-07-08 10:56 . 2010-07-15 12:44 86408 ----a-w- c:\windows\system32\setupempdrv03.exe
2011-07-08 10:56 . 2010-07-15 12:44 8456 ----a-w- c:\windows\system32\EuGdiDrv.sys
2011-07-08 10:56 . 2010-07-15 12:44 13192 ----a-w- c:\windows\system32\epmntdrv.sys
2011-07-08 10:56 . 2010-07-15 12:44 14848 ----a-w- c:\windows\system32\EuEpmGdi.dll
2011-07-08 10:55 . 2011-07-08 10:55 -------- d-----w- c:\program files\EASEUS
2011-07-08 10:49 . 2011-07-08 10:49 -------- d-----w- c:\documents and settings\Laurie\Local Settings\Application Data\Mozilla
2011-07-08 10:46 . 2011-07-08 10:48 -------- d-----w- c:\documents and settings\Laurie\Local Settings\Application Data\Google
2011-07-08 10:46 . 2011-07-08 10:46 -------- d-----w- c:\documents and settings\Laurie\Local Settings\Application Data\Deployment
2011-07-08 10:45 . 2011-07-08 10:45 -------- d-sh--w- c:\documents and settings\Laurie\IECompatCache
2011-07-08 10:44 . 2011-07-08 10:44 21361 ----a-w- c:\windows\system32\drivers\AegisP.sys
2011-07-08 10:43 . 2011-07-08 10:44 376832 ----a-w- c:\windows\system32\AegisI5Installer.exe
2011-07-08 10:43 . 2011-07-08 10:43 -------- d-----w- c:\windows\OPTIONS
2011-07-08 10:43 . 2010-03-31 18:58 342784 ----a-w- c:\windows\system32\drivers\rtl8187B.sys
2011-07-08 10:43 . 2008-06-27 13:39 332928 ----a-w- c:\windows\system32\drivers\rtl8187.sys
2011-07-08 10:43 . 2011-07-11 22:09 -------- d-----w- c:\windows\system32\RtlGina
2011-07-08 10:43 . 2010-12-01 13:31 451072 ----a-w- c:\windows\system32\ISSRemoveSP.exe
2011-07-06 07:28 . 2011-07-08 11:17 -------- d-----w- C:\mplayer
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-06-02 14:02 . 2009-08-17 17:51 1858944 ----a-w- c:\windows\system32\win32k.sys
2011-06-16 04:17 . 2011-07-10 22:29 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((( SnapShot@2011-07-25_01.26.54 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-08-17 19:19 . 2010-07-05 13:15 17272 c:\windows\system32\spmsg.dll
- 2009-08-17 19:19 . 2010-02-22 14:23 17272 c:\windows\system32\spmsg.dll
- 2009-08-17 17:51 . 2011-07-25 01:15 68062 c:\windows\system32\perfc009.dat
+ 2009-08-17 17:51 . 2011-08-01 22:06 68062 c:\windows\system32\perfc009.dat
+ 2009-08-17 17:51 . 2011-04-26 11:07 33280 c:\windows\system32\dllcache\csrsrv.dll
- 2009-08-17 17:51 . 2010-12-09 14:30 33280 c:\windows\system32\dllcache\csrsrv.dll
- 2009-08-17 17:51 . 2010-12-09 14:30 33280 c:\windows\system32\csrsrv.dll
+ 2009-08-17 17:51 . 2011-04-26 11:07 33280 c:\windows\system32\csrsrv.dll
+ 2011-07-27 22:11 . 2011-07-27 22:11 28160 c:\windows\Installer\372583.msi
- 2009-08-17 17:51 . 2010-06-18 17:45 293376 c:\windows\system32\winsrv.dll
+ 2009-08-17 17:51 . 2011-04-26 11:07 293376 c:\windows\system32\winsrv.dll
+ 2009-08-17 17:51 . 2011-08-01 22:06 433256 c:\windows\system32\perfh009.dat
- 2009-08-17 17:51 . 2011-07-25 01:15 433256 c:\windows\system32\perfh009.dat
- 2009-08-17 10:59 . 2011-07-09 20:12 248696 c:\windows\system32\FNTCACHE.DAT
+ 2009-08-17 10:59 . 2011-07-29 00:56 248696 c:\windows\system32\FNTCACHE.DAT
- 2009-08-17 17:51 . 2010-06-18 17:45 293376 c:\windows\system32\dllcache\winsrv.dll
+ 2009-08-17 17:51 . 2011-04-26 11:07 293376 c:\windows\system32\dllcache\winsrv.dll
+ 2009-08-17 17:51 . 2011-06-02 14:02 1858944 c:\windows\system32\dllcache\win32k.sys
+ 2011-07-27 22:21 . 2011-07-27 22:21 2295808 c:\windows\Installer\372873.msi
+ 2011-07-08 12:19 . 2011-07-29 00:49 49089992 c:\windows\system32\MRT.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2011-05-10 12:10 122512 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AsusACPIServer"="c:\program files\EeePC\ACPI\AsAcpiSvr.exe" [2009-07-10 700416]
"AsusEPCMonitor"="c:\program files\EeePC\ACPI\AsEPCMon.exe" [2009-05-08 98304]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2009-04-09 1512744]
"SynAsusAcpi"="c:\program files\Synaptics\SynTP\SynAsusAcpi.exe" [2009-04-09 79144]
"LiveUpdate"="c:\program files\Asus\LiveUpdate\LiveUpdate.exe" [2009-06-25 712704]
