Solved Infected XP PC

Will, I'd like to check this out: this is an unsigned driver.

Please run this Custom CFScript

  • [1]. Close any open browsers.
  • [2]. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
  • [3]. Open Notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it:
Code:
FileLook::
c:\windows\system32\drivers\tcpip.sys
CTHELPER.EXE
Save this as CFScript.txt, in the same location as ComboFix.exe
(picture: CFScriptB-4.gif)

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt . Please paste it into your next reply.
====================
Flash Disinfector did install the folder autorun on flash drive, but not the external hdd. (There is an autorun.inf file there already).
Make sure the external drive is connected and run the disinfector again, just to be sure.
======================
Okay, I need you to stop downloading/installing/renaming/moving location, etc. unless I direct you to do so. You appear to be comfortable on the system- that's a good thing, but everything you do can affect what I see or what I think you should do.

Regarding the Recovery Console: I'm not sure why you decided to 'see if it worked'. This would be when you boot from the CD- correct? So you would have had to change the BIOS to boot from the CD first instead of the hard drive? Let's get you back online, then run Combofix again and install the RC from there.
======================
Without checking into anything else, please just give me an update on what is or is not happening. I'll start you off:
1. Can't get online>>> what happens when you try? Message? What?
2. Malware>> are you experiencing problems that appear to be directly related to the malware itself?
3. To distinguish from #2:>> without trying to do any special feature or function, do you have issues that you "think" may be related to the system settings?
 
Okay Bobbye,

Firstly, I'm now back online. I use a mobile broadband dongle, and decided to run it from a different USB port. (It seemed to run more slowly from one of the USB ports on the loaned laptop I had). For whatever reason, this worked, and as soon as I got online, the dongle said it needed to update itself, which is now done. It is now back working the way it should.

Regarding the Recovery Console: I'm not sure why you decided to 'see if it worked'. This would be when you boot from the CD- correct?
No, as you had mentioned in an earlier post that we needed to get it onto the system, I installed it onto the system as per Microsoft's instructions on their website http://support.microsoft.com/kb/314058. When I went to check that it would boot into RC mode, it came up with the error of the missing/corrupt hal.dll file.

So you would have had to change the BIOS to boot from the CD first instead of the hard drive?
I tried this AFTER it wouldn't boot from the hard drive. (And it worked no problems).

1. Can't get online>>> what happens when you try? Message? What?
2. Malware>> are you experiencing problems that appear to be directly related to the malware itself?
3. To distinguish from #2:>> without trying to do any special feature or function, do you have issues that you "think" may be related to the system settings?

1. I'm back online now as per above. The dongle GUI would 'Connect' i.e. say it was connected online, then would just hang and come up with a message saying 'No Service'. The service bars (as on a mobile phone) would drop down to none, however, I was able to ping addresses from the Cmd prompt. Also, when the dongle connects, it automatically opens my browser (FF), which it would do, but could not load any pages.

2. These were the original problems, however, I have updated the system with MS updates and they no longer are a problem.
When clicking on My Computer, the system would hang.
When pressing Alt-Ctrl-Del, nothing would happen.
When clicking on Search from the Start menu, nothing would happen.
The System Volume Information folder would say it was empty on both the C: drive and my external Drive, and would say Access is Denied. This no longer happens on the C drive but DOES happen when I click on the External drive.

I would have to switch the power off & on again to reboot the machine.

3. It's a shot in the dark, but I'm wondering whether this topic would be helpful: https://www.techspot.com/vb/topic145884.html. My Device Manager shows a lot of grayed out USB ports.

Okay, I need you to stop downloading/installing/renaming/moving location, etc. unless I direct you to do so.
No probs Bobbye. As earlier, I have performed the MS updates, updated my AVs & installed a clean copy of FF 7.

Also, I have run Eset Online scanner which came up with:
J:\My Documents (Tosh)\My Downloads\Unlocker1.9.1.exe Win32/Adware.ADON application

I had downloaded Unlocker AFTER I had the problem as I wanted to use it to get into the System Vol folder.

I have run Flash Disinfector again and it has not placed the AutoRun folder onto the external (J: ) hard drive.

I will now go and run ComboFix as per your instructions.

Thanks for all your help to date Bobbye - it's very much appreciated....
Will
 
Bobbye,

I've run ComboFix and the USB dongle has stopped working again. It simply loads up when I click on the icon, and the GUI which shows the 'Connect' button & the bars for Signal strength are greyed out with it showing there is 'No Network' available. (Which there is as I'm using it on the laptop here now!).

When this happened, I again clicked on the My Computer icon, and when I clicked to open the C drive, the system hung again. Ctrl-Alt-Del would not work either & I had to switch power off at the socket in order to reboot.

When I ran ComboFix earlier, it asked to connect to download MS Recovery Console, which it did, before running the script. Log to follow.......
 
Part I of Log:
ComboFix 11-10-05.01 - Owner 06/10/2011 18:24:02.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.353.1033.18.3071.2580 [GMT 1:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\cfscript.txt
.
.
((((((((((((((((((((((((( Files Created from 2011-09-06 to 2011-10-06 )))))))))))))))))))))))))))))))
.
.
2011-09-28 08:37 . 2011-09-28 08:38 -------- d-----w- C:\$WIN_NT$.BT
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-09-09 09:11 . 2009-10-19 08:25 599552 ----a-w- c:\windows\system32\crypt32.dll
2011-07-15 13:29 . 2009-10-19 08:26 457856 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2011-09-29 07:09 . 2011-10-05 15:51 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
--- c:\windows\system32\drivers\tcpip.sys ---
Company: Microsoft Corporation
File Description: TCP/IP Protocol Driver
File Version: 5.1.2600.5649 (xpsp_sp3_qfe.080728-1259)
Product Name: Microsoft® Windows® Operating System
Copyright: © Microsoft Corporation. All rights reserved.
Original Filename: tcpip.sys
File size: 361600
Created time: 2009-10-19 08:35
Modified time: 2009-10-19 08:35
MD5: BA8C046D98345129723E6BCAA1E8AB99
SHA1: EA605CDC5567F00ED8EC0B1122BB956DFF0A3C2E
.
.
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[-] 2009-10-19 . BA8C046D98345129723E6BCAA1E8AB99 . 361600 . . [5.1.2600.5649] . . c:\windows\system32\drivers\tcpip.sys
[7] 2008-06-20 . AD978A1B783B5719720CFF204B666C8E . 361600 . . [5.1.2600.5625] . . c:\windows\SoftwareDistribution\Download\ff0686f2f699fa07ed5ad0848fa3055b\SP3QFE\tcpip.sys
[7] 2008-06-20 . AD978A1B783B5719720CFF204B666C8E . 361600 . . [5.1.2600.5625] . . c:\windows\system32\dllcache\tcpip.sys
[7] 2008-06-20 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . c:\windows\SoftwareDistribution\Download\ff0686f2f699fa07ed5ad0848fa3055b\SP3GDR\tcpip.sys
 
Cont'd....
((((((((((((((((((((((((((((( SnapShot@2011-09-24_07.45.24 )))))))))))))))))))))))))))))))))))))))))
.
Edit: Lengthy SnapShot entries deleted by Bobbye
 

-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2011-09-06 20:45 122512 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2011-10-05 4611456]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WinPatrol"="c:\program files\BillP Studios\WinPatrol\winpatrol.exe" [2011-05-15 325512]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2011-09-06 3722416]
"IObit Malware Fighter"="c:\program files\IObit\IObit Malware Fighter\IMF.exe" [2011-07-20 4393816]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"_nltide_3"="advpack.dll" [2009-10-19 128512]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
3Connect.lnk - c:\program files\3 Mobile Broadband\3Connect\Wilog.exe [2011-9-21 38640]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"MaxRecentDocs"= 18 (0x12)
"NoSMConfigurePrograms"= 1 (0x1)
"NoRecentDocsNetHood"= 1 (0x1)
"MemCheckBoxInRunDlg"= 1 (0x1)
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-24 304128]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2011-05-04 17:54 551296 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\IMFservice]
@="Service"
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5985:TCP"= 5985:TCP:*:Disabled:Windows Remote Management
.
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [21/09/2011 18:07 442200]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [21/09/2011 18:07 320856]
R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [22/07/2011 17:27 12880]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [12/07/2011 22:55 67664]
R2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE.EXE [19/07/2011 01:02 116608]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [21/09/2011 18:07 20568]
R2 IMFservice;IMF Service;c:\program files\IObit\IObit Malware Fighter\IMFsrv.exe [21/09/2011 18:18 820568]
R3 COMMONFX.SYS;COMMONFX.SYS;c:\windows\system32\drivers\COMMONFX.sys [18/03/2010 20:39 99416]
R3 CTAUDFX.SYS;CTAUDFX.SYS;c:\windows\system32\drivers\CTAUDFX.sys [18/03/2010 20:39 555096]
R3 CTSBLFX.SYS;CTSBLFX.SYS;c:\windows\system32\drivers\CTSBLFX.sys [18/03/2010 20:39 566360]
R3 RegFilter;RegFilter;c:\program files\IObit\IObit Malware Fighter\Drivers\wxp_x86\RegFilter.sys [21/09/2011 18:18 30368]
R3 UrlFilter;UrlFilter;c:\program files\IObit\IObit Malware Fighter\Drivers\wxp_x86\UrlFilter.sys [21/09/2011 18:18 16080]
S1 DumpDrv;Crash Dump Driver;c:\windows\system32\drivers\dumpdrv.sys [19/10/2009 09:29 9472]
S3 COMMONFX;COMMONFX;c:\windows\system32\drivers\COMMONFX.sys [18/03/2010 20:39 99416]
S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe [21/09/2011 18:04 79360]
S3 CTAUDFX;CTAUDFX;c:\windows\system32\drivers\CTAUDFX.sys [18/03/2010 20:39 555096]
S3 CTERFXFX.SYS;CTERFXFX.SYS;c:\windows\system32\drivers\CTERFXFX.sys [18/03/2010 20:39 100952]
S3 CTERFXFX;CTERFXFX;c:\windows\system32\drivers\CTERFXFX.sys [18/03/2010 20:39 100952]
S3 CTSBLFX;CTSBLFX;c:\windows\system32\drivers\CTSBLFX.sys [18/03/2010 20:39 566360]
S3 hwusbdev;Huawei DataCard USB PNP Device;c:\windows\system32\drivers\ewusbdev.sys [21/09/2011 12:59 100736]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [21/09/2011 18:28 22216]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [19/10/2009 09:27 14848]
S4 FileMonitor;FileMonitor;c:\program files\IObit\IObit Malware Fighter\Drivers\wxp_x86\FileMonitor.sys [21/09/2011 18:18 239600]
S4 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [21/09/2011 18:28 366152]
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - uphcleanhlp
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WINRM REG_MULTI_SZ WINRM
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.ie/
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\s5mm385t.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.ie/
FF - prefs.js: network.proxy.type - 0
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: nglayout.initialpaint.delay - 600
FF - user.js: content.notify.interval - 600000
FF - user.js: content.max.tokenizing.time - 1800000
FF - user.js: content.switch.threshold - 600000
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-Run-SunJavaUpdateSched - c:\program files\Java\jre7\bin\jusched.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-10-06 18:32
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(812)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
.
- - - - - - - > 'explorer.exe'(2140)
c:\windows\system32\WININET.dll
c:\windows\system32\msi.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2011-10-06 18:35:31
ComboFix-quarantined-files.txt 2011-10-06 17:35
ComboFix2.txt 2011-09-25 10:44
ComboFix3.txt 2011-09-24 07:48
.
Pre-Run: 147,196,661,760 bytes free
Post-Run: 147,240,591,360 bytes free
.
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - 22E0C79C80FD357B67E4600F9C089521
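As an added example that is not part of this thread or of ComboFix itself: a small Python parser for the Sigcheck section of a ComboFix log like the one above, which groups the listed copies of each driver and flags a live driver that ComboFix marked unsigned ([-]) and whose MD5 differs from the dllcache copy. It assumes that any marker other than [-] means the file was not flagged unsigned (an assumption; the log's legend only says unsigned files aren't necessarily malware), and uses the four tcpip.sys lines from the posted log as sample input.

```python
"""Parse the Sigcheck section of a ComboFix log and compare each live driver
with its protected dllcache copy.  Added example for this thread, not a
ComboFix feature.  The one fact taken from the log is that '[-]' marks an
unsigned file; treating every other marker as 'not flagged' is an assumption."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Sample input: the Sigcheck block for tcpip.sys as posted in the thread.
SIGCHECK_SAMPLE = r"""
------- Sigcheck -------
Note: Unsigned files aren't necessarily malware.
.
[-] 2009-10-19 . BA8C046D98345129723E6BCAA1E8AB99 . 361600 . . [5.1.2600.5649] . . c:\windows\system32\drivers\tcpip.sys
[7] 2008-06-20 . AD978A1B783B5719720CFF204B666C8E . 361600 . . [5.1.2600.5625] . . c:\windows\SoftwareDistribution\Download\ff0686f2f699fa07ed5ad0848fa3055b\SP3QFE\tcpip.sys
[7] 2008-06-20 . AD978A1B783B5719720CFF204B666C8E . 361600 . . [5.1.2600.5625] . . c:\windows\system32\dllcache\tcpip.sys
[7] 2008-06-20 . 9AEFA14BD6B182D61E3119FA5F436D3D . 361600 . . [5.1.2600.5625] . . c:\windows\SoftwareDistribution\Download\ff0686f2f699fa07ed5ad0848fa3055b\SP3GDR\tcpip.sys
"""

# One Sigcheck line: [flag] date . MD5 . size . . [version] . . path
LINE_RE = re.compile(
    r"^\[(?P<flag>[^\]]*)\]\s+(?P<date>\d{4}-\d{2}-\d{2})\s+\.\s+"
    r"(?P<md5>[0-9A-Fa-f]{32})\s+\.\s+(?P<size>\d+)\s+\.\s+\.\s+"
    r"\[(?P<ver>[^\]]*)\]\s+\.\s+\.\s+(?P<path>\S.*?)\s*$"
)


@dataclass
class SigEntry:
    unsigned: bool
    date: str
    md5: str
    size: int
    version: str
    path: str

    @property
    def name(self) -> str:
        return self.path.rsplit("\\", 1)[-1].lower()


@dataclass
class Finding:
    name: str
    live_path: str
    live_unsigned: bool
    live_version: str
    cache_version: Optional[str]          # None when no dllcache copy was listed
    hash_matches_cache: Optional[bool]    # None when no dllcache copy was listed


def parse_sigcheck(text: str) -> List[SigEntry]:
    """Return the file entries in a Sigcheck block; header, legend and '.' spacer
    lines do not match the pattern and are skipped."""
    entries: List[SigEntry] = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        entries.append(SigEntry(
            unsigned=(m["flag"].strip() == "-"),
            date=m["date"], md5=m["md5"].upper(), size=int(m["size"]),
            version=m["ver"], path=m["path"],
        ))
    return entries


def compare_with_dllcache(entries: List[SigEntry]) -> List[Finding]:
    """For each file name, compare every live copy (not dllcache, not the Windows
    Update download cache under SoftwareDistribution) with the dllcache copy."""
    by_name: Dict[str, List[SigEntry]] = {}
    for e in entries:
        by_name.setdefault(e.name, []).append(e)
    findings: List[Finding] = []
    for name, group in by_name.items():
        cache = next((e for e in group if "\\dllcache\\" in e.path.lower()), None)
        live = [e for e in group
                if e is not cache and "\\softwaredistribution\\" not in e.path.lower()]
        for e in live:
            findings.append(Finding(
                name=name, live_path=e.path, live_unsigned=e.unsigned,
                live_version=e.version,
                cache_version=cache.version if cache else None,
                hash_matches_cache=(e.md5 == cache.md5) if cache else None,
            ))
    return findings


def suspicious(f: Finding) -> bool:
    """Unsigned live copy whose hash differs from dllcache: not proof of malware
    (the log says so itself), but the case that deserves a manual FileLook."""
    return f.live_unsigned and f.hash_matches_cache is False


def report(text: str) -> List[str]:
    """Human-readable one-liner per live driver copy found in the block."""
    lines = []
    for f in compare_with_dllcache(parse_sigcheck(text)):
        status = "UNSIGNED" if f.live_unsigned else "not flagged"
        match = {True: "matches", False: "differs from", None: "has no"}[f.hash_matches_cache]
        cache = f" ({f.cache_version})" if f.cache_version else ""
        flag = " -> review manually" if suspicious(f) else ""
        lines.append(f"{f.name}: {status}, {f.live_version}; hash {match} dllcache copy{cache}{flag}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SIGCHECK_SAMPLE)))
```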
 
Bobbye

Firstly, I found out that the possible reason for the return to the original issues could be that my wife restored the old Firefox settings from MozBackup (located on my external drive) without my knowledge. Divorce has been threatened should she go near the PC again! :)

When I tried the PC this morning, the broadband connection works fine again. I'm very confused as to what is happening! What is also interesting is that when I had installed Firefox 7, I chose it as the default browser. This means that when the broadband connection goes online, it automatically opens the default browser (FF). This is not happening, the BB connection opens IE, yet within the settings of IE, it states it is not the default browser! I haven't uninstalled FF as of yet until I hear your recommendations....

However, I have had to update the drivers for my nvidia graphics card due to a constant screen blinking issue which would then freeze the screen completely.
 
Will, you're welcome for the help and I appreciate your patience. I almost missed this:

Please download OTMoveIt by Old Timer and save to your desktop.
  • Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
    Code:
    :Files  
    J:\My Documents (Tosh)\My Downloads\Unlocker1.9.1.exe
    
    :Commands
    [purity]
    [emptytemp]
    [start explorer]
    [Reboot]
  • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
  • Click the red Moveit! button.
  • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt3
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Unlocker came with adware.
============================
Will, about the default browser: first, I'm not using v7 of Firefox yet, but previously I have found that not only does Firefox have to be set as the default, but Internet Explorer has to be unchecked.

Use Tools in IE or the Control Panel to access Internet Options> Programs tab> at the bottom, Uncheck 'Internet Explorer should check to see if it's the default'> Apply> OK.

I found IE very pushy and regardless whether FF was set to be the default, if IE wasn't unchecked, it would put itself as the default.

Reboot and try launching a bookmark to see if Firefox opens it.
========================================
Poor spouse! Surely you've had a talk with her by now and made it clear that settings shouldn't be changed while we're working! Mystery solved! No harm done, but don't let that out!

Sorry you got that lengthy 'Sigcheck' in Combofix. I'm going to remove it so the thread won't be so long.

Combofix looks good. Is there anything else we need to work on?
 
OTM Log:
All processes killed
========== FILES ==========
J:\My Documents (Tosh)\My Downloads\Unlocker1.9.1.exe moved successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Custom Settings

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Flash cache emptied: 56468 bytes

User: LocalService
->Temp folder emptied: 65748 bytes
->Temporary Internet Files folder emptied: 32902 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: Owner
->Temp folder emptied: 318464 bytes
->Temporary Internet Files folder emptied: 23874769 bytes
->FireFox cache emptied: 46781242 bytes
->Flash cache emptied: 57392 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 2577 bytes
%systemroot%\System32\dllcache .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 4608 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 68.00 mb


OTM by OldTimer - Version 3.1.18.0 log created on 10072011_104017

Files moved on Reboot...
C:\WINDOWS\temp\_avast_\Webshlock.txt moved successfully.

Registry entries deleted on Reboot...

not only does Firefox have to be set as the default, but Internet Explorer has to be unchecked.
Yep. I had done this Bobbye, but it still wouldn't open FireFox. When I say it wouldn't open, I mean the Mobile Broadband automatically opens the default browser when it 'connects' online. It's opening IE instead of FF. Even though I had done all of the above.

Reboot and try launching a bookmark to see if Firefox opens it.

I suppose I'm worried as before MozBackup was run, Firefox would open as the default. Also, before the re-install of XP, the firefox.dll was removed as it was infected. This leads me to think maybe the backups are infected too? I'm thinking would I be safer in removing the Firefox entries for MozBackup, and re-installing Firefox again? Before I take this route, I'd just like your opinion on it!

Sorry you got that lengthy 'Sigcheck' in Combofix. I'm going to remove it so the thread won't be so long.
No worries! I was thinking it was a bit long...!

Combofix looks good. Is there anything else we need to work on?

Apart from the FF piece, just my external drive. The Sys Vol Info folder won't let me open it, and still says it's empty when I hover the mouse key over it. I have tried changing the Properties by unchecking the Read-Only box, but they automatically revert back to Read-Only. It always says 'Access is Denied'. Will turning off the System Restore for that particular drive help?

Finally, I haven't reinstalled a firewall since we started (using Windows FW for the moment). Is it ok now to install Comodo FW, and other apps (iTunes, OpenOffice etc.)?

Cheers
Will
 
Will, don't put the apps and new firewall back. Have you checked all of the settings in Firefox? Either the backups could be corrupt, previous settings could have been corrupted, or the external hard drive she used could itself have infected the system- possibly again.

I'm not familiar if the mobile FF requires something different so you'll need to check that out.

A lot of different issues have come up> malware, settings, connection startup mode! USB ports were not visible in device manager> see if there are any alert icons (alert-icon.gif) by the USB entries.

About this: "wife restored the old Firefox settings from MozBackup (located on my external drive) without my knowledge"
Consider the possibility that the drive itself was infected and when she used it to access backup FF settings, it may have restored the malware.
=========================================
 
Will, please go ahead with the following:

  • Download the file TDSSKiller.zip and save to the desktop.
    (If you are unable to download the file for some reason, then TDSS may be blocking it. You would then need to download it first to a clean computer and then transfer it to the infected one using an external drive or USB flash drive.)
  • Right-click the tdsskiller.zip file> Select Extract All into a folder on the infected (or potentially infected) PC.
  • Double click on TDSSKiller.exe. to run the scan
  • When the scan is over, the utility outputs a list of detected objects with description.
    The utility automatically selects an action (Cure or Delete) for malicious objects.
    The utility prompts the user to select an action to apply to suspicious objects (Skip, by default).
  • Select the action Quarantine to quarantine detected objects.
    The default quarantine folder is in the system disk root folder, e.g.: C:\TDSSKiller_Quarantine\23.07.2010_15.31.43
  • After clicking Next, the utility applies selected actions and outputs the result.
  • A reboot is required after disinfection.
==========================================
Follow with download Of maxhandle.exe by noahdfear to your desktop.
  • Double click maxhandle.exe and run the application
  • An active internet connection is required so that maxhandle.exe may download a tool from SysInternals
  • If Max++ is present the log will open automatically.
  • If Max++ is not found Nothing found! is echoed to the screen - no log is produced.
  • Log is saved to c:\maxhandle.txt
==================================
Please post both logs in next reply.

Note: no new installs or uninstalls, don't change settings, no flash drive or external HD connect unless it has been disinfected first!
 
Hi Bobbye,

Just to go through these systematically:

1. USB entries are all ok. Also, they've always been visible in Device Manager.

2. Apologies! I may have confused you over the FF & Mobile Broadband. It's the 'normal' FireFox program, not a mobile version. It's the broadband I use which is the mobile USB dongle type!

3. I agree with you about the possibility of the external drive infecting the system again, however, it was only when my wife restored the Firefox settings which caused issues again. I haven't used Firefox since. The external drive has been connected to the main PC previously (powered on) with no problems at all.

4. I'm pretty sure the external drive is still infected though as I can't access the System Volume Information folder (see earlier comments). Will turning off the System Restore, rebooting, and turning it back on help??

5. Maxhandle did not produce a log, simply said 'Nothing found!'.

6. TDSSKiller Log:

16:18:12.0640 3504 TDSS rootkit removing tool 2.6.8.0 Oct 12 2011 07:30:54
16:18:14.0640 3504 ============================================================
16:18:14.0640 3504 Current date / time: 2011/10/12 16:18:14.0640
16:18:14.0640 3504 SystemInfo:
16:18:14.0640 3504
16:18:14.0640 3504 OS Version: 5.1.2600 ServicePack: 3.0
16:18:14.0640 3504 Product type: Workstation
16:18:14.0640 3504 ComputerName: WILL
16:18:14.0640 3504 UserName: Owner
16:18:14.0640 3504 Windows directory: C:\WINDOWS
16:18:14.0640 3504 System windows directory: C:\WINDOWS
16:18:14.0640 3504 Processor architecture: Intel x86
16:18:14.0640 3504 Number of processors: 1
16:18:14.0640 3504 Page size: 0x1000
16:18:14.0640 3504 Boot type: Normal boot
16:18:14.0640 3504 ============================================================
16:18:16.0203 3504 Initialize success
16:19:01.0281 2132 ============================================================
16:19:01.0281 2132 Scan started
16:19:01.0281 2132 Mode: Manual;
16:19:01.0281 2132 ============================================================
16:20:23.0687 2132 Flpydisk - ok
16:20:24.0890 2132 FltMgr (b2cf4b0786f8212cb92ed2b50c6db6b0) C:\WINDOWS\system32\DRIVERS\fltMgr.sys
16:20:24.0906 2132 FltMgr - ok
16:20:26.0078 2132 Fs_Rec (30d42943a54704ef13e2562911dbfcea) C:\WINDOWS\system32\drivers\Fs_Rec.sys
16:20:26.0078 2132 Fs_Rec - ok
16:20:27.0265 2132 Ftdisk (6ac26732762483366c3969c9e4d2259d) C:\WINDOWS\system32\DRIVERS\ftdisk.sys
16:20:27.0265 2132 Ftdisk - ok
16:20:28.0437 2132 Gpc (0a02c63c8b144bd8c86b103dee7c86a2) C:\WINDOWS\system32\DRIVERS\msgpc.sys
16:20:28.0437 2132 Gpc - ok
16:20:29.0734 2132 ha10kx2k (70606233f3ed0e53cb3ea17f846d6a4f) C:\WINDOWS\system32\drivers\ha10kx2k.sys
16:20:29.0750 2132 ha10kx2k - ok
16:20:30.0953 2132 hap16v2k (a0c69ad2a61e576b0207acdd9626e167) C:\WINDOWS\system32\drivers\hap16v2k.sys
16:20:30.0953 2132 hap16v2k - ok
16:20:32.0171 2132 hap17v2k (2ee89452c574d259ada4fc9fc1c07243) C:\WINDOWS\system32\drivers\hap17v2k.sys
16:20:32.0171 2132 hap17v2k - ok
16:20:33.0343 2132 hpn - ok
16:20:34.0609 2132 HTTP (f80a415ef82cd06ffaf0d971528ead38) C:\WINDOWS\system32\Drivers\HTTP.sys
16:20:34.0625 2132 HTTP - ok
16:20:35.0812 2132 hwdatacard (20330198554b7ddb44403af21d6ae179) C:\WINDOWS\system32\DRIVERS\ewusbmdm.sys
16:20:35.0812 2132 hwdatacard - ok
16:20:37.0031 2132 hwusbdev (60726cb5f063fb25f8b6b71df34fa1d8) C:\WINDOWS\system32\DRIVERS\ewusbdev.sys
16:20:37.0031 2132 hwusbdev - ok
16:20:38.0203 2132 i2omgmt - ok
16:20:39.0390 2132 i2omp - ok
16:20:40.0609 2132 i8042prt (4a0b06aa8943c1e332520f7440c0aa30) C:\WINDOWS\system32\DRIVERS\i8042prt.sys
16:20:40.0609 2132 i8042prt - ok
16:20:41.0781 2132 Imapi (083a052659f5310dd8b6a6cb05edcf8e) C:\WINDOWS\system32\DRIVERS\imapi.sys
16:20:41.0796 2132 Imapi - ok
16:20:42.0937 2132 ini910u - ok
16:20:44.0218 2132 IntelC51 (7509c548400f4c9e0211e3f6e66abbe6) C:\WINDOWS\system32\DRIVERS\IntelC51.sys
16:20:44.0250 2132 IntelC51 - ok
16:20:45.0421 2132 IntelC52 (9584ffdd41d37f2c239681d0dac2513e) C:\WINDOWS\system32\DRIVERS\IntelC52.sys
16:20:45.0437 2132 IntelC52 - ok
16:20:46.0656 2132 IntelC53 (de2686c0e012e6ae24acd6e79eb7ff5d) C:\WINDOWS\system32\DRIVERS\IntelC53.sys
16:20:46.0656 2132 IntelC53 - ok
16:20:47.0812 2132 IntelIde - ok
16:20:49.0093 2132 intelppm (8c953733d8f36eb2133f5bb58808b66b) C:\WINDOWS\system32\DRIVERS\intelppm.sys
16:20:49.0093 2132 intelppm - ok
16:20:50.0265 2132 Ip6Fw (3bb22519a194418d5fec05d800a19ad0) C:\WINDOWS\system32\DRIVERS\Ip6Fw.sys
16:20:50.0265 2132 Ip6Fw - ok
16:20:51.0453 2132 IpFilterDriver (731f22ba402ee4b62748adaf6363c182) C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
16:20:51.0468 2132 IpFilterDriver - ok
16:20:52.0609 2132 IpInIp (b87ab476dcf76e72010632b5550955f5) C:\WINDOWS\system32\DRIVERS\ipinip.sys
16:20:52.0625 2132 IpInIp - ok
16:20:53.0828 2132 IpNat (cc748ea12c6effde940ee98098bf96bb) C:\WINDOWS\system32\DRIVERS\ipnat.sys
16:20:53.0843 2132 IpNat - ok
16:20:55.0015 2132 IPSec (23c74d75e36e7158768dd63d92789a91) C:\WINDOWS\system32\DRIVERS\ipsec.sys
16:20:55.0015 2132 IPSec - ok
16:20:56.0187 2132 IRENUM (c93c9ff7b04d772627a3646d89f7bf89) C:\WINDOWS\system32\DRIVERS\irenum.sys
16:20:56.0203 2132 IRENUM - ok
16:20:57.0390 2132 isapnp (05a299ec56e52649b1cf2fc52d20f2d7) C:\WINDOWS\system32\DRIVERS\isapnp.sys
16:20:57.0390 2132 isapnp - ok
16:20:58.0593 2132 Kbdclass (463c1ec80cd17420a542b7f36a36f128) C:\WINDOWS\system32\DRIVERS\kbdclass.sys
16:20:58.0593 2132 Kbdclass - ok
16:20:59.0796 2132 kmixer (692bcf44383d056aed41b045a323d378) C:\WINDOWS\system32\drivers\kmixer.sys
16:20:59.0812 2132 kmixer - ok
16:21:00.0984 2132 KSecDD (c6ebf1d6ad71df30db49b8d3287e1368) C:\WINDOWS\system32\drivers\KSecDD.sys
16:21:00.0984 2132 KSecDD - ok
16:21:02.0171 2132 lbrtfdc - ok
16:21:03.0328 2132 MBAMProtector (69a6268d7f81e53d568ab4e7e991caf3) C:\WINDOWS\system32\drivers\mbam.sys
16:21:03.0343 2132 MBAMProtector - ok
16:21:04.0578 2132 mcdbus (8fd868e32459ece2a1bb0169f513d31e) C:\WINDOWS\system32\DRIVERS\mcdbus.sys
16:21:04.0593 2132 mcdbus - ok
16:21:05.0765 2132 mdvrmng (4e10e84320a8ec1c12bd0d00973b22ab) C:\WINDOWS\system32\drivers\mdvrmng.sys
16:21:05.0781 2132 mdvrmng - ok
16:21:06.0968 2132 Modem (dfcbad3cec1c5f964962ae10e0bcc8e1) C:\WINDOWS\system32\drivers\Modem.sys
16:21:06.0968 2132 Modem - ok
16:21:08.0140 2132 mohfilt (59b8b11ff70728eec60e72131c58b716) C:\WINDOWS\system32\DRIVERS\mohfilt.sys
16:21:08.0140 2132 mohfilt - ok
16:21:09.0390 2132 Mouclass (35c9e97194c8cfb8430125f8dbc34d04) C:\WINDOWS\system32\DRIVERS\mouclass.sys
16:21:09.0390 2132 Mouclass - ok
16:21:10.0640 2132 MountMgr (1a1faa5102466f418494e94ff9b0b091) C:\WINDOWS\system32\drivers\MountMgr.sys
16:21:10.0640 2132 MountMgr - ok
16:21:11.0906 2132 mraid35x - ok
16:21:13.0078 2132 MRxDAV (6a7c4ac5b52155115dee97995c1cf157) C:\WINDOWS\system32\DRIVERS\mrxdav.sys
16:21:13.0093 2132 MRxDAV - ok
16:21:14.0343 2132 MRxSmb (fb2fccc70f7174c7bf64f48e96d3adf4) C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
16:21:14.0359 2132 MRxSmb - ok
16:21:15.0609 2132 Msfs (c941ea2454ba8350021d774daf0f1027) C:\WINDOWS\system32\drivers\Msfs.sys
16:21:15.0625 2132 Msfs - ok
16:21:16.0828 2132 MSKSSRV (d1575e71568f4d9e14ca56b7b0453bf1) C:\WINDOWS\system32\drivers\MSKSSRV.sys
16:21:16.0828 2132 MSKSSRV - ok
16:21:17.0984 2132 MSPCLOCK (325bb26842fc7ccc1fcce2c457317f3e) C:\WINDOWS\system32\drivers\MSPCLOCK.sys
16:21:17.0984 2132 MSPCLOCK - ok
16:21:19.0203 2132 MSPQM (bad59648ba099da4a17680b39730cb3d) C:\WINDOWS\system32\drivers\MSPQM.sys
16:21:19.0203 2132 MSPQM - ok
16:21:20.0406 2132 mssmbios (af5f4f3f14a8ea2c26de30f7a1e17136) C:\WINDOWS\system32\DRIVERS\mssmbios.sys
16:21:20.0406 2132 mssmbios - ok
16:21:21.0609 2132 Mup (f7b1ad991491f02af6da70b00b8bf114) C:\WINDOWS\system32\drivers\Mup.sys
16:21:21.0609 2132 Mup - ok
16:21:22.0796 2132 NDIS (b5b1080d35974c0e718d64280761bcd5) C:\WINDOWS\system32\drivers\NDIS.sys
16:21:22.0812 2132 NDIS - ok
16:21:24.0000 2132 NdisTapi (0109c4f3850dfbab279542515386ae22) C:\WINDOWS\system32\DRIVERS\ndistapi.sys
16:21:24.0015 2132 NdisTapi - ok
16:21:25.0171 2132 Ndisuio (f927a4434c5028758a842943ef1a3849) C:\WINDOWS\system32\DRIVERS\ndisuio.sys
16:21:25.0187 2132 Ndisuio - ok
16:21:26.0343 2132 NdisWan (b053a8411045fd0664b389a090cb2bbc) C:\WINDOWS\system32\DRIVERS\ndiswan.sys
16:21:26.0343 2132 NdisWan - ok
16:21:27.0500 2132 NDProxy (9282bd12dfb069d3889eb3fcc1000a9b) C:\WINDOWS\system32\drivers\NDProxy.sys
16:21:27.0515 2132 NDProxy - ok
16:21:28.0718 2132 NetBIOS (5d81cf9a2f1a3a756b66cf684911cdf0) C:\WINDOWS\system32\DRIVERS\netbios.sys
16:21:28.0718 2132 NetBIOS - ok
16:21:29.0921 2132 NetBT (74b2b2f5bea5e9a3dc021d685551bd3d) C:\WINDOWS\system32\DRIVERS\netbt.sys
16:21:29.0937 2132 NetBT - ok
16:21:31.0140 2132 NIC1394 (e9e47cfb2d461fa0fc75b7a74c6383ea) C:\WINDOWS\system32\DRIVERS\nic1394.sys
16:21:31.0140 2132 NIC1394 - ok
16:21:32.0328 2132 Npfs (3182d64ae053d6fb034f44b6def8034a) C:\WINDOWS\system32\drivers\Npfs.sys
16:21:32.0343 2132 Npfs - ok
16:21:33.0515 2132 Ntfs (ae8cad8f28db13b515a68510a539b0b8) C:\WINDOWS\system32\drivers\Ntfs.sys
16:21:33.0531 2132 Ntfs - ok
16:21:34.0812 2132 Null (73c1e1f395918bc2c6dd67af7591a3ad) C:\WINDOWS\system32\drivers\Null.sys
16:21:34.0812 2132 Null - ok
16:21:36.0265 2132 nv (8e72e452b9cc1e455d19e3c9fa964d37) C:\WINDOWS\system32\DRIVERS\nv4_mini.sys
16:21:36.0500 2132 nv - ok
16:21:37.0671 2132 NwlnkFlt (b305f3fad35083837ef46a0bbce2fc57) C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
16:21:37.0687 2132 NwlnkFlt - ok
16:21:38.0875 2132 NwlnkFwd (c99b3415198d1aab7227f2c88fd664b9) C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
16:21:38.0875 2132 NwlnkFwd - ok
16:21:40.0109 2132 ohci1394 (2553f7c60b8d291b5a812245e6d4da6e) C:\WINDOWS\system32\DRIVERS\ohci1394.sys
16:21:40.0109 2132 ohci1394 - ok
16:21:41.0312 2132 ossrv (ae896073e1bbf98fefc2ec52f62c0fba) C:\WINDOWS\system32\drivers\ctoss2k.sys
16:21:41.0312 2132 ossrv - ok
16:21:42.0531 2132 Parport (5575faf8f97ce5e713d108c2a58d7c7c) C:\WINDOWS\system32\DRIVERS\parport.sys
16:21:42.0531 2132 Parport - ok
16:21:43.0687 2132 PartMgr (beb3ba25197665d82ec7065b724171c6) C:\WINDOWS\system32\drivers\PartMgr.sys
16:21:43.0703 2132 PartMgr - ok
16:21:44.0937 2132 ParVdm (70e98b3fd8e963a6a46a2e6247e0bea1) C:\WINDOWS\system32\drivers\ParVdm.sys
16:21:44.0937 2132 ParVdm - ok
16:21:45.0015 2132 pbfilter (61a5701e3f543861b21bbe0932c4cc03) C:\Program Files\PeerBlock\pbfilter.sys
16:21:45.0015 2132 pbfilter - ok
16:21:46.0218 2132 PCI (a219903ccf74233761d92bef471a07b1) C:\WINDOWS\system32\DRIVERS\pci.sys
16:21:46.0234 2132 PCI - ok
16:21:47.0375 2132 PCIDump - ok
16:21:48.0578 2132 PCIIde (ccf5f451bb1a5a2a522a76e670000ff0) C:\WINDOWS\system32\DRIVERS\pciide.sys
16:21:48.0578 2132 PCIIde - ok
16:21:49.0812 2132 Pcmcia (9e89ef60e9ee05e3f2eef2da7397f1c1) C:\WINDOWS\system32\drivers\Pcmcia.sys
16:21:49.0812 2132 Pcmcia - ok
16:21:50.0968 2132 PDCOMP - ok
16:21:52.0140 2132 PDFRAME - ok
16:21:53.0312 2132 PDRELI - ok
16:21:54.0562 2132 PDRFRAME - ok
16:21:55.0718 2132 perc2 - ok
16:21:56.0875 2132 perc2hib - ok
16:21:58.0093 2132 PptpMiniport (efeec01b1d3cf84f16ddd24d9d9d8f99) C:\WINDOWS\system32\DRIVERS\raspptp.sys
16:21:58.0093 2132 PptpMiniport - ok
16:21:59.0390 2132 PSched (d8e11d311785f89f1d70a28b0e879127) C:\WINDOWS\system32\DRIVERS\psched.sys
16:21:59.0390 2132 PSched - ok
16:22:00.0609 2132 Ptilink (80d317bd1c3dbc5d4fe7b1678c60cadd) C:\WINDOWS\system32\DRIVERS\ptilink.sys
16:22:00.0609 2132 Ptilink - ok
16:22:01.0765 2132 ql1080 - ok
16:22:02.0937 2132 Ql10wnt - ok
16:22:04.0093 2132 ql12160 - ok
16:22:05.0265 2132 ql1240 - ok
16:22:06.0453 2132 ql1280 - ok
16:22:07.0796 2132 RasAcd (fe0d99d6f31e4fad8159f690d68ded9c) C:\WINDOWS\system32\DRIVERS\rasacd.sys
16:22:07.0796 2132 RasAcd - ok
16:22:08.0984 2132 Rasl2tp (11b4a627bc9614b885c4969bfa5ff8a6) C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
16:22:09.0000 2132 Rasl2tp - ok
16:22:10.0250 2132 RasPppoe (2c9d4620a0fd35de1828370b392f6e2d) C:\WINDOWS\system32\DRIVERS\raspppoe.sys
16:22:10.0265 2132 RasPppoe - ok
16:22:11.0421 2132 Raspti (fdbb1d60066fcfbb7452fd8f9829b242) C:\WINDOWS\system32\DRIVERS\raspti.sys
16:22:11.0421 2132 Raspti - ok
16:22:12.0625 2132 Rdbss (77050c6615f6eb5402f832b27fd695e0) C:\WINDOWS\system32\DRIVERS\rdbss.sys
16:22:12.0625 2132 Rdbss - ok
16:22:13.0812 2132 RDPCDD (4912d5b403614ce99c28420f75353332) C:\WINDOWS\system32\DRIVERS\RDPCDD.sys
16:22:13.0812 2132 RDPCDD - ok
16:22:15.0062 2132 rdpdr (47ea20320e3d6fdc7b7bb22b2b881ca6) C:\WINDOWS\system32\DRIVERS\rdpdr.sys
16:22:15.0078 2132 rdpdr - ok
16:22:16.0281 2132 RDPWD (3348e61a78ba4f79c795aad6565d3b6f) C:\WINDOWS\system32\drivers\RDPWD.sys
16:22:16.0296 2132 RDPWD - ok
16:22:17.0515 2132 redbook (f828dd7e1419b6653894a8f97a0094c5) C:\WINDOWS\system32\DRIVERS\redbook.sys
16:22:17.0515 2132 redbook - ok
16:22:17.0625 2132 RegFilter (3bc05ec17f0a2bf4f141cb3d3390515e) C:\Program Files\IObit\IObit Malware Fighter\drivers\wxp_x86\regfilter.sys
16:22:17.0625 2132 RegFilter - ok
16:22:18.0796 2132 rspndr (743d7d59767073a617b1dcc6c546f234) C:\WINDOWS\system32\DRIVERS\rspndr.sys
16:22:18.0796 2132 rspndr - ok
16:22:18.0890 2132 SASDIFSV (39763504067962108505bff25f024345) C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
16:22:18.0890 2132 SASDIFSV - ok
16:22:18.0906 2132 SASKUTIL (77b9fc20084b48408ad3e87570eb4a85) C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS
16:22:18.0921 2132 SASKUTIL - ok
16:22:20.0171 2132 Secdrv (90a3935d05b494a5a39d37e71f09a677) C:\WINDOWS\system32\DRIVERS\secdrv.sys
16:22:20.0171 2132 Secdrv - ok
16:22:21.0531 2132 serenum (0f29512ccd6bead730039fb4bd2c85ce) C:\WINDOWS\system32\DRIVERS\serenum.sys
16:22:21.0546 2132 serenum - ok
16:22:22.0703 2132 Serial (cca207a8896d4c6a0c9ce29a4ae411a7) C:\WINDOWS\system32\DRIVERS\serial.sys
16:22:22.0703 2132 Serial - ok
16:22:23.0921 2132 Sfloppy (8e6b8c671615d126fdc553d1e2de5562) C:\WINDOWS\system32\drivers\Sfloppy.sys
16:22:23.0921 2132 Sfloppy - ok
16:22:25.0140 2132 Simbad - ok
16:22:26.0343 2132 Sparrow - ok
16:22:27.0546 2132 splitter (ab8b92451ecb048a4d1de7c3ffcb4a9f) C:\WINDOWS\system32\drivers\splitter.sys
16:22:27.0562 2132 splitter - ok
16:22:28.0718 2132 SR (76bb022c2fb6902fd5bdd4f78fc13a5d) C:\WINDOWS\system32\DRIVERS\sr.sys
16:22:28.0718 2132 SR - ok
16:22:29.0968 2132 Srv (9b390283569ea58d43d2586032b892f5) C:\WINDOWS\system32\DRIVERS\srv.sys
16:22:29.0984 2132 Srv - ok
16:22:31.0187 2132 swenum (3941d127aef12e93addf6fe6ee027e0f) C:\WINDOWS\system32\DRIVERS\swenum.sys
16:22:31.0187 2132 swenum - ok
16:22:32.0390 2132 swmidi (8ce882bcc6cf8a62f2b2323d95cb3d01) C:\WINDOWS\system32\drivers\swmidi.sys
16:22:32.0390 2132 swmidi - ok
16:22:33.0578 2132 symc810 - ok
16:22:34.0796 2132 symc8xx - ok
16:22:35.0937 2132 sym_hi - ok
16:22:37.0093 2132 sym_u3 - ok
16:22:38.0312 2132 sysaudio (8b83f3ed0f1688b4958f77cd6d2bf290) C:\WINDOWS\system32\drivers\sysaudio.sys
16:22:38.0312 2132 sysaudio - ok
16:22:39.0562 2132 Tcpip (ba8c046d98345129723e6bcaa1e8ab99) C:\WINDOWS\system32\DRIVERS\tcpip.sys
16:22:39.0578 2132 Tcpip - ok
16:22:40.0750 2132 TDPIPE (6471a66807f5e104e4885f5b67349397) C:\WINDOWS\system32\drivers\TDPIPE.sys
16:22:40.0750 2132 TDPIPE - ok
16:22:41.0937 2132 TDTCP (c0578456f29e5f26285f81b7b71fe57d) C:\WINDOWS\system32\drivers\TDTCP.sys
16:22:41.0937 2132 TDTCP - ok
16:22:43.0140 2132 TermDD (88155247177638048422893737429d9e) C:\WINDOWS\system32\DRIVERS\termdd.sys
16:22:43.0140 2132 TermDD - ok
16:22:44.0312 2132 TosIde - ok
16:22:45.0593 2132 Udfs (5787b80c2e3c5e2f56c2a233d91fa2c9) C:\WINDOWS\system32\drivers\Udfs.sys
16:22:45.0593 2132 Udfs - ok
16:22:46.0765 2132 ultra - ok
16:22:47.0968 2132 Update (402ddc88356b1bac0ee3dd1580c76a31) C:\WINDOWS\system32\DRIVERS\update.sys
16:22:47.0984 2132 Update - ok
16:22:48.0109 2132 UrlFilter (6a65cd6761337d339001959232233f0d) C:\Program Files\IObit\IObit Malware Fighter\drivers\wxp_x86\UrlFilter.sys
16:22:48.0109 2132 UrlFilter - ok
16:22:49.0312 2132 usbccgp (c18d6c74953621346df6b0a11f80c1cc) C:\WINDOWS\system32\DRIVERS\usbccgp.sys
16:22:49.0312 2132 usbccgp - ok
16:22:50.0500 2132 usbehci (52674b5dbee499342a599c7771abecaa) C:\WINDOWS\system32\DRIVERS\usbehci.sys
16:22:50.0500 2132 usbehci - ok
16:22:51.0671 2132 usbhub (1ab3cdde553b6e064d2e754efe20285c) C:\WINDOWS\system32\DRIVERS\usbhub.sys
16:22:51.0671 2132 usbhub - ok
16:22:52.0859 2132 usbprint (a717c8721046828520c9edf31288fc00) C:\WINDOWS\system32\DRIVERS\usbprint.sys
16:22:52.0859 2132 usbprint - ok
16:22:54.0046 2132 usbscan (a0b8cf9deb1184fbdd20784a58fa75d4) C:\WINDOWS\system32\DRIVERS\usbscan.sys
16:22:54.0046 2132 usbscan - ok
16:22:55.0281 2132 usbstor (a32426d9b14a089eaa1d922e0c5801a9) C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
16:22:55.0281 2132 usbstor - ok
16:22:56.0468 2132 usbuhci (26496f9dee2d787fc3e61ad54821ffe6) C:\WINDOWS\system32\DRIVERS\usbuhci.sys
16:22:56.0468 2132 usbuhci - ok
16:22:57.0625 2132 VgaSave (0d3a8fafceacd8b7625cd549757a7df1) C:\WINDOWS\System32\drivers\vga.sys
16:22:57.0625 2132 VgaSave - ok
16:22:58.0781 2132 ViaIde - ok
16:22:59.0984 2132 VolSnap (4c8fcb5cc53aab716d810740fe59d025) C:\WINDOWS\system32\drivers\VolSnap.sys
16:22:59.0984 2132 VolSnap - ok
16:23:01.0187 2132 Wanarp (e20b95baedb550f32dd489265c1da1f6) C:\WINDOWS\system32\DRIVERS\wanarp.sys
16:23:01.0187 2132 Wanarp - ok
16:23:02.0359 2132 WDICA - ok
16:23:03.0609 2132 wdmaud (6768acf64b18196494413695f0c3a00f) C:\WINDOWS\system32\drivers\wdmaud.sys
16:23:03.0609 2132 wdmaud - ok
16:23:04.0953 2132 WudfPf (f15feafffbb3644ccc80c5da584e6311) C:\WINDOWS\system32\DRIVERS\WudfPf.sys
16:23:04.0953 2132 WudfPf - ok
16:23:06.0171 2132 WudfRd (28b524262bce6de1f7ef9f510ba3985b) C:\WINDOWS\system32\DRIVERS\wudfrd.sys
16:23:06.0171 2132 WudfRd - ok
16:23:06.0218 2132 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
16:23:06.0343 2132 \Device\Harddisk0\DR0 - ok
16:23:06.0375 2132 Boot (0x1200) (186f3b014e25048818b6a29813d4ca29) \Device\Harddisk0\DR0\Partition0
16:23:06.0375 2132 \Device\Harddisk0\DR0\Partition0 - ok
16:23:06.0375 2132 ============================================================
16:23:06.0375 2132 Scan finished
16:23:06.0375 2132 ============================================================
16:23:06.0390 3492 Detected object count: 0
16:23:06.0390 3492 Actual detected object count: 0
16:23:47.0593 3356 Deinitialize success
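As an added example, not code from this thread or from TDSSKiller itself: a small parser for the log format above. It pairs each scanned object with its "- ok" verdict line, lists drivers whose image lives outside C:\WINDOWS (the entries a helper would read first; here that is a SUPERAntiSpyware driver, which is expected), and pulls out the "Detected object count" lines. The sample lines are constructed in that format, with hashes and paths copied from entries in this log; WINDOWS_ROOTS is an assumption about where system drivers live on this XP system.

```python
import re
from typing import Dict, List, Optional

# Constructed sample in the TDSSKiller log format seen above; the values are
# copied from entries in this thread's log.
SAMPLE_LOG = r"""16:22:18.0890 2132 SASDIFSV (39763504067962108505bff25f024345) C:\Program Files\SUPERAntiSpyware\SASDIFSV.SYS
16:22:18.0890 2132 SASDIFSV - ok
16:22:39.0562 2132 Tcpip (ba8c046d98345129723e6bcaa1e8ab99) C:\WINDOWS\system32\DRIVERS\tcpip.sys
16:22:39.0578 2132 Tcpip - ok
16:22:44.0312 2132 TosIde - ok
16:23:06.0218 2132 MBR (0x1B8) (8f558eb6672622401da993e1e865c861) \Device\Harddisk0\DR0
16:23:06.0343 2132 \Device\Harddisk0\DR0 - ok
16:23:06.0390 3492 Detected object count: 0
16:23:06.0390 3492 Actual detected object count: 0
"""

# "<time> <pid> <name> [(0xSIZE)] (<md5>) <path>"  -- one line per hashed object
OBJECT_RE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2}\.\d+)\s+(?P<pid>\d+)\s+(?P<name>\S+)"
    r"(?:\s+\((?P<size>0x[0-9A-Fa-f]+)\))?\s+\((?P<md5>[0-9a-fA-F]{32})\)\s+(?P<path>.+?)\s*$"
)
# "<time> <pid> <name-or-device-path> - <verdict>"
VERDICT_RE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2}\.\d+)\s+(?P<pid>\d+)\s+(?P<subject>.+?)\s+-\s+(?P<verdict>\S.*?)\s*$"
)
COUNT_RE = re.compile(
    r"^\S+\s+\d+\s+(?P<label>(?:Actual )?[Dd]etected object count):\s+(?P<n>\d+)\s*$"
)

# Assumption: system drivers on this XP box live under C:\WINDOWS.
WINDOWS_ROOTS = ("c:\\windows\\",)


def parse_tdsskiller(text: str) -> List[Dict[str, Optional[str]]]:
    """One record per hashed object (name, md5, path, verdict).
    Services with no file on disk (e.g. 'TosIde - ok') print no object line
    and are skipped: there is nothing to hash for them."""
    records: List[Dict[str, Optional[str]]] = []
    by_subject: Dict[str, Dict[str, Optional[str]]] = {}
    for line in text.splitlines():
        m = OBJECT_RE.match(line)
        if m:
            rec: Dict[str, Optional[str]] = {
                "name": m["name"], "md5": m["md5"].lower(),
                "path": m["path"], "verdict": None,
            }
            records.append(rec)
            # Verdict lines name the service, or the device path for MBR/boot sectors.
            by_subject[m["name"]] = rec
            by_subject[m["path"]] = rec
            continue
        m = VERDICT_RE.match(line)
        if m and m["subject"] in by_subject:
            by_subject[m["subject"]]["verdict"] = m["verdict"]
    return records


def outside_windows_dir(records: List[Dict[str, Optional[str]]]) -> List[str]:
    """Names of drivers whose image is not under C:\\WINDOWS. Third-party security
    tools legitimately load from Program Files; anything unexpected here is what
    a helper would ask about first."""
    names = []
    for r in records:
        p = (r["path"] or "").lower()
        if p.startswith("\\device\\"):  # raw disk sectors, not a file path
            continue
        if not p.startswith(WINDOWS_ROOTS):
            names.append(r["name"])
    return names


def detected_counts(text: str) -> Dict[str, int]:
    """The two summary counters TDSSKiller prints at the end of a scan."""
    return {m["label"]: int(m["n"]) for m in map(COUNT_RE.match, text.splitlines()) if m}


def hash_index(records: List[Dict[str, Optional[str]]]) -> Dict[str, str]:
    """md5 -> path, for cross-checking against a known-good hash list."""
    return {r["md5"]: r["path"] for r in records}


if __name__ == "__main__":
    recs = parse_tdsskiller(SAMPLE_LOG)
    for r in recs:
        print(f"{r['name']:<10} {r['verdict'] or '?':<4} {r['path']}")
    print("outside C:\\WINDOWS:", outside_windows_dir(recs))
    print(detected_counts(SAMPLE_LOG))
```

Feed it the full log instead of SAMPLE_LOG to get the same triage over every entry; the verdict field stays None for any object whose "- ok" line is missing, which is itself worth noticing.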
 
Please don't turn System Restore off. That will drop all of the restore points. It is possible that the system could become so corrupt that the only way back in is through a restore point.

Can you tell me please what you are trying to do by opening the System Restore file? To see what restore dates are available, just call up 'restore my system to an earlier time.' That will show the dates of the SR. You can cancel out and not do the restore now.
 
I was thinking of the External drive, not the C Drive Bobbye. If I remember correctly, within the System Restore tab on My Computer, I have the option of turning off System Restore for the External drive.

As I'd said previously, I had noticed when I got the virus originally that I couldn't open that particular folder [C:\System Volume Information]; it would say Access Denied, and when I would hold the mouse over the folder it says 'Folder is Empty'. Although we have rectified that on the C drive, it now gives me the exact same information for the External Drive!

I was simply wondering whether it would make any difference....probably not, but thought I'd ask!
 
You're still losing me Will. You refer to opening a folder. I took that to mean you wanted to see all the restore points that were set. SR is a protected system folder, which is most likely why you can't open it. You should use the System Tools> System Restore to access it.
 
You're still losing me Will. You refer to opening a folder. I took that to mean you wanted to see all the restore points that were set.
Sorry Bobbye, no, that's not what I meant! My fault...!

SR is a protected system folder, which is most likely why you can't open it.
What I mean is I cannot open the System Volume Information folder on my external drive. I should be able to! It should not be denying me access. It never has before.

Plus, I CAN open the System Volume Information folder on my C drive. Inside it is a folder holding the system restore info.

BEFORE you fixed my C drive, I had the same problem - I was denied access, and it said the C:\System Volume Information folder was empty (which it wasn't, as it would have held the system restore information).

So my thinking is: is the external drive infected (as it has the same symptoms as when the C drive was infected)?
and
How do we fix it? :)
 
Okay Will, this is getting nowhere:
RP1: 21/09/2011 17:47:27 - System Checkpoint
RP2: 21/09/2011 17:49:42 - Installed Microsoft .NET Framework 2.0 Service Pack 2
RP3: 21/09/2011 17:51:37 - Installed Windows KB971276-v3.
RP4: 21/09/2011 17:51:46 - Installed RGB9RAST
RP5: 21/09/2011 17:51:51 - Installed Microsoft .NET Framework 3.0 Service Pack 2
RP6: 21/09/2011 17:53:26 - Installed Microsoft .NET Framework 3.5 Service Pack 1
RP7: 21/09/2011 17:54:16 - Installed Java(TM) 6 Update 16
RP8: 21/09/2011 17:54:34 - Installed User Profile Hive Cleanup Service
RP9: 21/09/2011 17:54:44 - Installed Alt-Tab Task Switcher Powertoy for Windows XP
RP10: 21/09/2011 18:22:17 - Before Mozilla Backup
RP11: 21/09/2011 18:25:36 - Installed ESET Smart Security
RP12: 21/09/2011 12:58:50 - Installed 3Connect
RP13: 21/09/2011 22:08:48 - Software Distribution Service 3.0

Contents are above.
 
Hi Bobbye,

Yeah, I agree! Forget the SR points - they're irrelevant. I'm just trying to find out how we can get the system back to its proper working state! They say a picture is worth 1000 words, so just to show what I meant regarding the access of the folders:

C Drive:
Image 1:
> removed by Bobbye
Image 2: I can access the folder: > removed by Bobbye
External Drive:
Image 1: Shows folder as empty.
> removed by Bobbye
Image 2: Access is denied > removed by Bobbye

My point behind all this was simply to give as much information to you as possible in order to ascertain what we could try to do to resolve the overall problem!

Apologies if I caused confusion Bobbye. What's in the folder is of no interest to me; I was thinking that the virus is preventing us from getting access to the folder which holds the System Restore information.....hence the questions about system restore.

What are the next steps to take?

Thanks,
Will
 
Will, this is not a helpful discussion. I have never asked anyone to access this folder--why??? All you have to do is use System Restore> Restore my system back to a previous date> choose the available date on the screen that comes up.
 
Bobbye, we've become bogged down with irrelevant posts! As earlier - my fault - I was trying to jump the gun & pre-empt!

What are the next steps to take?

Thanks,
Will
My point behind all this was simply to give as much information to you as possible in order to ascertain what we could try to do to resolve the overall problem!

Forget the SR points - they're irrelevant.

What are the next steps to take?
 
Will, please tell me specifically if any malware related problems remain.
References to System Restore are not needed.
 