Solved Redirect rootkit need help


rubbersoul

Hello

I'm having trouble browsing. Every now and then my pages are getting redirected to a bogus site. It's been happening in both IE and Firefox. It seems to have only just started, i.e. it's not happening too frequently yet, though it's definitely noticeable.

Thanks for the help
 
Welcome to Techspot!

If you would like us to check the system for malware, please follow the steps in the Preliminary Virus and Malware Removal thread HERE.

When you have finished, leave the logs for review in your next reply.
NOTE: Logs must be pasted in the replies. Attached logs will not be reviewed.

Please do not use any other cleaning programs or scans while I'm helping you, unless I direct you to. Do not use a Registry cleaner or make any changes in the Registry.
 
Hi Bobbeye

Thanks a lot for your reply.

I have followed your instructions and the requested logs are as follows:



MALWAREBYTE'S LOG

------------------------------------------------------------------------------------


Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 5808

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

19/02/2011 8:01:58 PM
mbam-log-2011-02-19 (20-01-58).txt

Scan type: Quick scan
Objects scanned: 135352
Time elapsed: 3 minute(s), 16 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


--------------------------------------------------------------------------------------

GMER LOG

---------------

GMER 1.0.15.15530 - http://www.gmer.net
Rootkit quick scan 2011-02-19 20:43:36
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\iaStor0 TOSHIBA_ rev.LV01
Running: ng8ji9r5.exe; Driver: C:\DOCUME~1\Bob\LOCALS~1\Temp\afgyyfob.sys


---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 00 (MBR): rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 04: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 29: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 39: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 49: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 60: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 62: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sectors 488396912 (+255): rootkit-like behavior;

---- Devices - GMER 1.0.15 ----

Device Ntfs.sys (NT File System Driver/Microsoft Corporation)
Device \Device\Ide\IAAStorageDevice-1 -> \??\IDE#DiskTOSHIBA_MK2552GSX_______________________LV010M__#4&4835c41&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found

---- EOF - GMER 1.0.15 ----



-------------------------------------------------------------------------------------------


DDS LOGS

----------------


DDS.txt

--------------------


DDS (Ver_10-12-12.02) - NTFSx86
Run by Bob at 20:51:40.82 on Sat 19/02/2011
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_23
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.2940.2435 [GMT 11:00]

AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\ltmoh\Ltmoh.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\igfxsrvc.exe
svchost.exe
C:\WINDOWS\system32\agrsmsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Bob\My Documents\Downloads\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.scroogle.org/cgi-bin/scraper.htm
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [Steam] "c:\program files\steam\steam.exe" -silent
mRun: [LClock] c:\program files\lclock\LClock.exe
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [LtMoh] c:\program files\ltmoh\Ltmoh.exe
mRun: [Camera Assistant Software] "c:\program files\camera assistant software for toshiba\traybar.exe" /start
mRun: [TPSMain] TPSMain.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
dRunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N
StartupFolder: c:\docume~1\bob\startm~1\programs\startup\openof~1.lnk - c:\program files\openoffice.org 3\program\quickstart.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\bitmet~1.lnk - c:\program files\codebox\bitmeter\BitMeter2.exe
dPolicies-explorer: ForceClassicControlPanel = 1 (0x1)
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} - hxxp://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection2.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
DPF: {CF84DAC5-A4F5-419E-A0BA-C01FFD71112F} - hxxp://content.systemrequirementslab.com.s3.amazonaws.com/global/bin/srldetect_intel_4.3.16.0.cab
DPF: {E6F480FC-BD44-4CBA-B74A-89AF7842937D} - hxxp://content.systemrequirementslab.com.s3.amazonaws.com/global/bin/srldetect_cyri_4.3.1.0.cab
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SecurityProviders: schannel.dll, digest.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\bob\applic~1\mozilla\firefox\profiles\ysxhsgrc.default\
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\mozilla firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: foof: foof@foofme.com - %profile%\extensions\foof@foofme.com
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Boost for Facebook: {47624dda-b77e-4feb-820a-e4f077d5d4ca} - %profile%\extensions\{47624dda-b77e-4feb-820a-e4f077d5d4ca}
FF - Ext: FEBE: {4BBDD651-70CF-4821-84F8-2B918CF89CA3} - %profile%\extensions\{4BBDD651-70CF-4821-84F8-2B918CF89CA3}
FF - Ext: Update Notifier: {95f24680-9e31-11da-a746-0800200c9a66} - %profile%\extensions\{95f24680-9e31-11da-a746-0800200c9a66}
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - %profile%\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: ImTranslator: {9AA46F4F-4DC7-4c06-97AF-5035170634FE} - %profile%\extensions\{9AA46F4F-4DC7-4c06-97AF-5035170634FE}
FF - Ext: Fasterfox: {c36177c0-224a-11da-8cd6-0800200c9a91} - %profile%\extensions\{c36177c0-224a-11da-8cd6-0800200c9a91}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - %profile%\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}
FF - Ext: Greasemonkey: {e4a8a97b-f2ed-450b-b12d-ee082ba24781} - %profile%\extensions\{e4a8a97b-f2ed-450b-b12d-ee082ba24781}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\java\jre6\lib\deploy\jqs\ff

============= SERVICES / DRIVERS ===============

R0 iastor86;iastor86;c:\windows\system32\drivers\iastor86.sys [2010-4-4 327192]
R1 MpFilter;Microsoft Malware Protection Driver;c:\windows\system32\drivers\MpFilter.sys [2010-3-25 165264]
R1 MpKsl43f042e4;MpKsl43f042e4;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{49316f14-479b-4abb-9e3e-f79c07eac0c1}\mpksl43f042e4.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{49316f14-479b-4abb-9e3e-f79c07eac0c1}\MpKsl43f042e4.sys [?]
R1 MpKsl872891a4;MpKsl872891a4;c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{fc8f4265-4f68-4380-8cc0-7394b6cc0db7}\MpKsl872891a4.sys [2011-2-19 28752]
R1 SAVRKBootTasks;Boot Tasks Driver;c:\windows\system32\SAVRKBootTasks.sys [2011-2-19 18816]
S1 MpKsl4d9aa61d;MpKsl4d9aa61d;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{d4df6549-b41a-4cd7-adba-e8ba4d215354}\mpksl4d9aa61d.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{d4df6549-b41a-4cd7-adba-e8ba4d215354}\MpKsl4d9aa61d.sys [?]
S1 MpKsl7d192544;MpKsl7d192544;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{7081df1e-4dba-486b-834b-a6ad0f3367da}\mpksl7d192544.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{7081df1e-4dba-486b-834b-a6ad0f3367da}\MpKsl7d192544.sys [?]
S1 MpKsl85a0f85d;MpKsl85a0f85d;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{d4df6549-b41a-4cd7-adba-e8ba4d215354}\mpksl85a0f85d.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{d4df6549-b41a-4cd7-adba-e8ba4d215354}\MpKsl85a0f85d.sys [?]
S1 MpKsl88c7a7ac;MpKsl88c7a7ac;\??\c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{d4df6549-b41a-4cd7-adba-e8ba4d215354}\mpksl88c7a7ac.sys --> c:\documents and settings\all users\application data\microsoft\microsoft antimalware\definition updates\{d4df6549-b41a-4cd7-adba-e8ba4d215354}\MpKsl88c7a7ac.sys [?]
S3 cpudrv;cpudrv;c:\program files\systemrequirementslab\cpudrv.sys [2009-12-18 11336]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\6f.tmp --> c:\windows\system32\6F.tmp [?]

=============== Created Last 30 ================

2011-02-19 09:44:06 28752 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\microsoft antimalware\definition updates\{fc8f4265-4f68-4380-8cc0-7394b6cc0db7}\MpKsl872891a4.sys
2011-02-19 09:43:58 5890896 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\microsoft antimalware\definition updates\{fc8f4265-4f68-4380-8cc0-7394b6cc0db7}\mpengine.dll
2011-02-19 08:33:47 18816 ------w- c:\windows\system32\SAVRKBootTasks.sys
2011-02-19 00:29:09 -------- d-----w- c:\program files\Sophos
2011-02-18 13:07:01 553696 ----a-w- c:\program files\mozilla firefox\uninstall\helper.exe
2011-02-18 03:00:36 -------- d-----w- c:\windows\system32\appmgmt
2011-02-13 02:21:11 -------- d-----w- c:\program files\WarZone
2011-02-13 02:18:42 -------- d-----w- c:\program files\Microprose
2011-02-04 10:32:37 -------- d-----w- c:\docume~1\bob\applic~1\Rovio
2011-02-04 10:31:04 761152 ----a-w- c:\windows\system32\msvcr100.dll
2011-01-30 11:12:37 5890896 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\microsoft antimalware\definition updates\updates\mpengine.dll
2011-01-30 11:12:30 -------- d-----w- c:\program files\Microsoft Security Client
2011-01-30 03:57:00 103864 ----a-w- c:\program files\internet explorer\plugins\nppdf32.dll

==================== Find3M ====================

2011-01-21 14:44:37 439296 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-07 14:09:02 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-12-31 13:10:33 1854976 ----a-w- c:\windows\system32\win32k.sys
2010-12-22 12:34:28 301568 ----a-w- c:\windows\system32\kerberos.dll
2010-12-20 23:59:20 916480 ----a-w- c:\windows\system32\wininet.dll
2010-12-20 23:59:19 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-12-20 23:59:19 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2010-12-20 17:26:00 730112 ----a-w- c:\windows\system32\lsasrv.dll
2010-12-20 12:55:26 385024 ----a-w- c:\windows\system32\html.iec
2010-12-14 13:34:30 315392 ----a-w- c:\windows\HideWin.exe
2010-12-09 15:15:09 718336 ----a-w- c:\windows\system32\ntdll.dll
2010-12-09 14:30:22 33280 ----a-w- c:\windows\system32\csrsrv.dll
2010-12-09 13:42:26 2148864 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-12-09 13:07:07 2027008 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-11-29 06:38:30 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-11-29 06:38:30 69632 ----a-w- c:\windows\system32\QuickTime.qts

=================== ROOTKIT ====================

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: TOSHIBA_ rev.LV01 -> Harddisk0\DR0 -> \Device\Ide\iaStor0

device: opened successfully
user: MBR read successfully

Disk trace:
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x89A235DC]<<
_asm { PUSH EBP; MOV EBP, ESP; PUSH ECX; MOV EAX, [EBP+0x8]; CMP EAX, [0x89a297b8]; MOV EAX, [0x89a29834]; PUSH EBX; PUSH ESI; MOV ESI, [EBP+0xc]; MOV EBX, [ESI+0x60]; PUSH EDI; JNZ 0x20; MOV [EBP+0x8], EAX; }
1 ntkrnlpa!IofCallDriver[0x804EF1A6] -> \Device\Harddisk0\DR0[0x8A3D9030]
3 CLASSPNP[0xBA0E8FD7] -> ntkrnlpa!IofCallDriver[0x804EF1A6] -> [0x8A3EF428]
\Driver\iaStor[0x8A3F5338] -> IRP_MJ_CREATE -> 0x89A235DC
kernel: MBR read successfully
_asm { XOR AX, AX; MOV SS, AX; MOV SP, 0x7c00; MOV ES, AX; MOV DS, AX; MOV SI, 0x7c00; MOV DI, 0x600; MOV CX, 0x200; CLD ; REP MOVSB ; PUSH AX; PUSH 0x61c; RETF ; STI ; PUSHA ; MOV CX, 0x132; MOV BP, 0x62a; ROR BYTE [BP+0x0], CL; INC BP; }
detected disk devices:
\Device\Ide\IAAStorageDevice-1 -> \??\IDE#DiskTOSHIBA_MK2552GSX_______________________LV010M__#4&4835c41&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found
detected hooks:
user != kernel MBR !!!
sectors 488397166 (+255): user != kernel
Warning: possible TDL4 rootkit infection !
TDL4 rootkit infection detected ! Use: "mbr.exe -f" to fix.

============= FINISH: 20:53:22.50 ===============


---------------------------------------------------------------


ATTACH.txt


--------------------------------------


UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-12-12.02)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 14/12/2010 7:49:42 AM
System Uptime: 19/02/2011 7:53:48 PM (1 hours ago)

Motherboard: TOSHIBA | | Portable PC
Processor: Intel(R) Pentium(R) Dual CPU T3200 @ 2.00GHz | CPU | 1995/667mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 216 GiB total, 90.11 GiB free.
D: is Removable
F: is FIXED (NTFS) - 8 GiB total, 3.508 GiB free.

==== Disabled Device Manager Items =============

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description:
Device ID: ACPI\TOS1901\2&DABA3FF&0
Manufacturer:
Name:
PNP Device ID: ACPI\TOS1901\2&DABA3FF&0
Service:

==== System Restore Points ===================

RP72: 30/01/2011 2:12:46 AM - System Checkpoint
RP73: 30/01/2011 1:34:24 PM - Software Distribution Service 3.0
RP74: 30/01/2011 10:12:16 PM - Software Distribution Service 3.0
RP75: 31/01/2011 9:58:33 PM - Software Distribution Service 3.0
RP76: 2/02/2011 2:10:51 PM - Software Distribution Service 3.0
RP77: 3/02/2011 2:25:53 PM - Software Distribution Service 3.0
RP78: 4/02/2011 4:55:14 PM - Software Distribution Service 3.0
RP79: 5/02/2011 10:03:55 PM - Software Distribution Service 3.0
RP80: 7/02/2011 4:21:46 AM - Software Distribution Service 3.0
RP81: 8/02/2011 9:59:55 AM - Software Distribution Service 3.0
RP82: 9/02/2011 11:50:29 AM - Software Distribution Service 3.0
RP83: 10/02/2011 3:00:13 AM - Software Distribution Service 3.0
RP84: 10/02/2011 4:14:41 PM - Software Distribution Service 3.0
RP85: 11/02/2011 4:39:34 PM - System Checkpoint
RP86: 12/02/2011 8:03:34 PM - System Checkpoint
RP87: 13/02/2011 3:25:11 AM - Software Distribution Service 3.0
RP88: 14/02/2011 12:28:35 PM - System Checkpoint
RP89: 14/02/2011 1:17:08 PM - Software Distribution Service 3.0
RP90: 15/02/2011 10:28:46 PM - Software Distribution Service 3.0
RP91: 16/02/2011 11:26:41 PM - Software Distribution Service 3.0
RP92: 17/02/2011 3:00:13 AM - Software Distribution Service 3.0
RP93: 17/02/2011 3:24:43 AM - Software Distribution Service 3.0
RP94: 18/02/2011 1:37:12 PM - System Checkpoint
RP95: 18/02/2011 2:00:26 PM - Removed Apple Mobile Device Support
RP96: 18/02/2011 2:02:41 PM - Removed iTunes
RP97: 19/02/2011 8:22:38 PM - System Checkpoint

==== Installed Programs ======================

32 Bit HP CIO Components Installer
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 9.4.2
Adobe Shockwave Player 11.5
Apple Application Support
Apple Software Update
Atheros Driver Installation Program
µTorrent
BitMeter
Bonjour
Camera Assistant Software for Toshiba
Counter-Strike: Source
Counter-Strike: Source Beta
DJ_SF_06_D1600_SW_Min
GoldenEye: Source - HalfLife 2 Mod
Half-Life 2: Deathmatch
Hotfix for Windows XP (KB2158563)
Hotfix for Windows XP (KB2443685)
Hotfix for Windows XP (KB971276-v3)
Hotfix for Windows XP (KB976002-v5)
Hotfix for Windows XP (KB979306)
HP Deskjet D1600 Printer Driver 14.0 Rel. 6
HP Product Detection
Intel(R) Graphics Media Accelerator Driver
Java Auto Updater
Java(TM) 6 Update 20
Java(TM) 6 Update 23
Malwarebytes' Anti-Malware
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB2416447)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Antimalware
Microsoft Application Error Reporting
Microsoft Security Client
Microsoft Security Essentials
Microsoft Silverlight
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
mIRC
Mozilla Firefox (3.6.13)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
OpenOffice.org 3.2
QuickTime
Realtek AC'97 Audio
REALTEK GbE & FE Ethernet PCI-E NIC Driver
Realtek High Definition Audio Driver
REALTEK RTL8187B Wireless LAN Driver
Realtek WLAN Driver
Risk WarZone Client
Royal AIO Theme
Security Update for Windows Internet Explorer 8 (KB2360131)
Security Update for Windows Internet Explorer 8 (KB2416400)
Security Update for Windows Internet Explorer 8 (KB2482017)
Security Update for Windows Internet Explorer 8 (KB981332)
Security Update for Windows Media Player (KB2378111)
Security Update for Windows Media Player (KB975558)
Security Update for Windows Media Player (KB978695)
Security Update for Windows XP (KB2079403)
Security Update for Windows XP (KB2115168)
Security Update for Windows XP (KB2121546)
Security Update for Windows XP (KB2229593)
Security Update for Windows XP (KB2259922)
Security Update for Windows XP (KB2279986)
Security Update for Windows XP (KB2286198)
Security Update for Windows XP (KB2296011)
Security Update for Windows XP (KB2296199)
Security Update for Windows XP (KB2347290)
Security Update for Windows XP (KB2360937)
Security Update for Windows XP (KB2387149)
Security Update for Windows XP (KB2393802)
Security Update for Windows XP (KB2419632)
Security Update for Windows XP (KB2423089)
Security Update for Windows XP (KB2436673)
Security Update for Windows XP (KB2440591)
Security Update for Windows XP (KB2443105)
Security Update for Windows XP (KB2476687)
Security Update for Windows XP (KB2478960)
Security Update for Windows XP (KB2478971)
Security Update for Windows XP (KB2479628)
Security Update for Windows XP (KB2483185)
Security Update for Windows XP (KB2485376)
Security Update for Windows XP (KB975562)
Security Update for Windows XP (KB977816)
Security Update for Windows XP (KB978338)
Security Update for Windows XP (KB978542)
Security Update for Windows XP (KB978601)
Security Update for Windows XP (KB979309)
Security Update for Windows XP (KB979482)
Security Update for Windows XP (KB979687)
Security Update for Windows XP (KB980195)
Security Update for Windows XP (KB980232)
Security Update for Windows XP (KB980436)
Security Update for Windows XP (KB981852)
Security Update for Windows XP (KB981957)
Security Update for Windows XP (KB981997)
Security Update for Windows XP (KB982132)
Security Update for Windows XP (KB982214)
Security Update for Windows XP (KB982665)
Sophos Anti-Rootkit 1.5.4
Source SDK Base 2007
Steam
System Requirements Lab CYRI
System Requirements Lab for Intel
Toolbox
TOSHIBA PC Diagnostic Tool
TOSHIBA Power Saver
TOSHIBA Software Modem
Update for Windows XP (KB2141007)
Update for Windows XP (KB2345886)
Update for Windows XP (KB2467659)
VLC media player 1.0.5
WebFldrs XP
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
WinRAR archiver
Xvid 1.2.2 final uninstall
YouTube Downloader 2.6.5

==== Event Viewer Messages From Past Week ========

19/02/2011 7:45:14 PM, error: Service Control Manager [7034] - The Java Quick Starter service terminated unexpectedly. It has done this 1 time(s).
19/02/2011 7:45:14 PM, error: Service Control Manager [7034] - The Bonjour Service service terminated unexpectedly. It has done this 1 time(s).
19/02/2011 7:45:14 PM, error: Service Control Manager [7031] - The Microsoft Antimalware Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 15000 milliseconds: Restart the service.
19/02/2011 11:24:53 AM, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.97.1877.0 Update Source: Microsoft Update Server Update Stage: Search Source Path: http://www.microsoft.com Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.6502.0 Error code: 0x80072efe Error description: The connection with the server was terminated abnormally
19/02/2011 11:17:33 AM, error: Service Control Manager [7034] - The Agere Modem Call Progress Audio service terminated unexpectedly. It has done this 1 time(s).
18/02/2011 9:37:56 AM, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.97.1877.0 Update Source: Microsoft Update Server Update Stage: Search Source Path: http://www.microsoft.com Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.6502.0 Error code: 0x80072efe Error description: The connection with the server was terminated abnormally
18/02/2011 1:58:19 PM, error: Service Control Manager [7031] - The Print Spooler service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
17/02/2011 5:45:23 PM, error: Service Control Manager [7034] - The iPod Service service terminated unexpectedly. It has done this 1 time(s).
15/02/2011 10:12:33 PM, error: Dhcp [1002] - The IP address lease 192.168.2.3 for the Network Card with network address 002163868050 has been denied by the DHCP server 192.168.0.1 (The DHCP Server sent a DHCPNACK message).
13/02/2011 12:37:39 PM, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.97.1582.0 Update Source: Microsoft Update Server Update Stage: Search Source Path: http://www.microsoft.com Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.6502.0 Error code: 0x80072efe Error description: The connection with the server was terminated abnormally
12/02/2011 7:50:29 PM, error: Microsoft Antimalware [2001] - Microsoft Antimalware has encountered an error trying to update signatures. New Signature Version: Previous Signature Version: 1.97.1355.0 Update Source: Microsoft Update Server Update Stage: Search Source Path: http://www.microsoft.com Signature Type: AntiVirus Update Type: Full User: NT AUTHORITY\SYSTEM Current Engine Version: Previous Engine Version: 1.1.6502.0 Error code: 0x80072efe Error description: The connection with the server was terminated abnormally
12/02/2011 7:46:28 PM, error: PlugPlayManager [12] - The device 'HL-DT-ST DVDRAM GSA-T50N' (IDE\CdRomHL-DT-ST_DVDRAM_GSA-T50N________________RR07____\4&4835c41&0&0.1.0) disappeared from the system without first being prepared for removal.
12/02/2011 7:46:28 PM, error: iaStor [9] - The device, \Device\Ide\iaStor0, did not respond within the timeout period.

==== End Of File ===========================
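The "Stealth MBR rootkit detector" section of the GMER log above reports the check it relies on: the same sectors read through the normal user-mode path and through a path that bypasses the hooked disk stack, with any disagreement flagged as "user != kernel" (here for the MBR and for a 256-sector run at the very end of the disk). The Python below is an added example, not GMER's code and not part of this thread, that performs that comparison over constructed sector images: it parses the MBR partition table, lists the sector ranges on which the two views disagree in GMER's "start (+n)" style, and notes whether those sectors sit past the last partition. The disk sector count, partition sizes, boot code bytes and sector contents are all constructed for the example; nothing is read from a real disk.

```python
import hashlib
import struct

SECTOR_SIZE = 512
# Constructed assumption: sector count of a 250 GB disk, chosen so that the
# range flagged in the log, 488396912 (+255), ends exactly at the last sector.
DISK_SECTORS = 488_397_168


def parse_partition_table(mbr):
    """Decode the four 16-byte primary partition entries at MBR offset 446."""
    if len(mbr) != SECTOR_SIZE:
        raise ValueError("an MBR image must be exactly 512 bytes")
    entries = []
    for slot in range(4):
        status, _chs0, ptype, _chs1, lba_start, count = struct.unpack_from(
            "<B3sB3sII", mbr, 446 + 16 * slot)
        if ptype == 0:  # empty slot
            continue
        entries.append({"slot": slot, "bootable": status == 0x80, "type": ptype,
                        "lba_start": lba_start, "sectors": count})
    return entries


def has_boot_signature(mbr):
    """True when the MBR carries the 0x55AA signature in its last two bytes."""
    return mbr[510:512] == b"\x55\xaa"


def differing_sectors(user_view, kernel_view):
    """LBAs whose bytes are not identical in both views (absent in one view counts)."""
    return sorted(lba for lba in set(user_view) | set(kernel_view)
                  if user_view.get(lba) != kernel_view.get(lba))


def group_ranges(lbas):
    """Collapse sorted LBAs into (start, length) runs, like GMER's 'sectors N (+255)'."""
    runs = []
    for lba in lbas:
        if runs and runs[-1][0] + runs[-1][1] == lba:
            runs[-1][1] += 1
        else:
            runs.append([lba, 1])
    return [tuple(run) for run in runs]


def analyze(user_view, kernel_view, disk_sectors=DISK_SECTORS):
    """Compare two reads of the same sectors and summarise where they disagree."""
    mbr_u, mbr_k = user_view[0], kernel_view[0]
    parts = parse_partition_table(mbr_k)
    last_end = max((p["lba_start"] + p["sectors"] for p in parts), default=0)
    diff = differing_sectors(user_view, kernel_view)
    tail = [lba for lba in diff if last_end <= lba < disk_sectors]
    findings = []
    if not (has_boot_signature(mbr_u) and has_boot_signature(mbr_k)):
        findings.append("MBR without 55AA boot signature")
    if mbr_u[:446] != mbr_k[:446]:
        findings.append("MBR boot code differs between user and kernel view")
    if mbr_u[446:510] != mbr_k[446:510]:
        findings.append("partition table differs between user and kernel view")
    if tail:
        findings.append("differing sectors lie after the last partition (unallocated tail)")
    return {
        "mbr_user_sha256": hashlib.sha256(mbr_u).hexdigest(),
        "mbr_kernel_sha256": hashlib.sha256(mbr_k).hexdigest(),
        "partitions": parts,
        "last_partition_end": last_end,
        "differing_ranges": group_ranges(diff),
        "tail_ranges": group_ranges(tail),
        "findings": findings,
    }


# ---- constructed sample input (not taken from the disk in the thread) ----
def make_mbr(boot_code, partitions):
    """Assemble a 512-byte MBR from boot code and (bootable, type, lba_start, count) tuples."""
    img = bytearray(boot_code.ljust(446, b"\x00")[:446])
    for bootable, ptype, start, count in partitions:
        img += struct.pack("<B3sB3sII", 0x80 if bootable else 0x00, b"\x00" * 3,
                           ptype, b"\x00" * 3, start, count)
    img += b"\x00" * (510 - len(img)) + b"\x55\xaa"
    return bytes(img)


# Two NTFS partitions sized like the 216 GiB C: and 8 GiB F: in the log (constructed layout).
SAMPLE_PARTS = [(True, 0x07, 63, 452_984_832), (False, 0x07, 452_984_895, 16_777_216)]
TAIL_START = 488_396_912  # start of the range GMER flagged in the log


def build_sample_views():
    """Return (user_view, kernel_view) dicts mapping LBA -> 512-byte sector image."""
    boot_a = b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 439   # constructed boot code A
    boot_b = b"\x31\xc0\x8e\xd0\xbc\x00\x7c" + b"\xcc" * 439   # constructed boot code B
    user = {0: make_mbr(boot_a, SAMPLE_PARTS)}
    kernel = {0: make_mbr(boot_b, SAMPLE_PARTS)}
    for i in range(256):
        user[TAIL_START + i] = b"\x00" * SECTOR_SIZE                  # filtered read: empty
        kernel[TAIL_START + i] = bytes([i % 255 + 1]) * SECTOR_SIZE   # raw read: data present
    return user, kernel


if __name__ == "__main__":
    report = analyze(*build_sample_views())
    for key, value in report.items():
        print(f"{key}: {value}")
```

The useful signal is the disagreement itself, not which of the two views is "right": a sector that reads one way through the normal path and another way through a path that bypasses the disk driver chain means something in that chain is altering what callers see. Reporting the differing runs as (start, length) and checking whether they fall past the last partition makes the output directly comparable to the "sectors 488396912 (+255)" and "user != kernel MBR" lines in the log.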
 
Please download MBRCheck.exe to your desktop.
  • Be sure to disable your security programs
  • Double click on the file to run it (Vista and Windows 7 users will have to confirm the UAC prompt)
  • A small window should open on your desktop
  • If an unknown bootcode is found you will have further options available to you; at this time press N then press Enter twice.
  • If nothing unusual is found just press Enter
  • A .txt file named MBRCheck_mm.dd.yy_hh.mm.ss should appear on your desktop. Please post the contents of that file.
 
MBRCheck log as follows:

MBRCheck, version 1.2.3
(c) 2010, AD

Command-line:
Windows Version: Windows XP Professional
Windows Information: Service Pack 3 (build 2600)
Logical Drives Mask: 0x00000024

Kernel Drivers (total 113):
0x804D7000 \WINDOWS\system32\ntkrnlpa.exe
0x806E5000 \WINDOWS\system32\hal.dll
0x899CE000 \WINDOWS\system32\KDCOM.DLL
0xBA4BC000 \WINDOWS\system32\BOOTVID.dll
0xB9F79000 ACPI.sys
0xBA5A8000 \WINDOWS\system32\DRIVERS\WMILIB.SYS
0xB9F68000 pci.sys
0xBA0A8000 isapnp.sys
0xBA4C0000 compbatt.sys
0xBA4C4000 \WINDOWS\system32\DRIVERS\BATTC.SYS
0xBA0B8000 MountMgr.sys
0xB9F49000 ftdisk.sys
0xBA5AA000 dmload.sys
0xB9F23000 dmio.sys
0xBA328000 PartMgr.sys
0xBA4C8000 ACPIEC.sys
0xBA670000 \WINDOWS\system32\DRIVERS\OPRGHDLR.SYS
0xBA0C8000 VolSnap.sys
0xB9E49000 iaStor.sys
0xB9D6F000 iastor86.sys
0xBA0D8000 disk.sys
0xBA0E8000 \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
0xB9D4F000 fltMgr.sys
0xB9D3D000 sr.sys
0xB9D26000 KSecDD.sys
0xB9C99000 Ntfs.sys
0xB9C6C000 NDIS.sys
0xB9C52000 Mup.sys
0xBA2A8000 \SystemRoot\system32\DRIVERS\intelppm.sys
0xB9C0E000 \SystemRoot\system32\DRIVERS\CmBatt.sys
0xB816E000 \SystemRoot\system32\DRIVERS\igxpmp32.sys
0xB815A000 \SystemRoot\system32\DRIVERS\VIDEOPRT.SYS
0xBA4B0000 \SystemRoot\system32\DRIVERS\usbuhci.sys
0xB8136000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0xBA338000 \SystemRoot\system32\DRIVERS\usbehci.sys
0xB810E000 \SystemRoot\system32\DRIVERS\HDAudBus.sys
0xB80D6000 \SystemRoot\system32\DRIVERS\Rtenicxp.sys
0xB7F52000 \SystemRoot\system32\DRIVERS\athw.sys
0xBA2D8000 \SystemRoot\system32\DRIVERS\i8042prt.sys
0xBA340000 \SystemRoot\system32\DRIVERS\kbdclass.sys
0xBA348000 \SystemRoot\system32\DRIVERS\mouclass.sys
0xB7F2F000 \SystemRoot\system32\DRIVERS\ks.sys
0xBA7C0000 \SystemRoot\system32\DRIVERS\audstub.sys
0xBA318000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0xB9BF1000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0xB7F18000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0xBA118000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0xBA128000 \SystemRoot\system32\DRIVERS\raspptp.sys
0xBA350000 \SystemRoot\system32\DRIVERS\TDI.SYS
0xB7F07000 \SystemRoot\system32\DRIVERS\psched.sys
0xBA138000 \SystemRoot\system32\DRIVERS\msgpc.sys
0xBA358000 \SystemRoot\system32\DRIVERS\ptilink.sys
0xBA360000 \SystemRoot\system32\DRIVERS\raspti.sys
0xB7ED7000 \SystemRoot\system32\DRIVERS\rdpdr.sys
0xBA148000 \SystemRoot\system32\DRIVERS\termdd.sys
0xBA5C8000 \SystemRoot\system32\DRIVERS\swenum.sys
0xB7E79000 \SystemRoot\system32\DRIVERS\update.sys
0xB9BD5000 \SystemRoot\system32\DRIVERS\mssmbios.sys
0xBA158000 \SystemRoot\system32\DRIVERS\wsimd.sys
0xAF5A3000 \SystemRoot\System32\Drivers\NDProxy.SYS
0xAF583000 \SystemRoot\system32\DRIVERS\usbhub.sys
0xBA5D4000 \SystemRoot\system32\DRIVERS\USBD.SYS
0x9DC7D000 \SystemRoot\system32\drivers\RtkHDAud.sys
0x9DC59000 \SystemRoot\system32\drivers\portcls.sys
0xAF573000 \SystemRoot\system32\drivers\drmk.sys
0x9DB3D000 \SystemRoot\system32\DRIVERS\AGRSM.sys
0xBA440000 \SystemRoot\System32\Drivers\Modem.SYS
0x9DB16000 \SystemRoot\system32\DRIVERS\MpFilter.sys
0xAF31F000 \??\C:\WINDOWS\system32\SAVRKBootTasks.sys
0xBA612000 \SystemRoot\System32\Drivers\Fs_Rec.SYS
0xBA6A2000 \SystemRoot\System32\Drivers\Null.SYS
0xBA61A000 \SystemRoot\System32\Drivers\Beep.SYS
0xAF317000 \SystemRoot\System32\drivers\vga.sys
0xBA61C000 \SystemRoot\System32\Drivers\mnmdd.SYS
0xBA614000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0xAEBEB000 \SystemRoot\System32\Drivers\Msfs.SYS
0xAEBE3000 \SystemRoot\System32\Drivers\Npfs.SYS
0xB7CE1000 \SystemRoot\system32\DRIVERS\rasacd.sys
0x9DAE3000 \SystemRoot\system32\DRIVERS\ipsec.sys
0x9DA8A000 \SystemRoot\system32\DRIVERS\tcpip.sys
0x9DA62000 \SystemRoot\system32\DRIVERS\netbt.sys
0x9DA3C000 \SystemRoot\system32\DRIVERS\ipnat.sys
0x9DA1A000 \SystemRoot\System32\drivers\afd.sys
0xAEFC0000 \SystemRoot\system32\DRIVERS\netbios.sys
0xAEFB0000 \SystemRoot\system32\DRIVERS\wanarp.sys
0x9D9EF000 \SystemRoot\system32\DRIVERS\rdbss.sys
0x9D97F000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0xAEBD3000 \??\c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{08C467CF-F80B-4637-83E3-1293B0A120D3}\MpKsld83c4411.sys
0xAEFA0000 \SystemRoot\System32\Drivers\Fips.SYS
0xAEBC3000 \SystemRoot\system32\DRIVERS\usbccgp.sys
0xAEF60000 \SystemRoot\System32\Drivers\UVCFTR_S.SYS
0x9D961000 \SystemRoot\System32\Drivers\usbvideo.sys
0xAECD7000 \SystemRoot\System32\Drivers\Cdfs.SYS
0x9D887000 \SystemRoot\System32\Drivers\dump_iaStor.sys
0xBF800000 \SystemRoot\System32\win32k.sys
0xB1B71000 \SystemRoot\System32\drivers\Dxapi.sys
0xAEBB3000 \SystemRoot\System32\watchdog.sys
0xBF000000 \SystemRoot\System32\drivers\dxg.sys
0xB3776000 \SystemRoot\System32\drivers\dxgthk.sys
0xBF024000 \SystemRoot\System32\igxpgd32.dll
0xBF012000 \SystemRoot\System32\igxprd32.dll
0xBF04F000 \SystemRoot\System32\igxpdv32.DLL
0xBF25B000 \SystemRoot\System32\igxpdx32.DLL
0xBF562000 \SystemRoot\System32\ATMFD.DLL
0x9D84B000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0x9D6E2000 \SystemRoot\system32\drivers\wdmaud.sys
0xB3FB4000 \SystemRoot\system32\drivers\sysaudio.sys
0x9D323000 \SystemRoot\system32\DRIVERS\mrxdav.sys
0x9C78B000 \SystemRoot\system32\DRIVERS\srv.sys
0x9C452000 \SystemRoot\System32\Drivers\HTTP.sys
0xBA370000 \??\c:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{08C467CF-F80B-4637-83E3-1293B0A120D3}\MpKsld74c8460.sys
0x9C076000 \SystemRoot\system32\drivers\kmixer.sys
0x7C900000 \WINDOWS\system32\ntdll.dll

Processes (total 36):
0 System Idle Process
4 System
836 C:\WINDOWS\system32\smss.exe
908 csrss.exe
932 C:\WINDOWS\system32\winlogon.exe
980 C:\WINDOWS\system32\services.exe
992 C:\WINDOWS\system32\lsass.exe
1148 C:\WINDOWS\system32\svchost.exe
1212 svchost.exe
1256 C:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
1292 C:\WINDOWS\system32\svchost.exe
1392 svchost.exe
1544 svchost.exe
1840 C:\WINDOWS\system32\spoolsv.exe
496 C:\WINDOWS\explorer.exe
768 C:\WINDOWS\RTHDCPL.exe
792 C:\Program Files\ltmoh\ltmoh.exe
824 C:\WINDOWS\system32\igfxtray.exe
844 C:\WINDOWS\system32\hkcmd.exe
852 C:\WINDOWS\system32\igfxpers.exe
884 C:\Program Files\Common Files\Java\Java Update\jusched.exe
900 C:\Program Files\Microsoft Security Client\msseces.exe
956 C:\WINDOWS\system32\ctfmon.exe
1120 C:\Program Files\Codebox\BitMeter\BitMeter2.exe
1476 C:\WINDOWS\system32\igfxsrvc.exe
240 svchost.exe
1320 C:\WINDOWS\system32\agrsmsvc.exe
1412 C:\Program Files\Bonjour\mDNSResponder.exe
1344 C:\Program Files\Java\jre6\bin\jqs.exe
2368 C:\WINDOWS\system32\svchost.exe
3208 alg.exe
1084 C:\Documents and Settings\Bob\Desktop\Angry Birds\AngryBirds.exe
2264 C:\Program Files\Mozilla Firefox\firefox.exe
3928 C:\Program Files\Mozilla Firefox\plugin-container.exe
4032 C:\WINDOWS\system32\wscntfy.exe
3820 C:\Documents and Settings\Bob\Desktop\MBRCheck.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`5dd00000 (NTFS)
\\.\F: --> \\.\PhysicalDrive0 at offset 0x00000036`73000000 (NTFS)

PhysicalDrive0 Model Number: TOSHIBAMK2552GSX, Rev: LV010M

Size Device Name MBR Status
--------------------------------------------
232 GB \\.\PhysicalDrive0 Windows XP MBR code detected
SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A


Done!
 
Okay, let's see if this will get it:
  • Download the file TDSSKiller.zip and save to the desktop.
    (If you are unable to download the file for some reason, then TDSS may be blocking it. You would then need to download it first to a clean computer and then transfer it to the infected one using an external drive or USB flash drive.)
  • Right-click the tdsskiller.zip file> Select Extract All into a folder on the infected (or potentially infected) PC.
  • Double click on TDSSKiller.exe to run the scan.
  • When the scan is over, the utility outputs a list of detected objects with description.
    The utility automatically selects an action (Cure or Delete) for malicious objects.
    The utility prompts the user to select an action to apply to suspicious objects (Skip, by default).
  • Select the action Quarantine to quarantine detected objects.
    The default quarantine folder is in the system disk root folder, e.g.: C:\TDSSKiller_Quarantine\23.07.2010_15.31.43
  • After clicking Next, the utility applies selected actions and outputs the result.
  • A reboot is required after disinfection.
 
Bobbye,

That seems to have done the trick! Rootkit has been removed and I haven't noticed any redirects or strange happenings for an hour or so.

Thanks a lot for all your help :)
 
Good, we will continue: I need to make sure there are no remaining malware entries:

Run Eset NOD32 Online AntiVirus scan HERE: http://www.eset.eu/online-scanner
  1. Tick the box next to YES, I accept the Terms of Use.
  2. Click Start
  3. When asked, allow the Active X control to install
  4. Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
  5. Click Start
  6. Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
  7. Click Scan
  8. Wait for the scan to finish
  9. Click on "Copy to Clipboard"> (you won't see the 'clipboard')
  10. Click anywhere in the post where you want the logs to go, then do Ctrl V. The log will be sent from the clipboard and pasted in the post.
  11. Re-enable your Antivirus software.
    NOTE: If you forget to copy to the clipboard, you can find the log here:
    C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
=======================================
Download Combofix to your desktop from one of these locations:
Link 1
Link 2
http://www.forospyware.com/sUBs/ComboFix.exe
  • Double click combofix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. It is strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode if needed.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  • Query- Recovery Console image (RcAuto1.gif):
    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message (whatnext.png):
  • Click on Yes, to continue scanning for malware
  • If Combofix asks you to update the program, allow
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • Close any open browsers.
  • Double click combofix.exe (cf-icon.jpg) & follow the prompts to run.
  • When the scan completes it will open a text window. Please paste that log in your next reply.
Re-enable your Antivirus software.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
 
ESET LOG

C:\TDSSKiller_Quarantine\21.02.2011_18.34.55\boot0000\tdlfs0000\tsk0003.dta a variant of Win32/Olmarik.ADZ trojan
C:\TDSSKiller_Quarantine\21.02.2011_18.34.55\boot0000\tdlfs0000\tsk0006.dta Win64/Olmarik.AMO trojan
C:\TDSSKiller_Quarantine\21.02.2011_18.34.55\boot0000\tdlfs0000\tsk0007.dta Win64/Olmarik.J trojan
C:\TDSSKiller_Quarantine\21.02.2011_18.34.55\boot0000\tdlfs0000\tsk0009.dta Win32/Olmarik.ALK trojan

------------------------------------------------------------------------------------------------------------------------------------------

COMBOFIX LOG
-----------

ComboFix 11-02-21.02 - Bob 22/02/2011 19:44:58.1.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.2940.2375 [GMT 11:00]
Running from: c:\documents and settings\Bob\Desktop\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Install.exe
c:\windows\system32\Thumbs.db

.
((((((((((((((((((((((((( Files Created from 2011-01-22 to 2011-02-22 )))))))))))))))))))))))))))))))
.

2011-02-22 08:38 . 2011-02-22 08:38 28752 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{BE6FEB8B-A88A-4E91-91CC-EB05896DDBF2}\MpKsl933f9698.sys
2011-02-22 08:38 . 2011-01-13 09:41 5890896 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{BE6FEB8B-A88A-4E91-91CC-EB05896DDBF2}\mpengine.dll
2011-02-22 01:28 . 2011-02-22 01:28 -------- d-----w- c:\program files\ESET
2011-02-21 07:37 . 2011-02-21 07:37 -------- d-----w- C:\TDSSKiller_Quarantine
2011-02-19 08:33 . 2010-05-25 23:45 18816 ------w- c:\windows\system32\SAVRKBootTasks.sys
2011-02-19 00:29 . 2011-02-19 00:29 -------- d-----w- c:\program files\Sophos
2011-02-18 13:07 . 2010-12-03 19:43 553696 ----a-w- c:\program files\Mozilla Firefox\uninstall\helper.exe
2011-02-17 22:29 . 2011-02-17 22:30 -------- d-----w- c:\program files\Common Files\Adobe
2011-02-17 01:04 . 2011-02-17 02:18 -------- d-----w- c:\documents and settings\Bob\Application Data\dvdcss
2011-02-13 02:21 . 2011-02-13 02:22 -------- d-----w- c:\program files\WarZone
2011-02-13 02:18 . 2011-02-13 02:18 -------- d-----w- c:\program files\Microprose
2011-02-04 10:32 . 2011-02-04 10:32 -------- d-----w- c:\documents and settings\Bob\Application Data\Rovio
2011-02-04 10:31 . 2009-08-23 23:15 761152 ----a-w- c:\windows\system32\msvcr100.dll
2011-01-30 11:12 . 2011-01-13 09:41 5890896 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Updates\mpengine.dll
2011-01-30 11:12 . 2011-01-30 11:13 -------- d-----w- c:\program files\Microsoft Security Client
2011-01-30 03:57 . 2011-01-30 03:57 103864 ----a-w- c:\program files\Internet Explorer\Plugins\nppdf32.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-01-21 14:44 . 2008-04-14 03:42 439296 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-13 09:41 . 2010-12-16 04:11 5890896 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2011-01-07 14:09 . 2008-04-14 03:39 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-12-31 13:10 . 2010-04-03 15:47 1854976 ----a-w- c:\windows\system32\win32k.sys
2010-12-22 12:34 . 2010-04-03 15:45 301568 ----a-w- c:\windows\system32\kerberos.dll
2010-12-20 23:59 . 2010-04-03 15:50 916480 ----a-w- c:\windows\system32\wininet.dll
2010-12-20 23:59 . 2010-04-03 15:50 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-12-20 23:59 . 2010-04-03 15:50 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2010-12-20 17:26 . 2010-04-03 15:46 730112 ----a-w- c:\windows\system32\lsasrv.dll
2010-12-20 12:55 . 2010-04-03 15:50 385024 ----a-w- c:\windows\system32\html.iec
2010-12-20 07:09 . 2010-12-16 05:47 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-20 07:08 . 2010-12-16 05:47 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-12-14 13:34 . 2010-12-14 13:34 315392 ----a-w- c:\windows\HideWin.exe
2010-12-09 15:15 . 2009-02-09 12:10 718336 ----a-w- c:\windows\system32\ntdll.dll
2010-12-09 14:30 . 2010-04-03 15:45 33280 ----a-w- c:\windows\system32\csrsrv.dll
2010-12-09 13:42 . 2010-04-03 15:46 2148864 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-12-09 13:07 . 2009-12-08 18:43 2027008 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-11-29 06:38 . 2010-11-29 06:38 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-11-29 06:38 . 2010-11-29 06:38 69632 ----a-w- c:\windows\system32\QuickTime.qts
.

------- Sigcheck -------

[-] 2010-04-03 . 9425B72F40257B45D45D24773273DAD0 . 361600 . . [5.1.2600.5625] . . c:\windows\system32\drivers\tcpip.sys

[-] 2010-04-03 . 5A8E28037289FCCBF7AD3FC57DF7048F . 502272 . . [1.0626.6002.18005] . . c:\windows\system32\usp10.dll

[-] 2010-04-03 . F2DF0FDBD41B34112EE05ED04258F052 . 1614848 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="c:\program files\Steam\steam.exe" [2010-12-21 1242448]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2008-04-06 16860672]
"LtMoh"="c:\program files\ltmoh\Ltmoh.exe" [2007-01-09 191552]
"Camera Assistant Software"="c:\program files\Camera Assistant Software for Toshiba\traybar.exe" [2008-04-28 417792]
"TPSMain"="TPSMain.exe" [2008-07-30 266240]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-08-28 150040]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-08-28 170520]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-08-28 141848]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2010-11-30 997408]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-01-31 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-20 932288]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-25 437160]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"_nltide_3"="advpack.dll" [2010-04-03 128512]

c:\documents and settings\Bob\Start Menu\Programs\Startup\
OpenOffice.org 3.2.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2010-5-20 1195008]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bitmeter2.lnk - c:\program files\Codebox\BitMeter\BitMeter2.exe [2010-8-28 1462272]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders schannel.dll, digest.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Steam\\Steam.exe"=
"c:\\Program Files\\Steam\\steamapps\\latexdemon\\half-life 2 deathmatch\\hl2.exe"=
"c:\\Program Files\\Steam\\steamapps\\latexdemon\\source sdk base 2007\\hl2.exe"=
"c:\\Program Files\\Steam\\steamapps\\latexdemon\\source sdk base\\hl2.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"c:\\Program Files\\Steam\\steamapps\\latexdemon\\counter-strike source\\hl2.exe"=

R0 iastor86;iastor86;c:\windows\system32\drivers\iastor86.sys [4/04/2010 4:03 AM 327192]
R1 MpKsl933f9698;MpKsl933f9698;c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{BE6FEB8B-A88A-4E91-91CC-EB05896DDBF2}\MpKsl933f9698.sys [22/02/2011 7:38 PM 28752]
R1 SAVRKBootTasks;Boot Tasks Driver;c:\windows\system32\SAVRKBootTasks.sys [19/02/2011 7:33 PM 18816]
S1 MpKsl43f042e4;MpKsl43f042e4;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{49316F14-479B-4ABB-9E3E-F79C07EAC0C1}\MpKsl43f042e4.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{49316F14-479B-4ABB-9E3E-F79C07EAC0C1}\MpKsl43f042e4.sys [?]
S1 MpKsl4d9aa61d;MpKsl4d9aa61d;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{D4DF6549-B41A-4CD7-ADBA-E8BA4D215354}\MpKsl4d9aa61d.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{D4DF6549-B41A-4CD7-ADBA-E8BA4D215354}\MpKsl4d9aa61d.sys [?]
S1 MpKsl7d192544;MpKsl7d192544;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{7081DF1E-4DBA-486B-834B-A6AD0F3367DA}\MpKsl7d192544.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{7081DF1E-4DBA-486B-834B-A6AD0F3367DA}\MpKsl7d192544.sys [?]
S1 MpKsl85a0f85d;MpKsl85a0f85d;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{D4DF6549-B41A-4CD7-ADBA-E8BA4D215354}\MpKsl85a0f85d.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{D4DF6549-B41A-4CD7-ADBA-E8BA4D215354}\MpKsl85a0f85d.sys [?]
S1 MpKsl88c7a7ac;MpKsl88c7a7ac;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{D4DF6549-B41A-4CD7-ADBA-E8BA4D215354}\MpKsl88c7a7ac.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{D4DF6549-B41A-4CD7-ADBA-E8BA4D215354}\MpKsl88c7a7ac.sys [?]
S3 cpudrv;cpudrv;c:\program files\SystemRequirementsLab\cpudrv.sys [18/12/2009 10:58 AM 11336]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\6F.tmp --> c:\windows\system32\6F.tmp [?]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - MPKSL933F9698
*Deregistered* - klmd25

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder

2011-02-15 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 00:50]

2011-02-21 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2010-11-11 01:26]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.scroogle.org/cgi-bin/scraper.htm
uInternet Settings,ProxyOverride = *.local
FF - ProfilePath - c:\documents and settings\Bob\Application Data\Mozilla\Firefox\Profiles\ysxhsgrc.default\
FF - prefs.js: browser.search.selectedEngine - Scroogle SSL search
FF - prefs.js: browser.startup.homepage - hxxp://www.scroogle.org/cgi-bin/scraper.htm
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: foof: foof@foofme.com - %profile%\extensions\foof@foofme.com
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Boost for Facebook: {47624dda-b77e-4feb-820a-e4f077d5d4ca} - %profile%\extensions\{47624dda-b77e-4feb-820a-e4f077d5d4ca}
FF - Ext: FEBE: {4BBDD651-70CF-4821-84F8-2B918CF89CA3} - %profile%\extensions\{4BBDD651-70CF-4821-84F8-2B918CF89CA3}
FF - Ext: Update Notifier: {95f24680-9e31-11da-a746-0800200c9a66} - %profile%\extensions\{95f24680-9e31-11da-a746-0800200c9a66}
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - %profile%\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: ImTranslator: {9AA46F4F-4DC7-4c06-97AF-5035170634FE} - %profile%\extensions\{9AA46F4F-4DC7-4c06-97AF-5035170634FE}
FF - Ext: Fasterfox: {c36177c0-224a-11da-8cd6-0800200c9a91} - %profile%\extensions\{c36177c0-224a-11da-8cd6-0800200c9a91}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - %profile%\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}
FF - Ext: Greasemonkey: {e4a8a97b-f2ed-450b-b12d-ee082ba24781} - %profile%\extensions\{e4a8a97b-f2ed-450b-b12d-ee082ba24781}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-LClock - c:\program files\LClock\LClock.exe
AddRemove-GoldenEye: Source - c:\program files\Steam\SteamApps\sourcemods\GoldenEye: Source_Uninstall.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-02-22 19:48
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MEMSWEEP2]
"ImagePath"="\??\c:\windows\system32\6F.tmp"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(932)
c:\windows\system32\igfxdev.dll
.
Completion time: 2011-02-22 19:50:00
ComboFix-quarantined-files.txt 2011-02-22 08:49

Pre-Run: 89,443,737,600 bytes free
Post-Run: 89,502,990,336 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - EAF2FAB4E6AA07BD1CF9C41DFF9259F2
 
Believe it or not, I started on this 2 nights ago- was almost finished and **** internet went down. It's an intermittent problem I've been having with ISP!

Please run this Custom CFScript:

  • [1]. Close any open browsers.
  • [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  • [3]. Open notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it. Be sure to scroll down to include ALL lines.
Code:
File::
c:\windows\system32\6F.tmp
Folder::
C:\TDSSKiller_Quarantine
Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=-
Driver::
MEMSWEEP2
Save this as CFScript.txt, in the same location as ComboFix.exe
CFScriptB-4.gif


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt . Please paste in your next reply.
====================
I would also like to ask about these files:
S1 MpKsl43f042e4;MpKsl43f042e4;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{49316F14-479B-4ABB-9E3E-F79C07EAC0C1}\MpKsl43f042e4.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{49316F14-479B-4ABB-9E3E-F79C07EAC0C1}\MpKsl43f042e4.sys [?]

There are 5 of the same kind of files in the Service/Driver section of the log. I have not seen this before. All have the same question mark in Combofix- I didn't put that in. When I try to identify the name such as MpKsl43f042e4, this thread is the only entry that comes up on the internet.

Please check the configuration of the program- there is an error somewhere in it, regarding the updates. Possibly doing a manual update, followed by a reboot will handle it. If it does not, I will remove all of them with script.
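As an added example (my own code, not from this thread, ComboFix, or Microsoft), here is a small Python triage of the R0/R1/S1/S3 service and driver lines in a ComboFix log like the one above: it flags entries where ComboFix printed "[?]" instead of a date and size (as I understand ComboFix's convention, that means it could not find the file on disk, which is what the five MpKsl entries show), flags any driver whose image is a .tmp file, and counts the missing entries per name family. The sample lines are copied from the log in this thread; the function and constant names are my own.

```python
"""Triage the service/driver lines of a ComboFix log.

Added example; not code from the thread, from ComboFix or from Microsoft.
The line shape it parses (taken from the logs posted in this thread) is:
    S1 Name;Display;ImagePath --> ResolvedPath [?]
    R1 Name;Display;ImagePath [dd/mm/yyyy h:mm AM size]
"[?]" in place of the date and size is read here as "file not found".
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Sample lines copied from the ComboFix log posted in this thread.
SAMPLE_LOG = r"""
R0 iastor86;iastor86;c:\windows\system32\drivers\iastor86.sys [4/04/2010 4:03 AM 327192]
R1 SAVRKBootTasks;Boot Tasks Driver;c:\windows\system32\SAVRKBootTasks.sys [19/02/2011 7:33 PM 18816]
S1 MpKsl43f042e4;MpKsl43f042e4;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{49316F14-479B-4ABB-9E3E-F79C07EAC0C1}\MpKsl43f042e4.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{49316F14-479B-4ABB-9E3E-F79C07EAC0C1}\MpKsl43f042e4.sys [?]
S3 MEMSWEEP2;MEMSWEEP2;\??\c:\windows\system32\6F.tmp --> c:\windows\system32\6F.tmp [?]
"""

# state letter (R = running, S = stopped), start type 0-4,
# then name;display;image path[ --> resolved path] and a trailing [bracket]
LINE_RE = re.compile(r"^([RS])([0-4])\s+([^;]+);([^;]*);(.*?)\s*\[([^\]]*)\]\s*$")

MISSING = "image file not found (ComboFix printed '[?]')"
TMP_IMAGE = "driver image path is a .tmp file"


@dataclass
class ServiceEntry:
    state: str
    start_type: int
    name: str
    display: str
    image_path: str
    resolved_path: Optional[str]
    file_found: bool

    @property
    def target(self) -> str:
        """Path ComboFix actually looked for on disk."""
        return self.resolved_path or self.image_path


def parse_service_line(line: str) -> Optional[ServiceEntry]:
    """Parse one R*/S* line; return None for any other line."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    state, start, name, display, paths, bracket = m.groups()
    image, resolved = paths, None
    if " --> " in paths:
        image, resolved = paths.split(" --> ", 1)
    return ServiceEntry(
        state=state, start_type=int(start), name=name.strip(),
        display=display.strip(), image_path=image.strip(),
        resolved_path=resolved.strip() if resolved else None,
        file_found=bracket.strip() != "?",
    )


def parse_log(text: str) -> List[ServiceEntry]:
    entries = []
    for line in text.splitlines():
        e = parse_service_line(line)
        if e is not None:
            entries.append(e)
    return entries


def triage(text: str) -> List[Tuple[str, str]]:
    """Return (service name, reason) pairs worth a second look."""
    findings = []
    for e in parse_log(text):
        if not e.file_found:
            findings.append((e.name, MISSING))
        if e.target.lower().endswith(".tmp"):
            findings.append((e.name, TMP_IMAGE))
    return findings


def missing_by_family(text: str) -> Dict[str, int]:
    """Count not-found entries per name family, e.g. MpKsl43f042e4 -> 'MpKsl'."""
    counts: Dict[str, int] = {}
    for e in parse_log(text):
        if e.file_found:
            continue
        # strip an 8-digit lowercase hex suffix, the pattern the MpKsl names use
        family = re.sub(r"[0-9a-f]{8}$", "", e.name) or e.name
        counts[family] = counts.get(family, 0) + 1
    return counts


if __name__ == "__main__":
    for name, reason in triage(SAMPLE_LOG):
        print(f"{name}: {reason}")
    print(missing_by_family(SAMPLE_LOG))
```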
 
Bobbye,

I have completed the combofix tasks and the log is as follows. In regards to the " 5 of these same kind of files in the Service/Driver section of the log " I assume that's associated with Microsoft Security Essentials? I have tried updating definitions and rebooting. I'm not certain if that has removed them.

Combofix log as follows ;

ComboFix 11-02-24.01 - Bob 25/02/2011 10:27:16.3.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.2940.2479 [GMT 11:00]
Running from: c:\documents and settings\Bob\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Bob\Desktop\CFScript.exe.txt
AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}
.

((((((((((((((((((((((((( Files Created from 2011-01-24 to 2011-02-24 )))))))))))))))))))))))))))))))
.

2011-02-24 22:56 . 2011-02-24 22:56 28752 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{7A4A95BF-EBD2-4F97-8150-1C57A6AAF96A}\MpKsl68c2520a.sys
2011-02-24 22:56 . 2011-02-11 06:54 5943120 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{7A4A95BF-EBD2-4F97-8150-1C57A6AAF96A}\mpengine.dll
2011-02-22 01:28 . 2011-02-22 01:28 -------- d-----w- c:\program files\ESET
2011-02-19 08:33 . 2010-05-25 23:45 18816 ------w- c:\windows\system32\SAVRKBootTasks.sys
2011-02-19 00:29 . 2011-02-19 00:29 -------- d-----w- c:\program files\Sophos
2011-02-18 13:07 . 2010-12-03 19:43 553696 ----a-w- c:\program files\Mozilla Firefox\uninstall\helper.exe
2011-02-17 22:29 . 2011-02-17 22:30 -------- d-----w- c:\program files\Common Files\Adobe
2011-02-17 01:04 . 2011-02-17 02:18 -------- d-----w- c:\documents and settings\Bob\Application Data\dvdcss
2011-02-13 02:21 . 2011-02-13 02:22 -------- d-----w- c:\program files\WarZone
2011-02-13 02:18 . 2011-02-13 02:18 -------- d-----w- c:\program files\Microprose
2011-02-04 10:32 . 2011-02-04 10:32 -------- d-----w- c:\documents and settings\Bob\Application Data\Rovio
2011-02-04 10:31 . 2009-08-23 23:15 761152 ----a-w- c:\windows\system32\msvcr100.dll
2011-01-30 11:12 . 2011-01-13 09:41 5890896 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Updates\mpengine.dll
2011-01-30 11:12 . 2011-01-30 11:13 -------- d-----w- c:\program files\Microsoft Security Client
2011-01-30 03:57 . 2011-01-30 03:57 103864 ----a-w- c:\program files\Internet Explorer\Plugins\nppdf32.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-02-11 06:54 . 2010-12-16 04:11 5943120 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2011-01-21 14:44 . 2008-04-14 03:42 439296 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-07 14:09 . 2008-04-14 03:39 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-12-31 13:10 . 2010-04-03 15:47 1854976 ----a-w- c:\windows\system32\win32k.sys
2010-12-22 12:34 . 2010-04-03 15:45 301568 ----a-w- c:\windows\system32\kerberos.dll
2010-12-20 23:59 . 2010-04-03 15:50 916480 ----a-w- c:\windows\system32\wininet.dll
2010-12-20 23:59 . 2010-04-03 15:50 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-12-20 23:59 . 2010-04-03 15:50 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2010-12-20 17:26 . 2010-04-03 15:46 730112 ----a-w- c:\windows\system32\lsasrv.dll
2010-12-20 12:55 . 2010-04-03 15:50 385024 ----a-w- c:\windows\system32\html.iec
2010-12-20 07:09 . 2010-12-16 05:47 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-20 07:08 . 2010-12-16 05:47 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-12-14 13:34 . 2010-12-14 13:34 315392 ----a-w- c:\windows\HideWin.exe
2010-12-09 15:15 . 2009-02-09 12:10 718336 ----a-w- c:\windows\system32\ntdll.dll
2010-12-09 14:30 . 2010-04-03 15:45 33280 ----a-w- c:\windows\system32\csrsrv.dll
2010-12-09 13:42 . 2010-04-03 15:46 2148864 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-12-09 13:07 . 2009-12-08 18:43 2027008 ----a-w- c:\windows\system32\ntkrnlpa.exe
2010-11-29 06:38 . 2010-11-29 06:38 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-11-29 06:38 . 2010-11-29 06:38 69632 ----a-w- c:\windows\system32\QuickTime.qts
.

------- Sigcheck -------

[-] 2010-04-03 . 9425B72F40257B45D45D24773273DAD0 . 361600 . . [5.1.2600.5625] . . c:\windows\system32\drivers\tcpip.sys

[-] 2010-04-03 . 5A8E28037289FCCBF7AD3FC57DF7048F . 502272 . . [1.0626.6002.18005] . . c:\windows\system32\usp10.dll

[-] 2010-04-03 . F2DF0FDBD41B34112EE05ED04258F052 . 1614848 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll
.
((((((((((((((((((((((((((((( SnapShot@2011-02-22_08.48.42 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-02-24 22:49 . 2011-02-24 22:49 16384 c:\windows\Temp\Perflib_Perfdata_568.dat
- 2010-12-13 20:42 . 2010-07-05 13:15 17272 c:\windows\system32\spmsg.dll
+ 2010-12-13 20:42 . 2008-07-08 13:02 17272 c:\windows\system32\spmsg.dll
+ 2008-04-14 03:42 . 2009-07-27 23:17 135168 c:\windows\system32\shsvcs.dll
- 2008-04-14 03:42 . 2008-04-14 03:42 135168 c:\windows\system32\shsvcs.dll
+ 2008-04-14 03:42 . 2009-07-27 23:17 135168 c:\windows\system32\dllcache\shsvcs.dll
- 2008-04-14 03:42 . 2008-04-14 03:42 135168 c:\windows\system32\dllcache\shsvcs.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="c:\program files\Steam\steam.exe" [2010-12-21 1242448]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2008-04-06 16860672]
"LtMoh"="c:\program files\ltmoh\Ltmoh.exe" [2007-01-09 191552]
"Camera Assistant Software"="c:\program files\Camera Assistant Software for Toshiba\traybar.exe" [2008-04-28 417792]
"TPSMain"="TPSMain.exe" [2008-07-30 266240]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-08-28 150040]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-08-28 170520]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-08-28 141848]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2010-11-30 997408]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-01-31 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-20 932288]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-25 437160]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"_nltide_3"="advpack.dll" [2010-04-03 128512]

c:\documents and settings\Bob\Start Menu\Programs\Startup\
OpenOffice.org 3.2.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2010-5-20 1195008]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bitmeter2.lnk - c:\program files\Codebox\BitMeter\BitMeter2.exe [2010-8-28 1462272]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders schannel.dll, digest.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Steam\\Steam.exe"=
"c:\\Program Files\\Steam\\steamapps\\latexdemon\\half-life 2 deathmatch\\hl2.exe"=
"c:\\Program Files\\Steam\\steamapps\\latexdemon\\source sdk base 2007\\hl2.exe"=
"c:\\Program Files\\Steam\\steamapps\\latexdemon\\source sdk base\\hl2.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"c:\\Program Files\\Steam\\steamapps\\latexdemon\\counter-strike source\\hl2.exe"=

R0 iastor86;iastor86;c:\windows\system32\drivers\iastor86.sys [4/04/2010 4:03 AM 327192]
R1 MpKsl68c2520a;MpKsl68c2520a;c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{7A4A95BF-EBD2-4F97-8150-1C57A6AAF96A}\MpKsl68c2520a.sys [25/02/2011 9:56 AM 28752]
R1 SAVRKBootTasks;Boot Tasks Driver;c:\windows\system32\SAVRKBootTasks.sys [19/02/2011 7:33 PM 18816]
S1 MpKsl08ae13cb;MpKsl08ae13cb;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{F624763D-9851-4317-8895-6A931C4BA3B2}\MpKsl08ae13cb.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{F624763D-9851-4317-8895-6A931C4BA3B2}\MpKsl08ae13cb.sys [?]
S1 MpKsl43f042e4;MpKsl43f042e4;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{49316F14-479B-4ABB-9E3E-F79C07EAC0C1}\MpKsl43f042e4.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{49316F14-479B-4ABB-9E3E-F79C07EAC0C1}\MpKsl43f042e4.sys [?]
S1 MpKsl4d9aa61d;MpKsl4d9aa61d;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{D4DF6549-B41A-4CD7-ADBA-E8BA4D215354}\MpKsl4d9aa61d.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{D4DF6549-B41A-4CD7-ADBA-E8BA4D215354}\MpKsl4d9aa61d.sys [?]
S1 MpKsl7d192544;MpKsl7d192544;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{7081DF1E-4DBA-486B-834B-A6AD0F3367DA}\MpKsl7d192544.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{7081DF1E-4DBA-486B-834B-A6AD0F3367DA}\MpKsl7d192544.sys [?]
S1 MpKsl85a0f85d;MpKsl85a0f85d;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{D4DF6549-B41A-4CD7-ADBA-E8BA4D215354}\MpKsl85a0f85d.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{D4DF6549-B41A-4CD7-ADBA-E8BA4D215354}\MpKsl85a0f85d.sys [?]
S1 MpKsl88c7a7ac;MpKsl88c7a7ac;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{D4DF6549-B41A-4CD7-ADBA-E8BA4D215354}\MpKsl88c7a7ac.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{D4DF6549-B41A-4CD7-ADBA-E8BA4D215354}\MpKsl88c7a7ac.sys [?]
S3 cpudrv;cpudrv;c:\program files\SystemRequirementsLab\cpudrv.sys [18/12/2009 10:58 AM 11336]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - MPKSL68C2520A
*NewlyCreated* - MPKSLC4D5D859
*Deregistered* - MpKslc4d5d859

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder

2011-02-22 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 00:50]

2011-02-24 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2010-11-11 01:26]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.scroogle.org/cgi-bin/scraper.htm
uInternet Settings,ProxyOverride = *.local
FF - ProfilePath - c:\documents and settings\Bob\Application Data\Mozilla\Firefox\Profiles\ysxhsgrc.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.scroogle.org/cgi-bin/scraper.htm
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: foof: foof@foofme.com - %profile%\extensions\foof@foofme.com
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Boost for Facebook: {47624dda-b77e-4feb-820a-e4f077d5d4ca} - %profile%\extensions\{47624dda-b77e-4feb-820a-e4f077d5d4ca}
FF - Ext: FEBE: {4BBDD651-70CF-4821-84F8-2B918CF89CA3} - %profile%\extensions\{4BBDD651-70CF-4821-84F8-2B918CF89CA3}
FF - Ext: Update Notifier: {95f24680-9e31-11da-a746-0800200c9a66} - %profile%\extensions\{95f24680-9e31-11da-a746-0800200c9a66}
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - %profile%\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: ImTranslator: {9AA46F4F-4DC7-4c06-97AF-5035170634FE} - %profile%\extensions\{9AA46F4F-4DC7-4c06-97AF-5035170634FE}
FF - Ext: Fasterfox: {c36177c0-224a-11da-8cd6-0800200c9a91} - %profile%\extensions\{c36177c0-224a-11da-8cd6-0800200c9a91}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - %profile%\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}
FF - Ext: Greasemonkey: {e4a8a97b-f2ed-450b-b12d-ee082ba24781} - %profile%\extensions\{e4a8a97b-f2ed-450b-b12d-ee082ba24781}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-02-25 10:30
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(904)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\program files\OpenOffice.org 3\Basis\program\shlxthdl\shlxthdl.dll
c:\program files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2011-02-25 10:31:39
ComboFix-quarantined-files.txt 2011-02-24 23:31
ComboFix2.txt 2011-02-24 22:52
ComboFix3.txt 2011-02-22 08:50

Pre-Run: 83,417,186,304 bytes free
Post-Run: 83,406,413,824 bytes free

- - End Of File - - FB11D6F485ACFE854FDD86DAB7D13E55
 
Okay, we'll clean up some of the excess update processes:

Please run this Custom CFScript:

  • [1]. Close any open browsers.
  • [2]. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
  • [3]. Open Notepad> click on Format> uncheck 'Word Wrap'> and copy/paste the text in the code below into it:
Code:
File::
c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{F624763D-9851-4317-8895-6A931C4BA3B2}\MpKsl08ae13cb.sys
c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{49316F14-479B-4ABB-9E3E-F79C07EAC0C1}\MpKsl43f042e4.sys
c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{D4DF6549-B41A-4CD7-ADBA-E8BA4D215354}\MpKsl4d9aa61d.sys
c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{7081DF1E-4DBA-486B-834B-A6AD0F3367DA}\MpKsl7d192544.sys
c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{D4DF6549-B41A-4CD7-ADBA-E8BA4D215354}\MpKsl85a0f85d.sys
c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{D4DF6549-B41A-4CD7-ADBA-E8BA4D215354}\MpKsl88c7a7ac.sys 

Driver::
MpKsl08ae13cb
MpKsl43f042e4
MpKsl4d9aa61d
MpKsl7d192544
MpKsl85a0f85d
MpKsl88c7a7ac
Save this as CFScript.txt, in the same location as ComboFix.exe
[image: CFScriptB-4.gif, showing CFScript.txt being dragged onto ComboFix.exe]


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt . Please paste it into your next reply.
====================
One more check to make sure there are no bad entries left:
Download HijackThis http://download.bleepingcomputer.com/hijackthis/HijackThis.zip and save it to your desktop.
  • Extract it to a directory on your hard drive called c:\HijackThis.
  • Then navigate to that directory and double-click on the hijackthis.exe file.
  • When started click on the Scan button and then the Save Log button to create a log of your information.
  • The log file will then open in Notepad. Be sure to click on Format> Uncheck Word Wrap when you open Notepad.
  • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
  • Come back here to this thread and paste (Ctrl+V) the log in your next reply.

NOTE: Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.
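As an added illustration (not part of this thread, and not ComboFix's own code): a small Python script that reads ComboFix driver lines like the ones in the log above, flags the MpKsl* Microsoft Antimalware definition-update drivers whose .sys file is gone (the "[?]" entries), and assembles the File:: / Driver:: sections that the CFScript above lists by hand. The sample log lines are constructed from the entry shapes quoted in this thread; the helper names are hypothetical.

```python
"""Added example: flag stale MpKsl* definition-update drivers in a ComboFix log.

ComboFix lists drivers/services one per line as
    <start> <name>;<display name>;<image path> [<date> <size>]
and, when the image file no longer exists on disk, as
    <start> <name>;<display name>;\\??\\<path> --> <path> [?]
Microsoft Security Essentials creates a new MpKsl<hex> driver under a fresh
GUID folder for every definition update; the ones whose file is gone are the
entries the CFScript above removes by hand.
"""
import re

# One ComboFix driver line (start types R0-R4 / S0-S4 as printed by ComboFix).
DRIVER_LINE = re.compile(
    r"^(?P<start>[RS][0-4])\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.*)$"
)
# GUID folder under "...\Definition Updates\{GUID}\" (literal backslash and braces).
DEF_UPDATE_GUID = re.compile(r"Definition Updates\\\{([0-9A-Fa-f-]{36})\}")


def parse_driver_line(line):
    """Return (start_type, service_name, image_path, file_missing) or None."""
    m = DRIVER_LINE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest").strip()
    missing = rest.endswith("[?]")
    # Unresolved images are printed as "\??\path --> path [?]"; keep the target.
    if " --> " in rest:
        rest = rest.split(" --> ", 1)[1]
    # Drop the trailing "[date size]" or "[?]" bracket.
    path = rest.rsplit(" [", 1)[0].strip()
    return m.group("start"), m.group("name"), path, missing


def find_stale_mpksl(log_text):
    """All MpKsl* entries whose .sys image is missing, in log order."""
    stale = []
    for line in log_text.splitlines():
        parsed = parse_driver_line(line)
        if parsed is None:
            continue
        start, name, path, missing = parsed
        if name.lower().startswith("mpksl") and missing:
            guid = DEF_UPDATE_GUID.search(path)
            stale.append({"start": start, "name": name, "path": path,
                          "guid": guid.group(1).upper() if guid else None})
    return stale


def build_cfscript(stale):
    """Render the File:: / Driver:: sections in the CFScript directive format."""
    files = ["File::"] + [e["path"] for e in stale]
    drivers = ["Driver::"] + [e["name"] for e in stale]
    return "\n".join(files + [""] + drivers) + "\n"


# --- constructed sample, built from the entry shapes quoted in this thread ---
BASE = (r"c:\documents and settings\All Users\Application Data\Microsoft"
        r"\Microsoft Antimalware\Definition Updates")


def _entry(start, name, guid, missing):
    """Build one driver line in ComboFix's format (sample data, not real output)."""
    path = BASE + "\\{" + guid + "}\\" + name + ".sys"
    if missing:
        return "%s %s;%s;\\??\\%s --> %s [?]" % (start, name, name, path, path)
    return "%s %s;%s;%s [25/02/2011 9:56 AM 28752]" % (start, name, name, path)


SAMPLE_LOG = "\n".join([
    r"R0 iastor86;iastor86;c:\windows\system32\drivers\iastor86.sys [4/04/2010 4:03 AM 327192]",
    _entry("R1", "MpKsl68c2520a", "7A4A95BF-EBD2-4F97-8150-1C57A6AAF96A", False),  # live
    _entry("S1", "MpKsl08ae13cb", "F624763D-9851-4317-8895-6A931C4BA3B2", True),
    _entry("S1", "MpKsl43f042e4", "49316F14-479B-4ABB-9E3E-F79C07EAC0C1", True),
    _entry("S1", "MpKsl4d9aa61d", "D4DF6549-B41A-4CD7-ADBA-E8BA4D215354", True),
    r"S3 cpudrv;cpudrv;c:\program files\SystemRequirementsLab\cpudrv.sys [18/12/2009 10:58 AM 11336]",
    "*NewlyCreated* - MPKSL68C2520A",
])

if __name__ == "__main__":
    stale_entries = find_stale_mpksl(SAMPLE_LOG)
    for e in stale_entries:
        print("%s %s  (definition folder %s)" % (e["start"], e["name"], e["guid"]))
    print(build_cfscript(stale_entries))
```

The live R1 driver (file present, no "[?]") is left alone; only the orphaned S1 entries end up in the generated script.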
 
Hey Bobbye

Combofix and hijackthis logs are as follows:

ComboFix 11-02-24.01 - Bob 02/03/2011 0:00.4.2 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.2940.2466 [GMT 11:00]
Running from: c:\documents and settings\Bob\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Bob\Desktop\CFScript.txt.txt
AV: Microsoft Security Essentials *Disabled/Updated* {BCF43643-A118-4432-AEDE-D861FCBCFCDF}
AV: Microsoft Security Essentials *Disabled/Updated* {EDB4FA23-53B8-4AFA-8C5D-99752CCA7095}

FILE ::
"c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{49316F14-479B-4ABB-9E3E-F79C07EAC0C1}\MpKsl43f042e4.sys"
"c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{7081DF1E-4DBA-486B-834B-A6AD0F3367DA}\MpKsl7d192544.sys"
"c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{D4DF6549-B41A-4CD7-ADBA-E8BA4D215354}\MpKsl4d9aa61d.sys"
"c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{D4DF6549-B41A-4CD7-ADBA-E8BA4D215354}\MpKsl85a0f85d.sys"
"c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{D4DF6549-B41A-4CD7-ADBA-E8BA4D215354}\MpKsl88c7a7ac.sys"
"c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{F624763D-9851-4317-8895-6A931C4BA3B2}\MpKsl08ae13cb.sys"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_MPKSL08AE13CB
-------\Legacy_MPKSL43F042E4
-------\Legacy_MPKSL4D9AA61D
-------\Legacy_MPKSL7D192544
-------\Legacy_MPKSL85A0F85D
-------\Legacy_MPKSL88C7A7AC
-------\Service_MpKsl08ae13cb
-------\Service_MpKsl43f042e4
-------\Service_MpKsl4d9aa61d
-------\Service_MpKsl7d192544
-------\Service_MpKsl85a0f85d
-------\Service_MpKsl88c7a7ac


((((((((((((((((((((((((( Files Created from 2011-02-01 to 2011-03-01 )))))))))))))))))))))))))))))))
.

2011-02-28 08:11 . 2011-02-11 06:54 5943120 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{DC2088C0-A466-49C4-9992-D0466A390C05}\mpengine.dll
2011-02-25 00:24 . 2011-02-25 00:24 -------- d-----w- c:\documents and settings\Bob\Local Settings\Application Data\Identities
2011-02-22 01:28 . 2011-02-22 01:28 -------- d-----w- c:\program files\ESET
2011-02-19 08:33 . 2010-05-25 23:45 18816 ------w- c:\windows\system32\SAVRKBootTasks.sys
2011-02-19 00:29 . 2011-02-19 00:29 -------- d-----w- c:\program files\Sophos
2011-02-18 13:07 . 2010-12-03 19:43 553696 ----a-w- c:\program files\Mozilla Firefox\uninstall\helper.exe
2011-02-17 22:29 . 2011-02-17 22:30 -------- d-----w- c:\program files\Common Files\Adobe
2011-02-17 01:04 . 2011-02-17 02:18 -------- d-----w- c:\documents and settings\Bob\Application Data\dvdcss
2011-02-13 02:21 . 2011-02-13 02:22 -------- d-----w- c:\program files\WarZone
2011-02-13 02:18 . 2011-02-13 02:18 -------- d-----w- c:\program files\Microprose
2011-02-04 10:32 . 2011-02-04 10:32 -------- d-----w- c:\documents and settings\Bob\Application Data\Rovio
2011-02-04 10:31 . 2009-08-23 23:15 761152 ----a-w- c:\windows\system32\msvcr100.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-02-11 06:54 . 2010-12-16 04:11 5943120 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2011-01-21 14:44 . 2008-04-14 03:42 439296 ----a-w- c:\windows\system32\shimgvw.dll
2011-01-13 09:41 . 2011-01-30 11:12 5890896 ----a-w- c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\Updates\mpengine.dll
2011-01-07 14:09 . 2008-04-14 03:39 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-12-31 13:10 . 2010-04-03 15:47 1854976 ----a-w- c:\windows\system32\win32k.sys
2010-12-22 12:34 . 2010-04-03 15:45 301568 ----a-w- c:\windows\system32\kerberos.dll
2010-12-20 23:59 . 2010-04-03 15:50 916480 ----a-w- c:\windows\system32\wininet.dll
2010-12-20 23:59 . 2010-04-03 15:50 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-12-20 23:59 . 2010-04-03 15:50 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2010-12-20 17:26 . 2010-04-03 15:46 730112 ----a-w- c:\windows\system32\lsasrv.dll
2010-12-20 12:55 . 2010-04-03 15:50 385024 ----a-w- c:\windows\system32\html.iec
2010-12-20 07:09 . 2010-12-16 05:47 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-20 07:08 . 2010-12-16 05:47 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-12-14 13:34 . 2010-12-14 13:34 315392 ----a-w- c:\windows\HideWin.exe
2010-12-09 15:15 . 2009-02-09 12:10 718336 ----a-w- c:\windows\system32\ntdll.dll
2010-12-09 14:30 . 2010-04-03 15:45 33280 ----a-w- c:\windows\system32\csrsrv.dll
2010-12-09 13:42 . 2010-04-03 15:46 2148864 ----a-w- c:\windows\system32\ntoskrnl.exe
2010-12-09 13:07 . 2009-12-08 18:43 2027008 ----a-w- c:\windows\system32\ntkrnlpa.exe
.

------- Sigcheck -------

[-] 2010-04-03 . 9425B72F40257B45D45D24773273DAD0 . 361600 . . [5.1.2600.5625] . . c:\windows\system32\drivers\tcpip.sys

[-] 2010-04-03 . 5A8E28037289FCCBF7AD3FC57DF7048F . 502272 . . [1.0626.6002.18005] . . c:\windows\system32\usp10.dll

[-] 2010-04-03 . F2DF0FDBD41B34112EE05ED04258F052 . 1614848 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll
.
((((((((((((((((((((((((((((( SnapShot@2011-02-22_08.48.42 )))))))))))))))))))))))))))))))))))))))))
.
+ 2011-03-01 13:07 . 2011-03-01 13:07 16384 c:\windows\Temp\Perflib_Perfdata_24c.dat
- 2010-12-13 20:42 . 2010-07-05 13:15 17272 c:\windows\system32\spmsg.dll
+ 2010-12-13 20:42 . 2008-07-08 13:02 17272 c:\windows\system32\spmsg.dll
+ 2008-04-14 03:42 . 2009-07-27 23:17 135168 c:\windows\system32\shsvcs.dll
- 2008-04-14 03:42 . 2008-04-14 03:42 135168 c:\windows\system32\shsvcs.dll
+ 2008-04-14 03:42 . 2009-07-27 23:17 135168 c:\windows\system32\dllcache\shsvcs.dll
- 2008-04-14 03:42 . 2008-04-14 03:42 135168 c:\windows\system32\dllcache\shsvcs.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="c:\program files\Steam\steam.exe" [2010-12-21 1242448]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2008-04-06 16860672]
"LtMoh"="c:\program files\ltmoh\Ltmoh.exe" [2007-01-09 191552]
"Camera Assistant Software"="c:\program files\Camera Assistant Software for Toshiba\traybar.exe" [2008-04-28 417792]
"TPSMain"="TPSMain.exe" [2008-07-30 266240]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-08-28 150040]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-08-28 170520]
"Persistence"="c:\windows\system32\igfxpers.exe" [2008-08-28 141848]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-11-29 421888]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2010-11-30 997408]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2011-01-31 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-20 932288]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-02-25 437160]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"_nltide_3"="advpack.dll" [2010-04-03 128512]

c:\documents and settings\Bob\Start Menu\Programs\Startup\
OpenOffice.org 3.2.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2010-5-20 1195008]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bitmeter2.lnk - c:\program files\Codebox\BitMeter\BitMeter2.exe [2010-8-28 1462272]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders schannel.dll, digest.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Steam\\Steam.exe"=
"c:\\Program Files\\Steam\\steamapps\\latexdemon\\half-life 2 deathmatch\\hl2.exe"=
"c:\\Program Files\\Steam\\steamapps\\latexdemon\\source sdk base 2007\\hl2.exe"=
"c:\\Program Files\\Steam\\steamapps\\latexdemon\\source sdk base\\hl2.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"c:\\Program Files\\Steam\\steamapps\\latexdemon\\counter-strike source\\hl2.exe"=

R0 iastor86;iastor86;c:\windows\system32\drivers\iastor86.sys [4/04/2010 4:03 AM 327192]
R1 SAVRKBootTasks;Boot Tasks Driver;c:\windows\system32\SAVRKBootTasks.sys [19/02/2011 7:33 PM 18816]
S1 MpKsl020a3e57;MpKsl020a3e57;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{DC2088C0-A466-49C4-9992-D0466A390C05}\MpKsl020a3e57.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{DC2088C0-A466-49C4-9992-D0466A390C05}\MpKsl020a3e57.sys [?]
S1 MpKsl0888d258;MpKsl0888d258;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{DC2088C0-A466-49C4-9992-D0466A390C05}\MpKsl0888d258.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{DC2088C0-A466-49C4-9992-D0466A390C05}\MpKsl0888d258.sys [?]
S1 MpKsl554f5fb5;MpKsl554f5fb5;\??\c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{41431C93-F47D-4BA2-80C5-6540E10CB41E}\MpKsl554f5fb5.sys --> c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{41431C93-F47D-4BA2-80C5-6540E10CB41E}\MpKsl554f5fb5.sys [?]
S3 cpudrv;cpudrv;c:\program files\SystemRequirementsLab\cpudrv.sys [18/12/2009 10:58 AM 11336]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder

2011-03-01 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 00:50]

2011-03-01 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Security Client\Antimalware\MpCmdRun.exe [2010-11-11 01:26]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.scroogle.org/cgi-bin/scraper.htm
uInternet Settings,ProxyOverride = *.local
FF - ProfilePath - c:\documents and settings\Bob\Application Data\Mozilla\Firefox\Profiles\ysxhsgrc.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.scroogle.org/cgi-bin/scraper.htm
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: foof: foof@foofme.com - %profile%\extensions\foof@foofme.com
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Boost for Facebook: {47624dda-b77e-4feb-820a-e4f077d5d4ca} - %profile%\extensions\{47624dda-b77e-4feb-820a-e4f077d5d4ca}
FF - Ext: FEBE: {4BBDD651-70CF-4821-84F8-2B918CF89CA3} - %profile%\extensions\{4BBDD651-70CF-4821-84F8-2B918CF89CA3}
FF - Ext: Update Notifier: {95f24680-9e31-11da-a746-0800200c9a66} - %profile%\extensions\{95f24680-9e31-11da-a746-0800200c9a66}
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - %profile%\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: ImTranslator: {9AA46F4F-4DC7-4c06-97AF-5035170634FE} - %profile%\extensions\{9AA46F4F-4DC7-4c06-97AF-5035170634FE}
FF - Ext: Fasterfox: {c36177c0-224a-11da-8cd6-0800200c9a91} - %profile%\extensions\{c36177c0-224a-11da-8cd6-0800200c9a91}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA} - %profile%\extensions\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}
FF - Ext: Greasemonkey: {e4a8a97b-f2ed-450b-b12d-ee082ba24781} - %profile%\extensions\{e4a8a97b-f2ed-450b-b12d-ee082ba24781}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - Ext: Java Quick Starter: jqs@sun.com - c:\program files\Java\jre6\lib\deploy\jqs\ff
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2011-03-02 00:16
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2576)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Microsoft Security Client\Antimalware\MsMpEng.exe
c:\windows\system32\agrsmsvc.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\wscntfy.exe
c:\windows\RTHDCPL.EXE
c:\windows\system32\igfxsrvc.exe
.
**************************************************************************
.
Completion time: 2011-03-02 00:19:46 - machine was rebooted
ComboFix-quarantined-files.txt 2011-03-01 13:19
ComboFix2.txt 2011-02-24 23:31
ComboFix3.txt 2011-02-24 22:52
ComboFix4.txt 2011-02-22 08:50

Pre-Run: 83,000,569,856 bytes free
Post-Run: 83,032,801,280 bytes free

- - End Of File - - 7CDEE1AD65F8D4C05E9F6348CEB6BB1E

--------------------------------------------------------------------------------------------

HijackThis Log

------------------------------

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 12:30:54 AM, on 2/03/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 SP3 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
c:\Program Files\Microsoft Security Client\Antimalware\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\agrsmsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\ltmoh\Ltmoh.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Codebox\BitMeter\BitMeter2.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Common Files\Java\Java Update\jucheck.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.scroogle.org/cgi-bin/scraper.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [Camera Assistant Software] "C:\Program Files\Camera Assistant Software for Toshiba\traybar.exe" /start
O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\steam.exe" -silent
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "c:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
O4 - Startup: OpenOffice.org 3.2.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe
O4 - Global Startup: Bitmeter2.lnk = C:\Program Files\Codebox\BitMeter\BitMeter2.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} (GMNRev Class) - http://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection2.cab
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
O16 - DPF: {CF84DAC5-A4F5-419E-A0BA-C01FFD71112F} (SysInfo Class) - http://content.systemrequirementslab.com.s3.amazonaws.com/global/bin/srldetect_intel_4.3.16.0.cab
O16 - DPF: {E6F480FC-BD44-4CBA-B74A-89AF7842937D} (SysInfo Class) - http://content.systemrequirementslab.com.s3.amazonaws.com/global/bin/srldetect_cyri_4.3.1.0.cab
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\WINDOWS\system32\agrsmsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

--
End of file - 5524 bytes
 
I recommend that you uninstall, then reinstall Microsoft Antimalware. It should be having the drivers or services in multiples and being questioned in Combofix. Although I removed some, others are back.
=================================================
Please reopen HijackThis to 'do system scan only'. Check each of the following, if present:

C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Common Files\Java\Java Update\jucheck.exe
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [Camera Assistant Software] "C:\Program Files\Camera Assistant Software for Toshiba\traybar.exe" /start
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe



Close all Windows except HijackThis and click on "Fix Checked."

Control Panel> Java> Uncheck the auto-update line. Confirm Yes when asked.
Java updates don't overwrite earlier versions. If you occasionally check for updates yourself, it will remind you that you must uninstall the earlier version in Add/Remove Programs, found in the Control Panel.

The Java Quick Starter does not need to run. It makes little difference, but uses resources:
Start> Run> type in services.msc> double click on Java Quick Starter> Change Startup Type to Disabled> Stop the Service

Use the msconfig utility to uncheck processes for the following on the Startup menu:
Any Java related processes
Adobe Reader processes (Reader_sl.exe, AdobeARM.exe)
Camera Assistant by Toshiba (traybar.exe) can be started when needed
QuickTime Task> auto-updater


To remove entries from Startup using the msconfig utility:
  • Click on Start> Run> type in msconfig> enter>
  • Click on Selective Startup
  • Choose the Startup tab:
    This is where you UNCHECK the Startup items. This does not remove the item or uninstall anything> it just stops it from starting on boot. It can be rechecked at any time if wanted.
  • To expand the Command Column, (this shows what the process 'belongs' to) hold left mouse button down on the dividing line on frame above Location and move to the right to expand.
  • Click on Apply> OK when finished.

NOTE:
When you reboot the system the first time after making changes using the msconfig utility, a nag message comes up that can be ignored and closed after checking 'don't show this message again.'
Once you make changes to the Startup menu, you must remain in Selective Startup to retain those changes. If you go back to Normal Startup, everything you unchecked will be checked again and start on boot.
======================================
How is the system running now?
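The services.msc and msconfig steps in the post above can also be done, and verified, from a script. The following is an added example and is not part of the original thread or the helper's instructions. It assumes Windows PowerShell 2.0 or later has been installed on the XP SP3 machine (it is not present by default) and that it runs from an administrator session; the service name and the Run value names are taken from the O23 and O4 lines of the HijackThis log. Unlike msconfig, which only parks an unchecked entry under HKLM\Software\Microsoft\Shared Tools\MSConfig\startupreg, step 3 deletes the value outright, so it is written with -WhatIf as a dry run.

```powershell
# Added example, not from the original thread. Assumes PowerShell 2.0+ on XP SP3
# and an elevated session. Names below come from the posted HijackThis log.

$serviceName = 'JavaQuickStarterService'   # O23 - Service: Java Quick Starter
$runValues   = @(                           # O4 - HKLM\..\Run entries in the log
    'SunJavaUpdateSched',
    'Adobe Reader Speed Launcher',
    'Adobe ARM',
    'Camera Assistant Software',
    'QuickTime Task'
)
$runKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'

# 1. Stop the Java Quick Starter service and keep it from starting at boot
#    (the services.msc step: Startup Type = Disabled, then Stop).
$svc = Get-Service -Name $serviceName -ErrorAction SilentlyContinue
if ($svc) {
    if ($svc.Status -ne 'Stopped') { Stop-Service -Name $serviceName -Force }
    Set-Service -Name $serviceName -StartupType Disabled
    # Verify: State should be 'Stopped' and StartMode 'Disabled'.
    Get-WmiObject Win32_Service -Filter "Name='$serviceName'" |
        Select-Object Name, State, StartMode
} else {
    Write-Host "Service $serviceName is not present."
}

# 2. List every value in the HKLM Run key with its command line, so that any
#    autostart entry that does NOT appear in the HijackThis log stands out.
Get-ItemProperty -Path $runKey |
    Select-Object -Property * -ExcludeProperty PS* |
    Format-List

# 3. Remove the Run values the post tells you to uncheck in msconfig.
#    -WhatIf only reports what would be deleted; drop it to apply the change.
foreach ($name in $runValues) {
    $prop = Get-ItemProperty -Path $runKey -Name $name -ErrorAction SilentlyContinue
    if ($prop) {
        Write-Host "Would remove Run value '$name' -> $($prop.$name)"
        Remove-ItemProperty -Path $runKey -Name $name -WhatIf
    }
}
```

Run step 2 first and compare its output against the O4 lines in the log: an entry that is not listed there is exactly what a redirector would use to survive a reboot, and should be looked at before anything is deleted.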
 