"EasyMode"="c:\program files\\ASUS\\Easy Mode\\Easy Mode.exe" [2009-03-18 1249280]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2011-05-10 3459712]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
REALTEK Wireless LAN Utility.lnk - c:\program files\Realtek\Wireless LAN Utility\RtWLan.exe [2011-7-8 1015808]
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2008-04-14 12:00 15360 ----a-w- c:\windows\system32\ctfmon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
2009-02-06 22:51 3885408 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Realtek\\Wireless LAN Utility\\RtWLan.exe"=
"c:\\Program Files\\Newsbin\\newsbinpro.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1542:TCP"= 1542:TCP:Realtek WPS TCP Prot
"1542:UDP"= 1542:UDP:Realtek WPS UDP Prot
"53:UDP"= 53:UDP:Realtek AP UDP Prot
.
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [7/24/2011 10:14 PM 441176]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [7/24/2011 10:14 PM 307928]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [7/24/2011 10:14 PM 19544]
R3 igd;igd;c:\windows\system32\drivers\igxpmp32.sys [8/17/2009 2:24 PM 5097632]
R3 L1c;NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller;c:\windows\system32\drivers\l1c51x86.sys [8/12/2009 5:35 AM 38912]
R3 RTLWUSB;Realtek RTL8187 Wireless 802.11b/g 54Mbps USB 2.0 Network Adapter;c:\windows\system32\drivers\rtl8187.sys [7/8/2011 6:43 AM 332928]
R3 uvclf;uvclf;c:\windows\system32\drivers\uvclf.sys [8/12/2009 5:35 AM 39040]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [8/17/2009 2:25 PM 1684736]
S3 epmntdrv;epmntdrv;c:\windows\system32\epmntdrv.sys [7/8/2011 6:56 AM 13192]
S3 EuGdiDrv;EuGdiDrv;c:\windows\system32\EuGdiDrv.sys [7/8/2011 6:56 AM 8456]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [7/8/2011 7:49 AM 39984]
.
Contents of the 'Scheduled Tasks' folder
.
2011-07-31 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-54177274-1042514724-1164472201-1005Core.job
- c:\documents and settings\Laurie\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-07-08 10:46]
.
2011-08-02 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-54177274-1042514724-1164472201-1005UA.job
- c:\documents and settings\Laurie\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-07-08 10:46]
.
.
------- Supplementary Scan -------
.
TCP: DhcpNameServer = 192.168.1.1 192.168.1.1
FF - ProfilePath - c:\documents and settings\Laurie\Application Data\Mozilla\Firefox\Profiles\sqwakfbo.default\
FF - prefs.js: network.proxy.http - 127.0.0.1
FF - prefs.js: network.proxy.http_port - 60061
FF - prefs.js: network.proxy.type - 0
FF - user.js: network.cookie.cookieBehavior - 0
FF - user.js: privacy.clearOnShutdown.cookies - false
FF - user.js: security.warn_viewing_mixed - false
FF - user.js: security.warn_viewing_mixed.show_once - false
FF - user.js: security.warn_submit_insecure - false
FF - user.js: security.warn_submit_insecure.show_once - false
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-08-01 21:39
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(3300)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2011-08-01 21:44:09
ComboFix-quarantined-files.txt 2011-08-02 01:44
ComboFix2.txt 2011-07-28 00:56
ComboFix3.txt 2011-07-25 01:40
ComboFix4.txt 2011-07-12 01:49
.
Pre-Run: 36,503,953,408 bytes free
Post-Run: 36,541,816,832 bytes free
.
- - End Of File - - 73531F46C2CD6FBFE25E883F07509FAF

 

[Bobbye]

Who is the Administrator in the system? Do you know if there are any policies set that would prevent logging in to this account?

 

[ldesim]

Well, nobody uses it but me.. and I do not know of any policies that would restrict. As I stated previously, the only way I seem to be able to log in as administrator is to run in safe mode.. If I log off normally from windows it only gives me the option to log back on as "laurie"... there is no log in as administrator option unless I am in safe mode. Not sure if that is normal or not...